titan-iac/services/keycloak/zot-client-bootstrap.yaml

# services/keycloak/zot-client-bootstrap.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-zot-client-bootstrap-4
  namespace: sso
  labels:
    app: keycloak-zot-client-bootstrap
spec:
  backoffLimit: 0
  ttlSecondsAfterFinished: 86400
  template:
    metadata:
      labels:
        app: keycloak-zot-client-bootstrap
    spec:
      restartPolicy: Never
      containers:
        - name: configure-zot-client
          image: quay.io/keycloak/keycloak:26.0.7
          imagePullPolicy: IfNotPresent
          env:
            - name: KEYCLOAK_ADMIN
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: username
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: password
            - name: KC_SERVER
              value: http://keycloak.sso.svc.cluster.local
            - name: REALM
              value: atlas
            - name: CLIENT_IDS
              value: "oauth2-proxy oauth2-proxy-zot"
            - name: REDIRECT_URIS
              value: '["https://auth.bstein.dev/oauth2/callback","https://registry.bstein.dev/oauth2/callback","https://longhorn.bstein.dev/oauth2/callback","https://secret.bstein.dev/oauth2/callback","https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback"]'
            - name: WEB_ORIGINS
              value: '["https://registry.bstein.dev","https://auth.bstein.dev","https://longhorn.bstein.dev","https://secret.bstein.dev"]'
            - name: AUDIENCE_SCOPE
              value: oauth2-proxy-audience
          command:
            - /bin/sh
            - -c
            - |
              set -euo pipefail

              KCADM="/opt/keycloak/bin/kcadm.sh"
              $KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli

              # Ensure audience client scope exists and injects oauth2-proxy as audience
              SCOPE_ID="$($KCADM get client-scopes -r "$REALM" -q name="$AUDIENCE_SCOPE" --fields id --format csv --noquotes || true)"
              if [ -z "$SCOPE_ID" ]; then
                echo "Creating audience client scope $AUDIENCE_SCOPE"
                SCOPE_ID="$($KCADM create client-scopes -r "$REALM" -s name="$AUDIENCE_SCOPE" -s protocol=openid-connect -i)"
              fi
              MAPPER_ID="$($KCADM get client-scopes/$SCOPE_ID/protocol-mappers/models -r "$REALM" -q name=aud-$AUDIENCE_SCOPE --fields id --format csv --noquotes || true)"
              if [ -z "$MAPPER_ID" ]; then
                echo "Creating audience mapper on scope $AUDIENCE_SCOPE"
                $KCADM create client-scopes/$SCOPE_ID/protocol-mappers/models -r "$REALM" -s name=aud-$AUDIENCE_SCOPE -s protocol=openid-connect -s protocolMapper=oidc-audience-mapper -s 'config."included.client.audience"="oauth2-proxy"' -s 'config."id.token.claim"="true"' -s 'config."access.token.claim"="true"' -s 'config."included.custom.audience"=""'
              fi

              for CLIENT_ID in $CLIENT_IDS; do
                CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes || true)"
                if [ -z "$CLIENT_UUID" ]; then
                  echo "Client $CLIENT_ID not found; skipping"
                  continue
                fi

                echo "Updating client $CLIENT_ID ($CLIENT_UUID)"
                $KCADM update "clients/$CLIENT_UUID" -r "$REALM" \
                  -s 'redirectUris='"$REDIRECT_URIS" \
                  -s 'webOrigins='"$WEB_ORIGINS" \
                  -s 'standardFlowEnabled=true' \
                  -s 'directAccessGrantsEnabled=false'

                # Attach audience scope so access tokens carry aud=oauth2-proxy
                $KCADM update "clients/$CLIENT_UUID/optional-client-scopes/$SCOPE_ID" -r "$REALM" >/dev/null 2>&1 || \
                  $KCADM add-optional-client-scopes -r "$REALM" --clientid "$CLIENT_ID" --scopes "$AUDIENCE_SCOPE"
              done

