102 lines
3.9 KiB
YAML
102 lines
3.9 KiB
YAML
# services/keycloak/mas-secrets-ensure-job.yaml
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: mas-secrets-ensure
|
|
namespace: sso
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: mas-secrets-ensure-3
|
|
namespace: sso
|
|
spec:
|
|
backoffLimit: 2
|
|
template:
|
|
spec:
|
|
serviceAccountName: mas-secrets-ensure
|
|
restartPolicy: OnFailure
|
|
volumes:
|
|
- name: work
|
|
emptyDir: {}
|
|
initContainers:
|
|
- name: generate
|
|
image: alpine:3.20
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- |
|
|
set -euo pipefail
|
|
umask 077
|
|
apk add --no-cache curl openssl jq >/dev/null
|
|
|
|
KC_URL="http://keycloak.sso.svc.cluster.local"
|
|
ACCESS_TOKEN=""
|
|
for attempt in 1 2 3 4 5; do
|
|
TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
|
|
-H 'Content-Type: application/x-www-form-urlencoded' \
|
|
-d "grant_type=password" \
|
|
-d "client_id=admin-cli" \
|
|
-d "username=${KEYCLOAK_ADMIN}" \
|
|
-d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
|
|
ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
|
|
if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
|
|
break
|
|
fi
|
|
echo "Keycloak token request failed (attempt ${attempt})" >&2
|
|
sleep $((attempt * 2))
|
|
done
|
|
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
|
|
echo "Failed to fetch Keycloak admin token" >&2
|
|
exit 1
|
|
fi
|
|
CLIENT_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
"$KC_URL/admin/realms/atlas/clients?clientId=othrys-mas" | jq -r '.[0].id' 2>/dev/null || true)"
|
|
if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
|
|
echo "Keycloak client othrys-mas not found" >&2
|
|
exit 1
|
|
fi
|
|
CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
|
|
"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
|
|
if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
|
|
echo "Keycloak client secret not found" >&2
|
|
exit 1
|
|
fi
|
|
|
|
printf '%s' "$CLIENT_SECRET" > /work/keycloak_client_secret
|
|
openssl rand -base64 32 > /work/encryption
|
|
openssl rand -hex 32 > /work/matrix_shared_secret
|
|
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /work/rsa_key >/dev/null 2>&1
|
|
chmod 0600 /work/*
|
|
env:
|
|
- name: KEYCLOAK_ADMIN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: keycloak-admin
|
|
key: username
|
|
- name: KEYCLOAK_ADMIN_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: keycloak-admin
|
|
key: password
|
|
volumeMounts:
|
|
- name: work
|
|
mountPath: /work
|
|
containers:
|
|
- name: apply
|
|
image: bitnami/kubectl:latest
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- |
|
|
set -euo pipefail
|
|
if kubectl -n comms get secret mas-secrets-runtime >/dev/null 2>&1; then
|
|
exit 0
|
|
fi
|
|
kubectl -n comms create secret generic mas-secrets-runtime \
|
|
--from-file=encryption=/work/encryption \
|
|
--from-file=matrix_shared_secret=/work/matrix_shared_secret \
|
|
--from-file=keycloak_client_secret=/work/keycloak_client_secret \
|
|
--from-file=rsa_key=/work/rsa_key >/dev/null
|
|
volumeMounts:
|
|
- name: work
|
|
mountPath: /work
|