simplify setup

2025-12-10 20:22:38 +00:00 · 2024-10-16 20:55:37 +02:00
parent 4cb17953b0
commit cb8f071729
7 changed files with 38 additions and 122 deletions
--- a/acceptance/Dockerfile
+++ b/acceptance/Dockerfile
@@ -1,6 +1,5 @@
 FROM golang:1.19-alpine
 RUN apk add curl jq
-RUN go install github.com/zitadel/zitadel-tools@v0.4.0
 COPY setup.sh /setup.sh
 RUN chmod +x /setup.sh
 ENTRYPOINT [ "/setup.sh" ]
--- a/acceptance/docker-compose.yaml
+++ b/acceptance/docker-compose.yaml
@@ -6,7 +6,7 @@ services:
    ports:
      - "8080:8080"
    volumes:
-      - ./machinekey:/machinekey
+      - ./pat:/pat
      - ./zitadel.yaml:/zitadel.yaml
    depends_on:
      db:
@@ -46,11 +46,11 @@ services:
    container_name: setup
    build: .
    environment:
-      KEY: /key/zitadel-admin-sa.json
-      SERVICE: http://zitadel:8080
+      PAT_FILE: /pat/zitadel-admin-sa.pat
+      ZITADEL_API_INTERNAL_URL: http://zitadel:8080
      WRITE_ENVIRONMENT_FILE: /apps/login/.env.local
    volumes:
-      - "./machinekey:/key"
+      - "./pat:/pat"
      - "../apps/login:/apps/login"
    depends_on:
      wait_for_zitadel:
--- a/acceptance/machinekey/.gitignore
+++ b/acceptance/machinekey/.gitignore
--- a/acceptance/machinekey/.gitkeep
+++ b/acceptance/machinekey/.gitkeep
--- a/acceptance/pat/zitadel-admin-sa.pat
+++ b/acceptance/pat/zitadel-admin-sa.pat
@@ -0,0 +1 @@
+fEJWwOJ3lFAn-COq0QxdXz_xCGrmp8Kj2l4i-xGWbh1UM2OtNwNz3_MblwOf_Lsd13B8ORk
--- a/acceptance/setup.sh
+++ b/acceptance/setup.sh
@@ -1,125 +1,34 @@
 #!/bin/sh

-set -e
+set -ex

-KEY=${KEY:-./machinekey/zitadel-admin-sa.json}
-echo "Using key path ${KEY} to the instance admin service account."
+PAT_FILE=${PAT_FILE:-./pat/zitadel-admin-sa.pat}
+ZITADEL_API_PROTOCOL="${ZITADEL_API_PROTOCOL:-http}"
+ZITADEL_API_DOMAIN="${ZITADEL_API_DOMAIN:-localhost}"
+ZITADEL_API_PORT="${ZITADEL_API_PORT:-8080}"
+ZITADEL_API_URL="${ZITADEL_API_URL:-${ZITADEL_API_PROTOCOL}://${ZITADEL_API_DOMAIN}:${ZITADEL_API_PORT}}"
+ZITADEL_API_INTERNAL_URL="${ZITADEL_API_INTERNAL_URL:-${ZITADEL_API_URL}}"

-AUDIENCE=${AUDIENCE:-http://localhost:8080}
-echo "Using audience ${AUDIENCE} for which the key is used."
+if [ -z "${PAT}" ]; then
+  echo "Reading PAT from file ${PAT_FILE}"
+  PAT=$(cat ${PAT_FILE})
+fi

-SERVICE=${SERVICE:-$AUDIENCE}
-echo "Using the service ${SERVICE} to connect to ZITADEL. For example in docker compose this can differ from the audience."
+if [ -z "${ZITADEL_SERVICE_USER_ID}" ]; then
+  echo "Reading ZITADEL_SERVICE_USER_ID from userinfo endpoint"
+  USERINFO_RESPONSE=$(curl -s --request POST \
+    --url "${ZITADEL_API_INTERNAL_URL}/oidc/v1/userinfo" \
+    --header "Authorization: Bearer ${PAT}" \
+    --header "Host: ${ZITADEL_API_DOMAIN}")
+  echo "Received userinfo response: ${USERINFO_RESPONSE}"
+  ZITADEL_SERVICE_USER_ID=$(echo "${USERINFO_RESPONSE}" | jq --raw-output '.sub')
+fi

 WRITE_ENVIRONMENT_FILE=${WRITE_ENVIRONMENT_FILE:-$(dirname "$0")/../apps/login/.env.local}
 echo "Writing environment file to ${WRITE_ENVIRONMENT_FILE} when done."

