This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/lifecycle/ak
Jens L 38bf0ee740
lifecycle: re-add exec to ak wrapper (#5253)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-04-14 13:52:11 +02:00

99 lines
3.2 KiB
Bash
Executable file

#!/bin/bash -e
MODE_FILE="${TMPDIR}/authentik-mode"
WORKER_HEARTBEAT="${TMPDIR}/authentik-worker"
function log {
printf '{"event": "%s", "level": "info", "logger": "bootstrap"}\n' "$@" > /dev/stderr
}
function wait_for_db {
python -m lifecycle.wait_for_db
python -m lifecycle.migrate
log "Bootstrap completed"
}
function check_if_root {
if [[ $EUID -ne 0 ]]; then
log "Not running as root, disabling permission fixes"
exec $1
return
fi
SOCKET="/var/run/docker.sock"
GROUP="authentik"
if [[ -e "$SOCKET" ]]; then
# Get group ID of the docker socket, so we can create a matching group and
# add ourselves to it
DOCKER_GID=$(stat -c '%g' $SOCKET)
# Ensure group for the id exists
getent group $DOCKER_GID || groupadd -f -g $DOCKER_GID docker
usermod -a -G $DOCKER_GID authentik
# since the name of the group might not be docker, we need to lookup the group id
GROUP_NAME=$(getent group $DOCKER_GID | sed 's/:/\n/g' | head -1)
GROUP="authentik:${GROUP_NAME}"
fi
# Fix permissions of certs and media
chown -R authentik:authentik /media /certs
chmod ug+rwx /media
chmod ug+rx /certs
exec chpst -u authentik:$GROUP env HOME=/authentik $1
}
function set_mode {
echo $1 > $MODE_FILE
trap cleanup EXIT
}
function cleanup {
rm -f ${MODE_FILE}
}
if [[ "$1" == "server" ]]; then
wait_for_db
set_mode "server"
# If we have bootstrap credentials set, run bootstrap tasks outside of main server
# sync, so that we can sure the first start actually has working bootstrap
# credentials
if [[ ! -z "${AUTHENTIK_BOOTSTRAP_PASSWORD}" || ! -z "${AUTHENTIK_BOOTSTRAP_TOKEN}" ]]; then
python -m manage bootstrap_tasks
fi
if [[ -x "$(command -v authentik)" ]]; then
exec authentik
else
exec go run -v ./cmd/server/
fi
elif [[ "$1" == "worker" ]]; then
wait_for_db
set_mode "worker"
check_if_root "celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events"
elif [[ "$1" == "worker-status" ]]; then
wait_for_db
celery -A authentik.root.celery flower \
--port=9000
elif [[ "$1" == "bash" ]]; then
/bin/bash
elif [[ "$1" == "test-all" ]]; then
pip install --no-cache-dir -r /requirements-dev.txt
touch /unittest.xml
chown authentik:authentik /unittest.xml
check_if_root "python -m manage test authentik"
elif [[ "$1" == "healthcheck" ]]; then
mode=$(cat $MODE_FILE)
if [[ $mode == "server" ]]; then
exec curl --user-agent "goauthentik.io lifecycle Healthcheck" -I http://localhost:9000/-/health/ready/
elif [[ $mode == "worker" ]]; then
mtime=$(stat -f %m $WORKER_HEARTBEAT)
time=$(date +"%s")
if [ "$(( $time - $mtime ))" -gt "30" ]; then
log "Worker hasn't updated heartbeat in 30 seconds"
exit 1
fi
exit 0
fi
elif [[ "$1" == "dump_config" ]]; then
exec python -m authentik.lib.config
elif [[ "$1" == "debug" ]]; then
exec sleep infinity
else
exec python -m manage "$@"
fi