From 83801d24995ad8b581e45ad21d5f12f697b804a1 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 13 Apr 2026 17:28:19 +0200
Subject: [PATCH] fix: use localhost for bootstrap, restart Logto with public endpoints

Start Logto with localhost endpoints so bootstrap can reach the Management API without going through Traefik. After bootstrap completes, restart Logto with the real public endpoints for production use. This eliminates the Traefik race condition entirely.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker/cameleer-logto/logto-entrypoint.sh | 45 ++++++++++++-----------
 1 file changed, 23 insertions(+), 22 deletions(-)

diff --git a/docker/cameleer-logto/logto-entrypoint.sh b/docker/cameleer-logto/logto-entrypoint.sh
index 00b23da..d900d1b 100644
--- a/docker/cameleer-logto/logto-entrypoint.sh
+++ b/docker/cameleer-logto/logto-entrypoint.sh
@@ -1,13 +1,21 @@
 #!/bin/sh
 set -e
+# Save the real public endpoints for after bootstrap
+REAL_ENDPOINT="$ENDPOINT"
+REAL_ADMIN_ENDPOINT="$ADMIN_ENDPOINT"
+
 echo "[entrypoint] Seeding Logto database..."
 npm run cli db seed -- --swe 2>/dev/null || true
 echo "[entrypoint] Deploying database alterations..."
 npm run cli db alteration deploy 2>/dev/null || true
-echo "[entrypoint] Starting Logto..."
+# Start Logto with localhost endpoints so it can reach itself without Traefik
+export ENDPOINT="http://localhost:3001"
+export ADMIN_ENDPOINT="http://localhost:3002"
+
+echo "[entrypoint] Starting Logto (bootstrap mode)..."
 npm start &
 LOGTO_PID=$!
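Review bot: `REAL_ENDPOINT="$ENDPOINT"` and `REAL_ADMIN_ENDPOINT="$ADMIN_ENDPOINT"` are captured without checking that either variable is set, and the old `[ -n "$ADMIN_ENDPOINT" ]` guard that tolerated an absent value is removed in the next hunk; when the container starts without these, the production restart later re-exports empty strings instead of leaving the variables unset, so Logto would come up with an empty public endpoint rather than failing visibly. Since the script already runs under `set -e`, a fail-fast assertion before the captures is enough: `: "${ENDPOINT:?ENDPOINT must be set}"` and `: "${ADMIN_ENDPOINT:?ADMIN_ENDPOINT must be set}"`. A one-line comment above them, `# Fail early: the production restart at the end of this script needs both public endpoints`, would make the dependency on the final hunk explicit.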
@@ -24,26 +32,11 @@ for i in $(seq 1 120); do
 sleep 1
 done
-# Wait for admin endpoint to be routable through Traefik
-# The Management API needs ADMIN_ENDPOINT for admin tenant OIDC discovery.
-# Since bootstrap runs inside this container (not a separate one), Traefik
-# may not have discovered our labels yet — wait for it.
-if [ -n "$ADMIN_ENDPOINT" ]; then
- echo "[entrypoint] Waiting for admin endpoint ($ADMIN_ENDPOINT) to be routable..."
- for i in $(seq 1 60); do
- if curl -sfk "$ADMIN_ENDPOINT/oidc/.well-known/openid-configuration" >/dev/null 2>&1; then
- echo "[entrypoint] Admin endpoint ready."
- break
- fi
- if [ "$i" -eq 60 ]; then
- echo "[entrypoint] WARNING: Admin endpoint not reachable after 60s, bootstrap may fail"
- fi
- sleep 1
- done
-fi
-
-# Run bootstrap if not already done
+# Run bootstrap if not already done — use localhost since we're inside the container
 BOOTSTRAP_FILE="/data/logto-bootstrap.json"
+export LOGTO_ENDPOINT="http://localhost:3001"
+export LOGTO_ADMIN_ENDPOINT="http://localhost:3002"
+
 if [ -f "$BOOTSTRAP_FILE" ]; then
 CACHED_SECRET=$(jq -r '.m2mClientSecret // empty' "$BOOTSTRAP_FILE" 2>/dev/null)
 CACHED_SPA=$(jq -r '.spaClientId // empty' "$BOOTSTRAP_FILE" 2>/dev/null)
@@ -58,5 +51,13 @@ else
 /scripts/logto-bootstrap.sh
 fi
-echo "[entrypoint] Logto is running (PID $LOGTO_PID)."
-wait $LOGTO_PID
+# Restart Logto with real public endpoints
+echo "[entrypoint] Bootstrap done. Restarting Logto with public endpoints..."
+kill $LOGTO_PID 2>/dev/null
+wait $LOGTO_PID 2>/dev/null || true
+
+export ENDPOINT="$REAL_ENDPOINT"
+export ADMIN_ENDPOINT="$REAL_ADMIN_ENDPOINT"
+
+echo "[entrypoint] Starting Logto (production mode)..."
+exec npm start
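Review bot: The removed block was the only readiness probe of the admin API's OIDC discovery document before bootstrap runs; the new `export LOGTO_ADMIN_ENDPOINT="http://localhost:3002"` is not accompanied by an equivalent local check, and the loop ending at `done` just above starts outside this hunk, so it is unclear from here whether it probes port 3002 or only the main port. If it only covers 3001, a local probe such as `curl -sf "$LOGTO_ADMIN_ENDPOINT/oidc/.well-known/openid-configuration" >/dev/null` in a short retry loop would keep the bootstrap from racing Logto's admin listener the same way it previously raced Traefik. The `http://localhost:3001`/`:3002` literals are also now written twice (here and in the first hunk); defining them once, e.g. `BOOTSTRAP_ENDPOINT="http://localhost:3001"`, would keep the two places from drifting. The `if [ -f "$BOOTSTRAP_FILE" ]` branch continues beyond the end of the hunk.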
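Review bot: `kill $LOGTO_PID 2>/dev/null` runs under `set -e` with no `||` guard, so if the bootstrap-mode process has already exited (for example it crashed while bootstrap was running) the script aborts silently, and the following `wait $LOGTO_PID 2>/dev/null || true` discards the exit status that would explain why. Reporting both makes the restart path diagnosable: `kill "$LOGTO_PID" 2>/dev/null || echo "[entrypoint] WARNING: bootstrap-mode Logto was not running" >&2` and `wait "$LOGTO_PID" 2>/dev/null || echo "[entrypoint] bootstrap-mode Logto exited with status $?" >&2`. It is worth confirming that terminating the `npm start` wrapper also terminates the node child it spawned; if the child outlived it, the `exec npm start` in production mode would contend for the same ports, and a short check that 3001/3002 are free before the final `exec` would make that failure explicit rather than intermittent.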