diff --git a/deploy.sh b/deploy.sh index 1201afe..24120de 100644 --- a/deploy.sh +++ b/deploy.sh @@ -141,6 +141,206 @@ generate_secrets() { log_info "Copy these values to your .env file" } +# Generate Kong configuration with API keys from .env +generate_kong_config() { + log_info "Generating Kong configuration..." + + # Load environment variables + if [ -f .env ]; then + export $(grep -v '^#' .env | grep -E '^(ANON_KEY|SERVICE_ROLE_KEY)=' | xargs) + fi + + if [ -z "$ANON_KEY" ] || [ -z "$SERVICE_ROLE_KEY" ]; then + log_error "ANON_KEY and SERVICE_ROLE_KEY must be set in .env" + exit 1 + fi + + cat > supabase/docker/kong.yml << KONG_EOF +_format_version: "2.1" +_transform: true + +consumers: + - username: ANON + keyauth_credentials: + - key: ${ANON_KEY} + - username: SERVICE_ROLE + keyauth_credentials: + - key: ${SERVICE_ROLE_KEY} + +acls: + - consumer: ANON + group: anon + - consumer: SERVICE_ROLE + group: admin + +services: + - name: auth-verify-redirect + url: http://portal:3000/auth/verify + routes: + - name: auth-verify-redirect + strip_path: false + paths: + - /auth/verify + preserve_host: false + plugins: + - name: cors + + - name: auth-v1-open + url: http://auth:9999/verify + routes: + - name: auth-v1-open + strip_path: true + paths: + - /auth/v1/verify + plugins: + - name: cors + + - name: auth-v1-open-callback + url: http://auth:9999/callback + routes: + - name: auth-v1-open-callback + strip_path: true + paths: + - /auth/v1/callback + plugins: + - name: cors + + - name: auth-v1-open-authorize + url: http://auth:9999/authorize + routes: + - name: auth-v1-open-authorize + strip_path: true + paths: + - /auth/v1/authorize + plugins: + - name: cors + + - name: auth-v1 + url: http://auth:9999/ + routes: + - name: auth-v1 + strip_path: true + paths: + - /auth/v1/ + plugins: + - name: cors + - name: key-auth + config: + hide_credentials: false + - name: acl + config: + hide_groups_header: true + allow: + - admin + - anon + + - name: rest-v1 + url: http://rest:3000/ + routes: + - name: rest-v1 + strip_path: true + paths: + - /rest/v1/ + plugins: + - name: cors + - name: key-auth + config: + hide_credentials: false + - name: acl + config: + hide_groups_header: true + allow: + - admin + - anon + + - name: realtime-v1-ws + url: http://realtime:4000/socket + routes: + - name: realtime-v1-ws + strip_path: true + paths: + - /realtime/v1/websocket + plugins: + - name: cors + - name: key-auth + config: + hide_credentials: false + - name: acl + config: + hide_groups_header: true + allow: + - admin + - anon + + - name: realtime-v1 + url: http://realtime:4000/ + routes: + - name: realtime-v1 + strip_path: true + paths: + - /realtime/v1/ + plugins: + - name: cors + - name: key-auth + config: + hide_credentials: false + - name: acl + config: + hide_groups_header: true + allow: + - admin + - anon + + - name: storage-v1-public + url: http://storage:5000/object/public + routes: + - name: storage-v1-public + strip_path: true + paths: + - /storage/v1/object/public + plugins: + - name: cors + + - name: storage-v1 + url: http://storage:5000/ + routes: + - name: storage-v1 + strip_path: true + paths: + - /storage/v1/ + plugins: + - name: cors + - name: key-auth + config: + hide_credentials: false + - name: acl + config: + hide_groups_header: true + allow: + - admin + - anon + + - name: meta + url: http://meta:8080/ + routes: + - name: meta + strip_path: true + paths: + - /pg/ + plugins: + - name: key-auth + config: + hide_credentials: false + - name: acl + config: + hide_groups_header: true + allow: + - admin +KONG_EOF + + log_info "Kong configuration generated with production API keys" +} + # Deploy/start services deploy() { log_info "Deploying Monaco USA Portal..." @@ -151,8 +351,11 @@ deploy() { exit 1 fi - # Build and start - docker compose -f $COMPOSE_FILE -p $PROJECT_NAME build --no-cache portal + # Generate Kong config with production API keys + generate_kong_config + + # Pull latest portal image and start all services + docker compose -f $COMPOSE_FILE -p $PROJECT_NAME pull portal docker compose -f $COMPOSE_FILE -p $PROJECT_NAME up -d log_info "Deployment complete!" diff --git a/scripts/generate-kong-config.sh b/scripts/generate-kong-config.sh new file mode 100644 index 0000000..b9b09cb --- /dev/null +++ b/scripts/generate-kong-config.sh @@ -0,0 +1,218 @@ +#!