titan-iac/services/keycloak/mas-secrets-ensure-job.yaml

# services/keycloak/mas-secrets-ensure-job.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mas-secrets-ensure
  namespace: sso
imagePullSecrets:
  - name: harbor-regcred
---
apiVersion: batch/v1
kind: Job
metadata:
  name: mas-secrets-ensure-15
  namespace: sso
spec:
  backoffLimit: 0
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      serviceAccountName: mas-secrets-ensure
      restartPolicy: Never
      volumes:
        - name: work
          emptyDir: {}
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: sso-vault
        - name: vault-scripts
          configMap:
            name: sso-vault-env
            defaultMode: 0555
      initContainers:
        - name: generate
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              . /vault/scripts/keycloak_vault_env.sh
              umask 077
              apk add --no-cache curl openssl jq >/dev/null

              KC_URL="http://keycloak.sso.svc.cluster.local"
              ACCESS_TOKEN=""
              for attempt in 1 2 3 4 5; do
                TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
                  -H 'Content-Type: application/x-www-form-urlencoded' \
                  -d "grant_type=password" \
                  -d "client_id=admin-cli" \
                  -d "username=${KEYCLOAK_ADMIN}" \
                  -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
                ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
                if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
                  break
                fi
                echo "Keycloak token request failed (attempt ${attempt})" >&2
                sleep $((attempt * 2))
              done
              if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
                echo "Failed to fetch Keycloak admin token" >&2
                exit 1
              fi
              CLIENT_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/clients?clientId=othrys-mas" | jq -r '.[0].id' 2>/dev/null || true)"
              if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
                echo "Keycloak client othrys-mas not found" >&2
                exit 1
              fi
              CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
              if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
                echo "Keycloak client secret not found" >&2
                exit 1
              fi

              printf '%s' "$CLIENT_SECRET" > /work/keycloak_client_secret
              openssl rand -hex 32 | tr -d '\n' > /work/encryption
              openssl rand -hex 32 | tr -d '\n' > /work/matrix_shared_secret
              openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /work/rsa_key >/dev/null 2>&1
              chmod 0644 /work/*
          volumeMounts:
            - name: work
              mountPath: /work
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
      containers:
        - name: apply
          image: registry.bstein.dev/bstein/kubectl:1.35.0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
              vault_role="${VAULT_ROLE:-sso-secrets}"
              jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
              login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
              vault_token="$(curl -sS --request POST --data "${login_payload}" \
                "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
              if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
                echo "vault login failed" >&2
                exit 1
              fi

              existing="$(curl -sS -H "X-Vault-Token: ${vault_token}" \
                "${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" | jq -r '.data.data.encryption // empty')"
              if [ -n "${existing}" ]; then
                current_len="$(printf '%s' "${existing}" | wc -c | tr -d ' ')"
                if [ "${current_len}" = "64" ] && printf '%s' "${existing}" | grep -Eq '^[0-9a-fA-F]{64}$'; then
                  exit 0
                fi
              fi

              payload="$(jq -nc \
                --arg encryption "$(cat /work/encryption)" \
                --arg matrix_shared_secret "$(cat /work/matrix_shared_secret)" \
                --arg keycloak_client_secret "$(cat /work/keycloak_client_secret)" \
                --arg rsa_key "$(cat /work/rsa_key)" \
                '{data:{encryption:$encryption, matrix_shared_secret:$matrix_shared_secret, keycloak_client_secret:$keycloak_client_secret, rsa_key:$rsa_key}}')"
              curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
                -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" >/dev/null
          volumeMounts:
            - name: work
              mountPath: /work
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`# services/keycloak/mas-secrets-ensure-job.yaml`
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: mas-secrets-ensure`
			`namespace: sso`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`imagePullSecrets:`
			`- name: harbor-regcred`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`---`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
jobs: bump names after vault tweaks 2026-01-14 05:47:21 -03:00			`name: mas-secrets-ensure-15`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`namespace: sso`
			`spec:`
keycloak: make MAS secret job idempotent 2026-01-08 02:21:37 -03:00			`backoffLimit: 0`
			`ttlSecondsAfterFinished: 3600`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`template:`
			`spec:`
			`serviceAccountName: mas-secrets-ensure`
keycloak: make MAS secret job idempotent 2026-01-08 02:21:37 -03:00			`restartPolicy: Never`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`volumes:`
			`- name: work`
			`emptyDir: {}`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`- name: vault-secrets`
			`csi:`
			`driver: secrets-store.csi.k8s.io`
			`readOnly: true`
			`volumeAttributes:`
			`secretProviderClass: sso-vault`
			`- name: vault-scripts`
			`configMap:`
			`name: sso-vault-env`
			`defaultMode: 0555`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`initContainers:`
			`- name: generate`
			`image: alpine:3.20`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`set -euo pipefail`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`. /vault/scripts/keycloak_vault_env.sh`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`umask 077`
			`apk add --no-cache curl openssl jq >/dev/null`

