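#!/bin/bash
# Update kong.yml with API keys from .env
# Run this after setting up .env with your production keys
#
# Reads ANON_KEY and SERVICE_ROLE_KEY from <project>/.env, copies the current
# supabase/docker/kong.yml to kong.yml.bak, then regenerates kong.yml with the
# two keys written in as Kong key-auth credentials.
#
# Security notes:
#   - .env is loaded with `source`, so it is executed as shell code with the
#     privileges of whoever runs this script. Only run it against a .env you
#     control.
#   - kong.yml and kong.yml.bak both contain SERVICE_ROLE_KEY in clear text
#     after a run. Keep them out of version control and restrict who can
#     read them.
#   - kong.yml.bak is overwritten on every run, so only the most recent
#     previous configuration is kept.

set -e

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
ENV_FILE="$PROJECT_DIR/.env"
KONG_FILE="$PROJECT_DIR/supabase/docker/kong.yml"

# Print an error on stderr (not stdout, so it is not lost in redirected
# output) and abort.
die() {
  echo "Error: $*" >&2
  exit 1
}

# Abort unless the named key is non-empty and made only of characters that
# are inert in a YAML plain scalar. The value is pasted unquoted into the
# generated file, so whitespace, a newline, '#' or ':' would either corrupt
# the document or add extra configuration entries.
#   $1 - variable name (used in messages)   $2 - its value
require_key() {
  local name=$1 value=$2
  local LC_ALL=C # make the A-Z / a-z ranges below byte-wise, not locale-collated
  if [ -z "$value" ]; then
    die "$name is not set in .env"
  fi
  case "$value" in
    *[!A-Za-z0-9._~+/=-]*)
      die "$name contains characters that are not safe to write into kong.yml (allowed: A-Z a-z 0-9 . _ ~ + / = -)"
      ;;
  esac
}

# Check if .env exists
if [ ! -f "$ENV_FILE" ]; then
  die ".env file not found at $ENV_FILE"
fi

# The file is about to be executed; warn (without failing) when any local
# user could have modified it.
if [ -n "$(find "$ENV_FILE" -prune -perm -002 2>/dev/null)" ]; then
  echo "Warning: $ENV_FILE is world-writable; it is executed by this script" >&2
fi

# Load environment variables
# shellcheck disable=SC1090 -- path is computed at runtime
source "$ENV_FILE"

# Verify keys are set and safe to embed
require_key ANON_KEY "${ANON_KEY:-}"
require_key SERVICE_ROLE_KEY "${SERVICE_ROLE_KEY:-}"

# Fail with a clear message before touching anything if the target is missing.
if [ ! -f "$KONG_FILE" ]; then
  die "kong.yml not found at $KONG_FILE"
fi

# Backup original kong.yml (the copy holds the previous keys)
cp "$KONG_FILE" "$KONG_FILE.bak"

# Create updated kong.yml
# The heredoc delimiter is unquoted on purpose: $ANON_KEY and
# $SERVICE_ROLE_KEY must expand. Nothing else in the body may contain '$' or
# backticks, or the shell would expand that as well.
# NOTE(review): every key-auth plugin below is rendered with
# hide_credentials: false, which makes Kong forward the caller's API key to
# the upstream service. Confirm each upstream needs to see it.
cat > "$KONG_FILE" << EOF
_format_version: "2.1"
_transform: true

###
### Consumers / Users
###
consumers:
  - username: ANON
    keyauth_credentials:
      - key: $ANON_KEY
  - username: SERVICE_ROLE
    keyauth_credentials:
      - key: $SERVICE_ROLE_KEY

###
### Access Control Lists
###
acls:
  - consumer: ANON
    group: anon
  - consumer: SERVICE_ROLE
    group: admin

###
### API Routes
###
services:
  ## Redirect /auth/verify to SvelteKit app for email links
  - name: auth-verify-redirect
    url: http://portal:3000/auth/verify
    routes:
      - name: auth-verify-redirect
        strip_path: false
        paths:
          - /auth/verify
        preserve_host: false
    plugins:
      - name: cors

  ## Auth Service (GoTrue)
  - name: auth-v1-open
    url: http://auth:9999/verify
    routes:
      - name: auth-v1-open
        strip_path: true
        paths:
          - /auth/v1/verify
    plugins:
      - name: cors
  - name: auth-v1-open-callback
    url: http://auth:9999/callback
    routes:
      - name: auth-v1-open-callback
        strip_path: true
        paths:
          - /auth/v1/callback
    plugins:
      - name: cors
  - name: auth-v1-open-authorize
    url: http://auth:9999/authorize
    routes:
      - name: auth-v1-open-authorize
        strip_path: true
        paths:
          - /auth/v1/authorize
    plugins:
      - name: cors
  - name: auth-v1
    url: http://auth:9999/
    routes:
      - name: auth-v1
        strip_path: true
        paths:
          - /auth/v1/
    plugins:
      - name: cors
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin
            - anon

  ## REST Service (PostgREST)
  - name: rest-v1
    url: http://rest:3000/
    routes:
      - name: rest-v1
        strip_path: true
        paths:
          - /rest/v1/
    plugins:
      - name: cors
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin
            - anon

  ## Realtime Service
  - name: realtime-v1-ws
    url: http://realtime:4000/socket
    routes:
      - name: realtime-v1-ws
        strip_path: true
        paths:
          - /realtime/v1/websocket
    plugins:
      - name: cors
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin
            - anon
  - name: realtime-v1
    url: http://realtime:4000/
    routes:
      - name: realtime-v1
        strip_path: true
        paths:
          - /realtime/v1/
    plugins:
      - name: cors
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin
            - anon

  ## Storage Service - Public objects (no auth required)
  - name: storage-v1-public
    url: http://storage:5000/object/public
    routes:
      - name: storage-v1-public
        strip_path: true
        paths:
          - /storage/v1/object/public
    plugins:
      - name: cors

  ## Storage Service - All other operations (auth required)
  - name: storage-v1
    url: http://storage:5000/
    routes:
      - name: storage-v1
        strip_path: true
        paths:
          - /storage/v1/
    plugins:
      - name: cors
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin
            - anon

  ## PostgreSQL Meta (for Studio)
  - name: meta
    url: http://meta:8080/
    routes:
      - name: meta
        strip_path: true
        paths:
          - /pg/
    plugins:
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin
EOF

echo "Kong configuration updated successfully!"
echo "Restart Kong to apply changes: docker compose restart kong"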