Implement dynamic secret injection for Keycloak realm configuration

Copilot · phrocker · Copilot · commit ab2b183247ef · 2025-06-26T17:12:12.000Z
Co-authored-by: phrocker &lt;1781585+phrocker@users.noreply.github.com&gt;
diff --git a/docker/keycloak/Dockerfile b/docker/keycloak/Dockerfile
@@ -14,10 +14,37 @@ RUN /opt/keycloak/bin/kc.sh build
 FROM quay.io/keycloak/keycloak:24.0.1
 COPY --from=builder /opt/keycloak/ /opt/keycloak/
 
-COPY ./realms/sentrius-realm.json /opt/keycloak/data/import/sentrius-realm.json
+# Install gettext for envsubst command
+USER root
+RUN microdnf install -y gettext && microdnf clean all
+USER keycloak
 
-RUN ls -l /opt/keycloak/data/import/sentrius-realm.json
+# Copy realm template and processing script
+COPY ./realms/sentrius-realm.json.template /opt/keycloak/data/import/sentrius-realm.json.template
+COPY ./process-realm-template.sh /opt/keycloak/bin/process-realm-template.sh
 
-ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
-CMD ["start-dev", "--proxy=passthrough", "--import-realm", "--import-realm-overwrite=true", "--health-enabled=true"]
+# Make the script executable
+USER root
+RUN chmod +x /opt/keycloak/bin/process-realm-template.sh
+USER keycloak
+
+RUN ls -l /opt/keycloak/data/import/sentrius-realm.json.template
+
+# Create startup script that processes template then starts Keycloak
+COPY <<'EOF' /opt/keycloak/bin/startup.sh
+#!/bin/bash
+echo "Starting Keycloak with dynamic realm processing..."
+
+# Process the realm template
+/opt/keycloak/bin/process-realm-template.sh
+
+# Start Keycloak with the processed realm
+exec /opt/keycloak/bin/kc.sh start-dev --proxy=passthrough --import-realm --import-realm-overwrite=true --health-enabled=true
+EOF
+
+USER root
+RUN chmod +x /opt/keycloak/bin/startup.sh
+USER keycloak
+
+ENTRYPOINT ["/opt/keycloak/bin/startup.sh"]
 
diff --git a/docker/keycloak/README.md b/docker/keycloak/README.md
@@ -1,14 +1,30 @@
 # Keycloak Realm Configuration
 
-This realm configuration file contains client definitions for Sentrius.
+This realm configuration file contains client definitions for Sentrius with dynamic secret injection.
 
-⚠️ **IMPORTANT**: The client secrets in this file are set to "CHANGE_ME_AFTER_IMPORT" and must be updated after importing the realm to match the secrets configured in your Helm deployment.
+## 🔐 Dynamic Secret Management
 
-The client secrets should be configured to match:
-- The OAuth2 secrets generated by the Helm chart
-- Or the secrets you provide in your values.yaml
+The Keycloak container now supports dynamic secret injection through environment variables:
 
