#!/usr/bin/env bash set -euo pipefail . /vault/secrets/keycloak-admin-env.sh KC_URL="http://keycloak.sso.svc.cluster.local" REALM="atlas" CLIENT_ID="endurain" ROOT_URL="https://endurain.bstein.dev" REDIRECT_URI="https://endurain.bstein.dev/api/v1/public/idp/callback/keycloak" ISSUER_URL="https://sso.bstein.dev/realms/atlas" ACCESS_TOKEN="" for attempt in 1 2 3 4 5; do TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d "grant_type=password" \ -d "client_id=admin-cli" \ -d "username=${KEYCLOAK_ADMIN}" \ -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)" ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)" if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then break fi echo "Keycloak token request failed (attempt ${attempt})" >&2 sleep $((attempt * 2)) done if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then echo "Failed to fetch Keycloak admin token" >&2 exit 1 fi CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ "$KC_URL/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" || true)" CLIENT_UUID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)" if [ -z "$CLIENT_UUID" ] || [ "$CLIENT_UUID" = "null" ]; then create_payload="$(jq -nc \ --arg client_id "${CLIENT_ID}" \ --arg root_url "${ROOT_URL}" \ --arg redirect_uri "${REDIRECT_URI}" \ --arg web_origin "${ROOT_URL}" \ '{clientId:$client_id,name:"Endurain",enabled:true,protocol:"openid-connect",publicClient:false,standardFlowEnabled:true,implicitFlowEnabled:false,directAccessGrantsEnabled:false,serviceAccountsEnabled:false,redirectUris:[$redirect_uri],webOrigins:[$web_origin],rootUrl:$root_url,baseUrl:"/"}')" status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \ -H "Authorization: Bearer ${ACCESS_TOKEN}" \ -H 'Content-Type: application/json' \ -d "${create_payload}" \ "$KC_URL/admin/realms/${REALM}/clients")" if [ "$status" != "201" ] && [ "$status" != "204" ]; then echo "Keycloak client create failed (status ${status})" >&2 exit 1 fi CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ "$KC_URL/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" || true)" CLIENT_UUID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)" fi if [ -z "$CLIENT_UUID" ] || [ "$CLIENT_UUID" = "null" ]; then echo "Keycloak client ${CLIENT_ID} not found" >&2 exit 1 fi CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ "$KC_URL/admin/realms/${REALM}/clients/${CLIENT_UUID}/client-secret" | jq -r '.value' 2>/dev/null || true)" if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then echo "Keycloak client secret not found" >&2 exit 1 fi vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}" vault_role="${VAULT_ROLE:-sso-secrets}" jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')" vault_token="$(curl -sS --request POST --data "${login_payload}" \ "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')" if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then echo "vault login failed" >&2 exit 1 fi payload="$(jq -nc \ --arg client_id "${CLIENT_ID}" \ --arg client_secret "${CLIENT_SECRET}" \ --arg issuer_url "${ISSUER_URL}" \ '{data:{client_id:$client_id,client_secret:$client_secret,issuer_url:$issuer_url}}')" curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \ -d "${payload}" "${vault_addr}/v1/kv/data/atlas/health/endurain-oidc" >/dev/null