keycloak: switch jobs to vault injector

services/keycloak/deployment.yaml

@@ -20,6 +20,34 @@ spec:
     metadata:
       labels:
         app: keycloak
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso"
+        vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/keycloak-db" -}}
+          export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
+          export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
+          export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
+          export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
+          export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/openldap-admin" -}}
+          export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
+          export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
+          export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/postmark-relay" -}}
+          export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
+          export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
+          {{- end }}
     spec:
       serviceAccountName: sso-vault
       affinity:
@@ -73,7 +101,7 @@ spec:
           command: ["/bin/sh", "-c"]
           args:
             - >-
-              . /vault/scripts/keycloak_vault_env.sh
+              . /vault/secrets/keycloak-env.sh
               && exec /opt/keycloak/bin/kc.sh start
           env:
             - name: KC_DB
@@ -132,25 +160,9 @@ spec:
               mountPath: /opt/keycloak/data
             - name: providers
               mountPath: /opt/keycloak/providers
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
       volumes:
         - name: data
           persistentVolumeClaim:
             claimName: keycloak-data
         - name: providers
           emptyDir: {}
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555

services/keycloak/harbor-oidc-secret-ensure-job.yaml

@@ -2,12 +2,23 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: harbor-oidc-secret-ensure-4
+  name: harbor-oidc-secret-ensure-5
   namespace: sso
 spec:
   backoffLimit: 0
   ttlSecondsAfterFinished: 3600
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso-secrets"
+        vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
     spec:
       serviceAccountName: mas-secrets-ensure
       restartPolicy: Never
@@ -16,16 +27,6 @@ spec:
           configMap:
             name: harbor-oidc-secret-ensure-script
             defaultMode: 0555
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -44,9 +45,3 @@ spec:
             - name: harbor-oidc-secret-ensure-script
               mountPath: /scripts
               readOnly: true
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true

services/keycloak/kustomization.yaml

@@ -28,9 +28,6 @@ resources:
 generatorOptions:
   disableNameSuffixHash: true
 configMapGenerator:
-  - name: sso-vault-env
-    files:
-      - keycloak_vault_env.sh=scripts/keycloak_vault_env.sh
   - name: portal-e2e-tests
     files:
       - test_portal_token_exchange.py=scripts/tests/test_portal_token_exchange.py

services/keycloak/ldap-federation-job.yaml

@@ -2,11 +2,40 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-ldap-federation-6
+  name: keycloak-ldap-federation-7
   namespace: sso
 spec:
   backoffLimit: 2
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso"
+        vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/keycloak-db" -}}
+          export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
+          export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
+          export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
+          export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
+          export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/openldap-admin" -}}
+          export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
+          export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
+          export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/postmark-relay" -}}
+          export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
+          export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
+          {{- end }}
     spec:
       affinity:
         nodeAffinity:
@@ -41,7 +70,7 @@ spec:
           args:
             - |
               set -euo pipefail
-              . /vault/scripts/keycloak_vault_env.sh
+              . /vault/secrets/keycloak-env.sh
               python - <<'PY'
               import json
               import os
@@ -348,20 +377,3 @@ spec:
                   print(f"WARNING: LDAP cleanup failed (continuing): {e}")
               PY
           volumeMounts:
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
-      volumes:
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555

services/keycloak/logs-oidc-secret-ensure-job.yaml

@@ -2,12 +2,23 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: logs-oidc-secret-ensure-3
+  name: logs-oidc-secret-ensure-4
   namespace: sso
 spec:
   backoffLimit: 0
   ttlSecondsAfterFinished: 3600
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso-secrets"
+        vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
     spec:
       serviceAccountName: mas-secrets-ensure
       restartPolicy: Never
@@ -18,7 +29,7 @@ spec:
           args:
             - |
               set -euo pipefail
-              . /vault/scripts/keycloak_vault_env.sh
+              . /vault/secrets/keycloak-admin-env.sh
               apk add --no-cache curl jq kubectl openssl >/dev/null
 
