From 58c880d9cefa70478cf73c12be7c4bbab5f26fd5 Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Wed, 14 Jan 2026 13:20:57 -0300 Subject: [PATCH] keycloak: switch jobs to vault injector --- services/keycloak/deployment.yaml | 46 ++++++++++------- .../harbor-oidc-secret-ensure-job.yaml | 29 +++++------ services/keycloak/kustomization.yaml | 3 -- services/keycloak/ldap-federation-job.yaml | 50 ++++++++++++------- .../keycloak/logs-oidc-secret-ensure-job.yaml | 31 +++++------- services/keycloak/mas-secrets-ensure-job.yaml | 32 ++++++------ services/keycloak/portal-e2e-client-job.yaml | 49 +++++++++++------- ...al-e2e-execute-actions-email-test-job.yaml | 49 +++++++++++------- .../portal-e2e-target-client-job.yaml | 49 +++++++++++------- ...al-e2e-token-exchange-permissions-job.yaml | 50 ++++++++++++------- .../portal-e2e-token-exchange-test-job.yaml | 49 +++++++++++------- services/keycloak/realm-settings-job.yaml | 50 ++++++++++++------- .../scripts/harbor_oidc_secret_ensure.sh | 2 +- .../keycloak/scripts/keycloak_vault_env.sh | 29 ----------- .../scripts/vault_oidc_secret_ensure.sh | 2 +- services/keycloak/secretproviderclass.yaml | 27 ---------- .../synapse-oidc-secret-ensure-job.yaml | 31 +++++------- services/keycloak/user-overrides-job.yaml | 50 ++++++++++++------- .../vault-oidc-secret-ensure-job.yaml | 29 +++++------ 19 files changed, 343 insertions(+), 314 deletions(-) delete mode 100644 services/keycloak/scripts/keycloak_vault_env.sh diff --git a/services/keycloak/deployment.yaml b/services/keycloak/deployment.yaml index 3c116f6..b2842b1 100644 --- a/services/keycloak/deployment.yaml +++ b/services/keycloak/deployment.yaml 
@@ -20,6 +20,34 @@ spec: metadata: labels: app: keycloak + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "sso" + vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" + vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KEYCLOAK_ADMIN="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/keycloak-db" -}} + export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}" + export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}" + export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}} + export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}" + export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/openldap-admin" -}} + export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}" + export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}" + export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}" + export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} spec: serviceAccountName: sso-vault affinity: @@ -73,7 +101,7 @@ spec: command: ["/bin/sh", "-c"] args: - >- - . /vault/scripts/keycloak_vault_env.sh + . /vault/secrets/keycloak-env.sh && exec /opt/keycloak/bin/kc.sh start env: - name: KC_DB 
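Review bot: As written the rendered `keycloak-env.sh` glues each block's last `export` onto the next block's first one: `{{- end }}` trims the newline after `export KEYCLOAK_ADMIN_PASSWORD="…"` and the following `{{- with … -}}` trims everything up to `export KC_DB_URL_DATABASE=`, so the shell sources the single word `…"export` and the admin, DB and e2e-client passwords plus `LDAP_BIND_PASSWORD` all gain a literal `export` suffix. Writing the terminators as `{{ end }}` (no leading dash) keeps one newline at each of the five block boundaries; the same template is repeated verbatim in ldap-federation-job, portal-e2e-client-job, portal-e2e-execute-actions-email-test-job, portal-e2e-target-client-job, portal-e2e-token-exchange-permissions-job, portal-e2e-token-exchange-test-job, realm-settings-job and user-overrides-job, so the fix applies there too. Independently, every value is interpolated raw into a double-quoted shell string, so a secret containing `"`, `$`, a backtick or `\` is truncated or expanded when the file is sourced; emit single-quoted values with embedded quotes escaped (a consul-template `replaceAll` pipeline works) or constrain the character set when the secrets are generated. The single-block templates on the `sso-secrets` jobs are not affected by the concatenation but share the quoting issue.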
@@ -132,25 +160,9 @@ spec: mountPath: /opt/keycloak/data - name: providers mountPath: /opt/keycloak/providers - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true volumes: - name: data persistentVolumeClaim: claimName: keycloak-data - name: providers emptyDir: {} - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: sso-vault - - name: vault-scripts - configMap: - name: sso-vault-env - defaultMode: 0555 diff --git a/services/keycloak/harbor-oidc-secret-ensure-job.yaml b/services/keycloak/harbor-oidc-secret-ensure-job.yaml index 4566e26..aa51f4a 100644 --- a/services/keycloak/harbor-oidc-secret-ensure-job.yaml +++ b/services/keycloak/harbor-oidc-secret-ensure-job.yaml @@ -2,12 +2,23 @@ apiVersion: batch/v1 kind: Job metadata: - name: harbor-oidc-secret-ensure-4 + name: harbor-oidc-secret-ensure-5 namespace: sso spec: backoffLimit: 0 ttlSecondsAfterFinished: 3600 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "sso-secrets" + vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" + vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KEYCLOAK_ADMIN="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}" + {{- end }} spec: serviceAccountName: mas-secrets-ensure restartPolicy: Never 
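Review bot: The Job pod now gets a Vault Agent sidecar but no `vault.hashicorp.com/agent-pre-populate-only: "true"`, so after the ensure script exits the agent container keeps the pod Running, the Job never reaches Complete and `ttlSecondsAfterFinished: 3600` never fires, leaving the rendered admin credentials on the node until someone deletes the pod by hand. Adding `vault.hashicorp.com/agent-pre-populate-only: "true"` next to `agent-inject` limits injection to the init container, which is enough here because the KV values are static and the template is rendered once. The same annotation is missing from every other Job in this commit (ldap-federation, logs-oidc-secret-ensure, mas-secrets-ensure, the five portal-e2e jobs, realm-settings, synapse-oidc-secret-ensure, user-overrides, and presumably vault-oidc-secret-ensure, whose hunk is not in view). Whether the Vault Kubernetes-auth role `sso-secrets` is bound to the `mas-secrets-ensure` service account in namespace `sso` cannot be checked from this diff.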
@@ -16,16 +27,6 @@ spec: configMap: name: harbor-oidc-secret-ensure-script defaultMode: 0555 - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: sso-vault - - name: vault-scripts - configMap: - name: sso-vault-env - defaultMode: 0555 affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -44,9 +45,3 @@ spec: - name: harbor-oidc-secret-ensure-script mountPath: /scripts readOnly: true - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true diff --git a/services/keycloak/kustomization.yaml b/services/keycloak/kustomization.yaml index c34aad4..e141467 100644 --- a/services/keycloak/kustomization.yaml +++ b/services/keycloak/kustomization.yaml @@ -28,9 +28,6 @@ resources: generatorOptions: disableNameSuffixHash: true configMapGenerator: - - name: sso-vault-env - files: - - keycloak_vault_env.sh=scripts/keycloak_vault_env.sh - name: portal-e2e-tests files: - test_portal_token_exchange.py=scripts/tests/test_portal_token_exchange.py diff --git a/services/keycloak/ldap-federation-job.yaml b/services/keycloak/ldap-federation-job.yaml index 06e7a82..68ce057 100644 --- a/services/keycloak/ldap-federation-job.yaml +++ b/services/keycloak/ldap-federation-job.yaml 
@@ -2,11 +2,40 @@ apiVersion: batch/v1 kind: Job metadata: - name: keycloak-ldap-federation-6 + name: keycloak-ldap-federation-7 namespace: sso spec: backoffLimit: 2 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "sso" + vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" + vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KEYCLOAK_ADMIN="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/keycloak-db" -}} + export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}" + export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}" + export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}} + export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}" + export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/openldap-admin" -}} + export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}" + export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}" + export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}" + export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} spec: affinity: nodeAffinity: @@ -41,7 +70,7 @@ spec: args: - | set -euo pipefail - . /vault/scripts/keycloak_vault_env.sh + . /vault/secrets/keycloak-env.sh python - <<'PY' import json import os 
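Review bot: The template under `vault.hashicorp.com/role: "sso"` exports the Keycloak DB credentials, the portal-e2e client secret, both OpenLDAP passwords and the Postmark relay credentials into this job, although a federation job is unlikely to need the DB and SMTP secrets; the script body that would show which variables are actually read is outside the hunk. The `sso-secrets` jobs in this same commit show the narrower pattern (a single `with` block for `kv/data/atlas/shared/keycloak-admin`), and each `sso`-role job could keep only the blocks it uses so that a verbose or compromised job cannot read or log the rest. The same full template is duplicated in portal-e2e-client-job, portal-e2e-execute-actions-email-test-job, portal-e2e-target-client-job, portal-e2e-token-exchange-permissions-job, portal-e2e-token-exchange-test-job, realm-settings-job and user-overrides-job. The previous SecretProviderClass exposed the same breadth, so this is a pre-existing scope rather than a regression, but the per-pod template is the natural place to narrow it.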
@@ -348,20 +377,3 @@ spec: print(f"WARNING: LDAP cleanup failed (continuing): {e}") PY volumeMounts: - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true - volumes: - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: sso-vault - - name: vault-scripts - configMap: - name: sso-vault-env - defaultMode: 0555 diff --git a/services/keycloak/logs-oidc-secret-ensure-job.yaml b/services/keycloak/logs-oidc-secret-ensure-job.yaml index ae5a8aa..7fc3097 100644 --- a/services/keycloak/logs-oidc-secret-ensure-job.yaml +++ b/services/keycloak/logs-oidc-secret-ensure-job.yaml @@ -2,12 +2,23 @@ apiVersion: batch/v1 kind: Job metadata: - name: logs-oidc-secret-ensure-3 + name: logs-oidc-secret-ensure-4 namespace: sso spec: backoffLimit: 0 ttlSecondsAfterFinished: 3600 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "sso-secrets" + vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" + vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KEYCLOAK_ADMIN="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}" + {{- end }} spec: serviceAccountName: mas-secrets-ensure restartPolicy: Never @@ -18,7 +29,7 @@ spec: args: - | set -euo pipefail - . /vault/scripts/keycloak_vault_env.sh + . /vault/secrets/keycloak-admin-env.sh apk add --no-cache curl jq kubectl openssl >/dev/null KC_URL="http://keycloak.sso.svc.cluster.local" 
@@ -110,20 +121,4 @@ spec: --from-literal=cookie_secret="${COOKIE_SECRET}" \ --dry-run=client -o yaml | kubectl -n logging apply -f - >/dev/null volumeMounts: - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true volumes: - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: sso-vault - - name: vault-scripts - configMap: - name: sso-vault-env - defaultMode: 0555 diff --git a/services/keycloak/mas-secrets-ensure-job.yaml b/services/keycloak/mas-secrets-ensure-job.yaml index 75d8300..3b6e15e 100644 --- a/services/keycloak/mas-secrets-ensure-job.yaml +++ b/services/keycloak/mas-secrets-ensure-job.yaml @@ -10,28 +10,30 @@ imagePullSecrets: apiVersion: batch/v1 kind: Job metadata: - name: mas-secrets-ensure-15 + name: mas-secrets-ensure-16 namespace: sso spec: backoffLimit: 0 ttlSecondsAfterFinished: 3600 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/role: "sso-secrets" + vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" + vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KEYCLOAK_ADMIN="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}" + {{- end }} spec: serviceAccountName: mas-secrets-ensure restartPolicy: Never volumes: - name: work emptyDir: {} - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: sso-vault - - name: vault-scripts - configMap: - name: sso-vault-env - defaultMode: 0555 initContainers: - name: generate image: alpine:3.20 
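Review bot: Dropping the `vault-secrets` CSI mount is necessary because the injector renders into `/vault/secrets` as well, but the `sso-secrets` template on this job only exports the Keycloak admin variables, while the SecretProviderClass still publishes `oauth2-proxy-oidc__cookie_secret` and the `--from-literal=cookie_secret="${COOKIE_SECRET}"` line in this hunk does not show where `COOKIE_SECRET` comes from. If it was read from the old CSI object rather than generated with the `openssl` the job installs, the job now fails on a missing file; the assignment is outside the hunk, so please confirm. A guard before the kubectl call, `: "${COOKIE_SECRET:?cookie secret not set}"`, would also turn an empty value into an explicit failure, which `set -u` alone does not catch.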
@@ -39,7 +41,7 @@ spec: args: - | set -euo pipefail - . /vault/scripts/keycloak_vault_env.sh + . /vault/secrets/keycloak-admin-env.sh umask 077 apk add --no-cache curl openssl jq >/dev/null @@ -84,12 +86,6 @@ spec: volumeMounts: - name: work mountPath: /work - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true containers: - name: apply image: registry.bstein.dev/bstein/kubectl:1.35.0 diff --git a/services/keycloak/portal-e2e-client-job.yaml b/services/keycloak/portal-e2e-client-job.yaml index 1653656..2cb50ca 100644 --- a/services/keycloak/portal-e2e-client-job.yaml +++ b/services/keycloak/portal-e2e-client-job.yaml 
@@ -2,11 +2,40 @@ apiVersion: batch/v1 kind: Job metadata: - name: keycloak-portal-e2e-client-3 + name: keycloak-portal-e2e-client-4 namespace: sso spec: backoffLimit: 0 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "sso" + vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" + vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KEYCLOAK_ADMIN="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/keycloak-db" -}} + export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}" + export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}" + export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}} + export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}" + export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/openldap-admin" -}} + export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}" + export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}" + export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}" + export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} spec: restartPolicy: Never serviceAccountName: sso-vault @@ -22,7 +51,7 @@ spec: args: - | set -euo pipefail - . /vault/scripts/keycloak_vault_env.sh + . /vault/secrets/keycloak-env.sh python - <<'PY' import json import os 
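Review bot: This job runs with `serviceAccountName: sso-vault` and `vault.hashicorp.com/role: "sso"`, the same identity as the Keycloak server Deployment, so the e2e test pods hold the server's Vault identity and, through the shared template, the server process exports `PORTAL_E2E_CLIENT_SECRET` it has no use for. A dedicated service account and Vault role for the e2e jobs, with a policy limited to `kv/data/atlas/shared/keycloak-admin` and `kv/data/atlas/shared/portal-e2e-client`, would separate the two trust domains and let the Deployment template drop the e2e block. The same service account and role appear in portal-e2e-execute-actions-email-test-job, portal-e2e-target-client-job, portal-e2e-token-exchange-permissions-job and portal-e2e-token-exchange-test-job.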
@@ -228,20 +257,4 @@ spec: raise SystemExit(f"Role mapping update failed (status={status}) resp={resp}") PY volumeMounts: - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true volumes: - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: sso-vault - - name: vault-scripts - configMap: - name: sso-vault-env - defaultMode: 0555 diff --git a/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml b/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml index 9bba6a4..c80e3eb 100644 --- a/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml +++ b/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml 
@@ -2,11 +2,40 @@ apiVersion: batch/v1 kind: Job metadata: - name: keycloak-portal-e2e-execute-actions-email-6 + name: keycloak-portal-e2e-execute-actions-email-7 namespace: sso spec: backoffLimit: 3 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "sso" + vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" + vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KEYCLOAK_ADMIN="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/keycloak-db" -}} + export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}" + export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}" + export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}} + export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}" + export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/openldap-admin" -}} + export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}" + export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}" + export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}" + export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} spec: restartPolicy: Never serviceAccountName: sso-vault 
@@ -30,30 +59,14 @@ spec: args: - | set -euo pipefail - . /vault/scripts/keycloak_vault_env.sh + . /vault/secrets/keycloak-env.sh python /scripts/test_keycloak_execute_actions_email.py volumeMounts: - name: tests mountPath: /scripts readOnly: true - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true volumes: - name: tests configMap: name: portal-e2e-tests defaultMode: 0555 - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: sso-vault - - name: vault-scripts - configMap: - name: sso-vault-env - defaultMode: 0555 diff --git a/services/keycloak/portal-e2e-target-client-job.yaml b/services/keycloak/portal-e2e-target-client-job.yaml index a608b40..c4dcd0f 100644 --- a/services/keycloak/portal-e2e-target-client-job.yaml +++ b/services/keycloak/portal-e2e-target-client-job.yaml 
@@ -2,11 +2,40 @@ apiVersion: batch/v1 kind: Job metadata: - name: keycloak-portal-e2e-target-2 + name: keycloak-portal-e2e-target-3 namespace: sso spec: backoffLimit: 0 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "sso" + vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" + vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KEYCLOAK_ADMIN="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/keycloak-db" -}} + export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}" + export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}" + export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}} + export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}" + export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/openldap-admin" -}} + export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}" + export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}" + export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}" + export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} spec: restartPolicy: Never serviceAccountName: sso-vault @@ -24,7 +53,7 @@ spec: args: - | set -euo pipefail - . /vault/scripts/keycloak_vault_env.sh + . /vault/secrets/keycloak-env.sh python - <<'PY' import json import os 
@@ -129,20 +158,4 @@ spec: print(f"OK: ensured token exchange enabled on client {target_client_id}") PY volumeMounts: - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true volumes: - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: sso-vault - - name: vault-scripts - configMap: - name: sso-vault-env - defaultMode: 0555 diff --git a/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml b/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml index c34e889..cbd21ac 100644 --- a/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml +++ b/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml 
@@ -2,11 +2,40 @@ apiVersion: batch/v1 kind: Job metadata: - name: keycloak-portal-e2e-token-exchange-permissions-6 + name: keycloak-portal-e2e-token-exchange-permissions-7 namespace: sso spec: backoffLimit: 6 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "sso" + vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" + vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KEYCLOAK_ADMIN="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/keycloak-db" -}} + export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}" + export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}" + export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}} + export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}" + export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/openldap-admin" -}} + export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}" + export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}" + export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}" + export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} spec: restartPolicy: Never serviceAccountName: sso-vault @@ -26,7 +55,7 @@ spec: args: - | set -euo pipefail - . /vault/scripts/keycloak_vault_env.sh + . /vault/secrets/keycloak-env.sh python - <<'PY' import json import os 
@@ -262,20 +291,3 @@ spec: print("OK: configured token exchange permissions for portal E2E client") PY volumeMounts: - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true - volumes: - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: sso-vault - - name: vault-scripts - configMap: - name: sso-vault-env - defaultMode: 0555 diff --git a/services/keycloak/portal-e2e-token-exchange-test-job.yaml b/services/keycloak/portal-e2e-token-exchange-test-job.yaml index 69f5d2e..56c7ce5 100644 --- a/services/keycloak/portal-e2e-token-exchange-test-job.yaml +++ b/services/keycloak/portal-e2e-token-exchange-test-job.yaml 
@@ -2,12 +2,41 @@ apiVersion: batch/v1 kind: Job metadata: - name: keycloak-portal-e2e-token-exchange-test-2 + name: keycloak-portal-e2e-token-exchange-test-3 namespace: sso spec: backoffLimit: 6 ttlSecondsAfterFinished: 3600 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "sso" + vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" + vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KEYCLOAK_ADMIN="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/keycloak-db" -}} + export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}" + export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}" + export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}} + export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}" + export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/openldap-admin" -}} + export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}" + export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}" + export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}" + export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} spec: restartPolicy: Never serviceAccountName: sso-vault 
@@ -31,30 +60,14 @@ spec: args: - | set -euo pipefail - . /vault/scripts/keycloak_vault_env.sh + . /vault/secrets/keycloak-env.sh python /scripts/test_portal_token_exchange.py volumeMounts: - name: tests mountPath: /scripts readOnly: true - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true volumes: - name: tests configMap: name: portal-e2e-tests defaultMode: 0555 - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: sso-vault - - name: vault-scripts - configMap: - name: sso-vault-env - defaultMode: 0555 diff --git a/services/keycloak/realm-settings-job.yaml b/services/keycloak/realm-settings-job.yaml index 5cabe3c..f44dcd4 100644 --- a/services/keycloak/realm-settings-job.yaml +++ b/services/keycloak/realm-settings-job.yaml 
@@ -2,11 +2,40 @@ apiVersion: batch/v1 kind: Job metadata: - name: keycloak-realm-settings-18 + name: keycloak-realm-settings-19 namespace: sso spec: backoffLimit: 0 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "sso" + vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" + vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KEYCLOAK_ADMIN="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}" + export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/keycloak-db" -}} + export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}" + export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}" + export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}} + export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}" + export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} + {{- with secret "kv/data/atlas/sso/openldap-admin" -}} + export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}" + export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}" + export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}" + export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} spec: affinity: nodeAffinity: @@ -44,7 +73,7 @@ spec: args: - | set -euo pipefail - . /vault/scripts/keycloak_vault_env.sh + . /vault/secrets/keycloak-env.sh python - <<'PY' import json import os 
@@ -439,20 +468,3 @@ spec: ) PY volumeMounts: - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true - volumes: - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: sso-vault - - name: vault-scripts - configMap: - name: sso-vault-env - defaultMode: 0555 diff --git a/services/keycloak/scripts/harbor_oidc_secret_ensure.sh b/services/keycloak/scripts/harbor_oidc_secret_ensure.sh index f2dafc6..beef591 100755 --- a/services/keycloak/scripts/harbor_oidc_secret_ensure.sh +++ b/services/keycloak/scripts/harbor_oidc_secret_ensure.sh @@ -3,7 +3,7 @@ set -euo pipefail apk add --no-cache curl jq kubectl >/dev/null -. /vault/scripts/keycloak_vault_env.sh +. /vault/secrets/keycloak-admin-env.sh KC_URL="http://keycloak.sso.svc.cluster.local" ACCESS_TOKEN="" diff --git a/services/keycloak/scripts/keycloak_vault_env.sh b/services/keycloak/scripts/keycloak_vault_env.sh deleted file mode 100644 index dd68fc7..0000000 --- a/services/keycloak/scripts/keycloak_vault_env.sh +++ /dev/null 
@@ -1,29 +0,0 @@ -#!/usr/bin/env sh -set -eu - -vault_dir="/vault/secrets" - -read_secret() { - cat "${vault_dir}/$1" -} - -admin_user="$(read_secret keycloak-admin__username)" -admin_password="$(read_secret keycloak-admin__password)" - -export KEYCLOAK_ADMIN="${admin_user}" -export KEYCLOAK_ADMIN_USER="${admin_user}" -export KEYCLOAK_ADMIN_PASSWORD="${admin_password}" - -export KC_DB_URL_DATABASE="$(read_secret keycloak-db__POSTGRES_DATABASE)" -export KC_DB_USERNAME="$(read_secret keycloak-db__POSTGRES_USER)" -export KC_DB_PASSWORD="$(read_secret keycloak-db__POSTGRES_PASSWORD)" - -export PORTAL_E2E_CLIENT_ID="$(read_secret portal-e2e-client__client_id)" -export PORTAL_E2E_CLIENT_SECRET="$(read_secret portal-e2e-client__client_secret)" - -export LDAP_ADMIN_PASSWORD="$(read_secret openldap-admin__LDAP_ADMIN_PASSWORD)" -export LDAP_CONFIG_PASSWORD="$(read_secret openldap-admin__LDAP_CONFIG_PASSWORD)" -export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}" - -export KEYCLOAK_SMTP_USER="$(read_secret postmark-relay__relay-username)" -export KEYCLOAK_SMTP_PASSWORD="$(read_secret postmark-relay__relay-password)" diff --git a/services/keycloak/scripts/vault_oidc_secret_ensure.sh b/services/keycloak/scripts/vault_oidc_secret_ensure.sh index 680057f..20d39c1 100755 --- a/services/keycloak/scripts/vault_oidc_secret_ensure.sh +++ b/services/keycloak/scripts/vault_oidc_secret_ensure.sh @@ -3,7 +3,7 @@ set -euo pipefail apk add --no-cache curl jq kubectl >/dev/null -. /vault/scripts/keycloak_vault_env.sh +. /vault/secrets/keycloak-admin-env.sh KC_URL="http://keycloak.sso.svc.cluster.local" ACCESS_TOKEN="" diff --git a/services/keycloak/secretproviderclass.yaml b/services/keycloak/secretproviderclass.yaml index e78e57e..95e28be 100644 --- a/services/keycloak/secretproviderclass.yaml +++ b/services/keycloak/secretproviderclass.yaml 
@@ -10,27 +10,6 @@ spec: vaultAddress: "http://vault.vault.svc.cluster.local:8200" roleName: "sso" objects: | - - objectName: "keycloak-db__POSTGRES_DATABASE" - secretPath: "kv/data/atlas/sso/keycloak-db" - secretKey: "POSTGRES_DATABASE" - - objectName: "keycloak-db__POSTGRES_USER" - secretPath: "kv/data/atlas/sso/keycloak-db" - secretKey: "POSTGRES_USER" - - objectName: "keycloak-db__POSTGRES_PASSWORD" - secretPath: "kv/data/atlas/sso/keycloak-db" - secretKey: "POSTGRES_PASSWORD" - - objectName: "keycloak-admin__username" - secretPath: "kv/data/atlas/shared/keycloak-admin" - secretKey: "username" - - objectName: "keycloak-admin__password" - secretPath: "kv/data/atlas/shared/keycloak-admin" - secretKey: "password" - - objectName: "portal-e2e-client__client_id" - secretPath: "kv/data/atlas/shared/portal-e2e-client" - secretKey: "client_id" - - objectName: "portal-e2e-client__client_secret" - secretPath: "kv/data/atlas/shared/portal-e2e-client" - secretKey: "client_secret" - objectName: "openldap-admin__LDAP_ADMIN_PASSWORD" secretPath: "kv/data/atlas/sso/openldap-admin" secretKey: "LDAP_ADMIN_PASSWORD" @@ -46,12 +25,6 @@ spec: - objectName: "oauth2-proxy-oidc__cookie_secret" secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc" secretKey: "cookie_secret" - - objectName: "postmark-relay__relay-username" - secretPath: "kv/data/atlas/shared/postmark-relay" - secretKey: "relay-username" - - objectName: "postmark-relay__relay-password" - secretPath: "kv/data/atlas/shared/postmark-relay" - secretKey: "relay-password" - objectName: "harbor-pull__dockerconfigjson" secretPath: "kv/data/atlas/harbor-pull/sso" secretKey: "dockerconfigjson" diff --git a/services/keycloak/synapse-oidc-secret-ensure-job.yaml b/services/keycloak/synapse-oidc-secret-ensure-job.yaml index 5f96cb1..1e4878d 100644 --- a/services/keycloak/synapse-oidc-secret-ensure-job.yaml +++ b/services/keycloak/synapse-oidc-secret-ensure-job.yaml 
@@ -2,12 +2,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: synapse-oidc-secret-ensure-5
+ name: synapse-oidc-secret-ensure-6
 namespace: sso
 spec:
 backoffLimit: 0
 ttlSecondsAfterFinished: 3600
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "sso-secrets"
+ vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
+ vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
+ {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+ export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+ export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+ export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+ {{- end }}
 spec:
 serviceAccountName: mas-secrets-ensure
 restartPolicy: Never
@@ -18,7 +29,7 @@ spec:
 args:
 - |
 set -euo pipefail
- . /vault/scripts/keycloak_vault_env.sh
+ . /vault/secrets/keycloak-admin-env.sh
 apk add --no-cache curl jq >/dev/null
 KC_URL="http://keycloak.sso.svc.cluster.local"
@@ -70,20 +81,4 @@ spec:
 curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
 -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/synapse-oidc" >/dev/null
 volumeMounts:
- - name: vault-secrets
- mountPath: /vault/secrets
- readOnly: true
- - name: vault-scripts
- mountPath: /vault/scripts
- readOnly: true
 volumes:
- - name: vault-secrets
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: sso-vault
- - name: vault-scripts
- configMap:
- name: sso-vault-env
- defaultMode: 0555
diff --git a/services/keycloak/user-overrides-job.yaml b/services/keycloak/user-overrides-job.yaml
index 0ea4f1f..495af18 100644
--- a/services/keycloak/user-overrides-job.yaml
+++ b/services/keycloak/user-overrides-job.yaml
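Review bot: The pod annotations enable the agent injector on a Job but do not set `vault.hashicorp.com/agent-pre-populate-only: "true"`, so unless the injector in this cluster runs the agent as a native sidecar, the agent container keeps running after the script exits, the pod never reaches Completed, and `ttlSecondsAfterFinished: 3600` with `restartPolicy: Never` never takes effect. Add that annotation next to `vault.hashicorp.com/agent-inject: "true"`; the rendered file is only needed at start-up, and init-container-only mode also ends the agent's Vault token with the init container instead of keeping it alive for the pod's lifetime. The same omission is in the template annotations of user-overrides-job.yaml and vault-oidc-secret-ensure-job.yaml.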
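Review bot: Deleting every entry under `volumeMounts:` and `volumes:` in the last hunk leaves both as bare keys, which YAML reads as null; the API server should tolerate that, but the manifest now suggests mounts that do not exist and empty-value linting will flag it. Either drop both keys, or make the intent explicit with `volumeMounts: []` and `volumes: []` if they are meant to stay as extension points. user-overrides-job.yaml keeps the same dangling `volumeMounts:` key after its deletion hunk.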
@@ -2,11 +2,40 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: keycloak-user-overrides-2
+ name: keycloak-user-overrides-3
 namespace: sso
 spec:
 backoffLimit: 0
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "sso"
+ vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
+ vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
+ {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+ export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+ export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+ export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+ {{- end }}
+ {{- with secret "kv/data/atlas/sso/keycloak-db" -}}
+ export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
+ export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
+ export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
+ {{- end }}
+ {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
+ export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
+ export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+ {{- end }}
+ {{- with secret "kv/data/atlas/sso/openldap-admin" -}}
+ export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
+ export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
+ export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+ {{- end }}
+ {{- with secret "kv/data/atlas/shared/postmark-relay" -}}
+ export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
+ export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
+ {{- end }}
 spec:
 affinity:
 nodeAffinity:
@@ -36,7 +65,7 @@ spec:
 args:
 - |
 set -euo pipefail
- . /vault/scripts/keycloak_vault_env.sh
+ . /vault/secrets/keycloak-env.sh
 python - <<'PY'
 import json
 import os
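Review bot: The template added to this Job renders the Keycloak DB credentials, the LDAP admin and config passwords, the portal-e2e client secret and the SMTP relay credentials into a one-off pod, although the only consumer of the sourced `keycloak-env.sh` is the Python user-overrides script, whose body is outside this hunk and — judging by the sibling synapse-oidc-secret-ensure-job.yaml, which injects only the keycloak-admin secret — most likely needs just `KEYCLOAK_ADMIN*`. Keep the file name so the `. /vault/secrets/keycloak-env.sh` line in the second hunk stays as is, but cut the template to the first `{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}` … `{{- end }}` block and drop the four blocks that follow, and consider a role scoped like `sso-secrets` instead of the deployment's `sso` role (which service account this pod runs as is not visible here). If the script does read any of the DB or LDAP values, a comment on the template naming them would document why the wider grant is needed.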
@@ -136,20 +165,3 @@ spec:
 raise SystemExit(f"Unexpected user update response: {status}")
 PY
 volumeMounts:
- - name: vault-secrets
- mountPath: /vault/secrets
- readOnly: true
- - name: vault-scripts
- mountPath: /vault/scripts
- readOnly: true
- volumes:
- - name: vault-secrets
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: sso-vault
- - name: vault-scripts
- configMap:
- name: sso-vault-env
- defaultMode: 0555
diff --git a/services/keycloak/vault-oidc-secret-ensure-job.yaml b/services/keycloak/vault-oidc-secret-ensure-job.yaml
index f27335a..797cada 100644
--- a/services/keycloak/vault-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/vault-oidc-secret-ensure-job.yaml
@@ -2,12 +2,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: vault-oidc-secret-ensure-2
+ name: vault-oidc-secret-ensure-3
 namespace: sso
 spec:
 backoffLimit: 0
 ttlSecondsAfterFinished: 3600
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "sso-secrets"
+ vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
+ vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
+ {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+ export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+ export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+ export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+ {{- end }}
 spec:
 serviceAccountName: mas-secrets-ensure
 restartPolicy: Never
@@ -16,16 +27,6 @@ spec:
 configMap:
 name: vault-oidc-secret-ensure-script
 defaultMode: 0555
- - name: vault-secrets
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: sso-vault
- - name: vault-scripts
- configMap:
- name: sso-vault-env
- defaultMode: 0555
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
@@ -44,9 +45,3 @@ spec:
 - name: vault-oidc-secret-ensure-script
 mountPath: /scripts
 readOnly: true
- - name: vault-secrets
- mountPath: /vault/secrets
- readOnly: true
- - name: vault-scripts
- mountPath: /vault/scripts
- readOnly: true