2026-03-31 17:32:19 -03:00
|
|
|
# services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
|
2026-03-31 17:37:56 -03:00
|
|
|
# One-off job for sso/metis-oidc-secret-ensure-2.
|
2026-03-31 17:32:19 -03:00
|
|
|
# Purpose: ensure the Metis oauth2-proxy OIDC client and Vault secret exist.
|
|
|
|
|
# Keep this completed Job around; bump the suffix if it ever needs to be rerun.
|
|
|
|
|
apiVersion: batch/v1
|
|
|
|
|
kind: Job
|
|
|
|
|
metadata:
|
2026-03-31 17:48:15 -03:00
|
|
|
name: metis-oidc-secret-ensure-3
|
2026-03-31 17:32:19 -03:00
|
|
|
namespace: sso
|
|
|
|
|
spec:
|
|
|
|
|
backoffLimit: 0
|
|
|
|
|
template:
|
|
|
|
|
metadata:
|
|
|
|
|
annotations:
|
|
|
|
|
vault.hashicorp.com/agent-inject: "true"
|
|
|
|
|
vault.hashicorp.com/agent-pre-populate-only: "true"
|
|
|
|
|
vault.hashicorp.com/role: "sso-secrets"
|
|
|
|
|
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
|
|
|
|
|
{{ with secret "kv/data/atlas/shared/keycloak-admin" }}
|
|
|
|
|
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
|
|
|
|
|
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
|
|
|
|
|
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
|
|
|
|
|
{{ end }}
|
|
|
|
|
spec:
|
|
|
|
|
serviceAccountName: mas-secrets-ensure
|
|
|
|
|
restartPolicy: Never
|
|
|
|
|
affinity:
|
|
|
|
|
nodeAffinity:
|
|
|
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
nodeSelectorTerms:
|
|
|
|
|
- matchExpressions:
|
|
|
|
|
- key: node-role.kubernetes.io/worker
|
|
|
|
|
operator: Exists
|
|
|
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
- weight: 100
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
|
|
|
|
- key: kubernetes.io/arch
|
|
|
|
|
operator: In
|
|
|
|
|
values: ["arm64"]
|
|
|
|
|
containers:
|
|
|
|
|
- name: apply
|
|
|
|
|
image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
|
|
|
|
|
command: ["/bin/sh", "-c"]
|
|
|
|
|
args:
|
|
|
|
|
- |
|
|
|
|
|
set -euo pipefail
|
|
|
|
|
. /vault/secrets/keycloak-admin-env.sh
|
|
|
|
|
KC_URL="http://keycloak.sso.svc.cluster.local"
|
|
|
|
|
ACCESS_TOKEN=""
|
|
|
|
|
for attempt in 1 2 3 4 5; do
|
|
|
|
|
TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
|
|
|
|
|
-H 'Content-Type: application/x-www-form-urlencoded' \
|
|
|
|
|
-d "grant_type=password" \
|
|
|
|
|
-d "client_id=admin-cli" \
|
|
|
|
|
-d "username=${KEYCLOAK_ADMIN}" \
|
|
|
|
|
-d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
|
|
|
|
|
ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
|
|
|
|
|
if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
|
|
|
|
|
break
|
|
|
|
|
fi
|
|
|
|
|
echo "Keycloak token request failed (attempt ${attempt})" >&2
|
|
|
|
|
sleep $((attempt * 2))
|
|
|
|
|
done
|
|
|
|
|
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
|
|
|
|
|
echo "Failed to fetch Keycloak admin token" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
|
|
|
"$KC_URL/admin/realms/atlas/clients?clientId=metis" || true)"
|
|
|
|
|
CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
|
|
|
|
|
|
|
|
|
|
if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
|
|
|
|
|
create_payload='{"clientId":"metis","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://sentinel.bstein.dev/oauth2/callback"],"webOrigins":["https://sentinel.bstein.dev"],"rootUrl":"https://sentinel.bstein.dev","baseUrl":"/"}'
|
|
|
|
|
status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
|
|
|
|
|
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
|
|
|
-H 'Content-Type: application/json' \
|
|
|
|
|
-d "${create_payload}" \
|
|
|
|
|
"$KC_URL/admin/realms/atlas/clients")"
|
2026-03-31 17:48:15 -03:00
|
|
|
if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then
|
2026-03-31 17:32:19 -03:00
|
|
|
echo "Keycloak client create failed (status ${status})" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
|
|
|
"$KC_URL/admin/realms/atlas/clients?clientId=metis" || true)"
|
|
|
|
|
CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
|
|
|
|
|
echo "Keycloak client metis not found" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
2026-03-31 17:48:15 -03:00
|
|
|
SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
|
|
|
"$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)"
|
|
|
|
|
if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then
|
|
|
|
|
echo "Keycloak client scope groups not found" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
|
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" || true)"
|
|
|
|
|
OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
|
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" || true)"
|
|
