# services/keycloak/zot-client-bootstrap.yaml apiVersion: batch/v1 kind: Job metadata: name: keycloak-zot-client-bootstrap-4 namespace: sso labels: app: keycloak-zot-client-bootstrap spec: backoffLimit: 0 ttlSecondsAfterFinished: 86400 template: metadata: labels: app: keycloak-zot-client-bootstrap spec: restartPolicy: Never containers: - name: configure-zot-client image: quay.io/keycloak/keycloak:26.0.7 imagePullPolicy: IfNotPresent env: - name: KEYCLOAK_ADMIN valueFrom: secretKeyRef: name: keycloak-admin key: username - name: KEYCLOAK_ADMIN_PASSWORD valueFrom: secretKeyRef: name: keycloak-admin key: password - name: KC_SERVER value: http://keycloak.sso.svc.cluster.local - name: REALM value: atlas - name: CLIENT_IDS value: "oauth2-proxy oauth2-proxy-zot" - name: REDIRECT_URIS value: '["https://auth.bstein.dev/oauth2/callback","https://registry.bstein.dev/oauth2/callback","https://longhorn.bstein.dev/oauth2/callback","https://secret.bstein.dev/oauth2/callback","https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback"]' - name: WEB_ORIGINS value: '["https://registry.bstein.dev","https://auth.bstein.dev","https://longhorn.bstein.dev","https://secret.bstein.dev"]' - name: AUDIENCE_SCOPE value: oauth2-proxy-audience command: - /bin/sh - -c - | set -euo pipefail KCADM="/opt/keycloak/bin/kcadm.sh" $KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli # Ensure audience client scope exists and injects oauth2-proxy as audience SCOPE_ID="$($KCADM get client-scopes -r "$REALM" -q name="$AUDIENCE_SCOPE" --fields id --format csv --noquotes || true)" if [ -z "$SCOPE_ID" ]; then echo "Creating audience client scope $AUDIENCE_SCOPE" SCOPE_ID="$($KCADM create client-scopes -r "$REALM" -s name="$AUDIENCE_SCOPE" -s protocol=openid-connect -i)" fi MAPPER_ID="$($KCADM get client-scopes/$SCOPE_ID/protocol-mappers/models -r "$REALM" -q name=aud-$AUDIENCE_SCOPE --fields id --format csv --noquotes || true)" if [ -z "$MAPPER_ID" ]; then echo "Creating audience mapper on scope $AUDIENCE_SCOPE" $KCADM create client-scopes/$SCOPE_ID/protocol-mappers/models -r "$REALM" -s name=aud-$AUDIENCE_SCOPE -s protocol=openid-connect -s protocolMapper=oidc-audience-mapper -s 'config."included.client.audience"="oauth2-proxy"' -s 'config."id.token.claim"="true"' -s 'config."access.token.claim"="true"' -s 'config."included.custom.audience"=""' fi for CLIENT_ID in $CLIENT_IDS; do CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes || true)" if [ -z "$CLIENT_UUID" ]; then echo "Client $CLIENT_ID not found; skipping" continue fi echo "Updating client $CLIENT_ID ($CLIENT_UUID)" $KCADM update "clients/$CLIENT_UUID" -r "$REALM" \ -s 'redirectUris='"$REDIRECT_URIS" \ -s 'webOrigins='"$WEB_ORIGINS" \ -s 'standardFlowEnabled=true' \ -s 'directAccessGrantsEnabled=false' # Attach audience scope so access tokens carry aud=oauth2-proxy $KCADM update "clients/$CLIENT_UUID/optional-client-scopes/$SCOPE_ID" -r "$REALM" >/dev/null 2>&1 || \ $KCADM add-optional-client-scopes -r "$REALM" --clientid "$CLIENT_ID" --scopes "$AUDIENCE_SCOPE" done echo "Keycloak zot client bootstrap complete"