Switch KB & Neo4j to new keboola.systems domain (ST-3586)

deploy/terraform/cloudrun-neodash.tf

@@ -43,7 +43,7 @@ resource "google_cloud_run_v2_service" "neodash" {
 
       env {
         name  = "standaloneHost"
-        value = "neo4j.internal.${var.base_domain}"
+        value = "neo4j.${var.base_domain}"
       }
 
       env {

deploy/terraform/load-balancer.tf

@@ -15,7 +15,7 @@ resource "google_compute_managed_ssl_certificate" "cert_v3" {
 
   managed {
     domains = [
-      "kb.internal.${var.base_domain}",
+      "kb.${var.base_domain}",
       "kb.staging.${var.staging_domain}"
     ]
   }
@@ -102,7 +102,7 @@ resource "google_compute_url_map" "default" {
 
   # Production UI
   host_rule {
-    hosts        = ["kb.internal.${var.base_domain}"]
+    hosts        = ["kb.${var.base_domain}"]
     path_matcher = "neodash-prod"
   }
 

deploy/terraform/ssl-proxy-lb.tf

@@ -18,7 +18,7 @@ resource "google_compute_managed_ssl_certificate" "db_cert" {
 
   managed {
     domains = [
-      "neo4j.internal.${var.base_domain}",
+      "neo4j.${var.base_domain}",
       "neo4j.staging.${var.staging_domain}"
     ]
   }

deploy/terraform/terraform.tfvars.example

@@ -11,7 +11,8 @@ zone       = "us-central1-a"
 environment = "prod"
 
 # Domain Configuration (Load Balancer & SSL)
-base_domain       = "keboola.com"
+base_domain       = "keboola.systems"
+staging_domain    = "keboola.systems"
 iap_support_email = "support@keboola.com"
 
 # Confluence Configuration

deploy/terraform/variables.tf

@@ -35,15 +35,15 @@ variable "confluence_space_keys" {
 }
 
 variable "base_domain" {
-  description = "Base domain for production (e.g. keboola.com)"
+  description = "Base domain for production (e.g. keboola.systems)"
   type        = string
-  default     = "keboola.com"
+  default     = "keboola.systems"
 }
 
 variable "staging_domain" {
-  description = "Base domain for staging (e.g. keboola.dev)"
+  description = "Base domain for staging (e.g. keboola.systems)"
   type        = string
-  default     = "keboola.dev"
+  default     = "keboola.systems"
 }
 
 variable "iap_support_email" {

docs/NEO4J_FIX_DOCUMENTATION.md

@@ -317,7 +317,7 @@ python3 test-neo4j-connection.py --target staging --verbose
 ║   2026-02-05 14:16:06                           ║
 ╚═══════════════════════════════════════════════╝
 