-AUDIENCE_HOST="$(echo $AUDIENCE | cut -d/ -f3)"
-echo "Deferred the Host header ${AUDIENCE_HOST} which will be sent in requests that ZITADEL then maps to a virtual instance"
-
-JWT=$(zitadel-tools key2jwt --key ${KEY} --audience ${AUDIENCE})
-echo "Created JWT from Admin service account key ${JWT}"
-
-TOKEN_RESPONSE=$(curl -s --request POST \
-  --url ${SERVICE}/oauth/v2/token \
-  --header 'Content-Type: application/x-www-form-urlencoded' \
-  --header "Host: ${AUDIENCE_HOST}" \
-  --data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
-  --data scope='openid profile email urn:zitadel:iam:org:project:id:zitadel:aud' \
-  --data assertion="${JWT}")
-echo "Got response from token endpoint:"
-echo "${TOKEN_RESPONSE}" | jq
-
-TOKEN=$(echo -n ${TOKEN_RESPONSE} | jq --raw-output '.access_token')
-echo "Extracted access token ${TOKEN}"
-
-ORG_RESPONSE=$(curl -s --request GET \
-  --url ${SERVICE}/admin/v1/orgs/default \
-  --header 'Accept: application/json' \
-  --header "Authorization: Bearer ${TOKEN}" \
-  --header "Host: ${AUDIENCE_HOST}")
-echo "Got default org response:"
-echo "${ORG_RESPONSE}" | jq
-
-ORG_ID=$(echo -n ${ORG_RESPONSE} | jq --raw-output '.org.id')
-echo "Extracted default org id ${ORG_ID}"
-
-echo "ZITADEL_API_URL=${AUDIENCE}
-ZITADEL_ORG_ID=${ORG_ID}
-ZITADEL_SERVICE_USER_TOKEN=${TOKEN}" > ${WRITE_ENVIRONMENT_FILE}
+echo "ZITADEL_API_URL=${ZITADEL_API_URL}
+ZITADEL_SERVICE_USER_ID=${ZITADEL_SERVICE_USER_ID}
+ZITADEL_SERVICE_USER_TOKEN=${PAT}" > ${WRITE_ENVIRONMENT_FILE}
 echo "Wrote environment file ${WRITE_ENVIRONMENT_FILE}"
 cat ${WRITE_ENVIRONMENT_FILE}
-
-if ! grep -q 'localhost' ${WRITE_ENVIRONMENT_FILE}; then
-  echo "Not developing against localhost, so creating a human user might not be necessary"
-  exit 0
-fi
-
-HUMAN_USER_USERNAME="zitadel-admin@zitadel.localhost"
-HUMAN_USER_PASSWORD="Password1!"
-
-HUMAN_USER_PAYLOAD=$(cat << EOM
-{
-  "userName": "${HUMAN_USER_USERNAME}",
-  "profile": {
-    "firstName": "ZITADEL",
-    "lastName": "Admin",
-    "displayName": "ZITADEL Admin",
-    "preferredLanguage": "en"
-  },
-  "email": {
-    "email": "zitadel-admin@zitadel.localhost",
-    "isEmailVerified": true
-  },
-  "password": "${HUMAN_USER_PASSWORD}",
-  "passwordChangeRequired": false
-}
-EOM
-)
-echo "Creating human user"
-echo "${HUMAN_USER_PAYLOAD}" | jq
-
-HUMAN_USER_RESPONSE=$(curl -s --request POST \
-  --url ${SERVICE}/management/v1/users/human/_import \
-  --header 'Content-Type: application/json' \
-  --header 'Accept: application/json' \
-  --header "Authorization: Bearer ${TOKEN}" \
-  --header "Host: ${AUDIENCE_HOST}" \
-  --data-raw "${HUMAN_USER_PAYLOAD}")
-echo "Create human user response"
-echo "${HUMAN_USER_RESPONSE}" | jq
-
-if [ "$(echo -n "${HUMAN_USER_RESPONSE}" | jq --raw-output '.code')" == "6" ]; then
-  echo "admin user already exists"
-  exit 0
-fi
-
-HUMAN_USER_ID=$(echo -n ${HUMAN_USER_RESPONSE} | jq --raw-output '.userId')
-echo "Extracted human user id ${HUMAN_USER_ID}"
-
-HUMAN_ADMIN_PAYLOAD=$(cat << EOM
-{
-  "userId": "${HUMAN_USER_ID}",
-  "roles": [
-    "IAM_OWNER"
-  ]
-}
-EOM
-)
-echo "Granting iam owner to human user"
-echo "${HUMAN_ADMIN_PAYLOAD}" | jq
-
-HUMAN_ADMIN_RESPONSE=$(curl -s --request POST \
-  --url ${SERVICE}/admin/v1/members \
-  --header 'Content-Type: application/json' \
-  --header 'Accept: application/json' \
-  --header "Authorization: Bearer ${TOKEN}" \
-  --header "Host: ${AUDIENCE_HOST}" \
-  --data-raw "${HUMAN_ADMIN_PAYLOAD}")
-
-echo "Grant iam owner to human user response"
-echo "${HUMAN_ADMIN_RESPONSE}" | jq
-
-echo "You can now log in at ${AUDIENCE}/ui/login"
-echo "username: ${HUMAN_USER_USERNAME}"
-echo "password: ${HUMAN_USER_PASSWORD}"
--- a/acceptance/zitadel.yaml
+++ b/acceptance/zitadel.yaml
@@ -1,12 +1,19 @@
 FirstInstance:
-  MachineKeyPath: /machinekey/zitadel-admin-sa.json
+  PatPath: /pat/zitadel-admin-sa.pat
  Org:
+    Human:
+      UserName: zitadel-admin
+      FirstName: ZITADEL
+      LastName: Admin
+      Password: Password1!
+      PasswordChangeRequired: true
+      PreferredLanguage: en
    Machine:
      Machine:
        Username: zitadel-admin-sa
        Name: Admin
-      MachineKey:
-        Type: 1
+      Pat:
+        ExpirationDate: 2099-01-01T00:00:00Z

 Database:
  EventPushConnRatio: 0.2 # 4
				`@@ -0,0 +1 @@`
				`fEJWwOJ3lFAn-COq0QxdXz_xCGrmp8Kj2l4i-xGWbh1UM2OtNwNz3_MblwOf_Lsd13B8ORk`