# services/keycloak/zot-client-bootstrap.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-zot-client-bootstrap
  namespace: sso
  labels:
    app: keycloak-zot-client-bootstrap
spec:
  backoffLimit: 0
  ttlSecondsAfterFinished: 86400
  template:
    metadata:
      labels:
        app: keycloak-zot-client-bootstrap
    spec:
      restartPolicy: Never
      containers:
        - name: configure-zot-client
          image: quay.io/keycloak/keycloak:26.0.7
          imagePullPolicy: IfNotPresent
          env:
            - name: KEYCLOAK_ADMIN
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: username
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: password
            - name: CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy-zot-oidc
                  key: client_id
            - name: CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy-zot-oidc
                  key: client_secret
            - name: KC_SERVER
              value: http://keycloak.sso.svc.cluster.local:8080
            - name: REALM
              value: atlas
            - name: REDIRECT_URI
              value: https://registry.bstein.dev/oauth2/callback
            - name: WEB_ORIGIN
              value: https://registry.bstein.dev
          command:
            - /bin/sh
            - -c
            - |
              set -euo pipefail

              if [ -z "${CLIENT_ID:-}" ] || [ -z "${CLIENT_SECRET:-}" ]; then
                echo "CLIENT_ID or CLIENT_SECRET missing; check oauth2-proxy-zot-oidc secret" >&2
                exit 1
              fi

              KCADM="/opt/keycloak/bin/kcadm.sh"

              $KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli

              CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes)"

              if [ -z "$CLIENT_UUID" ]; then
                echo "Creating client $CLIENT_ID"
                $KCADM create clients -r "$REALM" \
                  -s clientId="$CLIENT_ID" \
                  -s enabled=true \
                  -s protocol=openid-connect \
                  -s publicClient=false \
                  -s standardFlowEnabled=true \
                  -s directAccessGrantsEnabled=false \
                  -s secret="$CLIENT_SECRET" \
                  -s 'redirectUris=["'"$REDIRECT_URI"'"]' \
                  -s 'webOrigins=["'"$WEB_ORIGIN"'"]' \
                  -s 'attributes."pkce.code.challenge.method"="S256"'
              else
                echo "Updating client $CLIENT_ID ($CLIENT_UUID)"
                $KCADM update "clients/$CLIENT_UUID" -r "$REALM" \
                  -s secret="$CLIENT_SECRET" \
                  -s 'standardFlowEnabled=true' \
                  -s 'directAccessGrantsEnabled=false' \
                  -s 'redirectUris=["'"$REDIRECT_URI"'"]' \
                  -s 'webOrigins=["'"$WEB_ORIGIN"'"]' \
                  -s 'attributes."pkce.code.challenge.method"="S256"'
              fi

              echo "Keycloak zot client bootstrap complete"