			`KC_URL="http://keycloak.sso.svc.cluster.local"`
keycloak: retry MAS secret bootstrap 2026-01-08 02:12:40 -03:00			`ACCESS_TOKEN=""`
			`for attempt in 1 2 3 4 5; do`
			`TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \`
			`-H 'Content-Type: application/x-www-form-urlencoded' \`
			`-d "grant_type=password" \`
			`-d "client_id=admin-cli" \`
			`-d "username=${KEYCLOAK_ADMIN}" \`
			`-d "password=${KEYCLOAK_ADMIN_PASSWORD}" \|\| true)"`
			`ACCESS_TOKEN="$(echo "$TOKEN_JSON" \| jq -r '.access_token' 2>/dev/null \|\| true)"`
			`if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then`
			`break`
			`fi`
			`echo "Keycloak token request failed (attempt ${attempt})" >&2`
			`sleep $((attempt * 2))`
			`done`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`if [ -z "$ACCESS_TOKEN" ] \|\| [ "$ACCESS_TOKEN" = "null" ]; then`
			`echo "Failed to fetch Keycloak admin token" >&2`
			`exit 1`
			`fi`
			`CLIENT_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
keycloak: retry MAS secret bootstrap 2026-01-08 02:12:40 -03:00			`"$KC_URL/admin/realms/atlas/clients?clientId=othrys-mas" \| jq -r '.[0].id' 2>/dev/null \|\| true)"`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`if [ -z "$CLIENT_ID" ] \|\| [ "$CLIENT_ID" = "null" ]; then`
			`echo "Keycloak client othrys-mas not found" >&2`
			`exit 1`
			`fi`
			`CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
keycloak: retry MAS secret bootstrap 2026-01-08 02:12:40 -03:00			`"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" \| jq -r '.value' 2>/dev/null \|\| true)"`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`if [ -z "$CLIENT_SECRET" ] \|\| [ "$CLIENT_SECRET" = "null" ]; then`
			`echo "Keycloak client secret not found" >&2`
			`exit 1`
			`fi`

			`printf '%s' "$CLIENT_SECRET" > /work/keycloak_client_secret`
sso: strip mas secret newlines 2026-01-08 03:38:51 -03:00			`openssl rand -hex 32 \| tr -d '\n' > /work/encryption`
			`openssl rand -hex 32 \| tr -d '\n' > /work/matrix_shared_secret`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /work/rsa_key >/dev/null 2>&1`
keycloak: allow MAS secret apply read access 2026-01-08 02:19:21 -03:00			`chmod 0644 /work/*`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`volumeMounts:`
			`- name: work`
			`mountPath: /work`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`- name: vault-secrets`
			`mountPath: /vault/secrets`
			`readOnly: true`
			`- name: vault-scripts`
			`mountPath: /vault/scripts`
			`readOnly: true`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`containers:`
			`- name: apply`
vault: prep helm releases and image pins 2026-01-13 19:29:14 -03:00			`image: registry.bstein.dev/bstein/kubectl:1.35.0`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`set -euo pipefail`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"`
			`vault_role="${VAULT_ROLE:-sso-secrets}"`
			`jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"`
			`login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"`
			`vault_token="$(curl -sS --request POST --data "${login_payload}" \`
			`"${vault_addr}/v1/auth/kubernetes/login" \| jq -r '.auth.client_token')"`
			`if [ -z "${vault_token}" ] \|\| [ "${vault_token}" = "null" ]; then`
			`echo "vault login failed" >&2`
			`exit 1`
			`fi`

			`existing="$(curl -sS -H "X-Vault-Token: ${vault_token}" \`
			`"${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" \| jq -r '.data.data.encryption // empty')"`
			`if [ -n "${existing}" ]; then`
			`current_len="$(printf '%s' "${existing}" \| wc -c \| tr -d ' ')"`
			`if [ "${current_len}" = "64" ] && printf '%s' "${existing}" \| grep -Eq '^[0-9a-fA-F]{64}$'; then`
sso: fix mas encryption secret 2026-01-08 03:35:40 -03:00			`exit 0`
			`fi`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`fi`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00
			`payload="$(jq -nc \`
			`--arg encryption "$(cat /work/encryption)" \`
			`--arg matrix_shared_secret "$(cat /work/matrix_shared_secret)" \`
			`--arg keycloak_client_secret "$(cat /work/keycloak_client_secret)" \`
			`--arg rsa_key "$(cat /work/rsa_key)" \`
			`'{data:{encryption:$encryption, matrix_shared_secret:$matrix_shared_secret, keycloak_client_secret:$keycloak_client_secret, rsa_key:$rsa_key}}')"`
			`curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \`
			`-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" >/dev/null`
comms: ensure MAS secrets via keycloak admin job 2026-01-08 02:09:23 -03:00			`volumeMounts:`
			`- name: work`
			`mountPath: /work`