feat: clean control plane — remove all example tenant resources
- Removed cameleer3-server and cameleer3-server-ui from docker-compose (tenants provision their own server instances via the vendor console) - Removed viewer/camel user from bootstrap (tenant users created during provisioning) - Removed Phase 7 server OIDC configuration (provisioned servers get OIDC config from env vars, claim mappings via Logto Custom JWT) - Removed server-related env vars from bootstrap (SERVER_ENDPOINT, etc.) - Removed jardata volume from dev overlay Clean slate: docker compose up gives you Traefik + PostgreSQL + ClickHouse + Logto + SaaS platform + vendor seed. Everything else (servers, tenants, users) created through the vendor console. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
@@ -504,104 +504,10 @@ fi
|
||||
fi # end: ADMIN_TOKEN check
|
||||
fi # end: M_ADMIN_SECRET check
|
||||
|
||||
# --- Viewer user (for testing read-only OIDC role in server) ---
|
||||
log "Checking for viewer user '$TENANT_ADMIN_USER'..."
|
||||
TENANT_USER_ID=$(api_get "/api/users?search=$TENANT_ADMIN_USER" | jq -r ".[] | select(.username == \"$TENANT_ADMIN_USER\") | .id")
|
||||
if [ -n "$TENANT_USER_ID" ]; then
|
||||
log "Viewer user exists: $TENANT_USER_ID"
|
||||
else
|
||||
log "Creating viewer user '$TENANT_ADMIN_USER'..."
|
||||
TENANT_RESPONSE=$(api_post "/api/users" "{
|
||||
\"username\": \"$TENANT_ADMIN_USER\",
|
||||
\"password\": \"$TENANT_ADMIN_PASS\",
|
||||
\"name\": \"Viewer\"
|
||||
}")
|
||||
TENANT_USER_ID=$(echo "$TENANT_RESPONSE" | jq -r '.id')
|
||||
log "Created viewer user: $TENANT_USER_ID"
|
||||
fi
|
||||
|
||||
# ============================================================
|
||||
# PHASE 6: Create organization + add users
|
||||
# ============================================================
|
||||
|
||||
# No example organization created — the vendor creates tenants via the SaaS UI.
|
||||
# Users (admin, viewer) are created above but not added to any org.
|
||||
# No viewer user — tenant users are created by the vendor during tenant provisioning.
|
||||
# No example organization — tenants are created via the vendor console.
|
||||
# No server OIDC config — each provisioned server gets OIDC from env vars.
|
||||
ORG_ID=""
|
||||
log "Skipping example organization (tenants are created by the vendor)."
|
||||
|
||||
# ============================================================
|
||||
# PHASE 7: Configure cameleer3-server OIDC
|
||||
# ============================================================
|
||||
|
||||
SERVER_HEALTHY="no"
|
||||
for i in 1 2 3; do
|
||||
if curl -sf "${SERVER_ENDPOINT}/api/v1/health" >/dev/null 2>&1; then
|
||||
SERVER_HEALTHY="yes"
|
||||
break
|
||||
fi
|
||||
sleep 2
|
||||
done
|
||||
log "Phase 7 check: SERVER_HEALTHY=$SERVER_HEALTHY, TRAD_SECRET length=${#TRAD_SECRET}"
|
||||
|
||||
if [ "$SERVER_HEALTHY" = "yes" ] && [ -n "$TRAD_SECRET" ]; then
|
||||
log "Configuring cameleer3-server OIDC..."
|
||||
|
||||
# Login to server as admin
|
||||
SERVER_TOKEN_RESPONSE=$(curl -s -X POST "${SERVER_ENDPOINT}/api/v1/auth/login" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "{\"username\": \"$SERVER_UI_USER\", \"password\": \"$SERVER_UI_PASS\"}")
|
||||
SERVER_TOKEN=$(echo "$SERVER_TOKEN_RESPONSE" | jq -r '.accessToken' 2>/dev/null)
|
||||
|
||||
if [ -n "$SERVER_TOKEN" ] && [ "$SERVER_TOKEN" != "null" ]; then
|
||||
# Configure OIDC
|
||||
OIDC_RESPONSE=$(curl -s -X PUT "${SERVER_ENDPOINT}/api/v1/admin/oidc" \
|
||||
-H "Authorization: Bearer $SERVER_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "{
|
||||
\"enabled\": true,
|
||||
\"issuerUri\": \"$LOGTO_PUBLIC_ENDPOINT/oidc\",
|
||||
\"clientId\": \"$TRAD_ID\",
|
||||
\"clientSecret\": \"$TRAD_SECRET\",
|
||||
\"autoSignup\": true,
|
||||
\"defaultRoles\": [\"VIEWER\"],
|
||||
\"displayNameClaim\": \"name\",
|
||||
\"rolesClaim\": \"roles\",
|
||||
\"audience\": \"$API_RESOURCE_INDICATOR\",
|
||||
\"additionalScopes\": []
|
||||
}")
|
||||
log "OIDC config response: $(echo "$OIDC_RESPONSE" | head -c 200)"
|
||||
log "cameleer3-server OIDC configured."
|
||||
|
||||
# Seed claim mapping rules (roles → server RBAC)
|
||||
log "Seeding claim mapping rules..."
|
||||
EXISTING_MAPPINGS=$(curl -s -H "Authorization: Bearer $SERVER_TOKEN" \
|
||||
"${SERVER_ENDPOINT}/api/v1/admin/claim-mappings" 2>/dev/null || echo "[]")
|
||||
|
||||
seed_claim_mapping() {
|
||||
local match_value="$1"
|
||||
local target="$2"
|
||||
local priority="$3"
|
||||
local exists=$(echo "$EXISTING_MAPPINGS" | jq -r ".[] | select(.matchValue == \"$match_value\") | .id")
|
||||
if [ -n "$exists" ]; then
|
||||
log " Claim mapping '$match_value' → $target exists"
|
||||
else
|
||||
local resp=$(curl -s -X POST "${SERVER_ENDPOINT}/api/v1/admin/claim-mappings" \
|
||||
-H "Authorization: Bearer $SERVER_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "{\"claim\":\"roles\",\"matchType\":\"contains\",\"matchValue\":\"$match_value\",\"action\":\"assignRole\",\"target\":\"$target\",\"priority\":$priority}")
|
||||
log " Created claim mapping '$match_value' → $target"
|
||||
fi
|
||||
}
|
||||
|
||||
seed_claim_mapping "server:admin" "ADMIN" 10
|
||||
seed_claim_mapping "server:operator" "OPERATOR" 20
|
||||
log "Claim mapping rules seeded."
|
||||
else
|
||||
log "WARNING: Could not login to cameleer3-server — skipping OIDC config"
|
||||
fi
|
||||
else
|
||||
log "WARNING: cameleer3-server not available or no Traditional app secret — skipping OIDC config"
|
||||
fi
|
||||
|
||||
# ============================================================
|
||||
# PHASE 7b: Configure Logto Custom JWT for access tokens
|
||||
|
||||
Reference in New Issue
Block a user