refactor: merge vendor user into saas-admin
The admin user IS the platform admin — no separate vendor user needed. The saas-vendor role is now always assigned to the admin user during bootstrap. Removes VENDOR_ENABLED, VENDOR_USER, VENDOR_PASS from all config, prompts, compose templates, and bootstrap script. In multi-tenant mode: admin logs in with saas-admin credentials, gets platform:admin scope via saas-vendor role, manages tenants directly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -22,8 +22,6 @@ DEFAULT_HTTP_PORT="80"
|
||||
DEFAULT_HTTPS_PORT="443"
|
||||
DEFAULT_LOGTO_CONSOLE_PORT="3002"
|
||||
DEFAULT_LOGTO_CONSOLE_EXPOSED="true"
|
||||
DEFAULT_VENDOR_ENABLED="false"
|
||||
DEFAULT_VENDOR_USER="vendor"
|
||||
DEFAULT_COMPOSE_PROJECT="cameleer-saas"
|
||||
DEFAULT_COMPOSE_PROJECT_STANDALONE="cameleer"
|
||||
DEFAULT_DOCKER_SOCKET="/var/run/docker.sock"
|
||||
@@ -42,9 +40,6 @@ _ENV_HTTP_PORT="${HTTP_PORT:-}"
|
||||
_ENV_HTTPS_PORT="${HTTPS_PORT:-}"
|
||||
_ENV_LOGTO_CONSOLE_PORT="${LOGTO_CONSOLE_PORT:-}"
|
||||
_ENV_LOGTO_CONSOLE_EXPOSED="${LOGTO_CONSOLE_EXPOSED:-}"
|
||||
_ENV_VENDOR_ENABLED="${VENDOR_ENABLED:-}"
|
||||
_ENV_VENDOR_USER="${VENDOR_USER:-}"
|
||||
_ENV_VENDOR_PASS="${VENDOR_PASS:-}"
|
||||
_ENV_MONITORING_NETWORK="${MONITORING_NETWORK:-}"
|
||||
_ENV_COMPOSE_PROJECT="${COMPOSE_PROJECT:-}"
|
||||
_ENV_DOCKER_SOCKET="${DOCKER_SOCKET:-}"
|
||||
@@ -66,9 +61,6 @@ HTTP_PORT=""
|
||||
HTTPS_PORT=""
|
||||
LOGTO_CONSOLE_PORT=""
|
||||
LOGTO_CONSOLE_EXPOSED=""
|
||||
VENDOR_ENABLED=""
|
||||
VENDOR_USER=""
|
||||
VENDOR_PASS=""
|
||||
MONITORING_NETWORK=""
|
||||
VERSION=""
|
||||
COMPOSE_PROJECT=""
|
||||
@@ -169,9 +161,6 @@ parse_args() {
|
||||
--https-port) HTTPS_PORT="$2"; shift ;;
|
||||
--logto-console-port) LOGTO_CONSOLE_PORT="$2"; shift ;;
|
||||
--logto-console-exposed) LOGTO_CONSOLE_EXPOSED="$2"; shift ;;
|
||||
--vendor-enabled) VENDOR_ENABLED="$2"; shift ;;
|
||||
--vendor-user) VENDOR_USER="$2"; shift ;;
|
||||
--vendor-password) VENDOR_PASS="$2"; shift ;;
|
||||
--monitoring-network) MONITORING_NETWORK="$2"; shift ;;
|
||||
--version) VERSION="$2"; shift ;;
|
||||
--compose-project) COMPOSE_PROJECT="$2"; shift ;;
|
||||
@@ -219,7 +208,6 @@ show_help() {
|
||||
echo "Expert options:"
|
||||
echo " --postgres-password, --clickhouse-password, --http-port,"
|
||||
echo " --https-port, --logto-console-port, --logto-console-exposed,"
|
||||
echo " --vendor-enabled, --vendor-user, --vendor-password,"
|
||||
echo " --compose-project, --docker-socket, --node-tls-reject"
|
||||
echo ""
|
||||
echo "Re-run options:"
|
||||
@@ -256,9 +244,6 @@ load_config_file() {
|
||||
https_port) [ -z "$HTTPS_PORT" ] && HTTPS_PORT="$value" ;;
|
||||
logto_console_port) [ -z "$LOGTO_CONSOLE_PORT" ] && LOGTO_CONSOLE_PORT="$value" ;;
|
||||
logto_console_exposed) [ -z "$LOGTO_CONSOLE_EXPOSED" ] && LOGTO_CONSOLE_EXPOSED="$value" ;;
|
||||
vendor_enabled) [ -z "$VENDOR_ENABLED" ] && VENDOR_ENABLED="$value" ;;
|
||||
vendor_user) [ -z "$VENDOR_USER" ] && VENDOR_USER="$value" ;;
|
||||
vendor_password) [ -z "$VENDOR_PASS" ] && VENDOR_PASS="$value" ;;
|
||||
monitoring_network) [ -z "$MONITORING_NETWORK" ] && MONITORING_NETWORK="$value" ;;
|
||||
version) [ -z "$VERSION" ] && VERSION="$value" ;;
|
||||
compose_project) [ -z "$COMPOSE_PROJECT" ] && COMPOSE_PROJECT="$value" ;;
|
||||
@@ -285,9 +270,6 @@ load_env_overrides() {
|
||||
[ -z "$HTTPS_PORT" ] && HTTPS_PORT="$_ENV_HTTPS_PORT"
|
||||
[ -z "$LOGTO_CONSOLE_PORT" ] && LOGTO_CONSOLE_PORT="$_ENV_LOGTO_CONSOLE_PORT"
|
||||
[ -z "$LOGTO_CONSOLE_EXPOSED" ] && LOGTO_CONSOLE_EXPOSED="$_ENV_LOGTO_CONSOLE_EXPOSED"
|
||||
[ -z "$VENDOR_ENABLED" ] && VENDOR_ENABLED="$_ENV_VENDOR_ENABLED"
|
||||
[ -z "$VENDOR_USER" ] && VENDOR_USER="$_ENV_VENDOR_USER"
|
||||
[ -z "$VENDOR_PASS" ] && VENDOR_PASS="$_ENV_VENDOR_PASS"
|
||||
[ -z "$MONITORING_NETWORK" ] && MONITORING_NETWORK="$_ENV_MONITORING_NETWORK"
|
||||
[ -z "$VERSION" ] && VERSION="${CAMELEER_VERSION:-}"
|
||||
[ -z "$COMPOSE_PROJECT" ] && COMPOSE_PROJECT="$_ENV_COMPOSE_PROJECT"
|
||||
@@ -437,7 +419,7 @@ run_simple_prompts() {
|
||||
|
||||
echo ""
|
||||
echo " Deployment mode:"
|
||||
echo " [1] Multi-tenant vendor — manage platform, provision tenants on demand"
|
||||
echo " [1] Multi-tenant SaaS — manage platform, provision tenants on demand"
|
||||
echo " [2] Single-tenant — one server instance, local auth, no identity provider"
|
||||
echo ""
|
||||
local deploy_choice
|
||||
@@ -445,11 +427,9 @@ run_simple_prompts() {
|
||||
case "${deploy_choice:-1}" in
|
||||
2)
|
||||
DEPLOYMENT_MODE="standalone"
|
||||
VENDOR_ENABLED="false"
|
||||
;;
|
||||
*)
|
||||
DEPLOYMENT_MODE="saas"
|
||||
VENDOR_ENABLED="true"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
@@ -470,21 +450,6 @@ run_expert_prompts() {
|
||||
prompt_password CLICKHOUSE_PASSWORD "ClickHouse password" ""
|
||||
fi
|
||||
|
||||
if [ "$DEPLOYMENT_MODE" = "saas" ]; then
|
||||
echo ""
|
||||
if prompt_yesno "Enable vendor account?"; then
|
||||
VENDOR_ENABLED="true"
|
||||
prompt VENDOR_USER "Vendor username" "${VENDOR_USER:-$DEFAULT_VENDOR_USER}"
|
||||
if prompt_yesno "Auto-generate vendor password?" "y"; then
|
||||
VENDOR_PASS=""
|
||||
else
|
||||
prompt_password VENDOR_PASS "Vendor password" ""
|
||||
fi
|
||||
else
|
||||
VENDOR_ENABLED="false"
|
||||
fi
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo -e "${BOLD} Networking:${NC}"
|
||||
prompt HTTP_PORT "HTTP port" "${HTTP_PORT:-$DEFAULT_HTTP_PORT}"
|
||||
@@ -523,8 +488,6 @@ merge_config() {
|
||||
: "${HTTPS_PORT:=$DEFAULT_HTTPS_PORT}"
|
||||
: "${LOGTO_CONSOLE_PORT:=$DEFAULT_LOGTO_CONSOLE_PORT}"
|
||||
: "${LOGTO_CONSOLE_EXPOSED:=$DEFAULT_LOGTO_CONSOLE_EXPOSED}"
|
||||
: "${VENDOR_ENABLED:=$DEFAULT_VENDOR_ENABLED}"
|
||||
: "${VENDOR_USER:=$DEFAULT_VENDOR_USER}"
|
||||
: "${VERSION:=$CAMELEER_DEFAULT_VERSION}"
|
||||
: "${DOCKER_SOCKET:=$DEFAULT_DOCKER_SOCKET}"
|
||||
|
||||
@@ -597,10 +560,6 @@ generate_passwords() {
|
||||
CLICKHOUSE_PASSWORD=$(generate_password)
|
||||
log_info "Generated ClickHouse password."
|
||||
fi
|
||||
if [ "$VENDOR_ENABLED" = "true" ] && [ -z "$VENDOR_PASS" ]; then
|
||||
VENDOR_PASS=$(generate_password)
|
||||
log_info "Generated vendor password."
|
||||
fi
|
||||
}
|
||||
|
||||
# --- File generation ---
|
||||
@@ -703,11 +662,6 @@ EOF
|
||||
|
||||
cat >> "$f" << EOF
|
||||
|
||||
# Vendor account
|
||||
VENDOR_SEED_ENABLED=${VENDOR_ENABLED}
|
||||
VENDOR_USER=${VENDOR_USER}
|
||||
VENDOR_PASS=${VENDOR_PASS:-}
|
||||
|
||||
# Docker
|
||||
DOCKER_SOCKET=${DOCKER_SOCKET}
|
||||
DOCKER_GID=$(stat -c '%g' "${DOCKER_SOCKET}" 2>/dev/null || echo "0")
|
||||
@@ -858,9 +812,6 @@ EOF
|
||||
PG_DB_SAAS: cameleer_saas
|
||||
SAAS_ADMIN_USER: ${SAAS_ADMIN_USER:-admin}
|
||||
SAAS_ADMIN_PASS: ${SAAS_ADMIN_PASS:-admin}
|
||||
VENDOR_SEED_ENABLED: "${VENDOR_SEED_ENABLED:-false}"
|
||||
VENDOR_USER: ${VENDOR_USER:-vendor}
|
||||
VENDOR_PASS: ${VENDOR_PASS:-vendor}
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3001/oidc/.well-known/openid-configuration', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))\" && test -f /data/logto-bootstrap.json"]
|
||||
interval: 10s
|
||||
@@ -1310,8 +1261,6 @@ http_port=${HTTP_PORT}
|
||||
https_port=${HTTPS_PORT}
|
||||
logto_console_port=${LOGTO_CONSOLE_PORT}
|
||||
logto_console_exposed=${LOGTO_CONSOLE_EXPOSED}
|
||||
vendor_enabled=${VENDOR_ENABLED}
|
||||
vendor_user=${VENDOR_USER}
|
||||
monitoring_network=${MONITORING_NETWORK}
|
||||
version=${VERSION}
|
||||
compose_project=${COMPOSE_PROJECT}
|
||||
@@ -1365,17 +1314,6 @@ ClickHouse: default / ${CLICKHOUSE_PASSWORD}
|
||||
|
||||
EOF
|
||||
|
||||
if [ "$VENDOR_ENABLED" = "true" ]; then
|
||||
cat >> "$f" << EOF
|
||||
Vendor User: ${VENDOR_USER}
|
||||
Vendor Password: ${VENDOR_PASS}
|
||||
|
||||
EOF
|
||||
else
|
||||
echo "Vendor User: (not enabled)" >> "$f"
|
||||
echo "" >> "$f"
|
||||
fi
|
||||
|
||||
if [ "$LOGTO_CONSOLE_EXPOSED" = "true" ]; then
|
||||
echo "Logto Console: ${PUBLIC_PROTOCOL}://${PUBLIC_HOST}:${LOGTO_CONSOLE_PORT}" >> "$f"
|
||||
else
|
||||
@@ -1424,9 +1362,9 @@ EOF
|
||||
## First Steps
|
||||
|
||||
1. Open the Platform UI in your browser
|
||||
2. Log in with the admin credentials from `credentials.txt`
|
||||
3. Create your first tenant via the Vendor console
|
||||
4. The platform will provision a dedicated server instance for the tenant
|
||||
2. Log in as admin with the credentials from `credentials.txt`
|
||||
3. Create tenants from the admin console
|
||||
4. The platform will provision a dedicated server instance for each tenant
|
||||
|
||||
## Architecture
|
||||
|
||||
@@ -1475,7 +1413,7 @@ EOF
|
||||
cat >> "$f" << 'EOF'
|
||||
|
||||
The platform generated a self-signed certificate on first boot. To replace it:
|
||||
1. Log in as admin and navigate to **Certificates** in the vendor console
|
||||
1. Log in as admin and navigate to **Certificates** in the admin console
|
||||
2. Upload your certificate and key via the UI
|
||||
3. Activate the new certificate (zero-downtime swap)
|
||||
EOF
|
||||
@@ -1693,11 +1631,6 @@ print_credentials() {
|
||||
echo ""
|
||||
|
||||
if [ "$DEPLOYMENT_MODE" = "saas" ]; then
|
||||
if [ "$VENDOR_ENABLED" = "true" ]; then
|
||||
echo -e " Vendor User: ${BOLD}${VENDOR_USER}${NC}"
|
||||
echo -e " Vendor Password: ${BOLD}${VENDOR_PASS}${NC}"
|
||||
echo ""
|
||||
fi
|
||||
if [ "$LOGTO_CONSOLE_EXPOSED" = "true" ]; then
|
||||
echo -e " Logto Console: ${BLUE}${PUBLIC_PROTOCOL}://${PUBLIC_HOST}:${LOGTO_CONSOLE_PORT}${NC}"
|
||||
echo ""
|
||||
|
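Review bot: With the saas-vendor role now always attached to the admin user, the compose template line `SAAS_ADMIN_PASS: ${SAAS_ADMIN_PASS:-admin}` in the hunk after `PG_DB_SAAS: cameleer_saas` lets an account that carries platform:admin scope fall back to the password `admin` whenever SAAS_ADMIN_PASS is unset, and the commit removes the vendor-password generation from generate_passwords without visibly adding an admin-password equivalent (the head of that function is outside its hunk, so it may already exist there). I would fail fast rather than default: `SAAS_ADMIN_PASS: ${SAAS_ADMIN_PASS:?SAAS_ADMIN_PASS must be set}`, which behaves the same whether the heredoc is shell-expanded or compose-interpolated. A comment next to `SAAS_ADMIN_USER:` saying that this account now holds platform admin rights, so the default-credential risk moved here, would help the next reader. The load_config_file hunk also drops the `vendor_*` case arms, so a re-run against an existing config file that still contains those keys now depends on the case's default arm, which is outside the hunk.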
||||