bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

keycloak: bootstrap oauth2-proxy redirect URIs

Browse Source
This commit is contained in:
Brad Stein 2025-12-09 18:53:21 -03:00
parent ecf21d95b2
commit 59ee37a3b5
1 changed files with 17 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
services/keycloak/zot-client-bootstrap.yaml
View File

@ -2,7 +2,7 @@
apiVersion: batch/v1
kind: Job
metadata:
name: keycloak-zot-client-bootstrap
name: keycloak-zot-client-bootstrap-2
namespace: sso
labels:
app: keycloak-zot-client-bootstrap
@ -30,63 +30,38 @@ spec:
secretKeyRef:
name: keycloak-admin
key: password
- name: CLIENT_ID
valueFrom:
secretKeyRef:
name: oauth2-proxy-zot-oidc
key: client_id
- name: CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-zot-oidc
key: client_secret
- name: KC_SERVER
value: http://keycloak.sso.svc.cluster.local:8080
- name: REALM
value: atlas
- name: REDIRECT_URI
value: https://registry.bstein.dev/oauth2/callback
- name: WEB_ORIGIN
value: https://registry.bstein.dev
- name: CLIENT_IDS
value: "oauth2-proxy oauth2-proxy-zot"
- name: REDIRECT_URIS
value: '["https://auth.bstein.dev/oauth2/callback","https://registry.bstein.dev/oauth2/callback","https://longhorn.bstein.dev/oauth2/callback","https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback"]'
- name: WEB_ORIGINS
value: '["https://registry.bstein.dev","https://auth.bstein.dev","https://longhorn.bstein.dev","https://secret.bstein.dev"]'
command:
- /bin/sh
- -c
- |
set -euo pipefail
if [ -z "${CLIENT_ID:-}" ] || [ -z "${CLIENT_SECRET:-}" ]; then
echo "CLIENT_ID or CLIENT_SECRET missing; check oauth2-proxy-zot-oidc secret" >&2
exit 1
fi
KCADM="/opt/keycloak/bin/kcadm.sh"
$KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli
CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes)"
for CLIENT_ID in $CLIENT_IDS; do
CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes || true)"
if [ -z "$CLIENT_UUID" ]; then
echo "Client $CLIENT_ID not found; skipping"
continue
fi
if [ -z "$CLIENT_UUID" ]; then
echo "Creating client $CLIENT_ID"
$KCADM create clients -r "$REALM" \
-s clientId="$CLIENT_ID" \
-s enabled=true \
-s protocol=openid-connect \
-s publicClient=false \
-s standardFlowEnabled=true \
-s directAccessGrantsEnabled=false \
-s secret="$CLIENT_SECRET" \
-s 'redirectUris=["'"$REDIRECT_URI"'"]' \
-s 'webOrigins=["'"$WEB_ORIGIN"'"]' \
-s 'attributes."pkce.code.challenge.method"="S256"'
else
echo "Updating client $CLIENT_ID ($CLIENT_UUID)"
$KCADM update "clients/$CLIENT_UUID" -r "$REALM" \
-s secret="$CLIENT_SECRET" \
-s 'redirectUris='"$REDIRECT_URIS" \
-s 'webOrigins='"$WEB_ORIGINS" \
-s 'standardFlowEnabled=true' \
-s 'directAccessGrantsEnabled=false' \
-s 'redirectUris=["'"$REDIRECT_URI"'"]' \
-s 'webOrigins=["'"$WEB_ORIGIN"'"]' \
-s 'attributes."pkce.code.challenge.method"="S256"'
fi
-s 'directAccessGrantsEnabled=false'
done
echo "Keycloak zot client bootstrap complete"