Drops the AbstractWizard config-volume bootstrap entirely. All deploy-time
config now comes from docker env vars (.env). First-deploy admin user + OIDC
provider config are operator-driven via `docker exec hf_backend hf-cli ...`.
Backend changes:
- entrypoint.sh: drop config-wait loop, just exec uvicorn
- app/core/config.py: drop _resolve_db_url + OIDC_* env vars (DB only now);
  keep HARBORFORGE_OIDC_ONLY (deploy-time policy)
- app/init_wizard.py → app/init_bootstrap.py: drop load_config / admin / OIDC /
  default-project bootstrap; keep idempotent startup seed (permissions,
  default roles, acc-mgr + deleted-user builtins)
- app/main.py: /config/status now returns {initialized: <admin exists>};
  startup() imports init_bootstrap.run_bootstrap
- app/api/routers/oidc.py: get_effective_oidc reads DB only (no env fallback)
- app/services/harborforge_config.py: removed (replaced by direct env reads)
- app/services/discord_wakeup.py: HF_DISCORD_GUILD_ID / HF_DISCORD_BOT_TOKEN env
- app/api/routers/users.py + tests/conftest.py: rename init_wizard refs

New hf-cli surface (app/cli/, invoked via /usr/local/bin/hf-cli shim):
  hf-cli admin create-user --email <e> [--username <u>] [--password <p>]
      [--oidc-issuer <url> --oidc-subject <sub>]
  hf-cli admin list
  hf-cli admin set-role --username <u> --role <admin|mgr|dev|guest|account-manager>
  hf-cli admin reset-password --username <u> --password <p>
  hf-cli admin bind-oidc --username <u> --oidc-issuer <url> --oidc-subject <sub>
  hf-cli config oidc [--issuer/...] [--client-id/...] [--client-secret/...]
      [--redirect-uri/...] [--enabled true|false] [--show-secret]
Bootstrap migration on existing deployments: existing admin / OIDC settings
in the DB are preserved across the cutover; only the wizard config-volume
+ wizard sidecar services need to be removed from compose. Restart picks
up the new entrypoint + skips the config wait.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
59 lines
1.6 KiB
Docker
```dockerfile
# Stage 1: build dependencies
FROM python:3.11-slim AS builder

WORKDIR /app

# Install build dependencies
RUN apt-get update && apt-get install -y \
    build-essential \
    default-libmysqlclient-dev \
    pkg-config \
    && rm -rf /var/lib/apt/lists/*

# Pre-download wheels to avoid recompiling bcrypt from source
RUN pip install --no-cache-dir --prefix=/install \
    'bcrypt==4.0.1' \
    'cffi>=2.0' \
    'pycparser>=2.0'

# Install Python dependencies
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

# Stage 2: slim runtime
FROM python:3.11-slim

WORKDIR /app

# Install runtime dependencies only (no build tools)
RUN apt-get update && apt-get install -y \
    default-libmysqlclient-dev \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Copy installed packages from builder
COPY --from=builder /install /usr/local

# Copy application code
COPY app/ ./app/
COPY requirements.txt ./

# Make entrypoint
COPY entrypoint.sh .
RUN chmod +x entrypoint.sh

# Install hf-cli as a /usr/local/bin shim that re-enters the app package
# (so `docker exec hf-backend hf-cli admin create-user ...` works). The
# CLI reads the same DATABASE_URL / SECRET_KEY env as the backend.
RUN printf '#!/bin/sh\nexec python -m app.cli "$@"\n' > /usr/local/bin/hf-cli && \
    chmod +x /usr/local/bin/hf-cli

# OIDC-only mode: when "true", password login is rejected, user creation
# ignores passwords (passwordless users that sign in via a bound OIDC
# identity / API keys). Overridable at runtime via the same env var.
ARG HARBORFORGE_OIDC_ONLY=false
ENV HARBORFORGE_OIDC_ONLY=${HARBORFORGE_OIDC_ONLY}

EXPOSE 8000
ENTRYPOINT ["./entrypoint.sh"]
```
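As an added illustration, not HarborForge's own code, here is the HARBORFORGE_OIDC_ONLY deploy-time policy that the Dockerfile comment and the commit message describe: the flag is read from the environment, password login is refused while it is set, and user creation drops any supplied password so the account is passwordless. The function names, the `User` model and the PBKDF2 stand-in hasher are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def oidc_only_enabled(env: dict) -> bool:
    # Deploy-time policy read straight from the environment, as the commit
    # describes (no config volume). Only the literal "true" enables it.
    return env.get("HARBORFORGE_OIDC_ONLY", "false").strip().lower() == "true"


@dataclass
class User:
    username: str
    salt: Optional[bytes]            # None => passwordless account
    password_hash: Optional[bytes]   # (signs in via bound OIDC identity / API key)
    oidc_issuer: Optional[str] = None
    oidc_subject: Optional[str] = None


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 stands in for the real hasher; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(username: str, password: Optional[str], env: dict,
                oidc_issuer: Optional[str] = None,
                oidc_subject: Optional[str] = None) -> User:
    # In OIDC-only mode a supplied password is ignored and the account is
    # created passwordless, so no credential exists for a password path to use.
    if oidc_only_enabled(env) or password is None:
        return User(username, None, None, oidc_issuer, oidc_subject)
    salt = secrets.token_bytes(16)
    return User(username, salt, _hash(password, salt), oidc_issuer, oidc_subject)


def password_login(user: User, password: str, env: dict) -> bool:
    # Policy gate first: OIDC-only deployments reject password login outright,
    # even for accounts that still carry a hash from before the cutover.
    if oidc_only_enabled(env):
        return False
    if user.password_hash is None or user.salt is None:
        return False  # passwordless account: nothing to verify against
    return hmac.compare_digest(_hash(password, user.salt), user.password_hash)
```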