Solves the OIDC-only bootstrap lockout (admin can't reach the in-app OIDC settings page when password login is disabled and OIDC is unset). - Frontend image entrypoint injects /runtime-config.js from the deploy-time HARBORFORGE_OIDC_ONLY env so the SPA knows the mode before the backend exists. - Setup wizard gains an "OIDC" step (between Admin and Backend): required when OIDC-only (incl. admin's OIDC subject so the bootstrap admin can sign in), optional otherwise; written into harborforge.json. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
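# Build stage: installs dependencies and runs the project's build script.
FROM node:20-alpine AS build

WORKDIR /app

# Copy the manifests first so the dependency layer stays cached until they
# change. The trailing `*` makes the lockfile optional.
COPY package.json package-lock.json* ./

# With a lockfile present, `npm ci` installs exactly the versions it pins and
# fails if it disagrees with package.json, so a rebuild cannot silently pull
# newer dependency versions. Without a lockfile, fall back to `npm install`.
RUN if [ -f package-lock.json ]; then npm ci; else npm install; fi

# NOTE(review): this copies the whole build context, and the runtime stage
# copies all of /app onward. Confirm that a .dockerignore keeps .env files,
# .git and host node_modules out of the image.
COPY . .

RUN npm run build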
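# Runtime stage: serves the built SPA with `serve`, or runs the dev server
# when FRONTEND_DEV_MODE=1. The whole build tree is copied over (not just
# dist) because dev mode runs `npm run dev` from it.
FROM node:20-alpine

# Installed as root, before privileges are dropped. Only the major version is
# pinned; pin an exact release for reproducible images.
RUN npm install -g serve@14

WORKDIR /app

# The start command writes runtime-config.js under /app, so the directory and
# the copied tree must belong to the unprivileged user the container runs as.
RUN chown node:node /app
COPY --from=build --chown=node:node /app ./

ENV FRONTEND_DEV_MODE=0

# OIDC-only mode flag. Injected into the SPA at container start as
# /runtime-config.js so the setup wizard knows it before the backend
# exists; /auth/config remains authoritative once the backend is up.
# The build ARG only sets the default; the value read at container start is
# the runtime environment variable.
ARG HARBORFORGE_OIDC_ONLY=false
ENV HARBORFORGE_OIDC_ONLY=${HARBORFORGE_OIDC_ONLY}

EXPOSE 3000

# Drop root: `node` is the unprivileged account shipped in the official node
# images, and port 3000 needs no extra privileges.
# NOTE(review): if a deployment bind-mounts sources over /app for dev mode,
# the mount must be writable by this user. Confirm against the compose files.
USER node

# Start-up script:
#  - The env value is reduced to the literal `true` or `false` before it is
#    written into the script, so the raw variable content never reaches the
#    JavaScript that the browser executes.
#  - runtime-config.js is written to public/ always and to dist/ only when
#    that directory exists.
#  - `exec` replaces the wrapper shell with the server process, so the stop
#    signal from the container runtime reaches the server itself.
CMD ["sh", "-c", "\
if [ \"$HARBORFORGE_OIDC_ONLY\" = \"true\" ]; then OO=true; else OO=false; fi; \
CFG=\"window.__HF_RUNTIME__={\\\"oidc_only\\\":$OO};\"; \
mkdir -p public; printf '%s' \"$CFG\" > public/runtime-config.js; \
[ -d dist ] && printf '%s' \"$CFG\" > dist/runtime-config.js; \
if [ \"$FRONTEND_DEV_MODE\" = \"1\" ]; then exec npm run dev -- --host 0.0.0.0 --port 3000 --strictPort; else exec serve -s dist -l 3000; fi"]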