From 9dfe1acfa04c2c1989da07499edc2d956b25cf07 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 9 Dec 2025 18:38:31 -0300
Subject: [PATCH] keycloak: ensure zot oauth2 client redirect

---
 services/keycloak/zot-client-bootstrap.yaml | 92 +++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 services/keycloak/zot-client-bootstrap.yaml

diff --git a/services/keycloak/zot-client-bootstrap.yaml b/services/keycloak/zot-client-bootstrap.yaml
new file mode 100644
index 0000000..07317f0
--- /dev/null
+++ b/services/keycloak/zot-client-bootstrap.yaml
@@ -0,0 +1,92 @@ +# services/keycloak/zot-client-bootstrap.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: keycloak-zot-client-bootstrap + namespace: sso + labels: + app: keycloak-zot-client-bootstrap +spec: + backoffLimit: 0 + ttlSecondsAfterFinished: 86400 + template: + metadata: + labels: + app: keycloak-zot-client-bootstrap + spec: + restartPolicy: Never + containers: + - name: configure-zot-client + image: quay.io/keycloak/keycloak:26.0.7 + imagePullPolicy: IfNotPresent + env: + - name: KEYCLOAK_ADMIN + valueFrom: + secretKeyRef: + name: keycloak-admin + key: username + - name: KEYCLOAK_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: keycloak-admin + key: password + - name: CLIENT_ID + valueFrom: + secretKeyRef: + name: oauth2-proxy-zot-oidc + key: client_id + - name: CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oauth2-proxy-zot-oidc + key: client_secret + - name: KC_SERVER + value: http://keycloak.sso.svc.cluster.local:8080 + - name: REALM + value: atlas + - name: REDIRECT_URI + value: https://registry.bstein.dev/oauth2/callback + - name: WEB_ORIGIN + value: https://registry.bstein.dev + command: + - /bin/sh + - -c + - | + set -euo pipefail + + if [ -z "${CLIENT_ID:-}" ] || [ -z "${CLIENT_SECRET:-}" ]; then + echo "CLIENT_ID or CLIENT_SECRET missing; check oauth2-proxy-zot-oidc secret" >&2 + exit 1 + fi + + KCADM="/opt/keycloak/bin/kcadm.sh" + + $KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli + + CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes)" + + if [ -z "$CLIENT_UUID" ]; then + echo "Creating client $CLIENT_ID" + $KCADM create clients -r "$REALM" \ + -s clientId="$CLIENT_ID" \ + -s enabled=true \ + -s protocol=openid-connect \ + -s publicClient=false \ + -s standardFlowEnabled=true \ + -s directAccessGrantsEnabled=false \ + -s secret="$CLIENT_SECRET" \ + -s 
'redirectUris=["'"$REDIRECT_URI"'"]' \ + -s 'webOrigins=["'"$WEB_ORIGIN"'"]' \ + -s 'attributes."pkce.code.challenge.method"="S256"' + else + echo "Updating client $CLIENT_ID ($CLIENT_UUID)" + $KCADM update "clients/$CLIENT_UUID" -r "$REALM" \ + -s secret="$CLIENT_SECRET" \ + -s 'standardFlowEnabled=true' \ + -s 'directAccessGrantsEnabled=false' \ + -s 'redirectUris=["'"$REDIRECT_URI"'"]' \ + -s 'webOrigins=["'"$WEB_ORIGIN"'"]' \ + -s 'attributes."pkce.code.challenge.method"="S256"' + fi + + echo "Keycloak zot client bootstrap complete"
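Review bot: The login `$KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD"` sends the master-realm admin password, and receives a master-realm admin token, over `http://keycloak.sso.svc.cluster.local:8080`, so unless pod-to-pod traffic in this cluster is already encrypted by a mesh, the most privileged credential in the deployment crosses the network in cleartext to manage a single client. Consider pointing `KC_SERVER` at an HTTPS endpoint and running the job as a principal that holds only `manage-clients` in the `atlas` realm (a realm-local admin user or a confidential client with a service account) instead of the master admin; the `kcadm` commands work unchanged with such a principal. Setting `attributes."pkce.code.challenge.method"="S256"` makes Keycloak require a `code_challenge` on every authorization request for this client, so oauth2-proxy must be configured to send one (its `--code-challenge-method=S256` option) or logins arriving at `/oauth2/callback` will fail — worth stating in the manifest, e.g. `# PKCE S256 is enforced on the client; oauth2-proxy must send code_challenge`. The pod also mounts a service-account token it never uses; `automountServiceAccountToken: false` under the pod `spec` would remove that, and note that `REDIRECT_URI`/`WEB_ORIGIN` are interpolated unescaped into the JSON literals, which is safe only while they remain static manifest values rather than secret- or user-supplied input.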