recipe-maintainer: public snapshot (secrets + deployment plans removed, single commit)
Sanitized single-commit public mirror of recipe-maintainer. - Removed test-ssh/.testenv (live creds); added test-ssh/.testenv.example placeholders. - Removed plans/ and planned-updates/ (deployment-planning docs) so no client/ deployment domains appear in the public repo. - All other secret stores were already gitignored. - docs.coopcloud.tech retained as a submodule (public upstream).
This commit is contained in:
121
recipe-info/lasuite-docs/setup_keycloak_integration.py
Normal file
121
recipe-info/lasuite-docs/setup_keycloak_integration.py
Normal file
@ -0,0 +1,121 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Setup Keycloak OIDC integration for La Suite Docs.
|
||||
|
||||
Creates a Keycloak realm, OIDC client, and test user, then inserts
|
||||
the client secret and updates the Docs env file with OIDC settings.
|
||||
"""
|
||||
|
||||
import os
|
||||
import sys
|
||||
|
||||
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", ".."))
|
||||
|
||||
from lib.abra import app_secret_insert
|
||||
from lib.env import apply_env_overrides, get_abra_env_path, read_env_file
|
||||
from lib.keycloak import KeycloakAdmin
|
||||
from lib.models import load_default_instance
|
||||
from lib.secrets import load_secrets
|
||||
|
||||
# Configuration
|
||||
REALM = "lasuite-docs"
|
||||
CLIENT_ID = "docs"
|
||||
TEST_USER = "testuser"
|
||||
TEST_PASS = "testpass123"
|
||||
TEST_EMAIL = f"{TEST_USER}@test.example.com"
|
||||
|
||||
|
||||
def main():
|
||||
inst = load_default_instance()
|
||||
docs_domain = inst.default_domain("lasuite-docs")
|
||||
kc_domain = inst.default_domain("keycloak")
|
||||
|
||||
# Get Keycloak admin credentials from synced secrets
|
||||
kc_secrets = load_secrets(kc_domain)
|
||||
kc_admin_pass = kc_secrets["admin_password"]
|
||||
|
||||
# Try the configured admin username first; fall back to temp-admin.
|
||||
# temp-admin is created when kc.sh bootstrap-admin user is run for recovery
|
||||
# and may be the only working admin if the original admin password changed.
|
||||
kc_url = f"https://{kc_domain}"
|
||||
for username in ("admin", "temp-admin"):
|
||||
kc = KeycloakAdmin(kc_url, username, kc_admin_pass)
|
||||
try:
|
||||
kc.get_admin_token()
|
||||
print(f"Authenticated as '{username}'", flush=True)
|
||||
break
|
||||
except Exception:
|
||||
print(f"Login as '{username}' failed, trying next...", flush=True)
|
||||
else:
|
||||
print("ERROR: Could not authenticate with Keycloak admin API", flush=True)
|
||||
sys.exit(1)
|
||||
|
||||
# Step 1: Create realm
|
||||
kc.ensure_realm(REALM)
|
||||
|
||||
# Step 2: Create OIDC client
|
||||
_, client_secret = kc.ensure_client(
|
||||
REALM, CLIENT_ID,
|
||||
redirect_uris=[f"https://{docs_domain}/*"],
|
||||
web_origins=[f"https://{docs_domain}"],
|
||||
)
|
||||
|
||||
# Step 3: Create test user
|
||||
kc.ensure_user(REALM, TEST_USER, TEST_EMAIL, TEST_PASS)
|
||||
|
||||
# Step 4: Insert client secret via abra
|
||||
print("=== Insert OIDC client secret into Docs ===", flush=True)
|
||||
env_path = get_abra_env_path(inst.server, docs_domain)
|
||||
env_data = read_env_file(env_path)
|
||||
current_version = env_data.get("SECRET_OIDC_RPCS_VERSION", "v1")
|
||||
next_num = int(current_version.lstrip("v")) + 1
|
||||
next_version = f"v{next_num}"
|
||||
print(f" Current secret version: {current_version}", flush=True)
|
||||
print(f" Inserting as: {next_version}", flush=True)
|
||||
app_secret_insert(docs_domain, "oidc_rpcs", next_version, client_secret)
|
||||
|
||||
# Step 5: Update Docs env with OIDC settings
|
||||
print("=== Update Docs OIDC settings in env file ===", flush=True)
|
||||
apply_env_overrides(env_path, {
|
||||
"SECRET_OIDC_RPCS_VERSION": next_version,
|
||||
"OIDC_REALM": REALM,
|
||||
"AUTH_DOMAIN": kc_domain,
|
||||
"OIDC_RP_CLIENT_ID": CLIENT_ID,
|
||||
})
|
||||
|
||||
# Step 6: Write credentials file
|
||||
script_dir = os.path.dirname(os.path.abspath(__file__))
|
||||
creds_file = os.path.join(script_dir, f"keycloak-test-credentials.{inst.domain_suffix}.toml")
|
||||
print(f"=== Write credentials to {creds_file} ===", flush=True)
|
||||
with open(creds_file, "w") as f:
|
||||
f.write(f'# Keycloak OIDC credentials for lasuite-docs test instance\n')
|
||||
f.write(f'#\n')
|
||||
f.write(f'# Keycloak instance: {kc_domain}\n')
|
||||
f.write(f'# Realm: {REALM}\n')
|
||||
f.write(f'# Created by: setup_keycloak_integration.py\n')
|
||||
f.write(f'\n')
|
||||
f.write(f'# Keycloak admin (master realm)\n')
|
||||
f.write(f'kc_admin_user = "admin"\n')
|
||||
f.write(f'kc_admin_pass = "{kc_admin_pass}"\n')
|
||||
f.write(f'\n')
|
||||
f.write(f'# OIDC client\n')
|
||||
f.write(f'kc_realm = "{REALM}"\n')
|
||||
f.write(f'kc_client_id = "{CLIENT_ID}"\n')
|
||||
f.write(f'kc_client_secret = "{client_secret}"\n')
|
||||
f.write(f'\n')
|
||||
f.write(f'# Test user (in {REALM} realm)\n')
|
||||
f.write(f'kc_test_user = "{TEST_USER}"\n')
|
||||
f.write(f'kc_test_pass = "{TEST_PASS}"\n')
|
||||
f.write(f'kc_test_email = "{TEST_EMAIL}"\n')
|
||||
print(f" Written to {creds_file}", flush=True)
|
||||
|
||||
print("", flush=True)
|
||||
print("=== Keycloak integration setup complete ===", flush=True)
|
||||
print("", flush=True)
|
||||
print("Next steps:", flush=True)
|
||||
print(f" 1. Redeploy Docs: abra app deploy {docs_domain} --chaos --force --no-input", flush=True)
|
||||
print(f" 2. Run migrations: script -qefc 'abra app cmd {docs_domain} backend migrate --no-input' /dev/null", flush=True)
|
||||
print(f" 3. Run OIDC test: python3 recipe-info/lasuite-docs/tests/oidc_login.py", flush=True)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Reference in New Issue
Block a user