-You can update client secrets via:
-1. Keycloak Admin Console
-2. Keycloak Admin REST API
-3. Environment variable substitution during realm import
+- **SENTRIUS_API_CLIENT_SECRET** - Secret for sentrius-api client
+- **SENTRIUS_LAUNCHER_CLIENT_SECRET** - Secret for sentrius-launcher-service client  
+- **JAVA_AGENTS_CLIENT_SECRET** - Secret for java-agents client
+- **AI_AGENT_ASSESSOR_CLIENT_SECRET** - Secret for ai-agent-assessor client
+
+## How It Works
+
+1. **Template Processing**: The `sentrius-realm.json.template` file contains environment variable placeholders
+2. **Runtime Substitution**: During container startup, the `process-realm-template.sh` script replaces placeholders with actual values
+3. **Helm Integration**: The Helm chart generates OAuth2 secrets and passes them as environment variables
+4. **Automatic Import**: Keycloak imports the processed realm with the dynamically generated secrets
+
+## Environment Variable Integration
+
+The Helm chart automatically:
+- Generates random 32-character secrets when none are provided
+- Passes these secrets as environment variables to the Keycloak container
+- Ensures consistency between Helm-managed OAuth2 secrets and Keycloak realm configuration
+
+## Fallback Behavior
+
+If environment variables are not provided, the startup script generates default random secrets to ensure the container can start successfully.
diff --git a/docker/keycloak/process-realm-template.sh b/docker/keycloak/process-realm-template.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Process realm template with environment variable substitution
+# This script replaces environment variable placeholders in the realm template
+# with actual values before Keycloak imports the realm
+
+# Set paths - different for container vs local testing
+if [ -f "/opt/keycloak/data/import/sentrius-realm.json.template" ]; then
+    # Container environment
+    REALM_TEMPLATE="/opt/keycloak/data/import/sentrius-realm.json.template"
+    REALM_OUTPUT="/opt/keycloak/data/import/sentrius-realm.json"
+elif [ -f "./realms/sentrius-realm.json.template" ]; then
+    # Local testing environment
+    REALM_TEMPLATE="./realms/sentrius-realm.json.template"
+    REALM_OUTPUT="${REALM_OUTPUT:-./sentrius-realm.json}"
+else
+    echo "Error: Realm template not found"
+    echo "  Looked for: /opt/keycloak/data/import/sentrius-realm.json.template"
+    echo "  Looked for: ./realms/sentrius-realm.json.template"
+    exit 1
+fi
+
+echo "Processing Keycloak realm template..."
+echo "  Template: $REALM_TEMPLATE"
+echo "  Output: $REALM_OUTPUT"
+
+# Set default values for secrets if not provided
+export SENTRIUS_API_CLIENT_SECRET="${SENTRIUS_API_CLIENT_SECRET:-default-api-secret-$(openssl rand -hex 16)}"
+export SENTRIUS_LAUNCHER_CLIENT_SECRET="${SENTRIUS_LAUNCHER_CLIENT_SECRET:-default-launcher-secret-$(openssl rand -hex 16)}"
+export JAVA_AGENTS_CLIENT_SECRET="${JAVA_AGENTS_CLIENT_SECRET:-default-agents-secret-$(openssl rand -hex 16)}"
+export AI_AGENT_ASSESSOR_CLIENT_SECRET="${AI_AGENT_ASSESSOR_CLIENT_SECRET:-default-assessor-secret-$(openssl rand -hex 16)}"
+
+# Set default values for other placeholders
+export ROOT_URL="${ROOT_URL:-http://localhost:8080}"
+export REDIRECT_URIS="${REDIRECT_URIS:-http://localhost:8080}"
+export GOOGLE_CLIENT_ID="${GOOGLE_CLIENT_ID:-}"
+export GOOGLE_CLIENT_SECRET="${GOOGLE_CLIENT_SECRET:-}"
+
+echo "Substituting environment variables in realm template..."
+echo "  SENTRIUS_API_CLIENT_SECRET: ${SENTRIUS_API_CLIENT_SECRET:0:8}..."
+echo "  SENTRIUS_LAUNCHER_CLIENT_SECRET: ${SENTRIUS_LAUNCHER_CLIENT_SECRET:0:8}..."
+echo "  JAVA_AGENTS_CLIENT_SECRET: ${JAVA_AGENTS_CLIENT_SECRET:0:8}..."
+echo "  AI_AGENT_ASSESSOR_CLIENT_SECRET: ${AI_AGENT_ASSESSOR_CLIENT_SECRET:0:8}..."
+
+# Use envsubst to replace environment variables
+envsubst < "$REALM_TEMPLATE" > "$REALM_OUTPUT"
+
+if [ $? -eq 0 ]; then
+    echo "Realm template processed successfully: $REALM_OUTPUT"
+else
+    echo "Error: Failed to process realm template"
+    exit 1
+fi
+
+# Validate the JSON is valid
+if command -v jq >/dev/null 2>&1; then
+    if ! jq empty < "$REALM_OUTPUT" >/dev/null 2>&1; then
+        echo "Error: Generated realm JSON is invalid"
+        exit 1
+    fi
+    echo "Generated realm JSON is valid"
+else
+    echo "Note: jq not available, skipping JSON validation"
+fi
diff --git a/docker/keycloak/realms/sentrius-realm.json.template b/docker/keycloak/realms/sentrius-realm.json.template
@@ -6,7 +6,7 @@
       "clientId": "sentrius-api",
       "enabled": true,
       "clientAuthenticatorType": "client-secret",
-      "secret": "CHANGE_ME_AFTER_IMPORT",
+      "secret": "${SENTRIUS_API_CLIENT_SECRET}",
       "rootUrl": "${ROOT_URL}",
       "baseUrl": "${ROOT_URL}",
       "serviceAccountsEnabled": true,
@@ -40,7 +40,7 @@
       "clientId": "sentrius-launcher-service",
       "enabled": true,
       "clientAuthenticatorType": "client-secret",
-      "secret": "CHANGE_ME_AFTER_IMPORT",
+      "secret": "${SENTRIUS_LAUNCHER_CLIENT_SECRET}",
       "rootUrl": "${ROOT_URL}",
       "baseUrl": "${ROOT_URL}",
 
@@ -81,7 +81,7 @@
       "enabled": true,
       "alwaysDisplayInConsole": false,
       "clientAuthenticatorType": "client-secret",
-      "secret": "CHANGE_ME_AFTER_IMPORT",
+      "secret": "${JAVA_AGENTS_CLIENT_SECRET}",
       "redirectUris": [
         "${REDIRECT_URIS}/*"
       ],
@@ -168,7 +168,7 @@
       "enabled": true,
       "alwaysDisplayInConsole": false,
       "clientAuthenticatorType": "client-secret",
-      "secret": "CHANGE_ME_AFTER_IMPORT",
+      "secret": "${AI_AGENT_ASSESSOR_CLIENT_SECRET}",
       "redirectUris": [
         "${REDIRECT_URIS}/*"
       ],
diff --git a/docs/secret-management.md b/docs/secret-management.md
@@ -49,6 +49,28 @@ Application properties files now use environment variables with fallback default
 - `DATABASE_PASSWORD` - Database password (defaults to "password")
 - `KEYSTORE_PASSWORD` - Keystore password (defaults to "keystorepassword")
 