-✓ TCP connection to LB: Connected to neo4j.staging.keboola.dev:443
+✓ TCP connection to LB: Connected to neo4j.staging.keboola.systems:443
 ✓ TLS handshake through LB: TLSv1.3
 ✓ Bolt handshake through LB: Bolt 0.1028
 ✓ Driver connection: Query executed successfully (returned: 1)
@@ -385,7 +385,7 @@ python3 test-neo4j-connection.py --target production
 ```
 Browser/Client
   ↓
-neo4j.staging.keboola.dev:443 (SSL Load Balancer)
+neo4j.staging.keboola.systems:443 (SSL Load Balancer)
   ↓
 TLS/SSL Termination (TLSv1.3)
   ↓
@@ -494,7 +494,7 @@ User Journey:
 | `standalone` | `true` | Neodash connects directly to Neo4j |
 | `standaloneUser` | `neo4j` | Service account username |
 | `standalonePassword` | (from Secret Manager) | Service account password |
-| `standaloneHost` | `neo4j.staging.keboola.dev` | Neo4j host |
+| `standaloneHost` | `neo4j.staging.keboola.systems` | Neo4j host |
 | `standalonePort` | `443` | HTTPS port for TLS |
 | `standaloneProtocol` | `bolt+s` | Bolt over SSL |
 
@@ -554,7 +554,7 @@ gcloud compute network-endpoint-groups describe neo4j-staging-neg --zone=us-cent
 
 **Symptom**:
 ```
-✗ TCP connection to LB: DNS resolution failed for neo4j.internal.keboola.dev
+✗ TCP connection to LB: DNS resolution failed for neo4j.keboola.systems
 ```
 
 **Cause**: Running from outside GCP network (expected for production)

docs/WEB_UI_ACCESS.md

@@ -9,16 +9,16 @@ Access is secured via **Google Identity-Aware Proxy (IAP)**, meaning no VPN is r
 
 | Environment | UI URL (Browser) | DB Host (Connection Settings) | Access Control |
 |---|---|---|---|
-| **Production** | `https://kb.internal.keboola.com` | `neo4j.internal.keboola.com` | IAP (UI) / Cloud Armor (DB) |
-| **Staging** | `https://kb.staging.keboola.com` | `neo4j.staging.keboola.com` | IAP (UI) / Cloud Armor (DB) |
+| **Production** | `https://kb.keboola.systems` | `neo4j.keboola.systems` | IAP (UI) / Cloud Armor (DB) |
+| **Staging** | `https://kb.staging.keboola.systems` | `neo4j.staging.keboola.systems` | IAP (UI) / Cloud Armor (DB) |
 
 ## User Guide: How to Connect
 
-1.  **Open the UI**: Navigate to the UI URL (e.g., `https://kb.internal.keboola.com`).
+1.  **Open the UI**: Navigate to the UI URL (e.g., `https://kb.keboola.systems`).
 2.  **Log In**: You will be redirected to Google Login. Use your company email.
 3.  **Neodash Connect Screen**:
     *   **Protocol**: `neo4j+s` (Secure Bolt)
-    *   **Hostname**: `neo4j.internal.keboola.com` (Do not add `https://`)
+    *   **Hostname**: `neo4j.keboola.systems` (Do not add `https://`)
     *   **Port**: `443` (Default for SSL)
     *   **Username**: `neo4j`
     *   **Password**: *Ask your administrator for the read-only or admin password.*
@@ -65,7 +65,8 @@ Run the helper script with your credentials:
 
 Ensure your `terraform.tfvars` has the correct domain and authorized users:
 ```hcl
-base_domain = "keboola.com"
+base_domain = "keboola.systems"
+staging_domain = "keboola.systems"
 iap_support_email = "support@keboola.com"
 
 # Important: Only these users can log in via IAP
@@ -87,23 +88,23 @@ After Terraform completes, it will output the `load_balancer_ip`. You must creat
 
 | Type | Name | Value |
 |---|---|---|
-| A | `kb.internal` | `<LOAD_BALANCER_IP>` |
-| A | `neo4j.internal` | `<LOAD_BALANCER_IP>` |
+| A | `kb` | `<LOAD_BALANCER_IP>` |
+| A | `neo4j` | `<LOAD_BALANCER_IP>` |
 | A | `kb.staging` | `<LOAD_BALANCER_IP>` |
 | A | `neo4j.staging` | `<LOAD_BALANCER_IP>` |
 
 Wait for DNS propagation (TTL) and Google Managed SSL provisioning (can take 15-60 minutes).
 
 ### 4. Post-Deployment Verification
 
-1.  Visit `https://kb.internal.keboola.com`.
+1.  Visit `https://kb.keboola.systems`.
 2.  Verify Google Login redirect works.
 3.  Verify Neodash loads.
 4.  Retrieve the generated Neo4j password:
     ```bash
     gcloud secrets versions access latest --secret="neo4j-password"
     ```
-5.  Try connecting Neodash to `neo4j.internal.keboola.com:443`.
+5.  Try connecting Neodash to `neo4j.keboola.systems:443`.
 
 ---
 

plan/phases/13-web-ui/CHECKLIST.md

@@ -26,7 +26,7 @@
 - [x] Document credentials retrieval (`gcloud secrets versions access ...`).
 
 ## Pre-requisites (Manual Action Required)
-- [ ] **Domain Name**: Identify the domain to use (e.g., `kb.dev.keboola.com` or similar).
+- [ ] **Domain Name**: Identify the domain to use (e.g., `kb.keboola.systems` or similar).
 - [ ] **OAuth Consent Screen**:
     - Go to GCP Console -> APIs & Services -> OAuth consent screen.
     - Create "Internal" app (if Org exists) or "External" (testing).