diff --git a/services/keycloak/harbor-oidc-secret-ensure-job.yaml b/services/keycloak/harbor-oidc-secret-ensure-job.yaml index 974f01a..946f0fe 100644 --- a/services/keycloak/harbor-oidc-secret-ensure-job.yaml +++ b/services/keycloak/harbor-oidc-secret-ensure-job.yaml @@ -11,6 +11,11 @@ spec: spec: serviceAccountName: mas-secrets-ensure restartPolicy: Never + volumes: + - name: harbor-oidc-secret-ensure-script + configMap: + name: harbor-oidc-secret-ensure-script + defaultMode: 0555 affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -24,111 +29,7 @@ spec: containers: - name: apply image: alpine:3.20 - command: ["/bin/sh", "-c"] - args: - - | - set -euo pipefail - apk add --no-cache curl jq kubectl >/dev/null - - KC_URL="http://keycloak.sso.svc.cluster.local" - ACCESS_TOKEN="" - for attempt in 1 2 3 4 5; do - TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \ - -H 'Content-Type: application/x-www-form-urlencoded' \ - -d "grant_type=password" \ - -d "client_id=admin-cli" \ - -d "username=${KEYCLOAK_ADMIN}" \ - -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)" - ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)" - if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then - break - fi - echo "Keycloak token request failed (attempt ${attempt})" >&2 - sleep $((attempt * 2)) - done - if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then - echo "Failed to fetch Keycloak admin token" >&2 - exit 1 - fi - - CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ - "$KC_URL/admin/realms/atlas/clients?clientId=harbor" || true)" - CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)" - - if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then - create_payload='{"clientId":"harbor","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://registry.bstein.dev/c/oidc/callback"],"webOrigins":["https://registry.bstein.dev"],"rootUrl":"https://registry.bstein.dev","baseUrl":"/"}' - status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \ - -H "Authorization: Bearer ${ACCESS_TOKEN}" \ - -H 'Content-Type: application/json' \ - -d "${create_payload}" \ - "$KC_URL/admin/realms/atlas/clients")" - if [ "$status" != "201" ] && [ "$status" != "204" ]; then - echo "Keycloak client create failed (status ${status})" >&2 - exit 1 - fi - CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ - "$KC_URL/admin/realms/atlas/clients?clientId=harbor" || true)" - CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)" - fi - - if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then - echo "Keycloak client harbor not found" >&2 - exit 1 - fi - - SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ - "$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)" - if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then - echo "Keycloak client scope groups not found" >&2 - exit 1 - fi - - DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ - "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" || true)" - OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ - "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" || true)" - - if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1 \ - && ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1; then - status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \ - -H "Authorization: Bearer ${ACCESS_TOKEN}" \ - "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")" - if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then - status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \ - -H "Authorization: Bearer ${ACCESS_TOKEN}" \ - "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")" - if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then - echo "Failed to attach groups client scope to harbor (status ${status})" >&2 - exit 1 - fi - fi - fi - - CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ - "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)" - if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then - echo "Keycloak client secret not found" >&2 - exit 1 - fi - - CONFIG_OVERWRITE_JSON="$(jq -nc \ - --arg auth_mode "oidc_auth" \ - --arg oidc_name "Keycloak" \ - --arg oidc_client_id "harbor" \ - --arg oidc_client_secret "${CLIENT_SECRET}" \ - --arg oidc_endpoint "https://sso.bstein.dev/realms/atlas" \ - --arg oidc_scope "openid,profile,email,groups" \ - --arg oidc_user_claim "preferred_username" \ - --arg oidc_groups_claim "groups" \ - --arg oidc_admin_group "admin" \ - --argjson oidc_auto_onboard true \ - --argjson oidc_verify_cert true \ - --argjson oidc_logout true \ - '{\n auth_mode: $auth_mode,\n oidc_name: $oidc_name,\n oidc_client_id: $oidc_client_id,\n oidc_client_secret: $oidc_client_secret,\n oidc_endpoint: $oidc_endpoint,\n oidc_scope: $oidc_scope,\n oidc_user_claim: $oidc_user_claim,\n oidc_groups_claim: $oidc_groups_claim,\n oidc_admin_group: $oidc_admin_group,\n oidc_auto_onboard: $oidc_auto_onboard,\n oidc_verify_cert: $oidc_verify_cert,\n oidc_logout: $oidc_logout\n }')" - - kubectl -n harbor create secret generic harbor-oidc \ - --from-literal=CONFIG_OVERWRITE_JSON="${CONFIG_OVERWRITE_JSON}" \ - --dry-run=client -o yaml | kubectl -n harbor apply -f - >/dev/null + command: ["/scripts/harbor_oidc_secret_ensure.sh"] env: - name: KEYCLOAK_ADMIN valueFrom: @@ -140,3 +41,7 @@ spec: secretKeyRef: name: keycloak-admin key: password + volumeMounts: + - name: harbor-oidc-secret-ensure-script + mountPath: /scripts + readOnly: true diff --git a/services/keycloak/kustomization.yaml b/services/keycloak/kustomization.yaml index c334e5e..5222ee1 100644 --- a/services/keycloak/kustomization.yaml +++ b/services/keycloak/kustomization.yaml @@ -32,3 +32,6 @@ configMapGenerator: - name: portal-e2e-client-secret-sync-script files: - sso_portal_e2e_client_secret_sync.sh=scripts/sso_portal_e2e_client_secret_sync.sh + - name: harbor-oidc-secret-ensure-script + files: + - harbor_oidc_secret_ensure.sh=scripts/harbor_oidc_secret_ensure.sh diff --git a/services/keycloak/scripts/harbor_oidc_secret_ensure.sh b/services/keycloak/scripts/harbor_oidc_secret_ensure.sh new file mode 100755 index 0000000..da3dff0 --- /dev/null +++ b/services/keycloak/scripts/harbor_oidc_secret_ensure.sh @@ -0,0 +1,104 @@ +#!/usr/bin/env sh +set -euo pipefail + +apk add --no-cache curl jq kubectl >/dev/null + +KC_URL="http://keycloak.sso.svc.cluster.local" +ACCESS_TOKEN="" +for attempt in 1 2 3 4 5; do + TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \ + -H 'Content-Type: application/x-www-form-urlencoded' \ + -d "grant_type=password" \ + -d "client_id=admin-cli" \ + -d "username=${KEYCLOAK_ADMIN}" \ + -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)" + ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)" + if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then + break + fi + echo "Keycloak token request failed (attempt ${attempt})" >&2 + sleep $((attempt * 2)) +done +if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then + echo "Failed to fetch Keycloak admin token" >&2 + exit 1 +fi + +CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients?clientId=harbor" || true)" +CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)" + +if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then + create_payload='{"clientId":"harbor","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://registry.bstein.dev/c/oidc/callback"],"webOrigins":["https://registry.bstein.dev"],"rootUrl":"https://registry.bstein.dev","baseUrl":"/"}' + status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \ + -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + -H 'Content-Type: application/json' \ + -d "${create_payload}" \ + "$KC_URL/admin/realms/atlas/clients")" + if [ "$status" != "201" ] && [ "$status" != "204" ]; then + echo "Keycloak client create failed (status ${status})" >&2 + exit 1 + fi + CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients?clientId=harbor" || true)" + CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)" +fi + +if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then + echo "Keycloak client harbor not found" >&2 + exit 1 +fi + +SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)" +if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then + echo "Keycloak client scope groups not found" >&2 + exit 1 +fi + +DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" || true)" +OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" || true)" + +if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1 \ + && ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1; then + status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \ + -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")" + if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then + status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \ + -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")" + if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then + echo "Failed to attach groups client scope to harbor (status ${status})" >&2 + exit 1 + fi + fi +fi + +CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)" +if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then + echo "Keycloak client secret not found" >&2 + exit 1 +fi + +CONFIG_OVERWRITE_JSON="$(jq -nc \ + --arg auth_mode "oidc_auth" \ + --arg oidc_name "Keycloak" \ + --arg oidc_client_id "harbor" \ + --arg oidc_client_secret "${CLIENT_SECRET}" \ + --arg oidc_endpoint "https://sso.bstein.dev/realms/atlas" \ + --arg oidc_scope "openid,profile,email,groups" \ + --arg oidc_user_claim "preferred_username" \ + --arg oidc_groups_claim "groups" \ + --arg oidc_admin_group "admin" \ + --argjson oidc_auto_onboard true \ + --argjson oidc_verify_cert true \ + --argjson oidc_logout true \ + '{\n auth_mode: $auth_mode,\n oidc_name: $oidc_name,\n oidc_client_id: $oidc_client_id,\n oidc_client_secret: $oidc_client_secret,\n oidc_endpoint: $oidc_endpoint,\n oidc_scope: $oidc_scope,\n oidc_user_claim: $oidc_user_claim,\n oidc_groups_claim: $oidc_groups_claim,\n oidc_admin_group: $oidc_admin_group,\n oidc_auto_onboard: $oidc_auto_onboard,\n oidc_verify_cert: $oidc_verify_cert,\n oidc_logout: $oidc_logout\n }')" + +kubectl -n harbor create secret generic harbor-oidc \ + --from-literal=CONFIG_OVERWRITE_JSON="${CONFIG_OVERWRITE_JSON}" \ + --dry-run=client -o yaml | kubectl -n harbor apply -f - >/dev/null