Compare commits
No commits in common. "9dfe1acfa04c2c1989da07499edc2d956b25cf07" and "93d2354e72913187628876159dc0eb289c60d4c0" have entirely different histories.
9dfe1acfa0
...
93d2354e72
@ -8,4 +8,3 @@ resources:
|
|||||||
- deployment.yaml
|
- deployment.yaml
|
||||||
- service.yaml
|
- service.yaml
|
||||||
- ingress.yaml
|
- ingress.yaml
|
||||||
- zot-client-bootstrap.yaml
|
|
||||||
|
|||||||
@ -1,92 +0,0 @@
|
|||||||
# services/keycloak/zot-client-bootstrap.yaml
|
|
||||||
apiVersion: batch/v1
|
|
||||||
kind: Job
|
|
||||||
metadata:
|
|
||||||
name: keycloak-zot-client-bootstrap
|
|
||||||
namespace: sso
|
|
||||||
labels:
|
|
||||||
app: keycloak-zot-client-bootstrap
|
|
||||||
spec:
|
|
||||||
backoffLimit: 0
|
|
||||||
ttlSecondsAfterFinished: 86400
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: keycloak-zot-client-bootstrap
|
|
||||||
spec:
|
|
||||||
restartPolicy: Never
|
|
||||||
containers:
|
|
||||||
- name: configure-zot-client
|
|
||||||
image: quay.io/keycloak/keycloak:26.0.7
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
env:
|
|
||||||
- name: KEYCLOAK_ADMIN
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: keycloak-admin
|
|
||||||
key: username
|
|
||||||
- name: KEYCLOAK_ADMIN_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: keycloak-admin
|
|
||||||
key: password
|
|
||||||
- name: CLIENT_ID
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: oauth2-proxy-zot-oidc
|
|
||||||
key: client_id
|
|
||||||
- name: CLIENT_SECRET
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: oauth2-proxy-zot-oidc
|
|
||||||
key: client_secret
|
|
||||||
- name: KC_SERVER
|
|
||||||
value: http://keycloak.sso.svc.cluster.local:8080
|
|
||||||
- name: REALM
|
|
||||||
value: atlas
|
|
||||||
- name: REDIRECT_URI
|
|
||||||
value: https://registry.bstein.dev/oauth2/callback
|
|
||||||
- name: WEB_ORIGIN
|
|
||||||
value: https://registry.bstein.dev
|
|
||||||
command:
|
|
||||||
- /bin/sh
|
|
||||||
- -c
|
|
||||||
- |
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
if [ -z "${CLIENT_ID:-}" ] || [ -z "${CLIENT_SECRET:-}" ]; then
|
|
||||||
echo "CLIENT_ID or CLIENT_SECRET missing; check oauth2-proxy-zot-oidc secret" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
KCADM="/opt/keycloak/bin/kcadm.sh"
|
|
||||||
|
|
||||||
$KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli
|
|
||||||
|
|
||||||
CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes)"
|
|
||||||
|
|
||||||
if [ -z "$CLIENT_UUID" ]; then
|
|
||||||
echo "Creating client $CLIENT_ID"
|
|
||||||
$KCADM create clients -r "$REALM" \
|
|
||||||
-s clientId="$CLIENT_ID" \
|
|
||||||
-s enabled=true \
|
|
||||||
-s protocol=openid-connect \
|
|
||||||
-s publicClient=false \
|
|
||||||
-s standardFlowEnabled=true \
|
|
||||||
-s directAccessGrantsEnabled=false \
|
|
||||||
-s secret="$CLIENT_SECRET" \
|
|
||||||
-s 'redirectUris=["'"$REDIRECT_URI"'"]' \
|
|
||||||
-s 'webOrigins=["'"$WEB_ORIGIN"'"]' \
|
|
||||||
-s 'attributes."pkce.code.challenge.method"="S256"'
|
|
||||||
else
|
|
||||||
echo "Updating client $CLIENT_ID ($CLIENT_UUID)"
|
|
||||||
$KCADM update "clients/$CLIENT_UUID" -r "$REALM" \
|
|
||||||
-s secret="$CLIENT_SECRET" \
|
|
||||||
-s 'standardFlowEnabled=true' \
|
|
||||||
-s 'directAccessGrantsEnabled=false' \
|
|
||||||
-s 'redirectUris=["'"$REDIRECT_URI"'"]' \
|
|
||||||
-s 'webOrigins=["'"$WEB_ORIGIN"'"]' \
|
|
||||||
-s 'attributes."pkce.code.challenge.method"="S256"'
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Keycloak zot client bootstrap complete"
|
|
||||||
@ -7,10 +7,10 @@ metadata:
|
|||||||
annotations:
|
annotations:
|
||||||
kubernetes.io/ingress.class: traefik
|
kubernetes.io/ingress.class: traefik
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||||
traefik.ingress.kubernetes.io/router.middlewares: vault-login-redirect@kubernetescrd
|
traefik.ingress.kubernetes.io/router.middlewares: vault-vault-login-redirect@kubernetescrd
|
||||||
traefik.ingress.kubernetes.io/router.tls: "true"
|
traefik.ingress.kubernetes.io/router.tls: "true"
|
||||||
traefik.ingress.kubernetes.io/service.serversscheme: https
|
traefik.ingress.kubernetes.io/service.serversscheme: https
|
||||||
traefik.ingress.kubernetes.io/service.serverstransport: vault-to-https@kubernetescrd
|
traefik.ingress.kubernetes.io/service.serverstransport: vault-vault-to-https@kubernetescrd
|
||||||
spec:
|
spec:
|
||||||
ingressClassName: traefik
|
ingressClassName: traefik
|
||||||
tls:
|
tls:
|
||||||
|
|||||||
@ -2,7 +2,7 @@
|
|||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
metadata:
|
metadata:
|
||||||
name: vault-oidc-bootstrap-2
|
name: vault-oidc-bootstrap
|
||||||
namespace: vault
|
namespace: vault
|
||||||
labels:
|
labels:
|
||||||
app: vault-oidc-bootstrap
|
app: vault-oidc-bootstrap
|
||||||
@ -76,6 +76,4 @@ spec:
|
|||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
vault write auth/oidc/role/admin @/tmp/role.json
|
vault write auth/oidc/role/admin @/tmp/role.json
|
||||||
# Make OIDC the default UI login method
|
|
||||||
vault write sys/config/ui default_auth_method="oidc"
|
|
||||||
echo "vault OIDC bootstrap complete"
|
echo "vault OIDC bootstrap complete"
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user