               KC_URL="http://keycloak.sso.svc.cluster.local"
@@ -110,20 +121,4 @@ spec:
                 --from-literal=cookie_secret="${COOKIE_SECRET}" \
                 --dry-run=client -o yaml | kubectl -n logging apply -f - >/dev/null
           volumeMounts:
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
       volumes:
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555

services/keycloak/mas-secrets-ensure-job.yaml

@@ -10,28 +10,30 @@ imagePullSecrets:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: mas-secrets-ensure-15
+  name: mas-secrets-ensure-16
   namespace: sso
 spec:
   backoffLimit: 0
   ttlSecondsAfterFinished: 3600
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/role: "sso-secrets"
+        vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
     spec:
       serviceAccountName: mas-secrets-ensure
       restartPolicy: Never
       volumes:
         - name: work
           emptyDir: {}
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555
       initContainers:
         - name: generate
           image: alpine:3.20
@@ -39,7 +41,7 @@ spec:
           args:
             - |
               set -euo pipefail
-              . /vault/scripts/keycloak_vault_env.sh
+              . /vault/secrets/keycloak-admin-env.sh
               umask 077
               apk add --no-cache curl openssl jq >/dev/null
 
@@ -84,12 +86,6 @@ spec:
           volumeMounts:
             - name: work
               mountPath: /work
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
       containers:
         - name: apply
           image: registry.bstein.dev/bstein/kubectl:1.35.0

services/keycloak/portal-e2e-client-job.yaml

@@ -2,11 +2,40 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-portal-e2e-client-3
+  name: keycloak-portal-e2e-client-4
   namespace: sso
 spec:
   backoffLimit: 0
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso"
+        vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/keycloak-db" -}}
+          export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
+          export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
+          export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
+          export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
+          export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/openldap-admin" -}}
+          export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
+          export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
+          export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/postmark-relay" -}}
+          export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
+          export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
+          {{- end }}
     spec:
       restartPolicy: Never
       serviceAccountName: sso-vault
@@ -22,7 +51,7 @@ spec:
           args:
             - |
               set -euo pipefail
-              . /vault/scripts/keycloak_vault_env.sh
+              . /vault/secrets/keycloak-env.sh
               python - <<'PY'
               import json
               import os
@@ -228,20 +257,4 @@ spec:
                       raise SystemExit(f"Role mapping update failed (status={status}) resp={resp}")
               PY
           volumeMounts:
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
       volumes:
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555

services/keycloak/portal-e2e-execute-actions-email-test-job.yaml

@@ -2,11 +2,40 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-portal-e2e-execute-actions-email-6
+  name: keycloak-portal-e2e-execute-actions-email-7
   namespace: sso
 spec:
   backoffLimit: 3
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso"
+        vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/keycloak-db" -}}
+          export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
+          export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
+          export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
+          export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
+          export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/openldap-admin" -}}
+          export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
+          export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
+          export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/postmark-relay" -}}
+          export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
+          export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
+          {{- end }}
     spec:
       restartPolicy: Never
       serviceAccountName: sso-vault
@@ -30,30 +59,14 @@ spec:
           args:
             - |
               set -euo pipefail
-              . /vault/scripts/keycloak_vault_env.sh
+              . /vault/secrets/keycloak-env.sh
               python /scripts/test_keycloak_execute_actions_email.py
           volumeMounts:
             - name: tests
               mountPath: /scripts
               readOnly: true
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
       volumes:
         - name: tests
           configMap:
             name: portal-e2e-tests
             defaultMode: 0555
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555

