# services/keycloak/logs-oidc-secret-ensure-job.yaml apiVersion: batch/v1 kind: Job metadata: name: logs-oidc-secret-ensure-2 namespace: sso spec: backoffLimit: 0 ttlSecondsAfterFinished: 3600 template: spec: serviceAccountName: mas-secrets-ensure restartPolicy: Never containers: - name: apply image: alpine:3.20 command: ["/bin/sh", "-c"] args: - | set -euo pipefail apk add --no-cache curl jq kubectl openssl >/dev/null KC_URL="http://keycloak.sso.svc.cluster.local" ACCESS_TOKEN="" for attempt in 1 2 3 4 5; do TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d "grant_type=password" \ -d "client_id=admin-cli" \ -d "username=${KEYCLOAK_ADMIN}" \ -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)" ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)" if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then break fi echo "Keycloak token request failed (attempt ${attempt})" >&2 sleep $((attempt * 2)) done if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then echo "Failed to fetch Keycloak admin token" >&2 exit 1 fi CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ "$KC_URL/admin/realms/atlas/clients?clientId=logs" || true)" CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)" if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then create_payload='{"clientId":"logs","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://logs.bstein.dev/oauth2/callback"],"webOrigins":["https://logs.bstein.dev"],"rootUrl":"https://logs.bstein.dev","baseUrl":"/"}' status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \ -H "Authorization: Bearer ${ACCESS_TOKEN}" \ -H 'Content-Type: application/json' \ -d "${create_payload}" \ "$KC_URL/admin/realms/atlas/clients")" if [ "$status" != "201" ] && [ "$status" != "204" ]; then echo "Keycloak client create failed (status ${status})" >&2 exit 1 fi CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ "$KC_URL/admin/realms/atlas/clients?clientId=logs" || true)" CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)" fi if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then echo "Keycloak client logs not found" >&2 exit 1 fi CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)" if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then echo "Keycloak client secret not found" >&2 exit 1 fi if kubectl -n logging get secret oauth2-proxy-logs-oidc >/dev/null 2>&1; then current_cookie="$(kubectl -n logging get secret oauth2-proxy-logs-oidc -o jsonpath='{.data.cookie_secret}' 2>/dev/null || true)" if [ -n "${current_cookie}" ]; then decoded="$(printf '%s' "${current_cookie}" | base64 -d 2>/dev/null || true)" length="$(printf '%s' "${decoded}" | wc -c | tr -d ' ')" if [ "${length}" = "16" ] || [ "${length}" = "24" ] || [ "${length}" = "32" ]; then exit 0 fi fi fi COOKIE_SECRET="$(openssl rand -hex 16 | tr -d '\n')" kubectl -n logging create secret generic oauth2-proxy-logs-oidc \ --from-literal=client_id="logs" \ --from-literal=client_secret="${CLIENT_SECRET}" \ --from-literal=cookie_secret="${COOKIE_SECRET}" \ --dry-run=client -o yaml | kubectl -n logging apply -f - >/dev/null env: - name: KEYCLOAK_ADMIN valueFrom: secretKeyRef: name: keycloak-admin key: username - name: KEYCLOAK_ADMIN_PASSWORD valueFrom: secretKeyRef: name: keycloak-admin key: password