monacousa-portal/scripts/update-kong-keys.sh

#!/bin/bash
# Update kong.yml with API keys from .env
# Run this after setting up .env with your production keys

set -e

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
ENV_FILE="$PROJECT_DIR/.env"
KONG_FILE="$PROJECT_DIR/supabase/docker/kong.yml"

# Check if .env exists
if [ ! -f "$ENV_FILE" ]; then
    echo "Error: .env file not found at $ENV_FILE"
    exit 1
fi

# Load environment variables
source "$ENV_FILE"

# Verify keys are set
if [ -z "$ANON_KEY" ]; then
    echo "Error: ANON_KEY is not set in .env"
    exit 1
fi

if [ -z "$SERVICE_ROLE_KEY" ]; then
    echo "Error: SERVICE_ROLE_KEY is not set in .env"
    exit 1
fi

# Backup original kong.yml
cp "$KONG_FILE" "$KONG_FILE.bak"

# Create updated kong.yml
cat > "$KONG_FILE" << EOF
_format_version: "2.1"
_transform: true

###
### Consumers / Users
###
consumers:
  - username: ANON
    keyauth_credentials:
      - key: $ANON_KEY
  - username: SERVICE_ROLE
    keyauth_credentials:
      - key: $SERVICE_ROLE_KEY

###
### Access Control Lists
###
acls:
  - consumer: ANON
    group: anon
  - consumer: SERVICE_ROLE
    group: admin

###
### API Routes
###
services:
  ## Redirect /auth/verify to SvelteKit app for email links
  - name: auth-verify-redirect
    url: http://portal:3000/auth/verify
    routes:
      - name: auth-verify-redirect
        strip_path: false
        paths:
          - /auth/verify
        preserve_host: false
    plugins:
      - name: cors

  ## Auth Service (GoTrue)
  - name: auth-v1-open
    url: http://auth:9999/verify
    routes:
      - name: auth-v1-open
        strip_path: true
        paths:
          - /auth/v1/verify
    plugins:
      - name: cors

  - name: auth-v1-open-callback
    url: http://auth:9999/callback
    routes:
      - name: auth-v1-open-callback
        strip_path: true
        paths:
          - /auth/v1/callback
    plugins:
      - name: cors

  - name: auth-v1-open-authorize
    url: http://auth:9999/authorize
    routes:
      - name: auth-v1-open-authorize
        strip_path: true
        paths:
          - /auth/v1/authorize
    plugins:
      - name: cors

  - name: auth-v1
    url: http://auth:9999/
    routes:
      - name: auth-v1
        strip_path: true
        paths:
          - /auth/v1/
    plugins:
      - name: cors
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin
            - anon

  ## REST Service (PostgREST)
  - name: rest-v1
    url: http://rest:3000/
    routes:
      - name: rest-v1
        strip_path: true
        paths:
          - /rest/v1/
    plugins:
      - name: cors
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin
            - anon

  ## Realtime Service
  - name: realtime-v1-ws
    url: http://realtime:4000/socket
    routes:
      - name: realtime-v1-ws
        strip_path: true
        paths:
          - /realtime/v1/websocket
    plugins:
      - name: cors
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin
            - anon

  - name: realtime-v1
    url: http://realtime:4000/
    routes:
      - name: realtime-v1
        strip_path: true
        paths:
          - /realtime/v1/
    plugins:
      - name: cors
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin
            - anon

  ## Storage Service - Public objects (no auth required)
  - name: storage-v1-public
    url: http://storage:5000/object/public
    routes:
      - name: storage-v1-public
        strip_path: true
        paths:
          - /storage/v1/object/public
    plugins:
      - name: cors

  ## Storage Service - All other operations (auth required)
  - name: storage-v1
    url: http://storage:5000/
    routes:
      - name: storage-v1
        strip_path: true
        paths:
          - /storage/v1/
    plugins:
      - name: cors
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin
            - anon

  ## PostgreSQL Meta (for Studio)
  - name: meta
    url: http://meta:8080/
    routes:
      - name: meta
        strip_path: true
        paths:
          - /pg/
    plugins:
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin
EOF

echo "Kong configuration updated successfully!"
echo "Restart Kong to apply changes: docker compose restart kong"
Add script to update kong.yml with production API keys - Creates scripts/update-kong-keys.sh - Reads ANON_KEY and SERVICE_ROLE_KEY from .env - Generates kong.yml with correct API keys - Run after setting up .env to configure Kong authentication Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-26 10:03:40 +01:00			`#!/bin/bash`
			`# Update kong.yml with API keys from .env`
			`# Run this after setting up .env with your production keys`

			`set -e`

			`SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`PROJECT_DIR="$(dirname "$SCRIPT_DIR")"`
			`ENV_FILE="$PROJECT_DIR/.env"`
			`KONG_FILE="$PROJECT_DIR/supabase/docker/kong.yml"`

			`# Check if .env exists`
			`if [ ! -f "$ENV_FILE" ]; then`
			`echo "Error: .env file not found at $ENV_FILE"`
			`exit 1`
			`fi`

			`# Load environment variables`
			`source "$ENV_FILE"`

			`# Verify keys are set`
			`if [ -z "$ANON_KEY" ]; then`
			`echo "Error: ANON_KEY is not set in .env"`
			`exit 1`
			`fi`

