keycloak: ensure zot oauth2 client redirect

vault: default oidc login and middleware fix
2025-12-09 18:38:31 -03:00 · 2025-12-09 18:38:21 -03:00
4 changed files with 98 additions and 3 deletions
--- a/services/keycloak/kustomization.yaml
+++ b/services/keycloak/kustomization.yaml
@ -8,3 +8,4 @@ resources:
  - deployment.yaml
  - service.yaml
  - ingress.yaml
+  - zot-client-bootstrap.yaml
--- a/services/keycloak/zot-client-bootstrap.yaml
+++ b/services/keycloak/zot-client-bootstrap.yaml
@ -0,0 +1,92 @@
+# services/keycloak/zot-client-bootstrap.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: keycloak-zot-client-bootstrap
+  namespace: sso
+  labels:
+    app: keycloak-zot-client-bootstrap
+spec:
+  backoffLimit: 0
+  ttlSecondsAfterFinished: 86400
+  template:
+    metadata:
+      labels:
+        app: keycloak-zot-client-bootstrap
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: configure-zot-client
+          image: quay.io/keycloak/keycloak:26.0.7
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: KEYCLOAK_ADMIN
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-admin
+                  key: username
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-admin
+                  key: password
+            - name: CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-zot-oidc
+                  key: client_id
+            - name: CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-zot-oidc
+                  key: client_secret
+            - name: KC_SERVER
+              value: http://keycloak.sso.svc.cluster.local:8080
+            - name: REALM
+              value: atlas
+            - name: REDIRECT_URI
+              value: https://registry.bstein.dev/oauth2/callback
+            - name: WEB_ORIGIN
+              value: https://registry.bstein.dev
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -euo pipefail
+
+              if [ -z "${CLIENT_ID:-}" ] || [ -z "${CLIENT_SECRET:-}" ]; then
+                echo "CLIENT_ID or CLIENT_SECRET missing; check oauth2-proxy-zot-oidc secret" >&2
+                exit 1
+              fi
+
+              KCADM="/opt/keycloak/bin/kcadm.sh"
+
+              $KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli
+
+              CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes)"
+
+              if [ -z "$CLIENT_UUID" ]; then
+                echo "Creating client $CLIENT_ID"
+                $KCADM create clients -r "$REALM" \
+                  -s clientId="$CLIENT_ID" \
+                  -s enabled=true \
+                  -s protocol=openid-connect \
+                  -s publicClient=false \
+                  -s standardFlowEnabled=true \
+                  -s directAccessGrantsEnabled=false \
+                  -s secret="$CLIENT_SECRET" \
+                  -s 'redirectUris=["'"$REDIRECT_URI"'"]' \
+                  -s 'webOrigins=["'"$WEB_ORIGIN"'"]' \
+                  -s 'attributes."pkce.code.challenge.method"="S256"'
+              else
+                echo "Updating client $CLIENT_ID ($CLIENT_UUID)"
+                $KCADM update "clients/$CLIENT_UUID" -r "$REALM" \
+                  -s secret="$CLIENT_SECRET" \
+                  -s 'standardFlowEnabled=true' \
+                  -s 'directAccessGrantsEnabled=false' \
+                  -s 'redirectUris=["'"$REDIRECT_URI"'"]' \
+                  -s 'webOrigins=["'"$WEB_ORIGIN"'"]' \
+                  -s 'attributes."pkce.code.challenge.method"="S256"'
+              fi
+
+              echo "Keycloak zot client bootstrap complete"
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@ -7,10 +7,10 @@ metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.middlewares: vault-vault-login-redirect@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: vault-login-redirect@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/service.serversscheme: https
-    traefik.ingress.kubernetes.io/service.serverstransport: vault-vault-to-https@kubernetescrd
+    traefik.ingress.kubernetes.io/service.serverstransport: vault-to-https@kubernetescrd
 spec:
  ingressClassName: traefik
  tls:
--- a/services/vault/oidc-bootstrap-job.yaml
+++ b/services/vault/oidc-bootstrap-job.yaml
@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: vault-oidc-bootstrap
+  name: vault-oidc-bootstrap-2
  namespace: vault
  labels:
    app: vault-oidc-bootstrap
@ -76,4 +76,6 @@ spec:
              }
              EOF
              vault write auth/oidc/role/admin @/tmp/role.json
+              # Make OIDC the default UI login method
+              vault write sys/config/ui default_auth_method="oidc"
              echo "vault OIDC bootstrap complete"
Author	SHA1	Message	Date
Brad Stein	9dfe1acfa0	keycloak: ensure zot oauth2 client redirect	2025-12-09 18:38:31 -03:00
Brad Stein	046c9dc17a	vault: default oidc login and middleware fix	2025-12-09 18:38:21 -03:00