bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

keycloak: retry MAS secret bootstrap

Browse Source
This commit is contained in:
Brad Stein 2026-01-08 02:12:40 -03:00
parent 05848223eb
commit 2aea7e3601
1 changed files with 18 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
services/keycloak/mas-secrets-ensure-job.yaml
View File

@ -8,7 +8,7 @@ metadata:
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: mas-secrets-ensure-1 name: mas-secrets-ensure-2
namespace: sso namespace: sso
spec: spec:
backoffLimit: 2 backoffLimit: 2
@ -30,27 +30,33 @@ spec:
apk add --no-cache curl openssl jq >/dev/null apk add --no-cache curl openssl jq >/dev/null
KC_URL="http://keycloak.sso.svc.cluster.local" KC_URL="http://keycloak.sso.svc.cluster.local"
TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \ ACCESS_TOKEN=""
-H 'Content-Type: application/x-www-form-urlencoded' \ for attempt in 1 2 3 4 5; do
-d "grant_type=password" \ TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
-d "client_id=admin-cli" \ -H 'Content-Type: application/x-www-form-urlencoded' \
-d "username=${KEYCLOAK_ADMIN}" \ -d "grant_type=password" \
-d "password=${KEYCLOAK_ADMIN_PASSWORD}")" -d "client_id=admin-cli" \
ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token')" -d "username=${KEYCLOAK_ADMIN}" \
-d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
break
fi
echo "Keycloak token request failed (attempt ${attempt})" >&2
sleep $((attempt * 2))
done
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
echo "Failed to fetch Keycloak admin token" >&2 echo "Failed to fetch Keycloak admin token" >&2
exit 1 exit 1
fi fi
CLIENT_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ CLIENT_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
"$KC_URL/admin/realms/atlas/clients?clientId=othrys-mas" | jq -r '.[0].id')" "$KC_URL/admin/realms/atlas/clients?clientId=othrys-mas" | jq -r '.[0].id' 2>/dev/null || true)"
if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
echo "Keycloak client othrys-mas not found" >&2 echo "Keycloak client othrys-mas not found" >&2
exit 1 exit 1
fi fi
CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value')" "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
echo "Keycloak client secret not found" >&2 echo "Keycloak client secret not found" >&2
exit 1 exit 1