keycloak: ensure harbor oidc scope

2026-01-14 01:21:08 -03:00 · 2026-01-14 01:21:08 -03:00 · e776f004c9
commit e776f004c9
parent 8fa38268d9
3 changed files with 117 additions and 105 deletions
--- a/services/keycloak/harbor-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/harbor-oidc-secret-ensure-job.yaml
@ -11,6 +11,11 @@ spec:
    spec:
      serviceAccountName: mas-secrets-ensure
      restartPolicy: Never
      volumes:
        - name: harbor-oidc-secret-ensure-script
          configMap:
            name: harbor-oidc-secret-ensure-script
            defaultMode: 0555
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
@ -24,111 +29,7 @@ spec:
      containers:
        - name: apply
          image: alpine:3.20
-          command: ["/bin/sh", "-c"]
+          command: ["/scripts/harbor_oidc_secret_ensure.sh"]
          args:
            - |
              set -euo pipefail
              apk add --no-cache curl jq kubectl >/dev/null
              KC_URL="http://keycloak.sso.svc.cluster.local"
              ACCESS_TOKEN=""
              for attempt in 1 2 3 4 5; do
                TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
                  -H 'Content-Type: application/x-www-form-urlencoded' \
                  -d "grant_type=password" \
                  -d "client_id=admin-cli" \
                  -d "username=${KEYCLOAK_ADMIN}" \
                  -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
                ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
                if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
                  break
                fi
                echo "Keycloak token request failed (attempt ${attempt})" >&2
                sleep $((attempt * 2))
              done
              if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
                echo "Failed to fetch Keycloak admin token" >&2
                exit 1
              fi
              CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/clients?clientId=harbor" || true)"
              CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
              if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
                create_payload='{"clientId":"harbor","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://registry.bstein.dev/c/oidc/callback"],"webOrigins":["https://registry.bstein.dev"],"rootUrl":"https://registry.bstein.dev","baseUrl":"/"}'
                status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
                  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                  -H 'Content-Type: application/json' \
                  -d "${create_payload}" \
                  "$KC_URL/admin/realms/atlas/clients")"
                if [ "$status" != "201" ] && [ "$status" != "204" ]; then
                  echo "Keycloak client create failed (status ${status})" >&2
                  exit 1
                fi
                CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                  "$KC_URL/admin/realms/atlas/clients?clientId=harbor" || true)"
                CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
              fi
              if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
                echo "Keycloak client harbor not found" >&2
                exit 1
              fi
              SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)"
              if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then
                echo "Keycloak client scope groups not found" >&2
                exit 1
              fi
              DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" || true)"
              OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" || true)"
              if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1 \
                && ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1; then
                status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
                  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
                if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
                  status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
                    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                    "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
                  if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
                    echo "Failed to attach groups client scope to harbor (status ${status})" >&2
                    exit 1
                  fi
                fi
              fi
              CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
              if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
                echo "Keycloak client secret not found" >&2
                exit 1
              fi
              CONFIG_OVERWRITE_JSON="$(jq -nc \
                --arg auth_mode "oidc_auth" \
                --arg oidc_name "Keycloak" \
                --arg oidc_client_id "harbor" \
                --arg oidc_client_secret "${CLIENT_SECRET}" \
                --arg oidc_endpoint "https://sso.bstein.dev/realms/atlas" \
                --arg oidc_scope "openid,profile,email,groups" \
                --arg oidc_user_claim "preferred_username" \
                --arg oidc_groups_claim "groups" \
                --arg oidc_admin_group "admin" \
                --argjson oidc_auto_onboard true \
                --argjson oidc_verify_cert true \
                --argjson oidc_logout true \
