kc script

2026-04-29 14:42:27 +02:00
parent 37a38a1179
commit 2135580210


@@ -259,7 +259,7 @@ extraDeploy:
ADMIN_PASS=$(cat /secrets/admin-password) ADMIN_PASS=$(cat /secrets/admin-password)
echo "Authenticating to Keycloak..." echo "Authenticating to Keycloak..."
TOKEN=$(curl -sf -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \ TOKEN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
-d "client_id=admin-cli" \ -d "client_id=admin-cli" \
-d "username=${ADMIN_USER}" \ -d "username=${ADMIN_USER}" \
-d "password=${ADMIN_PASS}" \ -d "password=${ADMIN_PASS}" \
@@ -276,7 +276,7 @@ extraDeploy:
upsert_secret() { upsert_secret() {
local ns="$1" name="$2" manifest="$3" local ns="$1" name="$2" manifest="$3"
local code local code
code=$(curl -sf -o /dev/null -w "%{http_code}" \ code=$(curl -s -o /dev/null -w "%{http_code}" \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
@@ -285,7 +285,7 @@ extraDeploy:
if [ "$code" = "200" ]; then if [ "$code" = "200" ]; then
echo " Updated secret '${ns}/${name}'" echo " Updated secret '${ns}/${name}'"
elif [ "$code" = "404" ]; then elif [ "$code" = "404" ]; then
code=$(curl -sf -o /dev/null -w "%{http_code}" \ code=$(curl -s -o /dev/null -w "%{http_code}" \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
@@ -332,7 +332,7 @@ extraDeploy:
# Get the client secret from Keycloak # Get the client secret from Keycloak
local secret_value local secret_value
secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \ secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \ "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
| jq -r '.value') | jq -r '.value')
@@ -347,7 +347,7 @@ extraDeploy:
# Write to target namespace (if it exists) # Write to target namespace (if it exists)
local ns_status local ns_status
ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \ ns_status=$(curl -s -o /dev/null -w "%{http_code}" \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
"${K8S_API}/api/v1/namespaces/${target_ns}") "${K8S_API}/api/v1/namespaces/${target_ns}")
@@ -371,12 +371,12 @@ extraDeploy:
local ns="$1" name="$2" key="$3" value="$4" local ns="$1" name="$2" key="$3" value="$4"
local patch local patch
patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value") patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
curl -sf -o /dev/null \ curl -s -o /dev/null \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
-H "Content-Type: application/strategic-merge-patch+json" \ -H "Content-Type: application/strategic-merge-patch+json" \
-X PATCH -d "$patch" \ -X PATCH -d "$patch" \
"${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" || true
} }
# ============================================= # =============================================
@@ -384,7 +384,7 @@ extraDeploy:
# ============================================= # =============================================
echo "=== Legacy sync: clients with k8s.secret.sync=true ===" echo "=== Legacy sync: clients with k8s.secret.sync=true ==="
CLIENTS=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \ CLIENTS=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients") "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]') SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]')
@@ -409,7 +409,7 @@ extraDeploy:
echo "" echo ""
echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ===" echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ==="
CONFIG_SECRETS=$(curl -sf \ CONFIG_SECRETS=$(curl -s \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
"${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true") "${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true")
@@ -430,6 +430,10 @@ extraDeploy:
CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d) CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d)
CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId') CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId')
if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
echo "ERROR: Could not extract clientId from config '${CONFIG_NAME}', skipping"
continue
fi
echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'" echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'"
# Compute config hash for change detection # Compute config hash for change detection
@@ -443,7 +447,7 @@ extraDeploy:
CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"') CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"')
# Check if credential Secret already exists in target namespace # Check if credential Secret already exists in target namespace
CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \ CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
"${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}") "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")
@@ -471,13 +475,13 @@ extraDeploy:
}') }')
# Check if client already exists # Check if client already exists
EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \ EXISTING=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \ "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
| jq -r '.[0].id // empty') | jq -r '.[0].id // empty')
if [ -n "$EXISTING" ]; then if [ -n "$EXISTING" ]; then
echo " Updating existing Keycloak client (uuid: ${EXISTING})" echo " Updating existing Keycloak client (uuid: ${EXISTING})"
HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \ HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: Bearer ${TOKEN}" \ -H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-X PUT -d "$KC_CLIENT" \ -X PUT -d "$KC_CLIENT" \
@@ -490,7 +494,7 @@ extraDeploy:
CLIENT_UUID="$EXISTING" CLIENT_UUID="$EXISTING"
else else
echo " Creating new Keycloak client '${CLIENT_ID}'" echo " Creating new Keycloak client '${CLIENT_ID}'"
HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \ HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: Bearer ${TOKEN}" \ -H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-X POST -d "$KC_CLIENT" \ -X POST -d "$KC_CLIENT" \
@@ -501,7 +505,7 @@ extraDeploy:
continue continue
fi fi
# Fetch the newly created client's UUID # Fetch the newly created client's UUID
CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \ CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \ "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
| jq -r '.[0].id') | jq -r '.[0].id')
fi fi
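Review bot: Dropping `-f` in the substitutions that consume the response body (TOKEN at line 13, secret_value at line 36, CLIENTS at line 61, CONFIG_SECRETS at line 67, EXISTING at line 90, CLIENT_UUID at line 111) means a 401/403/5xx response no longer fails the assignment; the JSON error document is parsed instead, so `jq -r '.value'` yields the string `null`, which upsert_secret would presumably write verbatim into the target Secret, and an empty `EXISTING` from a failed lookup steers the loop into the "create" branch. For the status-checked calls (`-o /dev/null -w "%{http_code}"`) the change is harmless, but the body-consuming calls need the same kind of guard the commit adds for CLIENT_ID at lines 74-77, e.g. after the client-secret fetch: `if [ -z "$secret_value" ] || [ "$secret_value" = "null" ]; then echo "ERROR: could not read client secret for ${client_uuid}" >&2; return 1; fi`, and equivalently a non-empty/not-`null` check on `TOKEN` before the first admin call. The `|| true` appended at line 55 additionally hides a failed annotation PATCH; capturing `-w "%{http_code}"` and logging a non-2xx status would keep the best-effort behaviour without losing the signal. The enclosing functions and the main loop start outside these hunks.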