158 lines
6.5 KiB
YAML
158 lines
6.5 KiB
YAML
# services/keycloak/realm-settings-job.yaml
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: keycloak-realm-settings-7
|
|
namespace: sso
|
|
spec:
|
|
backoffLimit: 2
|
|
template:
|
|
spec:
|
|
affinity:
|
|
nodeAffinity:
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
nodeSelectorTerms:
|
|
- matchExpressions:
|
|
- key: hardware
|
|
operator: In
|
|
values: ["rpi5","rpi4"]
|
|
- key: node-role.kubernetes.io/worker
|
|
operator: Exists
|
|
restartPolicy: OnFailure
|
|
containers:
|
|
- name: configure
|
|
image: python:3.11-alpine
|
|
env:
|
|
- name: KEYCLOAK_SERVER
|
|
value: http://keycloak.sso.svc.cluster.local
|
|
- name: KEYCLOAK_REALM
|
|
value: atlas
|
|
- name: KEYCLOAK_ADMIN_USER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: keycloak-admin
|
|
key: username
|
|
- name: KEYCLOAK_ADMIN_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: keycloak-admin
|
|
key: password
|
|
- name: KEYCLOAK_SMTP_HOST
|
|
value: mailu-front.mailu-mailserver.svc.cluster.local
|
|
- name: KEYCLOAK_SMTP_PORT
|
|
value: "25"
|
|
- name: KEYCLOAK_SMTP_FROM
|
|
value: no-reply@bstein.dev
|
|
- name: KEYCLOAK_SMTP_FROM_NAME
|
|
value: Atlas SSO
|
|
- name: KEYCLOAK_SMTP_REPLY_TO
|
|
value: no-reply@bstein.dev
|
|
- name: KEYCLOAK_SMTP_REPLY_TO_NAME
|
|
value: Atlas SSO
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- |
|
|
set -euo pipefail
|
|
python - <<'PY'
|
|
import json
|
|
import os
|
|
import urllib.parse
|
|
import urllib.request
|
|
|
|
base_url = os.environ["KEYCLOAK_SERVER"].rstrip("/")
|
|
realm = os.environ["KEYCLOAK_REALM"]
|
|
admin_user = os.environ["KEYCLOAK_ADMIN_USER"]
|
|
admin_password = os.environ["KEYCLOAK_ADMIN_PASSWORD"]
|
|
|
|
def http_json(method: str, url: str, token: str, payload=None):
|
|
data = None
|
|
headers = {"Authorization": f"Bearer {token}"}
|
|
if payload is not None:
|
|
data = json.dumps(payload).encode()
|
|
headers["Content-Type"] = "application/json"
|
|
req = urllib.request.Request(url, data=data, headers=headers, method=method)
|
|
with urllib.request.urlopen(req, timeout=30) as resp:
|
|
body = resp.read()
|
|
if not body:
|
|
return resp.status, None
|
|
return resp.status, json.loads(body.decode())
|
|
|
|
token_data = urllib.parse.urlencode(
|
|
{
|
|
"grant_type": "password",
|
|
"client_id": "admin-cli",
|
|
"username": admin_user,
|
|
"password": admin_password,
|
|
}
|
|
).encode()
|
|
token_req = urllib.request.Request(
|
|
f"{base_url}/realms/master/protocol/openid-connect/token",
|
|
data=token_data,
|
|
headers={"Content-Type": "application/x-www-form-urlencoded"},
|
|
method="POST",
|
|
)
|
|
with urllib.request.urlopen(token_req, timeout=10) as resp:
|
|
token_body = json.loads(resp.read().decode())
|
|
access_token = token_body["access_token"]
|
|
|
|
# Update realm settings safely by fetching the full realm representation first.
|
|
realm_url = f"{base_url}/admin/realms/{realm}"
|
|
status, realm_rep = http_json("GET", realm_url, access_token)
|
|
if status != 200 or not realm_rep:
|
|
raise SystemExit(f"Unable to fetch realm {realm} (status={status})")
|
|
|
|
realm_rep["resetPasswordAllowed"] = True
|
|
|
|
smtp = realm_rep.get("smtpServer") or {}
|
|
smtp.update(
|
|
{
|
|
"host": os.environ["KEYCLOAK_SMTP_HOST"],
|
|
"port": os.environ["KEYCLOAK_SMTP_PORT"],
|
|
"from": os.environ["KEYCLOAK_SMTP_FROM"],
|
|
"fromDisplayName": os.environ["KEYCLOAK_SMTP_FROM_NAME"],
|
|
"replyTo": os.environ["KEYCLOAK_SMTP_REPLY_TO"],
|
|
"replyToDisplayName": os.environ["KEYCLOAK_SMTP_REPLY_TO_NAME"],
|
|
"auth": "false",
|
|
"starttls": "false",
|
|
"ssl": "false",
|
|
}
|
|
)
|
|
realm_rep["smtpServer"] = smtp
|
|
|
|
status, _ = http_json("PUT", realm_url, access_token, realm_rep)
|
|
if status not in (200, 204):
|
|
raise SystemExit(f"Unexpected realm update response: {status}")
|
|
|
|
# Disable Identity Provider Redirector in the browser flow for this realm.
|
|
status, executions = http_json(
|
|
"GET",
|
|
f"{base_url}/admin/realms/{realm}/authentication/flows/browser/executions",
|
|
access_token,
|
|
)
|
|
if status == 200 and executions:
|
|
for ex in executions:
|
|
if ex.get("providerId") != "identity-provider-redirector":
|
|
continue
|
|
ex_id = ex.get("id")
|
|
if not ex_id:
|
|
continue
|
|
status, ex_rep = http_json(
|
|
"GET",
|
|
f"{base_url}/admin/realms/{realm}/authentication/executions/{ex_id}",
|
|
access_token,
|
|
)
|
|
if status != 200 or not ex_rep:
|
|
raise SystemExit(f"Unable to fetch browser execution {ex_id} (status={status})")
|
|
if ex_rep.get("requirement") == "DISABLED":
|
|
continue
|
|
ex_rep["requirement"] = "DISABLED"
|
|
status, _ = http_json(
|
|
"PUT",
|
|
f"{base_url}/admin/realms/{realm}/authentication/executions/{ex_id}",
|
|
access_token,
|
|
ex_rep,
|
|
)
|
|
if status not in (200, 204):
|
|
raise SystemExit(f"Unexpected execution update response for {ex_id}: {status}")
|
|
PY
|