fix: use alpine image and download hydra binary for init-rp to fix distroless shell issue

2026-03-19 09:22:35 +09:00
parent 57702fc672
commit ff37ad918a
1 changed files with 11 additions and 6 deletions
--- a/docker/staging_pull_compose.template.yaml
+++ b/docker/staging_pull_compose.template.yaml
@@ -263,13 +263,18 @@ services:
      - ory-net

  init-rp:
-    image: oryd/hydra:v25.4.0
+    image: alpine:latest
    env_file:
      - .env
-    entrypoint: ["/bin/sh"]
    command:
+      - /bin/sh
      - -ec
      - |
+        apk add --no-cache curl tar
+        curl -sLo /tmp/hydra.tar.gz https://github.com/ory/hydra/releases/download/v25.4.0/hydra_25.4.0-linux_64bit.tar.gz
+        tar -xzf /tmp/hydra.tar.gz -C /usr/local/bin hydra
+        rm /tmp/hydra.tar.gz
+
        hydra delete oauth2-client --endpoint http://hydra:4445 adminfront >/dev/null 2>&1 || true
        hydra delete oauth2-client --endpoint http://hydra:4445 devfront >/dev/null 2>&1 || true
        hydra delete oauth2-client --endpoint http://hydra:4445 $${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect} >/dev/null 2>&1 || true
@@ -281,7 +286,7 @@ services:
          --response-type code \
          --scope openid,offline_access,profile,email \
          --token-endpoint-auth-method none \
-          --redirect-uri $${ADMINFRONT_CALLBACK_URLS:-http://localhost:5173/auth/callback}
+          --redirect-uri "$${ADMINFRONT_CALLBACK_URLS:-http://localhost:5173/auth/callback}"

        hydra create oauth2-client \
          --endpoint http://hydra:4445 \
@@ -290,12 +295,12 @@ services:
          --response-type code \
          --scope openid,offline_access,profile,email \
          --token-endpoint-auth-method none \
-          --redirect-uri $${DEVFRONT_CALLBACK_URLS:-http://localhost:5174/auth/callback}
+          --redirect-uri "$${DEVFRONT_CALLBACK_URLS:-http://localhost:5174/auth/callback}"

        hydra create oauth2-client \
          --endpoint http://hydra:4445 \
-          --id $${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect} \
-          --secret $${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret} \
+          --id "$${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}" \
+          --secret "$${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}" \
          --grant-type client_credentials \
          --response-type token \
          --scope openid,offline_access,profile,email