diff --git a/services/keycloak/zot-client-bootstrap.yaml b/services/keycloak/zot-client-bootstrap.yaml
index 07317f0..46d6d77 100644
--- a/services/keycloak/zot-client-bootstrap.yaml
+++ b/services/keycloak/zot-client-bootstrap.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-zot-client-bootstrap
+  name: keycloak-zot-client-bootstrap-2
   namespace: sso
   labels:
     app: keycloak-zot-client-bootstrap
@@ -30,63 +30,38 @@ spec:
             secretKeyRef:
               name: keycloak-admin
               key: password
-      - name: CLIENT_ID
-        valueFrom:
-          secretKeyRef:
-            name: oauth2-proxy-zot-oidc
-            key: client_id
-      - name: CLIENT_SECRET
-        valueFrom:
-          secretKeyRef:
-            name: oauth2-proxy-zot-oidc
-            key: client_secret
       - name: KC_SERVER
         value: http://keycloak.sso.svc.cluster.local:8080
       - name: REALM
         value: atlas
-      - name: REDIRECT_URI
-        value: https://registry.bstein.dev/oauth2/callback
-      - name: WEB_ORIGIN
-        value: https://registry.bstein.dev
+      - name: CLIENT_IDS
+        value: "oauth2-proxy oauth2-proxy-zot"
+      - name: REDIRECT_URIS
+        value: '["https://auth.bstein.dev/oauth2/callback","https://registry.bstein.dev/oauth2/callback","https://longhorn.bstein.dev/oauth2/callback","https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback"]'
+      - name: WEB_ORIGINS
+        value: '["https://registry.bstein.dev","https://auth.bstein.dev","https://longhorn.bstein.dev","https://secret.bstein.dev"]'
       command:
       - /bin/sh
       - -c
       - |
         set -euo pipefail
-        if [ -z "${CLIENT_ID:-}" ] || [ -z "${CLIENT_SECRET:-}" ]; then
-          echo "CLIENT_ID or CLIENT_SECRET missing; check oauth2-proxy-zot-oidc secret" >&2
-          exit 1
-        fi
-        KCADM="/opt/keycloak/bin/kcadm.sh"
-        $KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli
-        CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes)"
+        for CLIENT_ID in $CLIENT_IDS; do
+          CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes || true)"
+          if [ -z "$CLIENT_UUID" ]; then
+            echo "Client $CLIENT_ID not found; skipping"
+            continue
+          fi
-        if [ -z "$CLIENT_UUID" ]; then
-          echo "Creating client $CLIENT_ID"
-          $KCADM create clients -r "$REALM" \
-            -s clientId="$CLIENT_ID" \
-            -s enabled=true \
-            -s protocol=openid-connect \
-            -s publicClient=false \
-            -s standardFlowEnabled=true \
-            -s directAccessGrantsEnabled=false \
-            -s secret="$CLIENT_SECRET" \
-            -s 'redirectUris=["'"$REDIRECT_URI"'"]' \
-            -s 'webOrigins=["'"$WEB_ORIGIN"'"]' \
-            -s 'attributes."pkce.code.challenge.method"="S256"'
-        else
           echo "Updating client $CLIENT_ID ($CLIENT_UUID)"
           $KCADM update "clients/$CLIENT_UUID" -r "$REALM" \
-            -s secret="$CLIENT_SECRET" \
+            -s 'redirectUris='"$REDIRECT_URIS" \
+            -s 'webOrigins='"$WEB_ORIGINS" \
             -s 'standardFlowEnabled=true' \
-            -s 'directAccessGrantsEnabled=false' \
-            -s 'redirectUris=["'"$REDIRECT_URI"'"]' \
-            -s 'webOrigins=["'"$WEB_ORIGIN"'"]' \
-            -s 'attributes."pkce.code.challenge.method"="S256"'
-        fi
+            -s 'directAccessGrantsEnabled=false'
+        done
         echo "Keycloak zot client bootstrap complete"
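Review bot: The loop hands the same `REDIRECT_URIS` and `WEB_ORIGINS` union to every client in `CLIENT_IDS`, so the registry client ends up accepting callbacks to the Vault and Longhorn URLs and vice versa; each client's redirect allow-list should hold only its own callback, for example via a `case "$CLIENT_ID" in … esac` inside the loop that selects a per-client list before the `kcadm update`. The update also drops `-s 'attributes."pkce.code.challenge.method"="S256"'`, so PKCE is now only enforced on clients that already carry the attribute; keep that line in the update. The `|| true` on the `kcadm get` turns a failed admin login or an unreachable server into "Client … not found; skipping", after which the job prints "bootstrap complete" and exits 0 without having changed anything, so either remove `|| true` or count updated clients and fail when the count is zero. As rendered, the `KCADM=` assignment and the `config credentials` login appear on removed lines while the new loop still expands `$KCADM`; if the diff is accurate, `set -u` aborts at the first `$KCADM` use and no kcadm call would be authenticated, so please confirm those two lines survive.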