titan-iac/services/keycloak/synapse-oidc-secret-ensure-job.yaml

# services/keycloak/synapse-oidc-secret-ensure-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: synapse-oidc-secret-ensure-10
  namespace: sso
spec:
  backoffLimit: 0
  ttlSecondsAfterFinished: 3600
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/role: "sso-secrets"
        vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
        vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
          {{ with secret "kv/data/atlas/shared/keycloak-admin" }}
          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
          {{ end }}
    spec:
      serviceAccountName: mas-secrets-ensure
      restartPolicy: Never
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
      containers:
        - name: apply
          image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              . /vault/secrets/keycloak-admin-env.sh
              KC_URL="http://keycloak.sso.svc.cluster.local"
              ACCESS_TOKEN=""
              for attempt in 1 2 3 4 5; do
                TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
                  -H 'Content-Type: application/x-www-form-urlencoded' \
                  -d "grant_type=password" \
                  -d "client_id=admin-cli" \
                  -d "username=${KEYCLOAK_ADMIN}" \
                  -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
                ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
                if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
                  break
                fi
                echo "Keycloak token request failed (attempt ${attempt})" >&2
                sleep $((attempt * 2))
              done
              if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
                echo "Failed to fetch Keycloak admin token" >&2
                exit 1
              fi

              CLIENT_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/clients?clientId=synapse" | jq -r '.[0].id' 2>/dev/null || true)"
              if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
                echo "Keycloak client synapse not found" >&2
                exit 1
              fi
              CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
              if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
                echo "Keycloak client secret not found" >&2
                exit 1
              fi

              vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
              vault_role="${VAULT_ROLE:-sso-secrets}"
              jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
              login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
              vault_token="$(curl -sS --request POST --data "${login_payload}" \
                "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
              if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
                echo "vault login failed" >&2
                exit 1
              fi

              payload="$(jq -nc --arg value "${CLIENT_SECRET}" '{data:{"client-secret":$value}}')"
              curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
                -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/synapse-oidc" >/dev/null
          volumeMounts:
      volumes:
comms: ensure core secrets and synapse oidc 2026-01-08 03:53:49 -03:00			`# services/keycloak/synapse-oidc-secret-ensure-job.yaml`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
jobs: bump names after affinity update 2026-01-17 01:52:16 -03:00			`name: synapse-oidc-secret-ensure-10`
comms: ensure core secrets and synapse oidc 2026-01-08 03:53:49 -03:00			`namespace: sso`
			`spec:`
			`backoffLimit: 0`
			`ttlSecondsAfterFinished: 3600`
			`template:`
keycloak: switch jobs to vault injector 2026-01-14 13:20:57 -03:00			`metadata:`
			`annotations:`
			`vault.hashicorp.com/agent-inject: "true"`
vault: prepopulate injector for jobs 2026-01-14 14:29:29 -03:00			`vault.hashicorp.com/agent-pre-populate-only: "true"`
keycloak: switch jobs to vault injector 2026-01-14 13:20:57 -03:00			`vault.hashicorp.com/role: "sso-secrets"`
			`vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"`
			`vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: \|`
vault: stabilize injector templates and add health apps 2026-01-14 13:40:29 -03:00			`{{ with secret "kv/data/atlas/shared/keycloak-admin" }}`
keycloak: switch jobs to vault injector 2026-01-14 13:20:57 -03:00			`export KEYCLOAK_ADMIN="{{ .Data.data.username }}"`
			`export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"`
			`export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"`
vault: stabilize injector templates and add health apps 2026-01-14 13:40:29 -03:00			`{{ end }}`
comms: ensure core secrets and synapse oidc 2026-01-08 03:53:49 -03:00			`spec:`
			`serviceAccountName: mas-secrets-ensure`
			`restartPolicy: Never`
jobs: prefer arm64 workers 2026-01-17 01:47:53 -03:00			`affinity:`
			`nodeAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: node-role.kubernetes.io/worker`
			`operator: Exists`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 100`
			`preference:`
			`matchExpressions:`
			`- key: kubernetes.io/arch`
			`operator: In`
			`values: ["arm64"]`
comms: ensure core secrets and synapse oidc 2026-01-08 03:53:49 -03:00			`containers:`
			`- name: apply`
jobs: drop apk installs and prefer arm64 2026-01-17 01:02:58 -03:00			`image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131`
comms: ensure core secrets and synapse oidc 2026-01-08 03:53:49 -03:00			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`set -euo pipefail`
keycloak: switch jobs to vault injector 2026-01-14 13:20:57 -03:00			`. /vault/secrets/keycloak-admin-env.sh`
comms: ensure core secrets and synapse oidc 2026-01-08 03:53:49 -03:00			`KC_URL="http://keycloak.sso.svc.cluster.local"`
			`ACCESS_TOKEN=""`
			`for attempt in 1 2 3 4 5; do`
			`TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \`
			`-H 'Content-Type: application/x-www-form-urlencoded' \`
			`-d "grant_type=password" \`
			`-d "client_id=admin-cli" \`
			`-d "username=${KEYCLOAK_ADMIN}" \`
			`-d "password=${KEYCLOAK_ADMIN_PASSWORD}" \|\| true)"`
			`ACCESS_TOKEN="$(echo "$TOKEN_JSON" \| jq -r '.access_token' 2>/dev/null \|\| true)"`
			`if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then`
			`break`
			`fi`
			`echo "Keycloak token request failed (attempt ${attempt})" >&2`
			`sleep $((attempt * 2))`
			`done`
			`if [ -z "$ACCESS_TOKEN" ] \|\| [ "$ACCESS_TOKEN" = "null" ]; then`
			`echo "Failed to fetch Keycloak admin token" >&2`
			`exit 1`
			`fi`

			`CLIENT_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/clients?clientId=synapse" \| jq -r '.[0].id' 2>/dev/null \|\| true)"`
			`if [ -z "$CLIENT_ID" ] \|\| [ "$CLIENT_ID" = "null" ]; then`
			`echo "Keycloak client synapse not found" >&2`
			`exit 1`
			`fi`
			`CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" \| jq -r '.value' 2>/dev/null \|\| true)"`
			`if [ -z "$CLIENT_SECRET" ] \|\| [ "$CLIENT_SECRET" = "null" ]; then`
			`echo "Keycloak client secret not found" >&2`
			`exit 1`
			`fi`

vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"`
			`vault_role="${VAULT_ROLE:-sso-secrets}"`
			`jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"`
			`login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"`
			`vault_token="$(curl -sS --request POST --data "${login_payload}" \`
			`"${vault_addr}/v1/auth/kubernetes/login" \| jq -r '.auth.client_token')"`
			`if [ -z "${vault_token}" ] \|\| [ "${vault_token}" = "null" ]; then`
			`echo "vault login failed" >&2`
			`exit 1`
comms: ensure core secrets and synapse oidc 2026-01-08 03:53:49 -03:00			`fi`

vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`payload="$(jq -nc --arg value "${CLIENT_SECRET}" '{data:{"client-secret":$value}}')"`
			`curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \`
			`-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/synapse-oidc" >/dev/null`
			`volumeMounts:`
jobs: drop apk installs and prefer arm64 2026-01-17 01:02:58 -03:00			`volumes:`