fix: use separate CH credentials, remove dead bootstrap code

- ClickHouse: pass user/password via ProvisioningProperties instead of baking into JDBC URLs. All consumers (InfrastructureService, TenantDataCleanupService, DockerTenantProvisioner) use the same source. - Bootstrap: remove dead tenant config (CAMELEER_AUTH_TOKEN, t-default org, example tenant vars) — tenants are created dynamically by vendor. - Bootstrap JSON: remove unused fields (tenantName, tenantSlug, bootstrapToken, tenantAdminUser, organizationId). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 14:12:42 +02:00
parent da4a263cd7
commit 96aa6579b0
7 changed files with 13 additions and 27 deletions
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -27,13 +27,6 @@ API_RESOURCE_NAME="Cameleer SaaS API"
 # Users (configurable via env vars)
 SAAS_ADMIN_USER="${SAAS_ADMIN_USER:-admin}"
 SAAS_ADMIN_PASS="${SAAS_ADMIN_PASS:-admin}"
-TENANT_ADMIN_USER="${TENANT_ADMIN_USER:-camel}"
-TENANT_ADMIN_PASS="${TENANT_ADMIN_PASS:-camel}"
-
-# Tenant config
-TENANT_NAME="Example Tenant"
-TENANT_SLUG="default"
-BOOTSTRAP_TOKEN="${CAMELEER_AUTH_TOKEN:-default-bootstrap-token}"

 # Vendor seed (optional — creates saas-vendor role + vendor user)
 VENDOR_SEED_ENABLED="${VENDOR_SEED_ENABLED:-false}"
@@ -474,16 +467,9 @@ if [ -n "$ADMIN_TENANT_USER_ID" ] && [ "$ADMIN_TENANT_USER_ID" != "null" ]; then
    log "WARNING: admin tenant roles not found"
  fi

-  # Add to t-default organization with admin role
-  admin_api_post "/api/organizations/t-default/users" "{\"userIds\": [\"$ADMIN_TENANT_USER_ID\"]}" >/dev/null 2>&1
-  TENANT_ADMIN_ORG_ROLE_ID=$(admin_api_get "/api/organization-roles" | jq -r '.[] | select(.name == "admin") | .id')
-  if [ -n "$TENANT_ADMIN_ORG_ROLE_ID" ] && [ "$TENANT_ADMIN_ORG_ROLE_ID" != "null" ]; then
-    admin_api_post "/api/organizations/t-default/users/$ADMIN_TENANT_USER_ID/roles" "{\"organizationRoleIds\": [\"$TENANT_ADMIN_ORG_ROLE_ID\"]}" >/dev/null 2>&1
-    log "Added to t-default organization with admin role."
-  fi
-  # Switch admin tenant sign-in mode from Register to SignIn (user already created)
+  # Switch sign-in mode from Register to SignIn (admin user already created)
  admin_api_patch "/api/sign-in-exp" '{"signInMode": "SignIn"}' >/dev/null 2>&1
-  log "Set admin tenant sign-in mode to SignIn."
+  log "Set sign-in mode to SignIn."

  log "SaaS admin granted Logto console access."
 else
@@ -577,12 +563,7 @@ cat > "$BOOTSTRAP_FILE" <<EOF
  "tradAppId": "$TRAD_ID",
  "tradAppSecret": "$TRAD_SECRET",
  "apiResourceIndicator": "$API_RESOURCE_INDICATOR",
-  "organizationId": "$ORG_ID",
-  "tenantName": "$TENANT_NAME",
-  "tenantSlug": "$TENANT_SLUG",
-  "bootstrapToken": "$BOOTSTRAP_TOKEN",
  "platformAdminUser": "$SAAS_ADMIN_USER",
-  "tenantAdminUser": "$TENANT_ADMIN_USER",
  "oidcIssuerUri": "${LOGTO_ENDPOINT}/oidc",
  "oidcAudience": "$API_RESOURCE_INDICATOR"
 }
@@ -680,7 +661,6 @@ if [ "$VENDOR_SEED_ENABLED" = "true" ]; then
      [ -n "$ADMIN_USER_ROLE_ID" ] && [ "$ADMIN_USER_ROLE_ID" != "null" ] && V_ROLE_IDS=$(echo "$V_ROLE_IDS" | jq ". + [\"$ADMIN_USER_ROLE_ID\"]")
      [ -n "$ADMIN_ROLE_ID" ] && [ "$ADMIN_ROLE_ID" != "null" ] && V_ROLE_IDS=$(echo "$V_ROLE_IDS" | jq ". + [\"$ADMIN_ROLE_ID\"]")
      [ "$V_ROLE_IDS" != "[]" ] && admin_api_post "/api/users/$VENDOR_CONSOLE_USER_ID/roles" "{\"roleIds\": $V_ROLE_IDS}" >/dev/null 2>&1
-      admin_api_post "/api/organizations/t-default/users" "{\"userIds\": [\"$VENDOR_CONSOLE_USER_ID\"]}" >/dev/null 2>&1
      log "Vendor granted Logto console access."
    fi
  else