Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
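#!/usr/bin/env bash
# Bootstrap the OAuth2 clients listed in the mounted credentials file into Hydra.
# Required env:  HYDRA_ADMIN_URL - Hydra admin API endpoint used by the hydra CLI
# Required tools: hydra CLI, jq
set -euo pipefail

# Constants
readonly CREDENTIALS_FILE="/etc/config/oauth2/client/client-credentials.json"

# Fail up front with a readable message rather than an "unbound variable"
# error from the first hydra call.
: "${HYDRA_ADMIN_URL:?HYDRA_ADMIN_URL must be set to the Hydra admin endpoint}"

# The credentials file must be mounted into the container; refuse to run without it.
if [ ! -f "$CREDENTIALS_FILE" ]; then
  printf 'ERROR: credentials file %s not found\n' "$CREDENTIALS_FILE" >&2
  exit 1
fi

# Wait for Hydra to be ready.
# NOTE(review): fixed delay only; polling the admin API until it answers would be
# more robust than a sleep - confirm whether a readiness endpoint is reachable here.
sleep 3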
# Function to create client
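#######################################
# Ensure an OAuth2 client exists in Hydra, creating it when it is absent.
# Globals:   HYDRA_ADMIN_URL (read) - Hydra admin API endpoint
# Arguments: $1 - client id
#            $2 - client secret
#            $3 - scope string passed verbatim to --scope
# Outputs:   one INFO line on stdout; errors on stderr
# Returns:   0 if the client already exists or was created, 1 if creation failed
#######################################
create_client() {
  local client_id=$1
  local client_secret=$2
  local scope=$3

  # Idempotency: an existing client is reported and left untouched.
  if hydra get oauth2-client "$client_id" --endpoint "$HYDRA_ADMIN_URL" >/dev/null 2>&1; then
    printf 'INFO: client %s exists in Hydra\n' "$client_id"
    return 0
  fi

  # The secret travels on the hydra command line, so it is briefly visible in the
  # process list of this container. The CLI's JSON result is not needed, so it is
  # discarded to keep stdout limited to the INFO lines.
  if ! hydra create oauth2-client --endpoint "$HYDRA_ADMIN_URL" \
    --id "$client_id" \
    --secret "$client_secret" \
    --grant-type "client_credentials" \
    --response-type "token" \
    --scope "$scope" \
    --token-endpoint-auth-method "client_secret_post" \
    --format json >/dev/null; then
    printf 'ERROR: failed to create client %s in Hydra\n' "$client_id" >&2
    return 1
  fi

  printf 'INFO: client %s created\n' "$client_id"
}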
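# Load client credentials and register each entry with Hydra.
# Process substitution keeps the loop in the main shell, so a non-zero status
# from create_client stops the script directly under set -e instead of via a
# pipeline subshell. Missing or null fields are rejected up front; otherwise
# jq -r would emit the literal string "null" and a client could be created
# with that as its id, secret or scope.
while IFS= read -r client; do
  client_id=$(jq -r '.client_id // empty' <<<"$client")
  client_secret=$(jq -r '.client_secret // empty' <<<"$client")
  scope=$(jq -r '.scope // empty' <<<"$client")
  if [ -z "$client_id" ] || [ -z "$client_secret" ] || [ -z "$scope" ]; then
    # Only the id is echoed back: the raw entry would put the secret in the logs.
    printf 'ERROR: entry for client "%s" is missing client_id, client_secret or scope\n' "$client_id" >&2
    exit 1
  fi
  create_client "$client_id" "$client_secret" "$scope"
done < <(jq -c '.[]' "$CREDENTIALS_FILE")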