From 21355802102e75f69023d21f332903f73c78c206 Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic
Date: Wed, 29 Apr 2026 14:42:27 +0200
Subject: [PATCH] kc script
---
 infra/values/base/keycloak-values.yaml | 32 +++++++++++++++-----------
 1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml
index fbef335..48b381a 100644
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -259,7 +259,7 @@ extraDeploy:
 ADMIN_PASS=$(cat /secrets/admin-password)
 echo "Authenticating to Keycloak..."
- TOKEN=$(curl -sf -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
+ TOKEN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
 -d "client_id=admin-cli" \
 -d "username=${ADMIN_USER}" \
 -d "password=${ADMIN_PASS}" \
@@ -276,7 +276,7 @@ extraDeploy:
 upsert_secret() {
 local ns="$1" name="$2" manifest="$3"
 local code
- code=$(curl -sf -o /dev/null -w "%{http_code}" \
+ code=$(curl -s -o /dev/null -w "%{http_code}" \
 --cacert "$CA_CERT" \
 -H "Authorization: Bearer ${SA_TOKEN}" \
 -H "Content-Type: application/json" \
@@ -285,7 +285,7 @@ extraDeploy:
 if [ "$code" = "200" ]; then
 echo " Updated secret '${ns}/${name}'"
 elif [ "$code" = "404" ]; then
- code=$(curl -sf -o /dev/null -w "%{http_code}" \
+ code=$(curl -s -o /dev/null -w "%{http_code}" \
 --cacert "$CA_CERT" \
 -H "Authorization: Bearer ${SA_TOKEN}" \
 -H "Content-Type: application/json" \
@@ -332,7 +332,7 @@ extraDeploy:
 # Get the client secret from Keycloak
 local secret_value
- secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+ secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
 "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
 | jq -r '.value')
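Review bot: With `-f` dropped from the token request in the `@@ -259` hunk, an HTTP 401 or 5xx from Keycloak no longer makes curl fail, so the JSON error body is handed to whatever extracts `TOKEN` (the rest of the command is outside the hunk). The same pattern recurs where a response body is consumed by jq: `secret_value` (`@@ -332`), `CLIENTS` (`@@ -384`), `CONFIG_SECRETS` (`@@ -409`), `EXISTING` (`@@ -471`) and `CLIENT_UUID` (`@@ -501`). In the `secret_value` case `jq -r '.value'` turns an error body into the literal string `null`, which would be written out as a client secret unless a later check, not visible here, rejects it. For these body-consuming calls, keep some failure detection, for example `| jq -er '.value // empty')` followed by an explicit empty check, or `--fail-with-body` if the image's curl is 7.76 or newer.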
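Review bot: In `upsert_secret` (`@@ -276` and `@@ -285`), `curl -s` with `-w "%{http_code}"` reports a connection or TLS failure only as code `000`, and `-s` also suppresses curl's own error message, so nothing in the script output explains why the API server could not be reached. `-sS` stays quiet on success but still prints the error to stderr: `code=$(curl -sS -o /dev/null -w "%{http_code}" \`. How codes other than 200 and 404 are handled is outside these hunks; it is worth confirming that branch logs the code and treats the upsert as failed. The same flag change would help the `ns_status`, `CRED_EXISTS` and `HTTP_CODE` calls in the later hunks.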
@@ -347,7 +347,7 @@ extraDeploy:
 # Write to target namespace (if it exists)
 local ns_status
- ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \
+ ns_status=$(curl -s -o /dev/null -w "%{http_code}" \
 --cacert "$CA_CERT" \
 -H "Authorization: Bearer ${SA_TOKEN}" \
 "${K8S_API}/api/v1/namespaces/${target_ns}")
@@ -371,12 +371,12 @@ extraDeploy:
 local ns="$1" name="$2" key="$3" value="$4"
 local patch
 patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
- curl -sf -o /dev/null \
+ curl -s -o /dev/null \
 --cacert "$CA_CERT" \
 -H "Authorization: Bearer ${SA_TOKEN}" \
 -H "Content-Type: application/strategic-merge-patch+json" \
 -X PATCH -d "$patch" \
- "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}"
+ "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" || true
 }
 # =============================================
@@ -384,7 +384,7 @@ extraDeploy:
 # =============================================
 echo "=== Legacy sync: clients with k8s.secret.sync=true ==="
- CLIENTS=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+ CLIENTS=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
 "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
 SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]')
@@ -409,7 +409,7 @@ extraDeploy:
 echo ""
 echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ==="
- CONFIG_SECRETS=$(curl -sf \
+ CONFIG_SECRETS=$(curl -s \
 --cacert "$CA_CERT" \
 -H "Authorization: Bearer ${SA_TOKEN}" \
 "${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true")
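Review bot: The `|| true` added to the PATCH call in the `@@ -371` hunk, combined with the removal of `-f`, leaves this function unable to report any failure: an HTTP 403 or 422 is discarded along with the body, and a transport error is swallowed by `|| true`. If later runs rely on this annotation, a silently missing one would go unnoticed. Capturing the status keeps the call best-effort but leaves a trace, e.g. add `-w "%{http_code}"` and assign the result to `code`, then `[ "$code" = "200" ] || echo "WARN: annotating ${ns}/${name} failed (HTTP ${code})" >&2`. Separately, `patch` is built with `printf` and no JSON escaping, so a `value` containing a quote or backslash produces an invalid or altered patch; `jq -n --arg` would build it safely. The function's opening line is outside the hunk.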
@@ -430,6 +430,10 @@ extraDeploy:
 CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d)
 CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId')
+ if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
+ echo "ERROR: Could not extract clientId from config '${CONFIG_NAME}', skipping"
+ continue
+ fi
 echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'"
 # Compute config hash for change detection
@@ -443,7 +447,7 @@ extraDeploy:
 CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"')
 # Check if credential Secret already exists in target namespace
- CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \
+ CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
 --cacert "$CA_CERT" \
 -H "Authorization: Bearer ${SA_TOKEN}" \
 "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")
@@ -471,13 +475,13 @@ extraDeploy:
 }')
 # Check if client already exists
- EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+ EXISTING=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
 "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
 | jq -r '.[0].id // empty')
 if [ -n "$EXISTING" ]; then
 echo " Updating existing Keycloak client (uuid: ${EXISTING})"
- HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
+ HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
 -H "Authorization: Bearer ${TOKEN}" \
 -H "Content-Type: application/json" \
 -X PUT -d "$KC_CLIENT" \
@@ -490,7 +494,7 @@ extraDeploy:
 CLIENT_UUID="$EXISTING"
 else
 echo " Creating new Keycloak client '${CLIENT_ID}'"
- HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
+ HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
 -H "Authorization: Bearer ${TOKEN}" \
 -H "Content-Type: application/json" \
 -X POST -d "$KC_CLIENT" \
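Review bot: The new guard in the `@@ -430` hunk rejects an empty or `null` clientId but accepts any other string, and `CLIENT_ID` is then interpolated unencoded into the query string `clients?clientId=${CLIENT_ID}` (`@@ -471`, `@@ -501`). Because the value is read from a labelled config Secret rather than set by the script, characters such as `&`, `#` or a space can change or break the admin API request. `CRED_NS` and `CRED_NAME` in the `@@ -443` hunk are placed into a Kubernetes API path the same way; if they are also taken from the config JSON (their assignment is outside the hunk), they decide which namespace the script's service-account token is used against. Consider validating each identifier right after extraction, e.g. `case "$CLIENT_ID" in *[!A-Za-z0-9._-]*) echo "ERROR: invalid clientId in '${CONFIG_NAME}'" >&2; continue ;; esac`, and sending the lookup with `curl -G --data-urlencode "clientId=${CLIENT_ID}"`.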
@@ -501,7 +505,7 @@ extraDeploy:
 continue
 fi
 # Fetch the newly created client's UUID
- CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+ CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
 "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
 | jq -r '.[0].id')
 fi
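Review bot: `jq -r '.[0].id'` in the `@@ -501` hunk prints the literal `null` when the lookup returns an empty array, whereas the earlier `EXISTING` lookup uses `.[0].id // empty`. `CLIENT_UUID` would then hold the string `null` and could be used in later admin API paths, unless code after this `fi` (outside the hunk) checks it. Suggest `| jq -r '.[0].id // empty')` followed by `[ -n "$CLIENT_UUID" ] || { echo "ERROR: client '${CLIENT_ID}' not found after create" >&2; continue; }`.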