feat(keycloak): use ESO

This commit is contained in:
Masaki Yatsu
2025-08-30 12:16:17 +09:00
parent e7ed3a1a67
commit 57c75689fd
3 changed files with 238 additions and 54 deletions


@@ -7,7 +7,8 @@ export KEYCLOAK_HOST := env("KEYCLOAK_HOST", "")
export K8S_OIDC_CLIENT_ID := env('K8S_OIDC_CLIENT_ID', "k8s")
export KEYCLOAK_ADMIN_USER := env("KEYCLOAK_ADMIN_USER", "")
export KEYCLOAK_ADMIN_PASSWORD := env("KEYCLOAK_ADMIN_PASSWORD", "")
export VAULT_ENABLED := env("VAULT_ENABLED", "true")
export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external-secrets")
[private]
default:
@@ -35,20 +36,37 @@ create-credentials:
password=$(just utils::random-password)
fi
just create-namespace
if kubectl get secret keycloak-credentials -n ${KEYCLOAK_NAMESPACE} &>/dev/null; then
kubectl delete --ignore-not-found secret keycloak-credentials -n ${KEYCLOAK_NAMESPACE}
fi
kubectl create secret generic keycloak-credentials -n ${KEYCLOAK_NAMESPACE} \
--from-literal=admin-user="${admin_user}" \
--from-literal=password="${password}"
if [ "${VAULT_ENABLED}" != "false" ]; then
if helm status external-secrets -n ${EXTERNAL_SECRETS_NAMESPACE} &>/dev/null; then
echo "External Secrets Operator detected. Creating ExternalSecret..."
just put-admin-credentials-to-vault "${admin_user}" "${password}"
kubectl delete secret keycloak-credentials -n ${KEYCLOAK_NAMESPACE} --ignore-not-found
kubectl delete externalsecret keycloak-credentials -n ${KEYCLOAK_NAMESPACE} --ignore-not-found
gomplate -f keycloak-credentials-external-secret.gomplate.yaml | kubectl apply -f -
echo "Waiting for ExternalSecret to sync..."
kubectl wait --for=condition=Ready externalsecret/keycloak-credentials \
-n ${KEYCLOAK_NAMESPACE} --timeout=60s
else
echo "External Secrets Operator not found. Creating secret directly..."
if kubectl get secret keycloak-credentials -n ${KEYCLOAK_NAMESPACE} &>/dev/null; then
kubectl delete --ignore-not-found secret keycloak-credentials -n ${KEYCLOAK_NAMESPACE}
fi
kubectl create secret generic keycloak-credentials -n ${KEYCLOAK_NAMESPACE} \
--from-literal=admin-user="${admin_user}" \
--from-literal=password="${password}"
if helm status vault -n ${K8S_VAULT_NAMESPACE} &>/dev/null; then
just put-admin-credentials-to-vault "${admin_user}" "${password}"
fi
fi
# Delete Keycloak secret
delete-credentials:
@kubectl delete secret keycloak-credentials -n ${KEYCLOAK_NAMESPACE} --ignore-not-found
@kubectl delete externalsecret keycloak-credentials -n ${KEYCLOAK_NAMESPACE} --ignore-not-found
# Create Keycloak database secret
create-database-secret:
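Review bot: In the ESO branch the plain `keycloak-credentials` Secret is deleted before the ExternalSecret is applied, so when `kubectl wait --for=condition=Ready … --timeout=60s` times out (missing or misconfigured SecretStore, Vault path not yet readable) the recipe aborts with the cluster holding neither the Secret nor any diagnostic. I would surface the ExternalSecret status on that failure path, e.g. `kubectl wait --for=condition=Ready externalsecret/keycloak-credentials -n ${KEYCLOAK_NAMESPACE} --timeout=60s || { kubectl describe externalsecret/keycloak-credentials -n ${KEYCLOAK_NAMESPACE}; exit 1; }`, so the operator sees the sync error instead of just "timed out". A second, pre-existing pattern that this branch extends: `just put-admin-credentials-to-vault "${admin_user}" "${password}"` passes the admin password as a positional argument, and the receiving recipe (context at -336, `vault::put-root … password={{ password }}`) forwards it on its own command line, where it is visible in the process table for the duration of the call; consider reading it from an environment variable or stdin in that recipe. The `helm status external-secrets` check only detects the operator when it was installed as a Helm release with that exact name, which is presumably the case for this repository but is worth a comment, e.g. `# ESO presence is inferred from the Helm release name; adjust if ESO is installed another way`. The recipe's shebang and `set` options are outside this hunk.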
@@ -164,6 +182,24 @@ add-audience-mapper client_id:
export KEYCLOAK_CLIENT_ID={{ client_id }}
dotenvx run -f ../.env.local -- tsx ./scripts/add-audience-mapper.ts
# Add attribute mapper for Keycloak client
add-attribute-mapper client_id attribute_name display_name='' claim_name='' options='' default_value='' mapper_name='' view_perms='admin,user' edit_perms='admin':
#!/bin/bash
set -euo pipefail
export KEYCLOAK_ADMIN_USER=$(just keycloak::admin-user)
export KEYCLOAK_ADMIN_PASSWORD=$(just keycloak::admin-password)
export KEYCLOAK_REALM=${KEYCLOAK_REALM}
export CLIENT_ID={{ client_id }}
export ATTRIBUTE_NAME={{ attribute_name }}
export ATTRIBUTE_DISPLAY_NAME="{{ display_name }}"
export ATTRIBUTE_CLAIM_NAME="{{ claim_name }}"
export ATTRIBUTE_OPTIONS="{{ options }}"
export ATTRIBUTE_DEFAULT_VALUE="{{ default_value }}"
export MAPPER_NAME="{{ mapper_name }}"
export ATTRIBUTE_VIEW_PERMISSIONS="{{ view_perms }}"
export ATTRIBUTE_EDIT_PERMISSIONS="{{ edit_perms }}"
dotenvx run -f ../.env.local -- tsx ./scripts/add-attribute-mapper.ts
# Add Keycloak client groups mapper
add-groups-mapper client_id:
#!/bin/bash
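Review bot: In `add-attribute-mapper`, `export CLIENT_ID={{ client_id }}` and `export ATTRIBUTE_NAME={{ attribute_name }}` are interpolated unquoted while every other parameter is wrapped in double quotes, so a value containing whitespace or shell metacharacters is word-split by bash; make them consistent with the rest: `export CLIENT_ID="{{ client_id }}"` and `export ATTRIBUTE_NAME="{{ attribute_name }}"`. The recipe calls `just keycloak::admin-user` / `just keycloak::admin-password`, whereas the hunks at -382 and -400 show recipes named `admin-username` and `admin-password` — if there is no `admin-user` recipe or alias, the first call fails under `set -e` before the script runs, so this is worth confirming. The header comment could also document the parameter formats the script expects, e.g. `# Add attribute mapper for Keycloak client (view_perms/edit_perms: comma-separated roles; options: passed through to scripts/add-attribute-mapper.ts)`, since those encodings are defined by the TypeScript script and not visible here.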
@@ -300,36 +336,6 @@ delete-user username='':
done
dotenvx run -f ../.env.local -- tsx ./scripts/delete-user.ts
# Create an admin user
# create-admin-user username='' password='':
# #!/bin/bash
# set -euo pipefail
# echo "Creating a new admin user in Keycloak"
# export KEYCLOAK_ADMIN_USER=$(just admin-user)
# export KEYCLOAK_ADMIN_PASSWORD=$(just admin-password)
# export USERNAME="{{ username }}"
# export PASSWORD="{{ password }}"
# while [ -z "${USERNAME}" ]; do
# USERNAME=$(gum input --prompt="Admin username: " --width=100)
# done
# if [ -z "${PASSWORD}" ]; then
# PASSWORD=$(
# gum input --prompt="Admin assword: " --password --width=100 \
# --placeholder="Empty to generate a random password"
# )
# fi
# if [ -z "${PASSWORD}" ]; then
# PASSWORD=$(just utils::random-password)
# fi
# export EMAIL=""
# export FIRST_NAME=""
# export LAST_NAME=""
# export CREATE_AS_ADMIN=true
# dotenvx run -f ../.env.local -- tsx ./scripts/create-user.ts
# if [ "${VAULT_ENABLED}" != "false" ]; then
# just put-admin-credentials-to-vault "${USERNAME}" "${PASSWORD}"
# fi
# Put admin credentials to Vault
put-admin-credentials-to-vault username password:
@just vault::put-root keycloak/admin username={{ username }} password={{ password }}
@@ -363,6 +369,7 @@ create-system-user username='' password='':
--user="https://${KEYCLOAK_HOST}/realms/${KEYCLOAK_REALM}#${USERNAME}"
# Check if user exists
[no-exit-message]
user-exists username='':
#!/bin/bash
set -euo pipefail
@@ -382,14 +389,6 @@ admin-username:
echo "${KEYCLOAK_ADMIN_USER}"
exit 0
fi
# if [ "${VAULT_ENABLED}" != "false" ]; then
# just vault::setup-token
# if just vault::exist keycloak/admin 2>/dev/null; then
# just vault::get-root keycloak/admin username
# echo
# exit 0
# fi
# fi
just default-admin-username
# Print Keycloak admin password
@@ -400,14 +399,6 @@ admin-password:
echo "${KEYCLOAK_ADMIN_PASSWORD}"
exit 0
fi
# if [ "${VAULT_ENABLED}" != "false" ]; then
# just vault::setup-token
# if just vault::exist keycloak/admin 2>/dev/null; then
# just vault::get-root keycloak/admin password
# echo
# exit 0
# fi
# fi
just default-admin-password
# Print default Keycloak admin username