129 lines
5.5 KiB
YAML
129 lines
5.5 KiB
YAML
# services/keycloak/mas-secrets-ensure-job.yaml
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: mas-secrets-ensure
|
|
namespace: sso
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: mas-secrets-ensure-14
|
|
namespace: sso
|
|
spec:
|
|
backoffLimit: 0
|
|
ttlSecondsAfterFinished: 3600
|
|
template:
|
|
spec:
|
|
serviceAccountName: mas-secrets-ensure
|
|
restartPolicy: Never
|
|
volumes:
|
|
- name: work
|
|
emptyDir: {}
|
|
- name: vault-secrets
|
|
csi:
|
|
driver: secrets-store.csi.k8s.io
|
|
readOnly: true
|
|
volumeAttributes:
|
|
secretProviderClass: sso-vault
|
|
- name: vault-scripts
|
|
configMap:
|
|
name: sso-vault-env
|
|
defaultMode: 0555
|
|
initContainers:
|
|
- name: generate
|
|
image: alpine:3.20
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- |
|
|
set -euo pipefail
|
|
. /vault/scripts/keycloak_vault_env.sh
|
|
umask 077
|
|
apk add --no-cache curl openssl jq >/dev/null
|
|
|
|
KC_URL="http://keycloak.sso.svc.cluster.local"
|
|
ACCESS_TOKEN=""
|
|
for attempt in 1 2 3 4 5; do
|
|
TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
|
|
-H 'Content-Type: application/x-www-form-urlencoded' \
|
|
-d "grant_type=password" \
|
|
-d "client_id=admin-cli" \
|
|
-d "username=${KEYCLOAK_ADMIN}" \
|
|
-d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
|
|
ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
|
|
if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
|
|
break
|
|
fi
|
|
echo "Keycloak token request failed (attempt ${attempt})" >&2
|
|
sleep $((attempt * 2))
|
|
done
|
|
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
|
|
echo "Failed to fetch Keycloak admin token" >&2
|
|
exit 1
|
|
fi
|
|
CLIENT_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
"$KC_URL/admin/realms/atlas/clients?clientId=othrys-mas" | jq -r '.[0].id' 2>/dev/null || true)"
|
|
if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
|
|
echo "Keycloak client othrys-mas not found" >&2
|
|
exit 1
|
|
fi
|
|
CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
|
|
if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
|
|
echo "Keycloak client secret not found" >&2
|
|
exit 1
|
|
fi
|
|
|
|
printf '%s' "$CLIENT_SECRET" > /work/keycloak_client_secret
|
|
openssl rand -hex 32 | tr -d '\n' > /work/encryption
|
|
openssl rand -hex 32 | tr -d '\n' > /work/matrix_shared_secret
|
|
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /work/rsa_key >/dev/null 2>&1
|
|
chmod 0644 /work/*
|
|
volumeMounts:
|
|
- name: work
|
|
mountPath: /work
|
|
- name: vault-secrets
|
|
mountPath: /vault/secrets
|
|
readOnly: true
|
|
- name: vault-scripts
|
|
mountPath: /vault/scripts
|
|
readOnly: true
|
|
containers:
|
|
- name: apply
|
|
image: registry.bstein.dev/bstein/kubectl:1.35.0
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- |
|
|
set -euo pipefail
|
|
vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
|
|
vault_role="${VAULT_ROLE:-sso-secrets}"
|
|
jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
|
|
login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
|
|
vault_token="$(curl -sS --request POST --data "${login_payload}" \
|
|
"${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
|
|
if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
|
|
echo "vault login failed" >&2
|
|
exit 1
|
|
fi
|
|
|
|
existing="$(curl -sS -H "X-Vault-Token: ${vault_token}" \
|
|
"${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" | jq -r '.data.data.encryption // empty')"
|
|
if [ -n "${existing}" ]; then
|
|
current_len="$(printf '%s' "${existing}" | wc -c | tr -d ' ')"
|
|
if [ "${current_len}" = "64" ] && printf '%s' "${existing}" | grep -Eq '^[0-9a-fA-F]{64}$'; then
|
|
exit 0
|
|
fi
|
|
fi
|
|
|
|
payload="$(jq -nc \
|
|
--arg encryption "$(cat /work/encryption)" \
|
|
--arg matrix_shared_secret "$(cat /work/matrix_shared_secret)" \
|
|
--arg keycloak_client_secret "$(cat /work/keycloak_client_secret)" \
|
|
--arg rsa_key "$(cat /work/rsa_key)" \
|
|
'{data:{encryption:$encryption, matrix_shared_secret:$matrix_shared_secret, keycloak_client_secret:$keycloak_client_secret, rsa_key:$rsa_key}}')"
|
|
curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
|
|
-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" >/dev/null
|
|
volumeMounts:
|
|
- name: work
|
|
mountPath: /work
|