keycloak: ensure zot oauth2 client redirect

services/keycloak/zot-client-bootstrap.yaml

@@ -0,0 +1,92 @@
+# services/keycloak/zot-client-bootstrap.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: keycloak-zot-client-bootstrap
+  namespace: sso
+  labels:
+    app: keycloak-zot-client-bootstrap
+spec:
+  backoffLimit: 0
+  ttlSecondsAfterFinished: 86400
+  template:
+    metadata:
+      labels:
+        app: keycloak-zot-client-bootstrap
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: configure-zot-client
+          image: quay.io/keycloak/keycloak:26.0.7
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: KEYCLOAK_ADMIN
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-admin
+                  key: username
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-admin
+                  key: password
+            - name: CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-zot-oidc
+                  key: client_id
+            - name: CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-zot-oidc
+                  key: client_secret
+            - name: KC_SERVER
+              value: http://keycloak.sso.svc.cluster.local:8080
+            - name: REALM
+              value: atlas
+            - name: REDIRECT_URI
+              value: https://registry.bstein.dev/oauth2/callback
+            - name: WEB_ORIGIN
+              value: https://registry.bstein.dev
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -euo pipefail
+
+              if [ -z "${CLIENT_ID:-}" ] || [ -z "${CLIENT_SECRET:-}" ]; then
+                echo "CLIENT_ID or CLIENT_SECRET missing; check oauth2-proxy-zot-oidc secret" >&2
+                exit 1
+              fi
+
+              KCADM="/opt/keycloak/bin/kcadm.sh"
+
+              $KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli
+
+              CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes)"
+
+              if [ -z "$CLIENT_UUID" ]; then
+                echo "Creating client $CLIENT_ID"
+                $KCADM create clients -r "$REALM" \
+                  -s clientId="$CLIENT_ID" \
+                  -s enabled=true \
+                  -s protocol=openid-connect \
+                  -s publicClient=false \
+                  -s standardFlowEnabled=true \
+                  -s directAccessGrantsEnabled=false \
+                  -s secret="$CLIENT_SECRET" \
+                  -s 'redirectUris=["'"$REDIRECT_URI"'"]' \
+                  -s 'webOrigins=["'"$WEB_ORIGIN"'"]' \
+                  -s 'attributes."pkce.code.challenge.method"="S256"'
+              else
+                echo "Updating client $CLIENT_ID ($CLIENT_UUID)"
+                $KCADM update "clients/$CLIENT_UUID" -r "$REALM" \
+                  -s secret="$CLIENT_SECRET" \
+                  -s 'standardFlowEnabled=true' \
+                  -s 'directAccessGrantsEnabled=false' \
+                  -s 'redirectUris=["'"$REDIRECT_URI"'"]' \
+                  -s 'webOrigins=["'"$WEB_ORIGIN"'"]' \
+                  -s 'attributes."pkce.code.challenge.method"="S256"'
+              fi
+
+              echo "Keycloak zot client bootstrap complete"