7ea721c487
* root: move database calls from ready() to dedicated startup signal Signed-off-by: Jens Langhammer <jens@goauthentik.io> * optimise gunicorn startup to only do DB code in one worker Signed-off-by: Jens Langhammer <jens@goauthentik.io> * always use 2 workers in compose Signed-off-by: Jens Langhammer <jens@goauthentik.io> * send startup signals for test runner Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove k8s import that isn't really needed Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ci: bump nested actions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix @reconcile_app not triggering reconcile due to changed functions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * connect startup with uid Signed-off-by: Jens Langhammer <jens@goauthentik.io> * adjust some log levels Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove internal healthcheck we didn't really use it to do anything, and we shouldn't have to since the live/ready probes are handled by django anyways and so the container runtime will restart the server if needed Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add setproctitle for gunicorn and celery process titles Signed-off-by: Jens Langhammer <jens@goauthentik.io> * configure structlog early to use it Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Revert "configure structlog early to use it" This reverts commit 16778fdbbca0f5c474d376c2f85c6f8032c06044. * Revert "adjust some log levels" This reverts commit a129f7ab6aecf27f1206aea1ad8384ce897b74ad. Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # authentik/root/settings.py * optimize startup to not spawn a bunch of one-off processes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * idk why this shows up Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
97 lines
2.7 KiB
Bash
Executable File
97 lines
2.7 KiB
Bash
Executable File
#!/usr/bin/env -S bash -e
|
|
MODE_FILE="${TMPDIR}/authentik-mode"
|
|
|
|
function log {
|
|
printf '{"event": "%s", "level": "info", "logger": "bootstrap"}\n' "$@" > /dev/stderr
|
|
}
|
|
|
|
function wait_for_db {
|
|
python -m lifecycle.wait_for_db
|
|
log "Bootstrap completed"
|
|
}
|
|
|
|
function check_if_root {
|
|
if [[ $EUID -ne 0 ]]; then
|
|
log "Not running as root, disabling permission fixes"
|
|
exec $1
|
|
return
|
|
fi
|
|
SOCKET="/var/run/docker.sock"
|
|
GROUP="authentik"
|
|
if [[ -e "$SOCKET" ]]; then
|
|
# Get group ID of the docker socket, so we can create a matching group and
|
|
# add ourselves to it
|
|
DOCKER_GID=$(stat -c '%g' $SOCKET)
|
|
# Ensure group for the id exists
|
|
getent group $DOCKER_GID || groupadd -f -g $DOCKER_GID docker
|
|
usermod -a -G $DOCKER_GID authentik
|
|
# since the name of the group might not be docker, we need to lookup the group id
|
|
GROUP_NAME=$(getent group $DOCKER_GID | sed 's/:/\n/g' | head -1)
|
|
GROUP="authentik:${GROUP_NAME}"
|
|
fi
|
|
# Fix permissions of certs and media
|
|
chown -R authentik:authentik /media /certs
|
|
chmod ug+rwx /media
|
|
chmod ug+rx /certs
|
|
exec chpst -u authentik:$GROUP env HOME=/authentik $1
|
|
}
|
|
|
|
function run_authentik {
|
|
if [[ -x "$(command -v authentik)" ]]; then
|
|
exec authentik $@
|
|
else
|
|
exec go run -v ./cmd/server/ $@
|
|
fi
|
|
}
|
|
|
|
function set_mode {
|
|
echo $1 > $MODE_FILE
|
|
trap cleanup EXIT
|
|
}
|
|
|
|
function cleanup {
|
|
rm -f ${MODE_FILE}
|
|
}
|
|
|
|
function prepare_debug {
|
|
poetry install --no-ansi --no-interaction
|
|
touch /unittest.xml
|
|
chown authentik:authentik /unittest.xml
|
|
}
|
|
|
|
if [[ "${AUTHENTIK_REMOTE_DEBUG}" == "true" ]]; then
|
|
prepare_debug
|
|
fi
|
|
|
|
if [[ "$1" == "server" ]]; then
|
|
set_mode "server"
|
|
# If we have bootstrap credentials set, run bootstrap tasks outside of main server
|
|
# sync, so that we can sure the first start actually has working bootstrap
|
|
# credentials
|
|
if [[ ! -z "${AUTHENTIK_BOOTSTRAP_PASSWORD}" || ! -z "${AUTHENTIK_BOOTSTRAP_TOKEN}" ]]; then
|
|
python -m manage bootstrap_tasks
|
|
fi
|
|
run_authentik
|
|
elif [[ "$1" == "worker" ]]; then
|
|
set_mode "worker"
|
|
check_if_root "python -m manage worker"
|
|
elif [[ "$1" == "worker-status" ]]; then
|
|
wait_for_db
|
|
celery -A authentik.root.celery flower \
|
|
--port=9000
|
|
elif [[ "$1" == "bash" ]]; then
|
|
/bin/bash
|
|
elif [[ "$1" == "test-all" ]]; then
|
|
prepare_debug
|
|
chmod 777 /root
|
|
check_if_root "python -m manage test authentik"
|
|
elif [[ "$1" == "healthcheck" ]]; then
|
|
run_authentik healthcheck $(cat $MODE_FILE)
|
|
elif [[ "$1" == "dump_config" ]]; then
|
|
exec python -m authentik.lib.config
|
|
elif [[ "$1" == "debug" ]]; then
|
|
exec sleep infinity
|
|
else
|
|
exec python -m manage "$@"
|
|
fi
|