+## Keycloak Realm Dynamic Configuration
+
+The Keycloak Docker container now supports dynamic realm configuration with automatic secret injection:
+
+### How It Works
+
+1. **Template Processing**: The Keycloak realm configuration uses a template file (`sentrius-realm.json.template`) with environment variable placeholders
+2. **Runtime Substitution**: During container startup, secrets are injected via environment variables:
+   - `SENTRIUS_API_CLIENT_SECRET` - Secret for sentrius-api client
+   - `SENTRIUS_LAUNCHER_CLIENT_SECRET` - Secret for sentrius-launcher-service client
+   - `JAVA_AGENTS_CLIENT_SECRET` - Secret for java-agents client
+   - `AI_AGENT_ASSESSOR_CLIENT_SECRET` - Secret for ai-agent-assessor client
+3. **Helm Integration**: The Helm chart automatically generates these secrets and passes them to the Keycloak container
+4. **Fallback Generation**: If no secrets are provided, the container generates secure random defaults
+
+### Build Integration
+
+When building the Keycloak container with `./build-images.sh --sentrius-keycloak`, the system:
+- Includes the realm template and processing script
+- Configures automatic secret substitution during startup
+- Ensures consistency between Helm-generated OAuth2 secrets and Keycloak realm configuration
+
 ## Production Deployment
 
 For production environments, it is recommended to:
diff --git a/sentrius-chart/templates/keycloak-deployment.yaml b/sentrius-chart/templates/keycloak-deployment.yaml
@@ -87,5 +87,23 @@ spec:
                 secretKeyRef:
                   name: {{ .Release.Name }}-keycloak-secrets
                   key: client-secret
-          command: ["/opt/keycloak/bin/kc.sh"]
-          args: ["start-dev", "--proxy=edge", "--import-realm", "--health-enabled=true"]
+            - name: SENTRIUS_API_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-oauth2-secrets
+                  key: sentrius-api-client-secret
+            - name: SENTRIUS_LAUNCHER_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-oauth2-secrets
+                  key: sentrius-launcher-service-client-secret
+            - name: JAVA_AGENTS_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-oauth2-secrets
+                  key: java-agents-client-secret
+            - name: AI_AGENT_ASSESSOR_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-oauth2-secrets
+                  key: ai-agent-assessor-client-secret
diff --git a/sentrius-chart/templates/oauth2-secrets.yaml b/sentrius-chart/templates/oauth2-secrets.yaml
@@ -37,4 +37,29 @@ data:
   launcherservice-client-secret: {{ .Values.launcherservice.oauth2.client_secret | b64enc }}
   {{- else }}
   launcherservice-client-secret: {{ randAlphaNum 32 | b64enc }}
+  {{- end }}
+  
+  # Keycloak Realm Client Secrets - These are used by Keycloak realm configuration
+  {{- if .Values.keycloak.realm.clients.sentriusApi.client_secret }}
+  sentrius-api-client-secret: {{ .Values.keycloak.realm.clients.sentriusApi.client_secret | b64enc }}
+  {{- else }}
+  sentrius-api-client-secret: {{ randAlphaNum 32 | b64enc }}
+  {{- end }}
+  
+  {{- if .Values.keycloak.realm.clients.sentriusLauncher.client_secret }}
+  sentrius-launcher-service-client-secret: {{ .Values.keycloak.realm.clients.sentriusLauncher.client_secret | b64enc }}
+  {{- else }}
+  sentrius-launcher-service-client-secret: {{ randAlphaNum 32 | b64enc }}
+  {{- end }}
+  
+  {{- if .Values.keycloak.realm.clients.javaAgents.client_secret }}
+  java-agents-client-secret: {{ .Values.keycloak.realm.clients.javaAgents.client_secret | b64enc }}
+  {{- else }}
+  java-agents-client-secret: {{ randAlphaNum 32 | b64enc }}
+  {{- end }}
+  
+  {{- if .Values.keycloak.realm.clients.aiAgentAssessor.client_secret }}
+  ai-agent-assessor-client-secret: {{ .Values.keycloak.realm.clients.aiAgentAssessor.client_secret | b64enc }}
+  {{- else }}
+  ai-agent-assessor-client-secret: {{ randAlphaNum 32 | b64enc }}
   {{- end }}
diff --git a/sentrius-chart/values.yaml b/sentrius-chart/values.yaml
@@ -194,6 +194,17 @@ keycloak:
     database: keycloak
     storageSize: 10Gi
   replicas: 1
+  # Realm client secrets - used for Keycloak realm template processing
+  realm:
+    clients:
+      sentriusApi:
+        client_secret: ""  # Dynamically generated if not provided
+      sentriusLauncher:
+        client_secret: ""  # Dynamically generated if not provided
+      javaAgents:
+        client_secret: ""  # Dynamically generated if not provided
+      aiAgentAssessor:
+        client_secret: ""  # Dynamically generated if not provided
   annotations:
     gke:
       cloud.google.com/backend-config: '{"default": "sentrius-backend-config"}'
