143 lines
7.6 KiB
YAML
143 lines
7.6 KiB
YAML
# services/keycloak/harbor-oidc-secret-ensure-job.yaml
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: harbor-oidc-secret-ensure-1
|
|
namespace: sso
|
|
spec:
|
|
backoffLimit: 0
|
|
ttlSecondsAfterFinished: 3600
|
|
template:
|
|
spec:
|
|
serviceAccountName: mas-secrets-ensure
|
|
restartPolicy: Never
|
|
affinity:
|
|
nodeAffinity:
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
nodeSelectorTerms:
|
|
- matchExpressions:
|
|
- key: kubernetes.io/arch
|
|
operator: In
|
|
values: ["arm64"]
|
|
- key: node-role.kubernetes.io/worker
|
|
operator: Exists
|
|
containers:
|
|
- name: apply
|
|
image: alpine:3.20
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- |
|
|
set -euo pipefail
|
|
apk add --no-cache curl jq kubectl >/dev/null
|
|
|
|
KC_URL="http://keycloak.sso.svc.cluster.local"
|
|
ACCESS_TOKEN=""
|
|
for attempt in 1 2 3 4 5; do
|
|
TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
|
|
-H 'Content-Type: application/x-www-form-urlencoded' \
|
|
-d "grant_type=password" \
|
|
-d "client_id=admin-cli" \
|
|
-d "username=${KEYCLOAK_ADMIN}" \
|
|
-d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
|
|
ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
|
|
if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
|
|
break
|
|
fi
|
|
echo "Keycloak token request failed (attempt ${attempt})" >&2
|
|
sleep $((attempt * 2))
|
|
done
|
|
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
|
|
echo "Failed to fetch Keycloak admin token" >&2
|
|
exit 1
|
|
fi
|
|
|
|
CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
"$KC_URL/admin/realms/atlas/clients?clientId=harbor" || true)"
|
|
CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
|
|
|
|
if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
|
|
create_payload='{"clientId":"harbor","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://registry.bstein.dev/c/oidc/callback"],"webOrigins":["https://registry.bstein.dev"],"rootUrl":"https://registry.bstein.dev","baseUrl":"/"}'
|
|
status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
|
|
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
-H 'Content-Type: application/json' \
|
|
-d "${create_payload}" \
|
|
"$KC_URL/admin/realms/atlas/clients")"
|
|
if [ "$status" != "201" ] && [ "$status" != "204" ]; then
|
|
echo "Keycloak client create failed (status ${status})" >&2
|
|
exit 1
|
|
fi
|
|
CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
"$KC_URL/admin/realms/atlas/clients?clientId=harbor" || true)"
|
|
CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
|
|
fi
|
|
|
|
if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
|
|
echo "Keycloak client harbor not found" >&2
|
|
exit 1
|
|
fi
|
|
|
|
SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
"$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)"
|
|
if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then
|
|
echo "Keycloak client scope groups not found" >&2
|
|
exit 1
|
|
fi
|
|
|
|
DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" || true)"
|
|
OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" || true)"
|
|
|
|
if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1 \
|
|
&& ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1; then
|
|
status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
|
|
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
|
|
if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
|
|
status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
|
|
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
|
|
if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
|
|
echo "Failed to attach groups client scope to harbor (status ${status})" >&2
|
|
exit 1
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
|
|
if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
|
|
echo "Keycloak client secret not found" >&2
|
|
exit 1
|
|
fi
|
|
|
|
CONFIG_OVERWRITE_JSON="$(jq -nc \
|
|
--arg auth_mode "oidc_auth" \
|
|
--arg oidc_name "Keycloak" \
|
|
--arg oidc_client_id "harbor" \
|
|
--arg oidc_client_secret "${CLIENT_SECRET}" \
|
|
--arg oidc_endpoint "https://sso.bstein.dev/realms/atlas" \
|
|
--arg oidc_scope "openid,profile,email,groups" \
|
|
--arg oidc_user_claim "preferred_username" \
|
|
--arg oidc_groups_claim "groups" \
|
|
--arg oidc_admin_group "admin" \
|
|
--argjson oidc_auto_onboard true \
|
|
--argjson oidc_verify_cert true \
|
|
--argjson oidc_logout true \
|
|
'{\n auth_mode: $auth_mode,\n oidc_name: $oidc_name,\n oidc_client_id: $oidc_client_id,\n oidc_client_secret: $oidc_client_secret,\n oidc_endpoint: $oidc_endpoint,\n oidc_scope: $oidc_scope,\n oidc_user_claim: $oidc_user_claim,\n oidc_groups_claim: $oidc_groups_claim,\n oidc_admin_group: $oidc_admin_group,\n oidc_auto_onboard: $oidc_auto_onboard,\n oidc_verify_cert: $oidc_verify_cert,\n oidc_logout: $oidc_logout\n }')"
|
|
|
|
kubectl -n harbor create secret generic harbor-oidc \
|
|
--from-literal=CONFIG_OVERWRITE_JSON="${CONFIG_OVERWRITE_JSON}" \
|
|
--dry-run=client -o yaml | kubectl -n harbor apply -f - >/dev/null
|
|
env:
|
|
- name: KEYCLOAK_ADMIN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: keycloak-admin
|
|
key: username
|
|
- name: KEYCLOAK_ADMIN_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: keycloak-admin
|
|
key: password
|