From 9042356e81cc9aec5e497820fc90cce8ea961fa9 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 13 Apr 2026 17:22:05 +0200
Subject: [PATCH] fix: wait for Traefik to discover routes before bootstrap

The Management API requires the admin OIDC endpoint (ADMIN_ENDPOINT)
to be reachable. Since bootstrap now runs inside the Logto container
(not a separate container), Traefik may not have discovered the labels
yet. Wait for the admin endpoint to be routable before running bootstrap.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docker/cameleer-logto/logto-entrypoint.sh | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/docker/cameleer-logto/logto-entrypoint.sh b/docker/cameleer-logto/logto-entrypoint.sh
index 7eb5a07..00b23da 100644
--- a/docker/cameleer-logto/logto-entrypoint.sh
+++ b/docker/cameleer-logto/logto-entrypoint.sh
@@ -24,6 +24,24 @@ for i in $(seq 1 120); do
   sleep 1
 done
 
+# Wait for admin endpoint to be routable through Traefik
+# The Management API needs ADMIN_ENDPOINT for admin tenant OIDC discovery.
+# Since bootstrap runs inside this container (not a separate one), Traefik
+# may not have discovered our labels yet — wait for it.
+if [ -n "$ADMIN_ENDPOINT" ]; then
+  echo "[entrypoint] Waiting for admin endpoint ($ADMIN_ENDPOINT) to be routable..."
+  for i in $(seq 1 60); do
+    if curl -sfk "$ADMIN_ENDPOINT/oidc/.well-known/openid-configuration" >/dev/null 2>&1; then
+      echo "[entrypoint] Admin endpoint ready."
+      break
+    fi
+    if [ "$i" -eq 60 ]; then
+      echo "[entrypoint] WARNING: Admin endpoint not reachable after 60s, bootstrap may fail"
+    fi
+    sleep 1
+  done
+fi
+
 # Run bootstrap if not already done
 BOOTSTRAP_FILE="/data/logto-bootstrap.json"
 if [ -f "$BOOTSTRAP_FILE" ]; then