titan-iac/services/keycloak/zot-client-bootstrap.yaml


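# services/keycloak/zot-client-bootstrap.yaml
#
# One-shot Job that logs in to Keycloak with kcadm.sh and, for every client
# named in CLIENT_IDS, sets the redirect URIs and web origins, enables the
# standard flow and disables direct access grants in the REALM realm.
#
# A Job's pod template is immutable once created: if the previous Job object
# still exists in the cluster, a template change needs a new metadata.name
# (presumably what the numeric suffix is for; confirm with the repo owner).
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-zot-client-bootstrap-4
  namespace: sso
  labels:
    app: keycloak-zot-client-bootstrap
spec:
  # No retries: a failed run stays failed until it is looked at.
  backoffLimit: 0
  # The finished Job (and its pod logs) is removed after 24 hours.
  ttlSecondsAfterFinished: 86400
  template:
    metadata:
      labels:
        app: keycloak-zot-client-bootstrap
    spec:
      restartPolicy: Never
      # The script only talks to Keycloak, never to the Kubernetes API, so no
      # service-account token needs to be mounted into a pod that also holds
      # the Keycloak admin credentials.
      automountServiceAccountToken: false
      containers:
        - name: configure-zot-client
          # NOTE(review): a tag is mutable. This container receives the
          # master-realm admin password, so pinning the image by digest
          # (image@sha256:<digest>) is worth doing.
          image: quay.io/keycloak/keycloak:26.0.7
          imagePullPolicy: IfNotPresent
          # kcadm.sh needs no privileges. The root filesystem stays writable
          # because kcadm stores its session config on disk.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          env:
            # NOTE(review): this is the master-realm admin. A service account
            # limited to managing clients in REALM would be a narrower
            # credential for this task.
            - name: KEYCLOAK_ADMIN
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: username
            # kcadm.sh reads the login password from KC_CLI_PASSWORD when
            # --password is not given. This keeps the secret out of the
            # process argument list, which is readable through /proc and is
            # commonly captured by process-audit tooling.
            - name: KC_CLI_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: password
            # NOTE(review): plain HTTP. The admin password and access token
            # cross the cluster network unencrypted unless the network layer
            # encrypts pod traffic; confirm, or point this at a TLS endpoint.
            - name: KC_SERVER
              value: http://keycloak.sso.svc.cluster.local
            - name: REALM
              value: atlas
            # Space-separated list; the script word-splits it on purpose.
            - name: CLIENT_IDS
              value: "oauth2-proxy oauth2-proxy-zot"
            # JSON arrays passed verbatim to kcadm. Exact URLs, no wildcards.
            # NOTE(review): the same list is applied to every client in
            # CLIENT_IDS, so each client accepts callbacks for all of these
            # hosts. Per-client lists would be tighter if the clients serve
            # different hosts; confirm.
            - name: REDIRECT_URIS
              value: '["https://auth.bstein.dev/oauth2/callback","https://registry.bstein.dev/oauth2/callback","https://longhorn.bstein.dev/oauth2/callback","https://secret.bstein.dev/oauth2/callback","https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback"]'
            - name: WEB_ORIGINS
              value: '["https://registry.bstein.dev","https://auth.bstein.dev","https://longhorn.bstein.dev","https://secret.bstein.dev"]'
          command:
            - /bin/sh
            - -c
            - |
              # pipefail is not POSIX; this relies on the image's /bin/sh
              # accepting it (TODO confirm if the base image changes).
              set -euo pipefail
              KCADM="/opt/keycloak/bin/kcadm.sh"
              # No --password here: kcadm picks it up from KC_CLI_PASSWORD.
              "$KCADM" config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --client admin-cli
              for CLIENT_ID in $CLIENT_IDS; do
                # A failed lookup is reported as such instead of being folded
                # into "not found". The client is still skipped, as before.
                if ! CLIENT_UUID="$("$KCADM" get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes)"; then
                  echo "WARNING: lookup of client $CLIENT_ID failed; skipping" >&2
                  continue
                fi
                if [ -z "$CLIENT_UUID" ]; then
                  echo "Client $CLIENT_ID not found; skipping"
                  continue
                fi
                echo "Updating client $CLIENT_ID ($CLIENT_UUID)"
                # Authorization-code flow only; the password grant is turned
                # off for these clients.
                "$KCADM" update "clients/$CLIENT_UUID" -r "$REALM" \
                  -s 'redirectUris='"$REDIRECT_URIS" \
                  -s 'webOrigins='"$WEB_ORIGINS" \
                  -s 'standardFlowEnabled=true' \
                  -s 'directAccessGrantsEnabled=false'
              done
              echo "Keycloak zot client bootstrap complete"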