# services/keycloak/mas-secrets-ensure-job.yaml apiVersion: v1 kind: ServiceAccount metadata: name: mas-secrets-ensure namespace: sso --- apiVersion: batch/v1 kind: Job metadata: name: mas-secrets-ensure-13 namespace: sso spec: backoffLimit: 0 ttlSecondsAfterFinished: 3600 template: spec: serviceAccountName: mas-secrets-ensure restartPolicy: Never volumes: - name: work emptyDir: {} initContainers: - name: generate image: alpine:3.20 command: ["/bin/sh", "-c"] args: - | set -euo pipefail umask 077 apk add --no-cache curl openssl jq >/dev/null KC_URL="http://keycloak.sso.svc.cluster.local" ACCESS_TOKEN="" for attempt in 1 2 3 4 5; do TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d "grant_type=password" \ -d "client_id=admin-cli" \ -d "username=${KEYCLOAK_ADMIN}" \ -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)" ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)" if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then break fi echo "Keycloak token request failed (attempt ${attempt})" >&2 sleep $((attempt * 2)) done if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then echo "Failed to fetch Keycloak admin token" >&2 exit 1 fi CLIENT_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ "$KC_URL/admin/realms/atlas/clients?clientId=othrys-mas" | jq -r '.[0].id' 2>/dev/null || true)" if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then echo "Keycloak client othrys-mas not found" >&2 exit 1 fi CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)" if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then echo "Keycloak client secret not found" >&2 exit 1 fi printf '%s' "$CLIENT_SECRET" > /work/keycloak_client_secret openssl rand -hex 32 | tr -d '\n' > /work/encryption openssl rand -hex 32 | tr -d '\n' > /work/matrix_shared_secret openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /work/rsa_key >/dev/null 2>&1 chmod 0644 /work/* env: - name: KEYCLOAK_ADMIN valueFrom: secretKeyRef: name: keycloak-admin key: username - name: KEYCLOAK_ADMIN_PASSWORD valueFrom: secretKeyRef: name: keycloak-admin key: password volumeMounts: - name: work mountPath: /work containers: - name: apply image: bitnami/kubectl:latest command: ["/bin/sh", "-c"] args: - | set -euo pipefail if kubectl -n comms get secret mas-secrets-runtime >/dev/null 2>&1; then kubectl -n comms get secret mas-secrets-runtime -o jsonpath='{.data.encryption}' | base64 -d 2>/dev/null > /tmp/encryption.current || true current_len="$(wc -c < /tmp/encryption.current | tr -d ' ')" if [ "${current_len}" = "64" ] && grep -Eq '^[0-9a-fA-F]{64}$' /tmp/encryption.current; then exit 0 fi fi kubectl -n comms create secret generic mas-secrets-runtime \ --from-file=encryption=/work/encryption \ --from-file=matrix_shared_secret=/work/matrix_shared_secret \ --from-file=keycloak_client_secret=/work/keycloak_client_secret \ --from-file=rsa_key=/work/rsa_key \ --dry-run=client -o yaml | kubectl -n comms apply -f - >/dev/null volumeMounts: - name: work mountPath: /work