			`if [ -z "$SERVICE_ROLE_KEY" ]; then`
			`echo "Error: SERVICE_ROLE_KEY is not set in .env"`
			`exit 1`
			`fi`

			`# Backup original kong.yml`
			`cp "$KONG_FILE" "$KONG_FILE.bak"`

			`# Create updated kong.yml`
			`cat > "$KONG_FILE" << EOF`
			`_format_version: "2.1"`
			`_transform: true`

			`###`
			`### Consumers / Users`
			`###`
			`consumers:`
			`- username: ANON`
			`keyauth_credentials:`
			`- key: $ANON_KEY`
			`- username: SERVICE_ROLE`
			`keyauth_credentials:`
			`- key: $SERVICE_ROLE_KEY`

			`###`
			`### Access Control Lists`
			`###`
			`acls:`
			`- consumer: ANON`
			`group: anon`
			`- consumer: SERVICE_ROLE`
			`group: admin`

			`###`
			`### API Routes`
			`###`
			`services:`
			`## Redirect /auth/verify to SvelteKit app for email links`
			`- name: auth-verify-redirect`
			`url: http://portal:3000/auth/verify`
			`routes:`
			`- name: auth-verify-redirect`
			`strip_path: false`
			`paths:`
			`- /auth/verify`
			`preserve_host: false`
			`plugins:`
			`- name: cors`

			`## Auth Service (GoTrue)`
			`- name: auth-v1-open`
			`url: http://auth:9999/verify`
			`routes:`
			`- name: auth-v1-open`
			`strip_path: true`
			`paths:`
			`- /auth/v1/verify`
			`plugins:`
			`- name: cors`

			`- name: auth-v1-open-callback`
			`url: http://auth:9999/callback`
			`routes:`
			`- name: auth-v1-open-callback`
			`strip_path: true`
			`paths:`
			`- /auth/v1/callback`
			`plugins:`
			`- name: cors`

			`- name: auth-v1-open-authorize`
			`url: http://auth:9999/authorize`
			`routes:`
			`- name: auth-v1-open-authorize`
			`strip_path: true`
			`paths:`
			`- /auth/v1/authorize`
			`plugins:`
			`- name: cors`

			`- name: auth-v1`
			`url: http://auth:9999/`
			`routes:`
			`- name: auth-v1`
			`strip_path: true`
			`paths:`
			`- /auth/v1/`
			`plugins:`
			`- name: cors`
			`- name: key-auth`
			`config:`
			`hide_credentials: false`
			`- name: acl`
			`config:`
			`hide_groups_header: true`
			`allow:`
			`- admin`
			`- anon`

			`## REST Service (PostgREST)`
			`- name: rest-v1`
			`url: http://rest:3000/`
			`routes:`
			`- name: rest-v1`
			`strip_path: true`
			`paths:`
			`- /rest/v1/`
			`plugins:`
			`- name: cors`
			`- name: key-auth`
			`config:`
			`hide_credentials: false`
			`- name: acl`
			`config:`
			`hide_groups_header: true`
			`allow:`
			`- admin`
			`- anon`

			`## Realtime Service`
			`- name: realtime-v1-ws`
			`url: http://realtime:4000/socket`
			`routes:`
			`- name: realtime-v1-ws`
			`strip_path: true`
			`paths:`
			`- /realtime/v1/websocket`
			`plugins:`
			`- name: cors`
			`- name: key-auth`
			`config:`
			`hide_credentials: false`
			`- name: acl`
			`config:`
			`hide_groups_header: true`
			`allow:`
			`- admin`
			`- anon`

			`- name: realtime-v1`
			`url: http://realtime:4000/`
			`routes:`
			`- name: realtime-v1`
			`strip_path: true`
			`paths:`
			`- /realtime/v1/`
			`plugins:`
			`- name: cors`
			`- name: key-auth`
			`config:`
			`hide_credentials: false`
			`- name: acl`
			`config:`
			`hide_groups_header: true`
			`allow:`
			`- admin`
			`- anon`

			`## Storage Service - Public objects (no auth required)`
			`- name: storage-v1-public`
			`url: http://storage:5000/object/public`
			`routes:`
			`- name: storage-v1-public`
			`strip_path: true`
			`paths:`
			`- /storage/v1/object/public`
			`plugins:`
			`- name: cors`

			`## Storage Service - All other operations (auth required)`
			`- name: storage-v1`
			`url: http://storage:5000/`
			`routes:`
			`- name: storage-v1`
			`strip_path: true`
			`paths:`
			`- /storage/v1/`
			`plugins:`
			`- name: cors`
			`- name: key-auth`
			`config:`
			`hide_credentials: false`
			`- name: acl`
			`config:`
			`hide_groups_header: true`
			`allow:`
			`- admin`
			`- anon`

			`## PostgreSQL Meta (for Studio)`
			`- name: meta`
			`url: http://meta:8080/`
			`routes:`
			`- name: meta`
			`strip_path: true`
			`paths:`
			`- /pg/`
			`plugins:`
			`- name: key-auth`
			`config:`
			`hide_credentials: false`
			`- name: acl`
			`config:`
			`hide_groups_header: true`
			`allow:`
			`- admin`
			`EOF`

			`echo "Kong configuration updated successfully!"`
			`echo "Restart Kong to apply changes: docker compose restart kong"`