services/keycloak/portal-e2e-target-client-job.yaml

@@ -2,11 +2,40 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-portal-e2e-target-2
+  name: keycloak-portal-e2e-target-3
   namespace: sso
 spec:
   backoffLimit: 0
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso"
+        vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/keycloak-db" -}}
+          export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
+          export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
+          export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
+          export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
+          export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/openldap-admin" -}}
+          export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
+          export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
+          export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/postmark-relay" -}}
+          export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
+          export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
+          {{- end }}
     spec:
       restartPolicy: Never
       serviceAccountName: sso-vault
@@ -24,7 +53,7 @@ spec:
           args:
             - |
               set -euo pipefail
-              . /vault/scripts/keycloak_vault_env.sh
+              . /vault/secrets/keycloak-env.sh
               python - <<'PY'
               import json
               import os
@@ -129,20 +158,4 @@ spec:
               print(f"OK: ensured token exchange enabled on client {target_client_id}")
               PY
           volumeMounts:
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
       volumes:
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555

services/keycloak/portal-e2e-token-exchange-permissions-job.yaml

@@ -2,11 +2,40 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-portal-e2e-token-exchange-permissions-6
+  name: keycloak-portal-e2e-token-exchange-permissions-7
   namespace: sso
 spec:
   backoffLimit: 6
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso"
+        vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/keycloak-db" -}}
+          export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
+          export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
+          export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
+          export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
+          export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/openldap-admin" -}}
+          export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
+          export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
+          export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/postmark-relay" -}}
+          export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
+          export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
+          {{- end }}
     spec:
       restartPolicy: Never
       serviceAccountName: sso-vault
@@ -26,7 +55,7 @@ spec:
           args:
             - |
               set -euo pipefail
-              . /vault/scripts/keycloak_vault_env.sh
+              . /vault/secrets/keycloak-env.sh
               python - <<'PY'
               import json
               import os
@@ -262,20 +291,3 @@ spec:
               print("OK: configured token exchange permissions for portal E2E client")
               PY
           volumeMounts:
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
-      volumes:
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555

services/keycloak/portal-e2e-token-exchange-test-job.yaml

@@ -2,12 +2,41 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-portal-e2e-token-exchange-test-2
+  name: keycloak-portal-e2e-token-exchange-test-3
   namespace: sso
 spec:
   backoffLimit: 6
   ttlSecondsAfterFinished: 3600
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso"
+        vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/keycloak-db" -}}
+          export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
+          export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
+          export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
+          export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
+          export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/openldap-admin" -}}
+          export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
+          export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
+          export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/postmark-relay" -}}
+          export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
+          export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
+          {{- end }}
     spec:
       restartPolicy: Never
       serviceAccountName: sso-vault
@@ -31,30 +60,14 @@ spec:
           args:
             - |
               set -euo pipefail
-              . /vault/scripts/keycloak_vault_env.sh
+              . /vault/secrets/keycloak-env.sh
               python /scripts/test_portal_token_exchange.py
           volumeMounts:
             - name: tests
               mountPath: /scripts
               readOnly: true
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
       volumes:
         - name: tests
           configMap:
             name: portal-e2e-tests
             defaultMode: 0555
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555

services/keycloak/realm-settings-job.yaml

@@ -2,11 +2,40 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-realm-settings-18
+  name: keycloak-realm-settings-19
   namespace: sso
 spec:
   backoffLimit: 0
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso"
+        vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/keycloak-db" -}}
+          export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
+          export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
+          export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
+          export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
+          export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/openldap-admin" -}}
+          export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
+          export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
+          export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/postmark-relay" -}}
+          export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
+          export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
+          {{- end }}
     spec:
       affinity:
         nodeAffinity:
@@ -44,7 +73,7 @@ spec:
           args:
             - |
               set -euo pipefail
-              . /vault/scripts/keycloak_vault_env.sh
+              . /vault/secrets/keycloak-env.sh
               python - <<'PY'
               import json
               import os
@@ -439,20 +468,3 @@ spec:
                           )
               PY
           volumeMounts:
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
-      volumes:
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555

