keycloak: switch jobs to vault injector

This commit is contained in:
Brad Stein 2026-01-14 13:20:57 -03:00
parent 92fbde08eb
commit 58c880d9ce
19 changed files with 343 additions and 314 deletions


@ -20,6 +20,34 @@ spec:
metadata:
labels:
app: keycloak
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/keycloak-db" -}}
export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/openldap-admin" -}}
export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
spec:
serviceAccountName: sso-vault
affinity:
@ -73,7 +101,7 @@ spec:
command: ["/bin/sh", "-c"]
args:
- >-
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-env.sh
&& exec /opt/keycloak/bin/kc.sh start
env:
- name: KC_DB
@ -132,25 +160,9 @@ spec:
mountPath: /opt/keycloak/data
- name: providers
mountPath: /opt/keycloak/providers
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes:
- name: data
persistentVolumeClaim:
claimName: keycloak-data
- name: providers
emptyDir: {}
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
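Review bot: The `{{- end }}` / `{{- with … -}}` pairs between secret blocks in the new annotation template (L24-L25, L29-L30, L33-L34, L38-L39) strip the newline on both sides, so the rendered file joins lines such as `export KEYCLOAK_ADMIN_PASSWORD="…"export KC_DB_URL_DATABASE="…"`; the shell then exports the admin password with a trailing `export`, and the same happens to `KC_DB_PASSWORD`, `PORTAL_E2E_CLIENT_SECRET` and `LDAP_BIND_PASSWORD`, which should make the DB connection fail at `kc.sh start` (L52). Go text/template's `{{-` trims all preceding whitespace including the newline, so dropping the left trim on the closers, `{{ end }}`, leaves exactly one newline between blocks. Separately, the server container now receives `LDAP_CONFIG_PASSWORD` and the E2E client secret in its environment; if `kc.sh` does not consume them, the Deployment's template should carry only the `keycloak-admin`, `keycloak-db` and `postmark-relay` blocks. The pod spec starts before this hunk.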


@ -2,12 +2,23 @@
apiVersion: batch/v1
kind: Job
metadata:
name: harbor-oidc-secret-ensure-4
name: harbor-oidc-secret-ensure-5
namespace: sso
spec:
backoffLimit: 0
ttlSecondsAfterFinished: 3600
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso-secrets"
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
spec:
serviceAccountName: mas-secrets-ensure
restartPolicy: Never
@ -16,16 +27,6 @@ spec:
configMap:
name: harbor-oidc-secret-ensure-script
defaultMode: 0555
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@ -44,9 +45,3 @@ spec:
- name: harbor-oidc-secret-ensure-script
mountPath: /scripts
readOnly: true
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
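Review bot: The job now authenticates to Vault as role `sso-secrets` (L98) where the CSI class it previously mounted used `roleName: "sso"` (L850 in the SecretProviderClass hunk); unless the `sso-secrets` policy already grants `read` on `kv/data/atlas/shared/keycloak-admin`, the vault-agent-init container will keep retrying the template and the job never starts, and with `backoffLimit: 0` (L92) there is no second attempt. Worth confirming the policy binding before this is applied; the logs, synapse and vault OIDC ensure jobs in this commit switch to the same role. A comment above `vault.hashicorp.com/role`, `# sso-secrets must have read on kv/data/atlas/shared/keycloak-admin`, records the dependency.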


@ -28,9 +28,6 @@ resources:
generatorOptions:
disableNameSuffixHash: true
configMapGenerator:
- name: sso-vault-env
files:
- keycloak_vault_env.sh=scripts/keycloak_vault_env.sh
- name: portal-e2e-tests
files:
- test_portal_token_exchange.py=scripts/tests/test_portal_token_exchange.py


@ -2,11 +2,40 @@
apiVersion: batch/v1
kind: Job
metadata:
name: keycloak-ldap-federation-6
name: keycloak-ldap-federation-7
namespace: sso
spec:
backoffLimit: 2
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/keycloak-db" -}}
export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/openldap-admin" -}}
export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
spec:
affinity:
nodeAffinity:
@ -41,7 +70,7 @@ spec:
args:
- |
set -euo pipefail
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-env.sh
python - <<'PY'
import json
import os
@ -348,20 +377,3 @@ spec:
print(f"WARNING: LDAP cleanup failed (continuing): {e}")
PY
volumeMounts:
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes:
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
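Review bot: The template on L166-L190 renders the Postgres credentials, the Postmark relay credentials and the portal E2E client secret into a job whose visible work is Keycloak admin API calls and LDAP cleanup (L204); trimming it to the `keycloak-admin` and `openldap-admin` blocks keeps the other three secrets out of this pod's environment and its memory volume. The same one-size-fits-all template is pasted into every `sso`-role job, so each one now carries secrets its script never reads, which the old per-object CSI list at least made visible. As written the trim markers also glue `export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"` (L185) onto the following `export KEYCLOAK_SMTP_USER=…` line, corrupting the bind password with a trailing `export`; `{{ end }}` instead of `{{- end }}` fixes that. The job's script continues outside this hunk.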


@ -2,12 +2,23 @@
apiVersion: batch/v1
kind: Job
metadata:
name: logs-oidc-secret-ensure-3
name: logs-oidc-secret-ensure-4
namespace: sso
spec:
backoffLimit: 0
ttlSecondsAfterFinished: 3600
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso-secrets"
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
spec:
serviceAccountName: mas-secrets-ensure
restartPolicy: Never
@ -18,7 +29,7 @@ spec:
args:
- |
set -euo pipefail
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-admin-env.sh
apk add --no-cache curl jq kubectl openssl >/dev/null
KC_URL="http://keycloak.sso.svc.cluster.local"
@ -110,20 +121,4 @@ spec:
--from-literal=cookie_secret="${COOKIE_SECRET}" \
--dry-run=client -o yaml | kubectl -n logging apply -f - >/dev/null
volumeMounts:
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes:
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
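Review bot: The rendered `keycloak-admin-env.sh` is written into the injector's shared memory volume with the injector's default file mode (0644, as far as I recall), readable by every container in the pod, where the old CSI mount only exposed the objects the class listed. `vault.hashicorp.com/agent-inject-perms-keycloak-admin-env.sh: "0440"` together with `vault.hashicorp.com/agent-run-as-same-user: "true"` (so the job container, which runs as a different uid than the agent, can still read it) tightens that. For a single-container job the gain is modest, but it is the same two lines on every job in this commit and it keeps the admin password off a world-readable file.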


@ -10,28 +10,30 @@ imagePullSecrets:
apiVersion: batch/v1
kind: Job
metadata:
name: mas-secrets-ensure-15
name: mas-secrets-ensure-16
namespace: sso
spec:
backoffLimit: 0
ttlSecondsAfterFinished: 3600
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/role: "sso-secrets"
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
spec:
serviceAccountName: mas-secrets-ensure
restartPolicy: Never
volumes:
- name: work
emptyDir: {}
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
initContainers:
- name: generate
image: alpine:3.20
@ -39,7 +41,7 @@ spec:
args:
- |
set -euo pipefail
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-admin-env.sh
umask 077
apk add --no-cache curl openssl jq >/dev/null
@ -84,12 +86,6 @@ spec:
volumeMounts:
- name: work
mountPath: /work
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
containers:
- name: apply
image: registry.bstein.dev/bstein/kubectl:1.35.0
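Review bot: `agent-init-first: "true"` (L298) is needed here because the `generate` init container sources the rendered file (L331), but the `apply` container (L345) inherits the same `/vault/secrets` mount and a running `vault-agent` sidecar even though nothing visible in it reads the admin password. `vault.hashicorp.com/agent-inject-containers: "generate"` limits the mount to the init container (assuming the injector honours the list for init containers), and `vault.hashicorp.com/agent-pre-populate-only: "true"` drops the sidecar so the pod can reach Completed; with a sidecar still running a Job never finishes and `ttlSecondsAfterFinished: 3600` (L293) never triggers. The `apply` container's command and mounts are outside this hunk, so I can't rule out that it needs the file.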


@ -2,11 +2,40 @@
apiVersion: batch/v1
kind: Job
metadata:
name: keycloak-portal-e2e-client-3
name: keycloak-portal-e2e-client-4
namespace: sso
spec:
backoffLimit: 0
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/keycloak-db" -}}
export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/openldap-admin" -}}
export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
spec:
restartPolicy: Never
serviceAccountName: sso-vault
@ -22,7 +51,7 @@ spec:
args:
- |
set -euo pipefail
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-env.sh
python - <<'PY'
import json
import os
@ -228,20 +257,4 @@ spec:
raise SystemExit(f"Role mapping update failed (status={status}) resp={resp}")
PY
volumeMounts:
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes:
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
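Review bot: Each secret value is interpolated verbatim into a double-quoted shell string (for example `export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"`, L378), so a value containing `"`, `$`, a backtick or a backslash either breaks the `. /vault/secrets/keycloak-env.sh` line (L397) or gets expanded by the shell when sourced. Single quotes with the one special character escaped are safe for any value, e.g. `export PORTAL_E2E_CLIENT_SECRET='{{ .Data.data.client_secret | replaceAll "'" "'\\''" }}'` using consul-template's `replaceAll`; the `LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"` line (L383) is the one that deliberately relies on shell expansion and can stay double-quoted. The deleted script read each object with `cat` and never ran the value through a parser, so this is a new exposure, not an inherited one.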


@ -2,11 +2,40 @@
apiVersion: batch/v1
kind: Job
metadata:
name: keycloak-portal-e2e-execute-actions-email-6
name: keycloak-portal-e2e-execute-actions-email-7
namespace: sso
spec:
backoffLimit: 3
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/keycloak-db" -}}
export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/openldap-admin" -}}
export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
spec:
restartPolicy: Never
serviceAccountName: sso-vault
@ -30,30 +59,14 @@ spec:
args:
- |
set -euo pipefail
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-env.sh
python /scripts/test_keycloak_execute_actions_email.py
volumeMounts:
- name: tests
mountPath: /scripts
readOnly: true
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes:
- name: tests
configMap:
name: portal-e2e-tests
defaultMode: 0555
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
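Review bot: The 25-line annotation template (L439-L463) is a verbatim copy of the one in every other `sso`-role job and in the Keycloak Deployment, so one shared `keycloak_vault_env.sh` script has become nine copies that must be edited together; a Kustomize `patches:` entry targeting `kind: Job` by `labelSelector`, or a component, would keep a single source of truth. This is a style point rather than a defect, but the single script was what made the old path auditable in one place, and any fix to the template (the `{{- end }}` trim, the quoting) now has to land nine times.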


@ -2,11 +2,40 @@
apiVersion: batch/v1
kind: Job
metadata:
name: keycloak-portal-e2e-target-2
name: keycloak-portal-e2e-target-3
namespace: sso
spec:
backoffLimit: 0
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/keycloak-db" -}}
export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/openldap-admin" -}}
export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
spec:
restartPolicy: Never
serviceAccountName: sso-vault
@ -24,7 +53,7 @@ spec:
args:
- |
set -euo pipefail
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-env.sh
python - <<'PY'
import json
import os
@ -129,20 +158,4 @@ spec:
print(f"OK: ensured token exchange enabled on client {target_client_id}")
PY
volumeMounts:
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes:
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
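Review bot: This test job runs under the same `sso-vault` ServiceAccount (L543) and the same Vault role `sso` (L515) as the Keycloak server Deployment, so a compromised or mis-scoped E2E job can read everything the IdP itself can: DB, LDAP admin, SMTP relay and client secrets. A dedicated role in the spirit of the existing `sso-secrets` split used by the ensure jobs, bound to a test-only ServiceAccount with read on just `keycloak-admin` and `portal-e2e-client`, would confine it. The pod spec continues outside this hunk, so I can't see whether other mounts widen it further.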


@ -2,11 +2,40 @@
apiVersion: batch/v1
kind: Job
metadata:
name: keycloak-portal-e2e-token-exchange-permissions-6
name: keycloak-portal-e2e-token-exchange-permissions-7
namespace: sso
spec:
backoffLimit: 6
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/keycloak-db" -}}
export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/openldap-admin" -}}
export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
spec:
restartPolicy: Never
serviceAccountName: sso-vault
@ -26,7 +55,7 @@ spec:
args:
- |
set -euo pipefail
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-env.sh
python - <<'PY'
import json
import os
@ -262,20 +291,3 @@ spec:
print("OK: configured token exchange permissions for portal E2E client")
PY
volumeMounts:
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes:
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
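Review bot: `vault.hashicorp.com/agent-inject-secret-keycloak-env.sh` (L591) names only `kv/data/atlas/shared/keycloak-admin`, but the template reads four more paths (`…/sso/keycloak-db`, `…/shared/portal-e2e-client`, `…/sso/openldap-admin`, `…/shared/postmark-relay`), so the `sso` role's policy must grant read on all five or the agent keeps retrying and the init container never finishes. The old SecretProviderClass used the same role for the same paths, so this probably already holds, but a comment above the annotation, `# template below also reads keycloak-db, portal-e2e-client, openldap-admin and postmark-relay; the sso policy must cover all five`, saves the next reader a guess.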


@ -2,12 +2,41 @@
apiVersion: batch/v1
kind: Job
metadata:
name: keycloak-portal-e2e-token-exchange-test-2
name: keycloak-portal-e2e-token-exchange-test-3
namespace: sso
spec:
backoffLimit: 6
ttlSecondsAfterFinished: 3600
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/keycloak-db" -}}
export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/openldap-admin" -}}
export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
spec:
restartPolicy: Never
serviceAccountName: sso-vault
@ -31,30 +60,14 @@ spec:
args:
- |
set -euo pipefail
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-env.sh
python /scripts/test_portal_token_exchange.py
volumeMounts:
- name: tests
mountPath: /scripts
readOnly: true
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes:
- name: tests
configMap:
name: portal-e2e-tests
defaultMode: 0555
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
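Review bot: With the injector's defaults the pod gets a long-running `vault-agent` sidecar next to the test container, so once the test exits the pod stays Running, the Job never reaches Complete and `ttlSecondsAfterFinished: 3600` (L661) never fires; `vault.hashicorp.com/agent-pre-populate-only: "true"` keeps only the init container, which is all a one-shot Job needs. If the cluster's injector is configured with that as its default, a comment saying so would help, since nothing in the manifest shows it. The same applies to every Job in this commit.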


@ -2,11 +2,40 @@
apiVersion: batch/v1
kind: Job
metadata:
name: keycloak-realm-settings-18
name: keycloak-realm-settings-19
namespace: sso
spec:
backoffLimit: 0
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/keycloak-db" -}}
export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/openldap-admin" -}}
export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
spec:
affinity:
nodeAffinity:
@ -44,7 +73,7 @@ spec:
args:
- |
set -euo pipefail
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-env.sh
python - <<'PY'
import json
import os
@ -439,20 +468,3 @@ spec:
)
PY
volumeMounts:
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes:
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
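Review bot: A key missing from one of the KV secrets (a renamed `POSTGRES_PASSWORD`, say) renders as the literal string `<no value>` under Go text/template, and a secret path that is absent altogether makes the `{{- with … }}` block emit nothing, I believe; neither trips `set -euo pipefail` (L775) because the variables are either set to junk or simply never exported. A guard right after sourcing, `: "${KEYCLOAK_ADMIN_PASSWORD:?}"` followed by `case "$KEYCLOAK_ADMIN_PASSWORD" in *'<no value>'*) echo "incomplete vault secrets" >&2; exit 1;; esac`, turns that into a clear early failure instead of a confusing 401 from the admin API. The job's body continues outside this hunk.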


@ -3,7 +3,7 @@ set -euo pipefail
apk add --no-cache curl jq kubectl >/dev/null
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-admin-env.sh
KC_URL="http://keycloak.sso.svc.cluster.local"
ACCESS_TOKEN=""


@ -1,29 +0,0 @@
#!/usr/bin/env sh
set -eu
vault_dir="/vault/secrets"
read_secret() {
cat "${vault_dir}/$1"
}
admin_user="$(read_secret keycloak-admin__username)"
admin_password="$(read_secret keycloak-admin__password)"
export KEYCLOAK_ADMIN="${admin_user}"
export KEYCLOAK_ADMIN_USER="${admin_user}"
export KEYCLOAK_ADMIN_PASSWORD="${admin_password}"
export KC_DB_URL_DATABASE="$(read_secret keycloak-db__POSTGRES_DATABASE)"
export KC_DB_USERNAME="$(read_secret keycloak-db__POSTGRES_USER)"
export KC_DB_PASSWORD="$(read_secret keycloak-db__POSTGRES_PASSWORD)"
export PORTAL_E2E_CLIENT_ID="$(read_secret portal-e2e-client__client_id)"
export PORTAL_E2E_CLIENT_SECRET="$(read_secret portal-e2e-client__client_secret)"
export LDAP_ADMIN_PASSWORD="$(read_secret openldap-admin__LDAP_ADMIN_PASSWORD)"
export LDAP_CONFIG_PASSWORD="$(read_secret openldap-admin__LDAP_CONFIG_PASSWORD)"
export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
export KEYCLOAK_SMTP_USER="$(read_secret postmark-relay__relay-username)"
export KEYCLOAK_SMTP_PASSWORD="$(read_secret postmark-relay__relay-password)"


@ -3,7 +3,7 @@ set -euo pipefail
apk add --no-cache curl jq kubectl >/dev/null
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-admin-env.sh
KC_URL="http://keycloak.sso.svc.cluster.local"
ACCESS_TOKEN=""


@ -10,27 +10,6 @@ spec:
vaultAddress: "http://vault.vault.svc.cluster.local:8200"
roleName: "sso"
objects: |
- objectName: "keycloak-db__POSTGRES_DATABASE"
secretPath: "kv/data/atlas/sso/keycloak-db"
secretKey: "POSTGRES_DATABASE"
- objectName: "keycloak-db__POSTGRES_USER"
secretPath: "kv/data/atlas/sso/keycloak-db"
secretKey: "POSTGRES_USER"
- objectName: "keycloak-db__POSTGRES_PASSWORD"
secretPath: "kv/data/atlas/sso/keycloak-db"
secretKey: "POSTGRES_PASSWORD"
- objectName: "keycloak-admin__username"
secretPath: "kv/data/atlas/shared/keycloak-admin"
secretKey: "username"
- objectName: "keycloak-admin__password"
secretPath: "kv/data/atlas/shared/keycloak-admin"
secretKey: "password"
- objectName: "portal-e2e-client__client_id"
secretPath: "kv/data/atlas/shared/portal-e2e-client"
secretKey: "client_id"
- objectName: "portal-e2e-client__client_secret"
secretPath: "kv/data/atlas/shared/portal-e2e-client"
secretKey: "client_secret"
- objectName: "openldap-admin__LDAP_ADMIN_PASSWORD"
secretPath: "kv/data/atlas/sso/openldap-admin"
secretKey: "LDAP_ADMIN_PASSWORD"
@ -46,12 +25,6 @@ spec:
- objectName: "oauth2-proxy-oidc__cookie_secret"
secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"
secretKey: "cookie_secret"
- objectName: "postmark-relay__relay-username"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-username"
- objectName: "postmark-relay__relay-password"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-password"
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/sso"
secretKey: "dockerconfigjson"
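Review bot: After this hunk the `sso-vault` SecretProviderClass still serves `openldap-admin`, `oauth2-proxy-oidc` and `harbor-pull` objects (L873-L888) while every mount of it shown in this commit has been removed; if a consumer remains, `openldap-admin` is now read via CSI under role `sso` and via the injector under the same role, two access paths to audit for one secret. Either name the remaining consumer in a comment above `objects:` or delete the class, so `vaultAddress`/`roleName` (L849-L850) stop being a second path into Vault. I can't see the rest of the class or other overlays, so this is a question rather than a finding.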


@ -2,12 +2,23 @@
apiVersion: batch/v1
kind: Job
metadata:
name: synapse-oidc-secret-ensure-5
name: synapse-oidc-secret-ensure-6
namespace: sso
spec:
backoffLimit: 0
ttlSecondsAfterFinished: 3600
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso-secrets"
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
spec:
serviceAccountName: mas-secrets-ensure
restartPolicy: Never
@ -18,7 +29,7 @@ spec:
args:
- |
set -euo pipefail
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-admin-env.sh
apk add --no-cache curl jq >/dev/null
KC_URL="http://keycloak.sso.svc.cluster.local"
@ -70,20 +81,4 @@ spec:
curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/synapse-oidc" >/dev/null
volumeMounts:
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes:
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
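Review bot: The job writes the generated OIDC secret back into Vault with a `vault_token` (L926-L927); now that a Vault agent is already authenticated in the pod, `vault.hashicorp.com/agent-inject-token: "true"` exposes its token at `/vault/secrets/token` and could replace however `vault_token` is currently obtained, provided the `sso-secrets` policy has write on `kv/data/atlas/comms/synapse-oidc`. Where the token comes from is outside this hunk, so treat that as a question. Independently, without `vault.hashicorp.com/agent-pre-populate-only: "true"` the sidecar keeps the pod Running after the script exits, so the Job never completes and `ttlSecondsAfterFinished: 3600` (L901) never cleans it up.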


@ -2,11 +2,40 @@
apiVersion: batch/v1
kind: Job
metadata:
name: keycloak-user-overrides-2
name: keycloak-user-overrides-3
namespace: sso
spec:
backoffLimit: 0
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/keycloak-db" -}}
export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/sso/openldap-admin" -}}
export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export KEYCLOAK_SMTP_USER="{{ index .Data.data "relay-username" }}"
export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
spec:
affinity:
nodeAffinity:
@ -36,7 +65,7 @@ spec:
args:
- |
set -euo pipefail
. /vault/scripts/keycloak_vault_env.sh
. /vault/secrets/keycloak-env.sh
python - <<'PY'
import json
import os
@ -136,20 +165,3 @@ spec:
raise SystemExit(f"Unexpected user update response: {status}")
PY
volumeMounts:
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes:
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
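Review bot: The `{{- end }}` closers on L969, L974, L978 and L983 trim the preceding newline and the following `{{- with … -}}` trims the one after, so the rendered file joins `export KEYCLOAK_ADMIN_PASSWORD="…"export KC_DB_URL_DATABASE="…"` onto one line and the shell exports the admin password with a literal `export` appended; `KC_DB_PASSWORD`, `PORTAL_E2E_CLIENT_SECRET` and `LDAP_BIND_PASSWORD` are corrupted the same way. Changing the inner closers to `{{ end }}` leaves exactly one newline between blocks. Since this job only talks to the admin API (L1001), it also doesn't need the DB, LDAP or SMTP blocks at all.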


@ -2,12 +2,23 @@
apiVersion: batch/v1
kind: Job
metadata:
name: vault-oidc-secret-ensure-2
name: vault-oidc-secret-ensure-3
namespace: sso
spec:
backoffLimit: 0
ttlSecondsAfterFinished: 3600
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "sso-secrets"
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
spec:
serviceAccountName: mas-secrets-ensure
restartPolicy: Never
@ -16,16 +27,6 @@ spec:
configMap:
name: vault-oidc-secret-ensure-script
defaultMode: 0555
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: sso-vault
- name: vault-scripts
configMap:
name: sso-vault-env
defaultMode: 0555
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@ -44,9 +45,3 @@ spec:
- name: vault-oidc-secret-ensure-script
mountPath: /scripts
readOnly: true
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true