                '{\n                  auth_mode: $auth_mode,\n                  oidc_name: $oidc_name,\n                  oidc_client_id: $oidc_client_id,\n                  oidc_client_secret: $oidc_client_secret,\n                  oidc_endpoint: $oidc_endpoint,\n                  oidc_scope: $oidc_scope,\n                  oidc_user_claim: $oidc_user_claim,\n                  oidc_groups_claim: $oidc_groups_claim,\n                  oidc_admin_group: $oidc_admin_group,\n                  oidc_auto_onboard: $oidc_auto_onboard,\n                  oidc_verify_cert: $oidc_verify_cert,\n                  oidc_logout: $oidc_logout\n                }')"
              kubectl -n harbor create secret generic harbor-oidc \
                --from-literal=CONFIG_OVERWRITE_JSON="${CONFIG_OVERWRITE_JSON}" \
                --dry-run=client -o yaml | kubectl -n harbor apply -f - >/dev/null
          env:
            - name: KEYCLOAK_ADMIN
              valueFrom:
@ -140,3 +41,7 @@ spec:
                secretKeyRef:
                  name: keycloak-admin
                  key: password
          volumeMounts:
            - name: harbor-oidc-secret-ensure-script
              mountPath: /scripts
              readOnly: true
--- a/services/keycloak/kustomization.yaml
+++ b/services/keycloak/kustomization.yaml
@ -32,3 +32,6 @@ configMapGenerator:
  - name: portal-e2e-client-secret-sync-script
    files:
      - sso_portal_e2e_client_secret_sync.sh=scripts/sso_portal_e2e_client_secret_sync.sh
  - name: harbor-oidc-secret-ensure-script
    files:
      - harbor_oidc_secret_ensure.sh=scripts/harbor_oidc_secret_ensure.sh
--- a/services/keycloak/scripts/harbor_oidc_secret_ensure.sh
+++ b/services/keycloak/scripts/harbor_oidc_secret_ensure.sh
@ -0,0 +1,104 @@
 #!/usr/bin/env sh
 set -euo pipefail
 apk add --no-cache curl jq kubectl >/dev/null
 KC_URL="http://keycloak.sso.svc.cluster.local"
 ACCESS_TOKEN=""
 for attempt in 1 2 3 4 5; do
  TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d "grant_type=password" \
    -d "client_id=admin-cli" \
    -d "username=${KEYCLOAK_ADMIN}" \
    -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
  ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
  if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
    break
  fi
  echo "Keycloak token request failed (attempt ${attempt})" >&2
  sleep $((attempt * 2))
 done
 if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
  echo "Failed to fetch Keycloak admin token" >&2
  exit 1
 fi
 CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients?clientId=harbor" || true)"
 CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
 if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
  create_payload='{"clientId":"harbor","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://registry.bstein.dev/c/oidc/callback"],"webOrigins":["https://registry.bstein.dev"],"rootUrl":"https://registry.bstein.dev","baseUrl":"/"}'
  status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H 'Content-Type: application/json' \
    -d "${create_payload}" \
    "$KC_URL/admin/realms/atlas/clients")"
  if [ "$status" != "201" ] && [ "$status" != "204" ]; then
    echo "Keycloak client create failed (status ${status})" >&2
    exit 1
  fi
  CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "$KC_URL/admin/realms/atlas/clients?clientId=harbor" || true)"
  CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
 fi
 if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
  echo "Keycloak client harbor not found" >&2
  exit 1
 fi
 SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)"
 if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then
  echo "Keycloak client scope groups not found" >&2
  exit 1
 fi
 DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" || true)"
 OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" || true)"
 if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1 \
  && ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1; then
  status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
  if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
    status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
      -H "Authorization: Bearer ${ACCESS_TOKEN}" \
      "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
    if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
      echo "Failed to attach groups client scope to harbor (status ${status})" >&2
      exit 1
    fi
  fi
 fi
 CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
 if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
  echo "Keycloak client secret not found" >&2
  exit 1
 fi
 CONFIG_OVERWRITE_JSON="$(jq -nc \
  --arg auth_mode "oidc_auth" \
  --arg oidc_name "Keycloak" \
  --arg oidc_client_id "harbor" \
  --arg oidc_client_secret "${CLIENT_SECRET}" \
  --arg oidc_endpoint "https://sso.bstein.dev/realms/atlas" \
  --arg oidc_scope "openid,profile,email,groups" \
  --arg oidc_user_claim "preferred_username" \
  --arg oidc_groups_claim "groups" \
  --arg oidc_admin_group "admin" \
  --argjson oidc_auto_onboard true \
  --argjson oidc_verify_cert true \
  --argjson oidc_logout true \
  '{\n    auth_mode: $auth_mode,\n    oidc_name: $oidc_name,\n    oidc_client_id: $oidc_client_id,\n    oidc_client_secret: $oidc_client_secret,\n    oidc_endpoint: $oidc_endpoint,\n    oidc_scope: $oidc_scope,\n    oidc_user_claim: $oidc_user_claim,\n    oidc_groups_claim: $oidc_groups_claim,\n    oidc_admin_group: $oidc_admin_group,\n    oidc_auto_onboard: $oidc_auto_onboard,\n    oidc_verify_cert: $oidc_verify_cert,\n    oidc_logout: $oidc_logout\n  }')"
 kubectl -n harbor create secret generic harbor-oidc \
  --from-literal=CONFIG_OVERWRITE_JSON="${CONFIG_OVERWRITE_JSON}" \
  --dry-run=client -o yaml | kubectl -n harbor apply -f - >/dev/null