services/keycloak/scripts/harbor_oidc_secret_ensure.sh

@@ -3,7 +3,7 @@ set -euo pipefail
 
 apk add --no-cache curl jq kubectl >/dev/null
 
-. /vault/scripts/keycloak_vault_env.sh
+. /vault/secrets/keycloak-admin-env.sh
 
 KC_URL="http://keycloak.sso.svc.cluster.local"
 ACCESS_TOKEN=""

services/keycloak/scripts/keycloak_vault_env.sh

@@ -1,29 +0,0 @@
-#!/usr/bin/env sh
-set -eu
-
-vault_dir="/vault/secrets"
-
-read_secret() {
-  cat "${vault_dir}/$1"
-}
-
-admin_user="$(read_secret keycloak-admin__username)"
-admin_password="$(read_secret keycloak-admin__password)"
-
-export KEYCLOAK_ADMIN="${admin_user}"
-export KEYCLOAK_ADMIN_USER="${admin_user}"
-export KEYCLOAK_ADMIN_PASSWORD="${admin_password}"
-
-export KC_DB_URL_DATABASE="$(read_secret keycloak-db__POSTGRES_DATABASE)"
-export KC_DB_USERNAME="$(read_secret keycloak-db__POSTGRES_USER)"
-export KC_DB_PASSWORD="$(read_secret keycloak-db__POSTGRES_PASSWORD)"
-
-export PORTAL_E2E_CLIENT_ID="$(read_secret portal-e2e-client__client_id)"
-export PORTAL_E2E_CLIENT_SECRET="$(read_secret portal-e2e-client__client_secret)"
-
-export LDAP_ADMIN_PASSWORD="$(read_secret openldap-admin__LDAP_ADMIN_PASSWORD)"
-export LDAP_CONFIG_PASSWORD="$(read_secret openldap-admin__LDAP_CONFIG_PASSWORD)"
-export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
-
-export KEYCLOAK_SMTP_USER="$(read_secret postmark-relay__relay-username)"
-export KEYCLOAK_SMTP_PASSWORD="$(read_secret postmark-relay__relay-password)"

services/keycloak/scripts/vault_oidc_secret_ensure.sh

@@ -3,7 +3,7 @@ set -euo pipefail
 
 apk add --no-cache curl jq kubectl >/dev/null
 
-. /vault/scripts/keycloak_vault_env.sh
+. /vault/secrets/keycloak-admin-env.sh
 
 KC_URL="http://keycloak.sso.svc.cluster.local"
 ACCESS_TOKEN=""

services/keycloak/secretproviderclass.yaml

@@ -10,27 +10,6 @@ spec:
     vaultAddress: "http://vault.vault.svc.cluster.local:8200"
     roleName: "sso"
     objects: |
-      - objectName: "keycloak-db__POSTGRES_DATABASE"
-        secretPath: "kv/data/atlas/sso/keycloak-db"
-        secretKey: "POSTGRES_DATABASE"
-      - objectName: "keycloak-db__POSTGRES_USER"
-        secretPath: "kv/data/atlas/sso/keycloak-db"
-        secretKey: "POSTGRES_USER"
-      - objectName: "keycloak-db__POSTGRES_PASSWORD"
-        secretPath: "kv/data/atlas/sso/keycloak-db"
-        secretKey: "POSTGRES_PASSWORD"
-      - objectName: "keycloak-admin__username"
-        secretPath: "kv/data/atlas/shared/keycloak-admin"
-        secretKey: "username"
-      - objectName: "keycloak-admin__password"
-        secretPath: "kv/data/atlas/shared/keycloak-admin"
-        secretKey: "password"
-      - objectName: "portal-e2e-client__client_id"
-        secretPath: "kv/data/atlas/shared/portal-e2e-client"
-        secretKey: "client_id"
-      - objectName: "portal-e2e-client__client_secret"
-        secretPath: "kv/data/atlas/shared/portal-e2e-client"
-        secretKey: "client_secret"
       - objectName: "openldap-admin__LDAP_ADMIN_PASSWORD"
         secretPath: "kv/data/atlas/sso/openldap-admin"
         secretKey: "LDAP_ADMIN_PASSWORD"
@@ -46,12 +25,6 @@ spec:
       - objectName: "oauth2-proxy-oidc__cookie_secret"
         secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"
         secretKey: "cookie_secret"
-      - objectName: "postmark-relay__relay-username"
-        secretPath: "kv/data/atlas/shared/postmark-relay"
-        secretKey: "relay-username"
-      - objectName: "postmark-relay__relay-password"
-        secretPath: "kv/data/atlas/shared/postmark-relay"
-        secretKey: "relay-password"
       - objectName: "harbor-pull__dockerconfigjson"
         secretPath: "kv/data/atlas/harbor-pull/sso"
         secretKey: "dockerconfigjson"

