test(portal): sync e2e client secret

2026-01-04 03:35:26 -03:00 · 2026-01-04 03:35:26 -03:00 · 17a9a7e245
commit 17a9a7e245
parent c53d310c59
6 changed files with 113 additions and 0 deletions
--- a/scripts/sso_portal_e2e_client_secret_sync.sh
+++ b/scripts/sso_portal_e2e_client_secret_sync.sh
@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SOURCE_NAMESPACE="${SOURCE_NAMESPACE:-sso}"
+DEST_NAMESPACE="${DEST_NAMESPACE:-bstein-dev-home}"
+SECRET_NAME="${SECRET_NAME:-portal-e2e-client}"
+
+client_id="$(kubectl -n "${SOURCE_NAMESPACE}" get secret "${SECRET_NAME}" -o jsonpath='{.data.client_id}')"
+client_secret="$(kubectl -n "${SOURCE_NAMESPACE}" get secret "${SECRET_NAME}" -o jsonpath='{.data.client_secret}')"
+
+cat <<EOF | kubectl -n "${DEST_NAMESPACE}" apply -f - >/dev/null
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ${SECRET_NAME}
+type: Opaque
+data:
+  client_id: ${client_id}
+  client_secret: ${client_secret}
+EOF
--- a/services/bstein-dev-home/kustomization.yaml
+++ b/services/bstein-dev-home/kustomization.yaml
@ -6,6 +6,7 @@ resources:
  - namespace.yaml
  - image.yaml
  - rbac.yaml
+  - portal-e2e-client-secret-sync-rbac.yaml
  - chat-ai-gateway-configmap.yaml
  - chat-ai-gateway-deployment.yaml
  - chat-ai-gateway-service.yaml
--- a/services/bstein-dev-home/portal-e2e-client-secret-sync-rbac.yaml
+++ b/services/bstein-dev-home/portal-e2e-client-secret-sync-rbac.yaml
@ -0,0 +1,24 @@
+# services/bstein-dev-home/portal-e2e-client-secret-sync-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: portal-e2e-client-secret-sync-target
+  namespace: bstein-dev-home
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: portal-e2e-client-secret-sync-target
+  namespace: bstein-dev-home
+subjects:
+  - kind: ServiceAccount
+    name: portal-e2e-client-secret-sync
+    namespace: sso
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: portal-e2e-client-secret-sync-target
--- a/services/keycloak/kustomization.yaml
+++ b/services/keycloak/kustomization.yaml
@ -8,6 +8,8 @@ resources:
  - deployment.yaml
  - realm-settings-job.yaml
  - portal-e2e-client-job.yaml
+  - portal-e2e-client-secret-sync-rbac.yaml
+  - portal-e2e-client-secret-sync-cronjob.yaml
  - portal-e2e-target-client-job.yaml
  - portal-e2e-token-exchange-permissions-job.yaml
  - portal-e2e-token-exchange-test-job.yaml
@ -23,3 +25,6 @@ configMapGenerator:
    files:
      - test_portal_token_exchange.py=../../scripts/tests/test_portal_token_exchange.py
      - test_keycloak_execute_actions_email.py=../../scripts/tests/test_keycloak_execute_actions_email.py
+  - name: portal-e2e-client-secret-sync-script
+    files:
+      - sso_portal_e2e_client_secret_sync.sh=../../scripts/sso_portal_e2e_client_secret_sync.sh
--- a/services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
+++ b/services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
@ -0,0 +1,32 @@
+# services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: portal-e2e-client-secret-sync
+  namespace: sso
+spec:
+  schedule: "*/10 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      template:
+        spec:
+          serviceAccountName: portal-e2e-client-secret-sync
+          restartPolicy: Never
+          containers:
+            - name: sync
+              image: bitnami/kubectl:1.33.1
+              command: ["/usr/bin/env", "bash"]
+              args: ["/scripts/sso_portal_e2e_client_secret_sync.sh"]
+              volumeMounts:
+                - name: script
+                  mountPath: /scripts
+                  readOnly: true
+          volumes:
+            - name: script
+              configMap:
+                name: portal-e2e-client-secret-sync-script
+                defaultMode: 0555
--- a/services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
+++ b/services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
@ -0,0 +1,31 @@
+# services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: portal-e2e-client-secret-sync
+  namespace: sso
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: portal-e2e-client-secret-sync-source
+  namespace: sso
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["portal-e2e-client"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: portal-e2e-client-secret-sync-source
+  namespace: sso
+subjects:
+  - kind: ServiceAccount
+    name: portal-e2e-client-secret-sync
+    namespace: sso
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: portal-e2e-client-secret-sync-source