Merge pull request #828 from MetaCell/keycloak-init-fix

filippomc · web-flow · commit 9ecb4a98ae54 · 2025-12-10T17:00:52.000+01:00
CH-231 refactorAPI user init
diff --git a/applications/accounts/scripts/create_api_user.sh b/applications/accounts/scripts/create_api_user.sh
@@ -1,25 +1,78 @@
 #!/bin/bash
 
-NAMESPACE=${CH_ACCOUNTS_REALM}
-USERNAME=admin_api
-PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password)
+export API_USERNAME="admin_api"
+export API_PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password 2>/dev/null || echo "")
+export TMP_CLIENT="tmp_api_client"
+export TMP_CLIENT_SECRET="${KC_BOOTSTRAP_ADMIN_USERNAME}"
 
-echo "Checking if API user exists..."
+sleep 120
 
-# Check if user already exists
-if /opt/keycloak/bin/kcadm.sh get users -q "username=$USERNAME" | grep -q "$USERNAME"; then
-    echo "ERROR: API user $USERNAME already exists, but password is out of sync. You may need to reset it manually."
-    # /opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD"
-    # Removed automatic password reset as that would only work if the main admin password is unchanged from the default password
-    # That would create the false impression that the password is reset successfully when in fact it has not on production systems
+echo "create_api_user: waiting for Keycloak to start..."
+
+create_temporary_client() {
+    /opt/keycloak/bin/kc.sh bootstrap-admin service --client-id=${TMP_CLIENT} --client-secret:env=TMP_CLIENT_SECRET --http-management-port 9876
+}
+
+delete_temporary_client() {
+    CLIENT_ID=$(/opt/keycloak/bin/kcadm.sh get clients -r master -q clientId=${TMP_CLIENT} --fields id --format csv|tr -d '"')
+    if [ -n "$CLIENT_ID" ]; then
+        /opt/keycloak/bin/kcadm.sh delete clients/$CLIENT_ID -r master
+    fi
+}
+
+create_kc_config() {
+    /opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --client ${TMP_CLIENT} --secret ${TMP_CLIENT_SECRET}
+}
+
+api_user_exists() {
+    return $(/opt/keycloak/bin/kcadm.sh get users -q "username=$API_USERNAME" | grep -q "$API_USERNAME"; echo $?)
+}   
+
+create_api_user() {
+    /opt/keycloak/bin/kcadm.sh create users -s "username=${API_USERNAME}" -s enabled=True
+}
+
+set_password_and_roles() {
+    /opt/keycloak/bin/kcadm.sh set-password --username "$API_USERNAME" --new-password "$API_PASSWORD"
+    /opt/keycloak/bin/kcadm.sh add-roles --uusername "$API_USERNAME" --rolename admin
+}
+
+# Wait for Keycloak to be ready - just give it some time to start up
+
+
+echo "Attempting authentication..."
+
+# First, try to authenticate as admin_api
+if [ -n "$API_PASSWORD" ] && /opt/keycloak/bin/kcadm.sh config credentials \
+    --server http://localhost:8080 \
+    --realm master \
+    --user "$API_USERNAME" \
+    --password "$API_PASSWORD" 2>/dev/null; then
+    echo "Successfully authenticated as $API_USERNAME"
+    echo "Startup scripts not needed (admin_api user already exists)"
     exit 0
 fi
 
-echo "Creating API user $USERNAME"
-set -e 
-# create the user and reload keycloak
-/opt/keycloak/bin/kcadm.sh create users -s "username=$USERNAME" -s enabled=True
-/opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD"
-/opt/keycloak/bin/kcadm.sh add-roles --uusername "$USERNAME" --rolename admin
+echo "admin_api user does not exist or authentication failed. Authenticating to create the user..."
+
+set -e
+create_temporary_client
+create_kc_config
+echo "Temporary credentials successfully created."
+
+echo "Checking if API user exists..."
+# Check if user already exists
+if ! api_user_exists; then
+    echo "API user $API_USERNAME doesn't exists, creating..."
+    create_api_user
+    echo "API user created successfully"
+else
+    echo "API user $API_USERNAME already exists."
+fi
+set +e
+
+echo "Setting password and role."
+set_password_and_roles
 
-echo "API user created successfully"
+echo "Cleaning up temporary client."
+delete_temporary_client
diff --git a/applications/accounts/scripts/kc-entrypoint.sh b/applications/accounts/scripts/kc-entrypoint.sh
@@ -2,51 +2,16 @@
 
 /opt/keycloak/bin/kc.sh $@ &
 
-API_USERNAME="admin_api"
-API_PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password 2>/dev/null || echo "")
 
-echo "Waiting for Keycloak to start..."
-
-# Wait for Keycloak to be ready - just give it some time to start up
-sleep 120s
-
-echo "Attempting authentication..."
-
-# First, try to authenticate as admin_api
-if [ -n "$API_PASSWORD" ] && /opt/keycloak/bin/kcadm.sh config credentials \
-    --server http://localhost:8080 \
-    --realm master \
-    --user "$API_USERNAME" \
-    --password "$API_PASSWORD" 2>/dev/null; then
-    echo "Successfully authenticated as $API_USERNAME"
-    echo "Startup scripts not needed (admin_api user already exists)"
-else
-    echo "admin_api user does not exist or authentication failed. Authenticating as bootstrap admin to create the user..."
-    
-    # Authenticate as bootstrap admin to create admin_api user
-    if ! /opt/keycloak/bin/kcadm.sh config credentials \
-        --server http://localhost:8080 \
-        --realm master \
-        --user "$KC_BOOTSTRAP_ADMIN_USERNAME" \
-        --password "$KC_BOOTSTRAP_ADMIN_PASSWORD"; then
-        echo "ERROR: Failed to authenticate as bootstrap admin. Check KC_BOOTSTRAP_ADMIN credentials."
-        echo "Continuing without running startup scripts..."
-        wait
-        exit 0
-    fi
-    
-    echo "Successfully authenticated as bootstrap admin"
-    
-    # Run startup scripts to create admin_api user
-    for script in /opt/keycloak/startup-scripts/*.sh;
+# Run startup scripts to create admin_api user
+for script in /opt/keycloak/startup-scripts/*.sh;
     do
         echo "Running startup script: $script"
         if bash "$script"; then
             echo "Successfully executed $script"
         else
             echo "Warning: $script failed with exit code $?"
-        fi
-    done
-fi
+    fi
+done
 
 wait
