From a070b17c73851fb8c474cb71c1fe922b3cf0f0e8 Mon Sep 17 00:00:00 2001
From: Filippo Ledda
Date: Tue, 9 Dec 2025 18:33:44 +0100
Subject: [PATCH 1/4] CH-231 refactorAPI user init
---
 .../accounts/scripts/create_api_user.sh | 79 +++++++++++------
 .../accounts/scripts/kc-entrypoint.sh | 43 +---------
 2 files changed, 60 insertions(+), 62 deletions(-)
diff --git a/applications/accounts/scripts/create_api_user.sh b/applications/accounts/scripts/create_api_user.sh
index caf92fff..3b34af12 100755
--- a/applications/accounts/scripts/create_api_user.sh
+++ b/applications/accounts/scripts/create_api_user.sh
@@ -1,25 +1,58 @@
 #!/bin/bash
-NAMESPACE=${CH_ACCOUNTS_REALM}
-USERNAME=admin_api
-PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password)
-
-echo "Checking if API user exists..."
-
-# Check if user already exists
-if /opt/keycloak/bin/kcadm.sh get users -q "username=$USERNAME" | grep -q "$USERNAME"; then
- echo "ERROR: API user $USERNAME already exists, but password is out of sync. You may need to reset it manually."
- # /opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD"
- # Removed automatic password reset as that would only work if the main admin password is unchanged from the default password
- # That would create the false impression that the password is reset successfully when in fact it has not on production systems
- exit 0
-fi
-
-echo "Creating API user $USERNAME"
-set -e
-# create the user and reload keycloak
-/opt/keycloak/bin/kcadm.sh create users -s "username=$USERNAME" -s enabled=True
-/opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD"
-/opt/keycloak/bin/kcadm.sh add-roles --uusername "$USERNAME" --rolename admin
-
-echo "API user created successfully"
\ No newline at end of file
+
+API_USERNAME="admin_api"
+API_PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password 2>/dev/null || echo "")
+
+echo "create_api_user: waiting for Keycloak to start..."
+
+# Wait for Keycloak to be ready - just give it some time to start up
+sleep 120s
+
+echo "Attempting authentication..."
+
+# First, try to authenticate as admin_api
+if [ -n "$API_PASSWORD" ] && /opt/keycloak/bin/kcadm.sh config credentials \
+ --server http://localhost:8080 \
+ --realm master \
+ --user "$API_USERNAME" \
+ --password "$API_PASSWORD" 2>/dev/null; then
+ echo "Successfully authenticated as $API_USERNAME"
+ echo "Startup scripts not needed (admin_api user already exists)"
+else
+ echo "admin_api user does not exist or authentication failed. 
Authenticating as bootstrap admin to create the user..."
+
+ # Authenticate as bootstrap admin to create admin_api user
+ if ! /opt/keycloak/bin/kcadm.sh config credentials \
+ --server http://localhost:8080 \
+ --realm master \
+ --user "$KC_BOOTSTRAP_ADMIN_USERNAME" \
+ --password "$KC_BOOTSTRAP_ADMIN_PASSWORD"; then
+ echo "ERROR: Failed to authenticate as bootstrap admin. You must manually create the ${API_USERNAME} with password from the secret api_user_password."
+ echo "Continuing without running startup scripts..."
+ exit 0
+ fi
+
+ echo "Successfully authenticated as bootstrap admin"
+
+ echo "Checking if API user exists..."
+
+ # Check if user already exists
+ if /opt/keycloak/bin/kcadm.sh get users -q "username=$API_USERNAME" | grep -q "$API_USERNAME"; then
+ echo "ERROR: API user $API_USERNAME already exists, but password is out of sync. You may need to reset it manually."
+ # /opt/keycloak/bin/kcadm.sh set-password --username "$API_USERNAME" --new-password "$API_PASSWORD"
+ # Removed automatic password reset as that would only work if the main admin password is unchanged from the default password
+ # That would create the false impression that the password is reset successfully when in fact it has not on production systems
+ exit 0
+ fi
+
+ echo "Creating API user $API_USERNAME"
+ set -e
+ # create the user and reload keycloak
+ /opt/keycloak/bin/kcadm.sh create users -s "username=$API_USERNAME" -s enabled=True
+ /opt/keycloak/bin/kcadm.sh set-password --username "$API_USERNAME" --new-password "$API_PASSWORD"
+ /opt/keycloak/bin/kcadm.sh add-roles --uusername "$API_USERNAME" --rolename admin
+
+ echo "API user created successfully"
+fi
+
diff --git a/applications/accounts/scripts/kc-entrypoint.sh b/applications/accounts/scripts/kc-entrypoint.sh
index 2657b53c..042a59db 100644
--- a/applications/accounts/scripts/kc-entrypoint.sh
+++ b/applications/accounts/scripts/kc-entrypoint.sh
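Review bot: Both `kcadm.sh config credentials` calls hand the secret over on the command line (`--password "$API_PASSWORD"` and `--password "$KC_BOOTSTRAP_ADMIN_PASSWORD"`), so for the lifetime of each kcadm process the password is visible to every other process in the container through the process list. If the kcadm build in the image prompts for the password when `--password` is omitted, feeding it on stdin avoids that exposure; at minimum make sure nothing enables `set -x` around these lines. Separately, the bootstrap-admin failure branch prints an ERROR and then runs `exit 0`, so the caller cannot distinguish "user created" from "nothing happened"; since the loop in kc-entrypoint.sh already tolerates a failing startup script, `exit 1` there would surface the problem without affecting Keycloak startup.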
@@ -2,51 +2,16 @@
 /opt/keycloak/bin/kc.sh $@ &
-API_USERNAME="admin_api"
-API_PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password 2>/dev/null || echo "")
-echo "Waiting for Keycloak to start..."
-
-# Wait for Keycloak to be ready - just give it some time to start up
-sleep 120s
-
-echo "Attempting authentication..."
-
-# First, try to authenticate as admin_api
-if [ -n "$API_PASSWORD" ] && /opt/keycloak/bin/kcadm.sh config credentials \
- --server http://localhost:8080 \
- --realm master \
- --user "$API_USERNAME" \
- --password "$API_PASSWORD" 2>/dev/null; then
- echo "Successfully authenticated as $API_USERNAME"
- echo "Startup scripts not needed (admin_api user already exists)"
-else
- echo "admin_api user does not exist or authentication failed. Authenticating as bootstrap admin to create the user..."
-
- # Authenticate as bootstrap admin to create admin_api user
- if ! /opt/keycloak/bin/kcadm.sh config credentials \
- --server http://localhost:8080 \
- --realm master \
- --user "$KC_BOOTSTRAP_ADMIN_USERNAME" \
- --password "$KC_BOOTSTRAP_ADMIN_PASSWORD"; then
- echo "ERROR: Failed to authenticate as bootstrap admin. Check KC_BOOTSTRAP_ADMIN credentials."
- echo "Continuing without running startup scripts..."
- wait
- exit 0
- fi
-
- echo "Successfully authenticated as bootstrap admin"
-
- # Run startup scripts to create admin_api user
- for script in /opt/keycloak/startup-scripts/*.sh;
+# Run startup scripts to create admin_api user
+for script in /opt/keycloak/startup-scripts/*.sh;
 do
 echo "Running startup script: $script"
 if bash "$script"; then
 echo "Successfully executed $script"
 else
 echo "Warning: $script failed with exit code $?"
- fi
- done
-fi
+ fi
+done
 wait
\ No newline at end of file
From 7cb696a1a13f3323c8145efa82931c1a311b3ca8 Mon Sep 17 00:00:00 2001
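Review bot: The new top-level `for script in /opt/keycloak/startup-scripts/*.sh;` has no nullglob guard, so when the directory contains no `.sh` file the loop runs once with the literal pattern and `bash "$script"` fails with a misleading "Warning: ... failed" line. Add `[ -e "$script" ] || continue` as the first statement of the loop body, or `shopt -s nullglob` before the loop. The entrypoint no longer sets up any kcadm credentials before running the scripts, so each script is now responsible for its own authentication; a one-line comment above the loop saying so would spare the next reader a search for the removed block.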
From: Zoran Sinnema
Date: Wed, 10 Dec 2025 14:36:00 +0100
Subject: [PATCH 2/4] chore: refactor create/update/refresh admin_api user
---
 .../accounts/scripts/create_api_user.sh | 92 +++++++++++--------
 1 file changed, 55 insertions(+), 37 deletions(-)
diff --git a/applications/accounts/scripts/create_api_user.sh b/applications/accounts/scripts/create_api_user.sh
index 3b34af12..7a854c52 100755
--- a/applications/accounts/scripts/create_api_user.sh
+++ b/applications/accounts/scripts/create_api_user.sh
@@ -1,13 +1,42 @@
 #!/bin/bash
-
-API_USERNAME="admin_api"
-API_PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password 2>/dev/null || echo "")
+export API_USERNAME="admin_api"
+export API_PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password 2>/dev/null || echo "")
+export TMP_CLIENT="tmp_client"
+export TMP_CLIENT_SECRET="${KC_BOOTSTRAP_ADMIN_USERNAME}"
 echo "create_api_user: waiting for Keycloak to start..."
+create_temporary_client() {
+ /opt/keycloak/bin/kc.sh bootstrap-admin service --client-id=${TMP_CLIENT} --client-secret:env=TMP_CLIENT_SECRET
+}
+
+delete_temporary_client() {
+ CLIENT_ID=$(/opt/keycloak/bin/kcadm.sh get clients -r master -q clientId=${TMP_CLIENT} --fields id --format csv|tr -d '"')
+ if [ -n "$CLIENT_ID" ]; then
+ /opt/keycloak/bin/kcadm.sh delete clients/$CLIENT_ID -r master
+ fi
+}
+
+create_kc_config() {
+ /opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --client ${TMP_CLIENT} --secret ${TMP_CLIENT_SECRET}
+}
+
+api_user_exists() {
+ return $(/opt/keycloak/bin/kcadm.sh get users -q "username=$API_USERNAME" | grep -q "$API_USERNAME"; echo $?)
+}
+
+create_api_user() {
+ /opt/keycloak/bin/kcadm.sh create users -s "username=${API_USERNAME}" -s enabled=True
+}
+
+set_password_and_roles() {
+ /opt/keycloak/bin/kcadm.sh set-password --username "$API_USERNAME" --new-password "$API_PASSWORD"
+ /opt/keycloak/bin/kcadm.sh add-roles --uusername "$API_USERNAME" --rolename admin
+}
+
 # Wait for Keycloak to be ready - just give it some time to start up
-sleep 120s
+
 echo "Attempting authentication..."
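Review bot: `export TMP_CLIENT_SECRET="${KC_BOOTSTRAP_ADMIN_USERNAME}"` makes the secret of the temporary admin service client equal to the bootstrap admin user name, a low-entropy value that is frequently a well-known default, so for the whole window between `create_temporary_client` and `delete_temporary_client` that client can be used by anyone who reaches port 8080 and knows or guesses the name. Generate the secret per run instead, e.g. `export TMP_CLIENT_SECRET=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)` (the script already relies on `cat`/`tr` from coreutils, so `head` should be available); the `--client-secret:env=TMP_CLIENT_SECRET` handoff needs no change. `api_user_exists` can be reduced to its pipeline, `/opt/keycloak/bin/kcadm.sh get users -q "username=$API_USERNAME" | grep -q "$API_USERNAME"`, since a function's status is that of its last command and the `return $(…; echo $?)` form only obscures this. Note that both the `-q username=` search and the `grep -q` are substring matches, so a user named e.g. `admin_api_old` would make the check report the user as existing; Keycloak's users endpoint accepts `exact=true` to tighten the server-side part.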
@@ -19,40 +48,29 @@ if [ -n "$API_PASSWORD" ] && /opt/keycloak/bin/kcadm.sh config credentials \
 --password "$API_PASSWORD" 2>/dev/null; then
 echo "Successfully authenticated as $API_USERNAME"
 echo "Startup scripts not needed (admin_api user already exists)"
-else
- echo "admin_api user does not exist or authentication failed. Authenticating as bootstrap admin to create the user..."
-
- # Authenticate as bootstrap admin to create admin_api user
- if ! /opt/keycloak/bin/kcadm.sh config credentials \
- --server http://localhost:8080 \
- --realm master \
- --user "$KC_BOOTSTRAP_ADMIN_USERNAME" \
- --password "$KC_BOOTSTRAP_ADMIN_PASSWORD"; then
- echo "ERROR: Failed to authenticate as bootstrap admin. You must manually create the ${API_USERNAME} with password from the secret api_user_password."
- echo "Continuing without running startup scripts..."
- exit 0
- fi
-
- echo "Successfully authenticated as bootstrap admin"
-
- echo "Checking if API user exists..."
-
- # Check if user already exists
- if /opt/keycloak/bin/kcadm.sh get users -q "username=$API_USERNAME" | grep -q "$API_USERNAME"; then
- echo "ERROR: API user $API_USERNAME already exists, but password is out of sync. You may need to reset it manually."
- # /opt/keycloak/bin/kcadm.sh set-password --username "$API_USERNAME" --new-password "$API_PASSWORD"
- # Removed automatic password reset as that would only work if the main admin password is unchanged from the default password
- # That would create the false impression that the password is reset successfully when in fact it has not on production systems
- exit 0
- fi
+ exit 0
+fi
- echo "Creating API user $API_USERNAME"
- set -e
- # create the user and reload keycloak
- /opt/keycloak/bin/kcadm.sh create users -s "username=$API_USERNAME" -s enabled=True
- /opt/keycloak/bin/kcadm.sh set-password --username "$API_USERNAME" --new-password "$API_PASSWORD"
- /opt/keycloak/bin/kcadm.sh add-roles --uusername "$API_USERNAME" --rolename admin
+echo "admin_api user does not exist or authentication failed. Authenticating to create the user..."
+
+set -e
+create_temporary_client
+create_kc_config
+echo "Temporary credentials successfully created."
+echo "Checking if API user exists..."
+# Check if user already exists
+if ! api_user_exists; then
+ echo "API user $API_USERNAME doesn't exists, creating..."
+ create_api_user
 echo "API user created successfully"
-fi
+else
+ echo "API user $API_USERNAME already exists."
+fi
+set +e
+
+echo "Setting password and role."
+set_password_and_roles
+echo "Cleaning up temporary client."
+delete_temporary_client
From 15453555c99d4a4f01d361cbce02732cd8b2e843 Mon Sep 17 00:00:00 2001
From: Zoran Sinnema
Date: Wed, 10 Dec 2025 15:32:41 +0100
Subject: [PATCH 3/4] chore: start the temporary client creation on a different admin port
---
 applications/accounts/scripts/create_api_user.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/applications/accounts/scripts/create_api_user.sh b/applications/accounts/scripts/create_api_user.sh
index 7a854c52..37978804 100755
--- a/applications/accounts/scripts/create_api_user.sh
+++ b/applications/accounts/scripts/create_api_user.sh
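Review bot: Once `create_temporary_client` has run there is no cleanup on the failure paths: with `set -e` active, a failing `create_kc_config`, `api_user_exists` or `create_api_user` terminates the script before `delete_temporary_client` is reached, and the temporary admin service client stays in the master realm indefinitely. Register the cleanup as soon as the client exists, `trap delete_temporary_client EXIT`, so it runs on every exit path, including the `set -e` aborts. The `set +e` placed before `set_password_and_roles` also means a failed password reset or role assignment is silently ignored and the script's exit status becomes that of the cleanup alone; move `set +e` below `set_password_and_roles`, or drop it, so the failure is reported to the entrypoint loop.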
@@ -8,7 +8,7 @@ export TMP_CLIENT_SECRET="${KC_BOOTSTRAP_ADMIN_USERNAME}"
 echo "create_api_user: waiting for Keycloak to start..."
 create_temporary_client() {
- /opt/keycloak/bin/kc.sh bootstrap-admin service --client-id=${TMP_CLIENT} --client-secret:env=TMP_CLIENT_SECRET
+ /opt/keycloak/bin/kc.sh bootstrap-admin service --client-id=${TMP_CLIENT} --client-secret:env=TMP_CLIENT_SECRET --http-management-port 9876
 }
 delete_temporary_client() {
@@ -24,7 +24,7 @@ create_kc_config() {
 api_user_exists() {
 return $(/opt/keycloak/bin/kcadm.sh get users -q "username=$API_USERNAME" | grep -q "$API_USERNAME"; echo $?)
-}
+}
 create_api_user() {
 /opt/keycloak/bin/kcadm.sh create users -s "username=${API_USERNAME}" -s enabled=True
From 3001302355885268ddce531e11b0cbfbff03cb2e Mon Sep 17 00:00:00 2001
From: Zoran Sinnema
Date: Wed, 10 Dec 2025 16:30:14 +0100
Subject: [PATCH 4/4] chore: refactor create/update/refresh admin_api user
---
 applications/accounts/scripts/create_api_user.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/applications/accounts/scripts/create_api_user.sh b/applications/accounts/scripts/create_api_user.sh
index 37978804..43bcac20 100755
--- a/applications/accounts/scripts/create_api_user.sh
+++ b/applications/accounts/scripts/create_api_user.sh
@@ -2,9 +2,11 @@
 export API_USERNAME="admin_api"
 export API_PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password 2>/dev/null || echo "")
-export TMP_CLIENT="tmp_client"
+export TMP_CLIENT="tmp_api_client"
 export TMP_CLIENT_SECRET="${KC_BOOTSTRAP_ADMIN_USERNAME}"
+sleep 120
+
 echo "create_api_user: waiting for Keycloak to start..."
 create_temporary_client() {
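Review bot: The `--http-management-port 9876` added to the `kc.sh bootstrap-admin service` call in `create_temporary_client` is an unexplained magic number; the commit title suggests it keeps this one-off run from colliding with the management port of the Keycloak server already running in the same container, but the reader has to guess. Put that reason on the line above it, e.g. `# 9876: keep this one-off run off the management port held by the running Keycloak server`, and consider declaring the value as a variable next to `TMP_CLIENT` so the port that must stay free is visible at the top of the file. The second hunk of this patch (`-}` / `+}`) is whitespace only.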
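Review bot: The added `sleep 120` sits above `echo "create_api_user: waiting for Keycloak to start..."`, so the line that explains the two-minute pause is only printed once the pause is already over; move the `sleep` below the echo. A fixed delay is also a weak readiness check, failing on a slow start and idling on a fast one; polling the later `kcadm.sh config credentials` attempt in a bounded retry loop would make the script wait exactly as long as needed. The hunk ends on the `create_temporary_client() {` line, so the function body lies outside it.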