services/keycloak/synapse-oidc-secret-ensure-job.yaml

@@ -2,12 +2,23 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: synapse-oidc-secret-ensure-5
+  name: synapse-oidc-secret-ensure-6
   namespace: sso
 spec:
   backoffLimit: 0
   ttlSecondsAfterFinished: 3600
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso-secrets"
+        vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
     spec:
       serviceAccountName: mas-secrets-ensure
       restartPolicy: Never
@@ -18,7 +29,7 @@ spec:
           args:
             - |
               set -euo pipefail
-              . /vault/scripts/keycloak_vault_env.sh
+              . /vault/secrets/keycloak-admin-env.sh
               apk add --no-cache curl jq >/dev/null
 
               KC_URL="http://keycloak.sso.svc.cluster.local"
@@ -70,20 +81,4 @@ spec:
               curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
                 -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/synapse-oidc" >/dev/null
           volumeMounts:
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
       volumes:
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555

services/keycloak/user-overrides-job.yaml

@@ -2,11 +2,40 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-user-overrides-2
+  name: keycloak-user-overrides-3
   namespace: sso
 spec:
   backoffLimit: 0
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso"
+        vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/keycloak-db" -}}
+          export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
+          export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
+          export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
+          export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
+          export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/sso/openldap-admin" -}}
+          export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
+          export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
+          export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+          {{- end }}
+          {{- with secret "kv/data/atlas/shared/postmark-relay" -}}
+          export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
+          export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
+          {{- end }}
     spec:
       affinity:
         nodeAffinity:
@@ -36,7 +65,7 @@ spec:
           args:
             - |
               set -euo pipefail
-              . /vault/scripts/keycloak_vault_env.sh
+              . /vault/secrets/keycloak-env.sh
               python - <<'PY'
               import json
               import os
@@ -136,20 +165,3 @@ spec:
                   raise SystemExit(f"Unexpected user update response: {status}")
               PY
           volumeMounts:
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true
-      volumes:
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555

services/keycloak/vault-oidc-secret-ensure-job.yaml

@@ -2,12 +2,23 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: vault-oidc-secret-ensure-2
+  name: vault-oidc-secret-ensure-3
   namespace: sso
 spec:
   backoffLimit: 0
   ttlSecondsAfterFinished: 3600
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "sso-secrets"
+        vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
+        vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
+          {{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
+          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
+          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
+          {{- end }}
     spec:
       serviceAccountName: mas-secrets-ensure
       restartPolicy: Never
@@ -16,16 +27,6 @@ spec:
           configMap:
             name: vault-oidc-secret-ensure-script
             defaultMode: 0555
-        - name: vault-secrets
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: sso-vault
-        - name: vault-scripts
-          configMap:
-            name: sso-vault-env
-            defaultMode: 0555
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -44,9 +45,3 @@ spec:
             - name: vault-oidc-secret-ensure-script
               mountPath: /scripts
               readOnly: true
-            - name: vault-secrets
-              mountPath: /vault/secrets
-              readOnly: true
-            - name: vault-scripts
-              mountPath: /vault/scripts
-              readOnly: true