diff --git a/.changeset/fix-all-in-one-ingestion-api-key.md b/.changeset/fix-all-in-one-ingestion-api-key.md new file mode 100644 index 0000000000..a6ac6e73a0 --- /dev/null +++ b/.changeset/fix-all-in-one-ingestion-api-key.md @@ -0,0 +1,19 @@ +--- +'@hyperdx/api': patch +--- + +fix: honor INGESTION_API_KEY in the all-in-one auth image + +The all-in-one entrypoint set `HYPERDX_IMAGE` to values (`all-in-one` / +`all-in-one-noauth`) that did not match the strings `config.ts` compares against +(`all-in-one-auth` / `all-in-one-noauth`). As a result `IS_ALL_IN_ONE_IMAGE` was +never true in the auth image, so the `INGESTION_API_KEY` env var was silently +ignored and the OpAMP-delivered collector config only accepted the team's +UI-generated key. + +The entrypoint now reports `all-in-one-auth` for the auth variant and +`all-in-one-noauth` for the no-auth variant, so a pre-shared `INGESTION_API_KEY` +is added to the collector's accepted bearer tokens. This lets demo/bootstrap +stacks specify a known ingestion key up front instead of retrieving the +generated key from the UI — the all-in-one equivalent of the standalone +collector's `OTLP_AUTH_TOKEN`. diff --git a/docker/hyperdx/entry.local.base.sh b/docker/hyperdx/entry.local.base.sh index 3b612f9451..c0ad13b416 100644 --- a/docker/hyperdx/entry.local.base.sh +++ b/docker/hyperdx/entry.local.base.sh @@ -18,7 +18,10 @@ export MONGO_URI="mongodb://db:27017/hyperdx" export OPAMP_SERVER_URL="http://127.0.0.1:${OPAMP_PORT}" export CLICKHOUSE_PROMETHEUS_METRICS_ENDPOINT="${CLICKHOUSE_PROMETHEUS_METRICS_ENDPOINT:-ch-server:9363}" -export HYPERDX_IMAGE=$([[ "${IS_LOCAL_APP_MODE}" == "DANGEROUSLY_is_local_app_mode💀" ]] && echo "all-in-one" || echo "all-in-one-noauth") +# These values must match the strings compared against in packages/api/src/config.ts +# (IS_LOCAL_IMAGE / IS_ALL_IN_ONE_IMAGE). The auth variant must report +# "all-in-one-auth" so that the INGESTION_API_KEY bootstrap path is enabled. +export HYPERDX_IMAGE=$([[ "${IS_LOCAL_APP_MODE}" == "DANGEROUSLY_is_local_app_mode💀" ]] && echo "all-in-one-noauth" || echo "all-in-one-auth") export EXPRESS_SESSION_SECRET="hyperdx is cool 👋" # IS_LOCAL_APP_MODE should be set by the calling script # Default to dangerous mode if not set