netbox-diode-project/oauth2/client/bootstrap-clients.sh

#!/usr/bin/env bash

set -euo pipefail

# Constants
CREDENTIALS_FILE="/etc/config/oauth2/client/client-credentials.json"

# Create the credentials file if it doesn't exist
if [ ! -f "$CREDENTIALS_FILE" ]; then
  echo "ERROR: credentials file $CREDENTIALS_FILE not found"
  exit 1
fi

# Wait for Hydra to be ready
sleep 3

# Function to create client
create_client() {
  local client_id=$1
  local client_secret=$2
  local scope=$3
  local exists_in_hydra=false

  # Check if client exists in Hydra
  if hydra get oauth2-client $client_id --endpoint $HYDRA_ADMIN_URL >/dev/null 2>&1; then
    exists_in_hydra=true
  fi

  # Log client existence status
  if [ "$exists_in_hydra" = true ]; then
    echo "INFO: client $client_id exists in Hydra"
    return 0
  fi

  # Create new client if it doesn't exist in Hydra
  if [ "$exists_in_hydra" = false ]; then
    client_output=$(hydra create oauth2-client --endpoint $HYDRA_ADMIN_URL \
      --id $client_id \
      --secret $client_secret \
      --grant-type "client_credentials" \
      --response-type "token" \
      --scope "$scope" \
      --token-endpoint-auth-method "client_secret_post" \
      --format json)

    echo "INFO: client $client_id created"
  fi
}

# Load client credentials
jq -c '.[]' "$CREDENTIALS_FILE" | while read -r client; do
  client_id=$(echo "$client" | jq -r '.client_id')
  client_secret=$(echo "$client" | jq -r '.client_secret')
  scope=$(echo "$client" | jq -r '.scope')
  create_client "$client_id" "$client_secret" "$scope"
done
Fix Diode stack configuration to match upstream architecture Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 21:51:40 -07:00			`#!/usr/bin/env bash`
Add project infrastructure and configuration files Docker Compose stack, nginx config, OAuth2 client bootstrap, Hydra DB init, setup script, and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 20:46:59 -07:00
Fix Diode stack configuration to match upstream architecture Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 21:51:40 -07:00			`set -euo pipefail`
Add project infrastructure and configuration files Docker Compose stack, nginx config, OAuth2 client bootstrap, Hydra DB init, setup script, and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 20:46:59 -07:00
Fix Diode stack configuration to match upstream architecture Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 21:51:40 -07:00			`# Constants`
			`CREDENTIALS_FILE="/etc/config/oauth2/client/client-credentials.json"`
Add project infrastructure and configuration files Docker Compose stack, nginx config, OAuth2 client bootstrap, Hydra DB init, setup script, and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 20:46:59 -07:00
Fix Diode stack configuration to match upstream architecture Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 21:51:40 -07:00			`# Create the credentials file if it doesn't exist`
			`if [ ! -f "$CREDENTIALS_FILE" ]; then`
			`echo "ERROR: credentials file $CREDENTIALS_FILE not found"`
			`exit 1`
			`fi`
Add project infrastructure and configuration files Docker Compose stack, nginx config, OAuth2 client bootstrap, Hydra DB init, setup script, and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 20:46:59 -07:00
Fix Diode stack configuration to match upstream architecture Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 21:51:40 -07:00			`# Wait for Hydra to be ready`
			`sleep 3`
Add project infrastructure and configuration files Docker Compose stack, nginx config, OAuth2 client bootstrap, Hydra DB init, setup script, and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 20:46:59 -07:00
Fix Diode stack configuration to match upstream architecture Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 21:51:40 -07:00			`# Function to create client`
			`create_client() {`
			`local client_id=$1`
			`local client_secret=$2`
			`local scope=$3`
			`local exists_in_hydra=false`
Add project infrastructure and configuration files Docker Compose stack, nginx config, OAuth2 client bootstrap, Hydra DB init, setup script, and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 20:46:59 -07:00
Fix Diode stack configuration to match upstream architecture Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 21:51:40 -07:00			`# Check if client exists in Hydra`
			`if hydra get oauth2-client $client_id --endpoint $HYDRA_ADMIN_URL >/dev/null 2>&1; then`
			`exists_in_hydra=true`
Add project infrastructure and configuration files Docker Compose stack, nginx config, OAuth2 client bootstrap, Hydra DB init, setup script, and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 20:46:59 -07:00			`fi`

Fix Diode stack configuration to match upstream architecture Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 21:51:40 -07:00			`# Log client existence status`
			`if [ "$exists_in_hydra" = true ]; then`
			`echo "INFO: client $client_id exists in Hydra"`
			`return 0`
			`fi`
Add project infrastructure and configuration files Docker Compose stack, nginx config, OAuth2 client bootstrap, Hydra DB init, setup script, and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 20:46:59 -07:00
Fix Diode stack configuration to match upstream architecture Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 21:51:40 -07:00			`# Create new client if it doesn't exist in Hydra`
			`if [ "$exists_in_hydra" = false ]; then`
			`client_output=$(hydra create oauth2-client --endpoint $HYDRA_ADMIN_URL \`
			`--id $client_id \`
			`--secret $client_secret \`
			`--grant-type "client_credentials" \`
			`--response-type "token" \`
			`--scope "$scope" \`
			`--token-endpoint-auth-method "client_secret_post" \`
			`--format json)`

			`echo "INFO: client $client_id created"`
			`fi`
			`}`

			`# Load client credentials`
			`jq -c '.[]' "$CREDENTIALS_FILE" \| while read -r client; do`
			`client_id=$(echo "$client" \| jq -r '.client_id')`
			`client_secret=$(echo "$client" \| jq -r '.client_secret')`
			`scope=$(echo "$client" \| jq -r '.scope')`
			`create_client "$client_id" "$client_secret" "$scope"`
			`done`