/bin/bash +# Generate Kong configuration with production API keys +# Usage: ./scripts/generate-kong-config.sh + +set -e + +# Load environment variables if .env exists +if [ -f .env ]; then + export $(grep -v '^#' .env | xargs) +fi + +# Check required variables +if [ -z "$ANON_KEY" ] || [ -z "$SERVICE_ROLE_KEY" ]; then + echo "Error: ANON_KEY and SERVICE_ROLE_KEY must be set in .env" + exit 1 +fi + +# Create the Kong configuration +cat > supabase/docker/kong.yml << KONG_EOF +_format_version: "2.1" +_transform: true + +### +### Consumers / Users +### +consumers: + - username: ANON + keyauth_credentials: + - key: ${ANON_KEY} + - username: SERVICE_ROLE + keyauth_credentials: + - key: ${SERVICE_ROLE_KEY} + +### +### Access Control Lists +### +acls: + - consumer: ANON + group: anon + - consumer: SERVICE_ROLE + group: admin + +### +### API Routes +### +services: + ## Redirect /auth/verify to SvelteKit app for email links + - name: auth-verify-redirect + url: http://portal:3000/auth/verify + routes: + - name: auth-verify-redirect + strip_path: false + paths: + - /auth/verify + preserve_host: false + plugins: + - name: cors + + ## Auth Service (GoTrue) + - name: auth-v1-open + url: http://auth:9999/verify + routes: + - name: auth-v1-open + strip_path: true + paths: + - /auth/v1/verify + plugins: + - name: cors + + - name: auth-v1-open-callback + url: http://auth:9999/callback + routes: + - name: auth-v1-open-callback + strip_path: true + paths: + - /auth/v1/callback + plugins: + - name: cors + + - name: auth-v1-open-authorize + url: http://auth:9999/authorize + routes: + - name: auth-v1-open-authorize + strip_path: true + paths: + - /auth/v1/authorize + plugins: + - name: cors + + - name: auth-v1 + url: http://auth:9999/ + routes: + - name: auth-v1 + strip_path: true + paths: + - /auth/v1/ + plugins: + - name: cors + - name: key-auth + config: + hide_credentials: false + - name: acl + config: + hide_groups_header: true + allow: + - admin + - anon + + ## REST Service (PostgREST) + - name: rest-v1 + url: http://rest:3000/ + routes: + - name: rest-v1 + strip_path: true + paths: + - /rest/v1/ + plugins: + - name: cors + - name: key-auth + config: + hide_credentials: false + - name: acl + config: + hide_groups_header: true + allow: + - admin + - anon + + ## Realtime Service + - name: realtime-v1-ws + url: http://realtime:4000/socket + routes: + - name: realtime-v1-ws + strip_path: true + paths: + - /realtime/v1/websocket + plugins: + - name: cors + - name: key-auth + config: + hide_credentials: false + - name: acl + config: + hide_groups_header: true + allow: + - admin + - anon + + - name: realtime-v1 + url: http://realtime:4000/ + routes: + - name: realtime-v1 + strip_path: true + paths: + - /realtime/v1/ + plugins: + - name: cors + - name: key-auth + config: + hide_credentials: false + - name: acl + config: + hide_groups_header: true + allow: + - admin + - anon + + ## Storage Service - Public objects (no auth required) + - name: storage-v1-public + url: http://storage:5000/object/public + routes: + - name: storage-v1-public + strip_path: true + paths: + - /storage/v1/object/public + plugins: + - name: cors + + ## Storage Service - All other operations (auth required) + - name: storage-v1 + url: http://storage:5000/ + routes: + - name: storage-v1 + strip_path: true + paths: + - /storage/v1/ + plugins: + - name: cors + - name: key-auth + config: + hide_credentials: false + - name: acl + config: + hide_groups_header: true + allow: + - admin + - anon + + ## PostgreSQL Meta (for Studio) + - name: meta + url: http://meta:8080/ + routes: + - name: meta + strip_path: true + paths: + - /pg/ + plugins: + - name: key-auth + config: + hide_credentials: false + - name: acl + config: + hide_groups_header: true + allow: + - admin +KONG_EOF + +echo "Kong configuration generated at supabase/docker/kong.yml"