infra: add OIDC config to bootstrap output, stop reading Logto DB for secrets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-05 12:44:27 +02:00
parent 9e6440d97c
commit 4da9cf23cb


@@ -52,6 +52,13 @@ pgpass() { PGPASSWORD="${PG_PASSWORD:-cameleer_dev}"; export PGPASSWORD; }
# Install jq + curl # Install jq + curl
apk add --no-cache jq curl >/dev/null 2>&1 apk add --no-cache jq curl >/dev/null 2>&1
# Read cached secrets from previous run
if [ -f "$BOOTSTRAP_FILE" ]; then
CACHED_M2M_SECRET=$(jq -r '.m2mClientSecret // empty' "$BOOTSTRAP_FILE" 2>/dev/null)
CACHED_TRAD_SECRET=$(jq -r '.tradAppSecret // empty' "$BOOTSTRAP_FILE" 2>/dev/null)
log "Found cached bootstrap file"
fi
# ============================================================ # ============================================================
# PHASE 1: Wait for services # PHASE 1: Wait for services
# ============================================================ # ============================================================
@@ -151,9 +158,7 @@ TRAD_ID=$(echo "$EXISTING_APPS" | jq -r ".[] | select(.name == \"$TRAD_APP_NAME\
TRAD_SECRET="" TRAD_SECRET=""
if [ -n "$TRAD_ID" ]; then if [ -n "$TRAD_ID" ]; then
log "Traditional app exists: $TRAD_ID" log "Traditional app exists: $TRAD_ID"
pgpass TRAD_SECRET="${CACHED_TRAD_SECRET:-}"
TRAD_SECRET=$(psql -h "$PG_HOST" -U "$PG_USER" -d "$PG_DB_LOGTO" -t -A -c \
"SELECT secret FROM applications WHERE id = '$TRAD_ID' AND tenant_id = 'default';")
else else
log "Creating Traditional Web app..." log "Creating Traditional Web app..."
TRAD_RESPONSE=$(api_post "/api/applications" "{ TRAD_RESPONSE=$(api_post "/api/applications" "{
@@ -189,9 +194,7 @@ M2M_ID=$(echo "$EXISTING_APPS" | jq -r ".[] | select(.name == \"$M2M_APP_NAME\"
M2M_SECRET="" M2M_SECRET=""
if [ -n "$M2M_ID" ]; then if [ -n "$M2M_ID" ]; then
log "M2M app exists: $M2M_ID" log "M2M app exists: $M2M_ID"
pgpass M2M_SECRET="${CACHED_M2M_SECRET:-}"
M2M_SECRET=$(psql -h "$PG_HOST" -U "$PG_USER" -d "$PG_DB_LOGTO" -t -A -c \
"SELECT secret FROM applications WHERE id = '$M2M_ID' AND tenant_id = 'default';")
else else
log "Creating M2M app..." log "Creating M2M app..."
M2M_RESPONSE=$(api_post "/api/applications" "{ M2M_RESPONSE=$(api_post "/api/applications" "{
@@ -422,13 +425,16 @@ cat > "$BOOTSTRAP_FILE" <<EOF
"m2mClientId": "$M2M_ID", "m2mClientId": "$M2M_ID",
"m2mClientSecret": "$M2M_SECRET", "m2mClientSecret": "$M2M_SECRET",
"tradAppId": "$TRAD_ID", "tradAppId": "$TRAD_ID",
"tradAppSecret": "$TRAD_SECRET",
"apiResourceIndicator": "$API_RESOURCE_INDICATOR", "apiResourceIndicator": "$API_RESOURCE_INDICATOR",
"organizationId": "$ORG_ID", "organizationId": "$ORG_ID",
"tenantName": "$TENANT_NAME", "tenantName": "$TENANT_NAME",
"tenantSlug": "$TENANT_SLUG", "tenantSlug": "$TENANT_SLUG",
"bootstrapToken": "$BOOTSTRAP_TOKEN", "bootstrapToken": "$BOOTSTRAP_TOKEN",
"platformAdminUser": "$SAAS_ADMIN_USER", "platformAdminUser": "$SAAS_ADMIN_USER",
"tenantAdminUser": "$TENANT_ADMIN_USER" "tenantAdminUser": "$TENANT_ADMIN_USER",
"oidcIssuerUri": "${LOGTO_ENDPOINT}/oidc",
"oidcAudience": "$API_RESOURCE_INDICATOR"
} }
EOF EOF
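Review bot: The new fallback `TRAD_SECRET="${CACHED_TRAD_SECRET:-}"` (and the matching `M2M_SECRET="${CACHED_M2M_SECRET:-}"` in the following hunk) turns a missing or unreadable bootstrap file into an empty secret that is then written straight into `$BOOTSTRAP_FILE`, whereas the removed psql lookup would at least have surfaced a database error; an existing app with no cached secret is a state the script can no longer recover from, and nothing in the hunk reports it. I would at least warn on the existing-app path, e.g. `[ -n "$TRAD_SECRET" ] || log "WARN: app $TRAD_ID exists but no cached tradAppSecret; output will contain an empty secret"`, and consider failing instead, since a consumer reading an empty `tradAppSecret` gets an auth failure with no hint why. The `jq -r ... 2>/dev/null` reads in the first hunk also hide a corrupt or truncated JSON file behind the same empty value. Since the file now carries both client secrets and `bootstrapToken`, it is worth confirming it is created with a restrictive mode (the `cat > "$BOOTSTRAP_FILE"` line sits in the last hunk's header, so I cannot see whether a `umask` or `chmod` precedes it); if not, `umask 077` before the write is a one-line fix. The secret values are interpolated unescaped into the heredoc JSON, so a secret containing a double quote or backslash would yield an unparseable file that the next run's `jq` then silently treats as no cache; building the document with `jq -n --arg` would avoid both problems.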