              echo "Keycloak zot client bootstrap complete"
keycloak: ensure zot oauth2 client redirect 2025-12-09 18:38:31 -03:00			`# services/keycloak/zot-client-bootstrap.yaml`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
zot: align oidc client to oauth2-proxy; add vault redirect 2025-12-09 20:49:25 -03:00			`name: keycloak-zot-client-bootstrap-4`
keycloak: ensure zot oauth2 client redirect 2025-12-09 18:38:31 -03:00			`namespace: sso`
			`labels:`
			`app: keycloak-zot-client-bootstrap`
			`spec:`
			`backoffLimit: 0`
			`ttlSecondsAfterFinished: 86400`
			`template:`
			`metadata:`
			`labels:`
			`app: keycloak-zot-client-bootstrap`
			`spec:`
			`restartPolicy: Never`
			`containers:`
			`- name: configure-zot-client`
			`image: quay.io/keycloak/keycloak:26.0.7`
			`imagePullPolicy: IfNotPresent`
			`env:`
			`- name: KEYCLOAK_ADMIN`
			`valueFrom:`
			`secretKeyRef:`
			`name: keycloak-admin`
			`key: username`
			`- name: KEYCLOAK_ADMIN_PASSWORD`
			`valueFrom:`
			`secretKeyRef:`
			`name: keycloak-admin`
			`key: password`
			`- name: KC_SERVER`
keycloak: fix oauth2-proxy redirect bootstrap job 2025-12-09 19:00:51 -03:00			`value: http://keycloak.sso.svc.cluster.local`
keycloak: ensure zot oauth2 client redirect 2025-12-09 18:38:31 -03:00			`- name: REALM`
			`value: atlas`
keycloak: bootstrap oauth2-proxy redirect URIs 2025-12-09 18:53:21 -03:00			`- name: CLIENT_IDS`
			`value: "oauth2-proxy oauth2-proxy-zot"`
			`- name: REDIRECT_URIS`
zot: align oidc client to oauth2-proxy; add vault redirect 2025-12-09 20:49:25 -03:00			`value: '["https://auth.bstein.dev/oauth2/callback","https://registry.bstein.dev/oauth2/callback","https://longhorn.bstein.dev/oauth2/callback","https://secret.bstein.dev/oauth2/callback","https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback"]'`
keycloak: bootstrap oauth2-proxy redirect URIs 2025-12-09 18:53:21 -03:00			`- name: WEB_ORIGINS`
			`value: '["https://registry.bstein.dev","https://auth.bstein.dev","https://longhorn.bstein.dev","https://secret.bstein.dev"]'`
keycloak: add audience scope for oauth2-proxy clients 2025-12-10 03:03:40 -03:00			`- name: AUDIENCE_SCOPE`
			`value: oauth2-proxy-audience`
keycloak: ensure zot oauth2 client redirect 2025-12-09 18:38:31 -03:00			`command:`
			`- /bin/sh`
			`- -c`
			`- \|`
			`set -euo pipefail`

			`KCADM="/opt/keycloak/bin/kcadm.sh"`
			`$KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli`

keycloak: add audience scope for oauth2-proxy clients 2025-12-10 03:03:40 -03:00			`# Ensure audience client scope exists and injects oauth2-proxy as audience`
			`SCOPE_ID="$($KCADM get client-scopes -r "$REALM" -q name="$AUDIENCE_SCOPE" --fields id --format csv --noquotes \|\| true)"`
			`if [ -z "$SCOPE_ID" ]; then`
			`echo "Creating audience client scope $AUDIENCE_SCOPE"`
			`SCOPE_ID="$($KCADM create client-scopes -r "$REALM" -s name="$AUDIENCE_SCOPE" -s protocol=openid-connect -i)"`
			`fi`
			`MAPPER_ID="$($KCADM get client-scopes/$SCOPE_ID/protocol-mappers/models -r "$REALM" -q name=aud-$AUDIENCE_SCOPE --fields id --format csv --noquotes \|\| true)"`
			`if [ -z "$MAPPER_ID" ]; then`
			`echo "Creating audience mapper on scope $AUDIENCE_SCOPE"`
			`$KCADM create client-scopes/$SCOPE_ID/protocol-mappers/models -r "$REALM" -s name=aud-$AUDIENCE_SCOPE -s protocol=openid-connect -s protocolMapper=oidc-audience-mapper -s 'config."included.client.audience"="oauth2-proxy"' -s 'config."id.token.claim"="true"' -s 'config."access.token.claim"="true"' -s 'config."included.custom.audience"=""'`
			`fi`

keycloak: bootstrap oauth2-proxy redirect URIs 2025-12-09 18:53:21 -03:00			`for CLIENT_ID in $CLIENT_IDS; do`
			`CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes \|\| true)"`
			`if [ -z "$CLIENT_UUID" ]; then`
			`echo "Client $CLIENT_ID not found; skipping"`
			`continue`
			`fi`
keycloak: ensure zot oauth2 client redirect 2025-12-09 18:38:31 -03:00
			`echo "Updating client $CLIENT_ID ($CLIENT_UUID)"`
			`$KCADM update "clients/$CLIENT_UUID" -r "$REALM" \`
keycloak: bootstrap oauth2-proxy redirect URIs 2025-12-09 18:53:21 -03:00			`-s 'redirectUris='"$REDIRECT_URIS" \`
			`-s 'webOrigins='"$WEB_ORIGINS" \`
keycloak: ensure zot oauth2 client redirect 2025-12-09 18:38:31 -03:00			`-s 'standardFlowEnabled=true' \`
keycloak: bootstrap oauth2-proxy redirect URIs 2025-12-09 18:53:21 -03:00			`-s 'directAccessGrantsEnabled=false'`
keycloak: add audience scope for oauth2-proxy clients 2025-12-10 03:03:40 -03:00
			`# Attach audience scope so access tokens carry aud=oauth2-proxy`
			`$KCADM update "clients/$CLIENT_UUID/optional-client-scopes/$SCOPE_ID" -r "$REALM" >/dev/null 2>&1 \|\| \`
			`$KCADM add-optional-client-scopes -r "$REALM" --clientid "$CLIENT_ID" --scopes "$AUDIENCE_SCOPE"`
keycloak: bootstrap oauth2-proxy redirect URIs 2025-12-09 18:53:21 -03:00			`done`
keycloak: ensure zot oauth2 client redirect 2025-12-09 18:38:31 -03:00
			`echo "Keycloak zot client bootstrap complete"`