# services/keycloak/zot-client-bootstrap.yaml apiVersion: batch/v1 kind: Job metadata: name: keycloak-zot-client-bootstrap-2 namespace: sso labels: app: keycloak-zot-client-bootstrap spec: backoffLimit: 0 ttlSecondsAfterFinished: 86400 template: metadata: labels: app: keycloak-zot-client-bootstrap spec: restartPolicy: Never containers: - name: configure-zot-client image: quay.io/keycloak/keycloak:26.0.7 imagePullPolicy: IfNotPresent env: - name: KEYCLOAK_ADMIN valueFrom: secretKeyRef: name: keycloak-admin key: username - name: KEYCLOAK_ADMIN_PASSWORD valueFrom: secretKeyRef: name: keycloak-admin key: password - name: KC_SERVER value: http://keycloak.sso.svc.cluster.local:8080 - name: REALM value: atlas - name: CLIENT_IDS value: "oauth2-proxy oauth2-proxy-zot" - name: REDIRECT_URIS value: '["https://auth.bstein.dev/oauth2/callback","https://registry.bstein.dev/oauth2/callback","https://longhorn.bstein.dev/oauth2/callback","https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback"]' - name: WEB_ORIGINS value: '["https://registry.bstein.dev","https://auth.bstein.dev","https://longhorn.bstein.dev","https://secret.bstein.dev"]' command: - /bin/sh - -c - | set -euo pipefail KCADM="/opt/keycloak/bin/kcadm.sh" $KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli for CLIENT_ID in $CLIENT_IDS; do CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes || true)" if [ -z "$CLIENT_UUID" ]; then echo "Client $CLIENT_ID not found; skipping" continue fi echo "Updating client $CLIENT_ID ($CLIENT_UUID)" $KCADM update "clients/$CLIENT_UUID" -r "$REALM" \ -s 'redirectUris='"$REDIRECT_URIS" \ -s 'webOrigins='"$WEB_ORIGINS" \ -s 'standardFlowEnabled=true' \ -s 'directAccessGrantsEnabled=false' done echo "Keycloak zot client bootstrap complete"