|
|
|
|
|
|
|
|
if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1 \
|
|
|
|
|
&& ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1; then
|
|
|
|
|
status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
|
|
|
|
|
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
|
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
|
|
|
|
|
if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
|
|
|
|
|
status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
|
|
|
|
|
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
|
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
|
|
|
|
|
if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
|
|
|
|
|
echo "Failed to attach groups client scope to metis (status ${status})" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
2026-03-31 17:32:19 -03:00
|
|
|
update_payload='{"enabled":true,"clientId":"metis","protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://sentinel.bstein.dev/oauth2/callback"],"webOrigins":["https://sentinel.bstein.dev"],"rootUrl":"https://sentinel.bstein.dev","baseUrl":"/"}'
|
|
|
|
|
status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
|
|
|
|
|
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
|
|
|
-H 'Content-Type: application/json' \
|
|
|
|
|
-d "${update_payload}" \
|
|
|
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}")"
|
|
|
|
|
if [ "$status" != "204" ]; then
|
|
|
|
|
echo "Keycloak client update failed (status ${status})" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
|
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
|
|
|
|
|
if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
|
|
|
|
|
echo "Keycloak client secret not found" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
|
|
|
|
|
vault_role="${VAULT_ROLE:-sso-secrets}"
|
|
|
|
|
jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
|
|
|
|
|
login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
|
|
|
|
|
vault_token="$(curl -sS --request POST --data "${login_payload}" \
|
|
|
|
|
"${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
|
|
|
|
|
if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
|
|
|
|
|
echo "vault login failed" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
2026-03-31 17:37:56 -03:00
|
|
|
read_status="$(curl -sS -o /tmp/metis-oidc-read.json -w "%{http_code}" \
|
|
|
|
|
-H "X-Vault-Token: ${vault_token}" \
|
|
|
|
|
"${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc" || true)"
|
|
|
|
|
COOKIE_SECRET=""
|
|
|
|
|
if [ "${read_status}" = "200" ]; then
|
|
|
|
|
COOKIE_SECRET="$(jq -r '.data.data.cookie_secret // empty' /tmp/metis-oidc-read.json)"
|
|
|
|
|
elif [ "${read_status}" != "404" ]; then
|
|
|
|
|
echo "Vault read failed (status ${read_status})" >&2
|
|
|
|
|
cat /tmp/metis-oidc-read.json >&2 || true
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
2026-03-31 17:32:19 -03:00
|
|
|
if [ -n "${COOKIE_SECRET}" ]; then
|
|
|
|
|
length="$(printf '%s' "${COOKIE_SECRET}" | wc -c | tr -d ' ')"
|
|
|
|
|
if [ "${length}" != "16" ] && [ "${length}" != "24" ] && [ "${length}" != "32" ]; then
|
|
|
|
|
COOKIE_SECRET=""
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
if [ -z "${COOKIE_SECRET}" ]; then
|
|
|
|
|
COOKIE_SECRET="$(openssl rand -hex 16 | tr -d '\n')"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
payload="$(jq -nc \
|
|
|
|
|
--arg client_id "metis" \
|
|
|
|
|
--arg client_secret "${CLIENT_SECRET}" \
|
|
|
|
|
--arg cookie_secret "${COOKIE_SECRET}" \
|
|
|
|
|
'{data:{client_id:$client_id,client_secret:$client_secret,cookie_secret:$cookie_secret}}')"
|
2026-03-31 17:37:56 -03:00
|
|
|
write_status="$(curl -sS -o /tmp/metis-oidc-write.json -w "%{http_code}" -X POST \
|
|
|
|
|
-H "X-Vault-Token: ${vault_token}" \
|
|
|
|
|
-H 'Content-Type: application/json' \
|
|
|
|
|
-d "${payload}" "${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc")"
|
|
|
|
|
if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then
|
|
|
|
|
echo "Vault write failed (status ${write_status})" >&2
|
|
|
|
|
cat /tmp/metis-oidc-write.json >&2 || true
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
verify_status="$(curl -sS -o /tmp/metis-oidc-verify.json -w "%{http_code}" \
|
|
|
|
|
-H "X-Vault-Token: ${vault_token}" \
|
|
|
|
|
"${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc" || true)"
|
|
|
|
|
if [ "${verify_status}" != "200" ]; then
|
|
|
|
|
echo "Vault verify failed (status ${verify_status})" >&2
|
|
|
|
|
cat /tmp/metis-oidc-verify.json >&2 || true
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "Metis OIDC secret ready in Vault"
|
