#!/usr/bin/env bash # lasuite-docs — post-deps setup hook (operator-2026-05-28 SSO-dep plan §3.2). # # Runs AFTER the generic tiers (install/upgrade/backup/restore) and AFTER each declared dep is # deployed + provisioned with realm/client via the harness. The orchestrator has written # $CCCI_DEPS_FILE with the keycloak dep's domain + realm + client_secret + admin creds. # # This hook: # 1. Reads the dep's connection info from $CCCI_DEPS_FILE. # 2. Inserts the OIDC client secret as an abra app secret (recipe-conventional name oidc_rpcs). # 3. Writes the OIDC env vars to the running app's .env via `abra app config set`. # 4. Triggers an in-place `abra app deploy --force --chaos` so the new env takes effect. # THIS IS NOT a fresh `abra app new` — the deploy-count guard (DG4.1, generalised) still # sees one app_new per app. # # Env supplied by the orchestrator: # CCCI_APP_DOMAIN — the running per-run lasuite-docs app domain # CCCI_RECIPE — "lasuite-docs" # CCCI_DEPS_FILE — JSON file (dict shape: {dep_recipe: {domain, realm, client_id, ...}, ...}) set -euo pipefail : "${CCCI_APP_DOMAIN:?missing}" : "${CCCI_DEPS_FILE:?missing}" test -s "$CCCI_DEPS_FILE" || { echo " setup_custom_tests: deps file empty"; exit 1; } # Read keycloak dep info via jq KC_DOMAIN=$(jq -r '.keycloak.domain' "$CCCI_DEPS_FILE") KC_REALM=$( jq -r '.keycloak.realm' "$CCCI_DEPS_FILE") KC_CLIENT=$(jq -r '.keycloak.client_id' "$CCCI_DEPS_FILE") KC_SECRET=$(jq -r '.keycloak.client_secret' "$CCCI_DEPS_FILE") [ -n "$KC_DOMAIN" ] && [ "$KC_DOMAIN" != "null" ] || { echo " setup_custom_tests: no keycloak.domain in deps"; exit 1; } [ -n "$KC_SECRET" ] && [ "$KC_SECRET" != "null" ] || { echo " setup_custom_tests: no keycloak.client_secret"; exit 1; } echo " lasuite-docs setup_custom_tests: wiring OIDC against keycloak dep ${KC_DOMAIN}" # 1) Insert the OIDC client secret AT A BUMPED VERSION (the recipe-maintainer pattern). # `abra app new -S` already generated `oidc_rpcs:v1` (random) — Docker Swarm forbids overwriting # a secret at the same version, so we bump the version (v2), insert our value there, then # update SECRET_OIDC_RPCS_VERSION in the .env to point at the new one. ENV_PATH="$HOME/.abra/servers/default/${CCCI_APP_DOMAIN}.env" CUR_VER=$(grep -E '^\s*SECRET_OIDC_RPCS_VERSION=' "$ENV_PATH" | tail -1 | cut -d= -f2 | tr -d '"\r' || echo "v1") NEW_NUM=$(( ${CUR_VER#v} + 1 )) NEW_VER="v${NEW_NUM}" INSERT_LOG=$(abra app secret insert $CCCI_APP_DOMAIN oidc_rpcs $NEW_VER $KC_SECRET --no-input 2>&1) \ || INSERT_LOG=$(script -qec "abra app secret insert $CCCI_APP_DOMAIN oidc_rpcs $NEW_VER $KC_SECRET --no-input" /dev/null 2>&1) \ || { echo " setup_custom_tests: abra app secret insert oidc_rpcs@$NEW_VER failed: $INSERT_LOG"; exit 1; } # Repoint the env var to the new version sed -i "s|^\s*SECRET_OIDC_RPCS_VERSION=.*|SECRET_OIDC_RPCS_VERSION=$NEW_VER|" "$ENV_PATH" echo " setup_custom_tests: oidc_rpcs secret inserted at $NEW_VER (was $CUR_VER)" # 2) Write OIDC env vars to the app's .env (names per lasuite-docs's .env.sample). # Ensure the file ends with a newline FIRST so our appends don't concatenate onto the last line # (we saw `TIMEOUT=900OIDC_REALM=...` malformed by a missing-trailing-newline file). [ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >> "$ENV_PATH" write_env () { local key="$1" val="$2" # remove any existing key (commented or live) then append the live key=val sed -i "/^\s*#\?\s*${key}=/d" "$ENV_PATH" # Re-ensure trailing newline after each delete (sed may leave the file without one) [ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >> "$ENV_PATH" printf '%s=%s\n' "$key" "$val" >> "$ENV_PATH" } write_env OIDC_REALM "$KC_REALM" write_env OIDC_OP_DISCOVERY_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/.well-known/openid-configuration" write_env OIDC_OP_AUTHORIZATION_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/auth" write_env OIDC_OP_TOKEN_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/token" write_env OIDC_OP_USER_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/userinfo" write_env OIDC_OP_LOGOUT_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/logout" write_env OIDC_OP_JWKS_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/certs" write_env OIDC_RP_CLIENT_ID "$KC_CLIENT" write_env OIDC_RP_SIGN_ALGO "RS256" write_env OIDC_RP_SCOPES "openid email profile" # 3) Trigger an in-place redeploy so the env update takes effect. --force re-deploys even when # the recipe hasn't changed; --chaos avoids the chaos prompt; --no-input non-interactive. abra app deploy "$CCCI_APP_DOMAIN" --force --chaos --no-input 2>&1 | tail -10 echo " lasuite-docs setup_custom_tests: OIDC wired + redeployed"