CH-231 refactor API user init #828
Pull request overview
This PR refactors the API user initialization logic by moving authentication and user creation logic from the Keycloak entrypoint script into the dedicated create_api_user.sh script, improving separation of concerns and maintainability.
Key Changes:
- Moved API user authentication and creation logic from kc-entrypoint.sh to create_api_user.sh
- Simplified the entrypoint script to only handle startup script execution
- Consolidated all API user management in a single location
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| applications/accounts/scripts/kc-entrypoint.sh | Removed API user authentication logic and conditional execution, simplified to only run startup scripts |
| applications/accounts/scripts/create_api_user.sh | Added authentication logic and wrapped user creation in conditional block to handle existing user scenarios |
Comments suppressed due to low confidence (1)
applications/accounts/scripts/kc-entrypoint.sh:1
- Missing closing 'fi' for the inner if statement on line 9. The script has mismatched conditional blocks.
#! /bin/bash
|
|
||
| # Run startup scripts to create admin_api user | ||
| for script in /opt/keycloak/startup-scripts/*.sh; | ||
| # Run startup scripts to create admin_api user |
Copilot
AI
Dec 9, 2025
[nitpick] Corrected spelling in comment: 'create' should be 'creates' or rephrase to 'creation of admin_api user'.
| # Run startup scripts to create admin_api user | |
| # Run startup scripts to create the admin_api user |
| API_USERNAME="admin_api" | ||
| API_PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password 2>/dev/null || echo "") | ||
|
|
||
| echo "create_api_user: waiting for Keycloak to start..." |
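Review bot: API_PASSWORD falls back to an empty string when /opt/cloudharness/resources/auth/api_user_password cannot be read (the `2>/dev/null || echo ""` on the assignment), so a missing or unmounted secret silently becomes an empty password for admin_api. Fail fast instead: check that the file is readable and non-empty, and exit with an error before the script starts waiting for Keycloak.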
Copilot
AI
Dec 9, 2025
[nitpick] Corrected spelling: 'create_api_user' should use consistent formatting as 'Creating API user' elsewhere in the script.
| echo "create_api_user: waiting for Keycloak to start..." | |
| echo "Creating API user: waiting for Keycloak to start..." |
| echo "admin_api user does not exist or authentication failed. Authenticating as bootstrap admin to create the user..." | ||
|
|
||
| # Authenticate as bootstrap admin to create admin_api user | ||
| if ! /opt/keycloak/bin/kcadm.sh config credentials \ |
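Review bot: the echo ahead of the `kcadm.sh config credentials` call treats "user does not exist" and "authentication failed" as one case, so a wrong or rotated admin_api password takes the same path as a first start and goes straight to the bootstrap admin login. Distinguish the two, for example by looking the user up once authenticated as bootstrap admin, and log which one occurred so a credential mismatch is visible in the startup output.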
critical: this still doesn't work when the bootstrap user password is changed. Let me think of an automated way to set the api admin user's password
@filippomc I think this will do the job:
```bash
# create a temporary service account
kc.sh bootstrap-admin service --client-id=tmp_client --client-secret:env=KC_BOOTSTRAP_ADMIN_USERNAME
kcadm.sh config credentials --server http://localhost:8080 --realm master --client tmp_client --secret "${KC_BOOTSTRAP_ADMIN_USERNAME}"
# create the api user and set the password
kcadm.sh create users -s "username=${API_USERNAME}" -s enabled=True
kcadm.sh set-password --username "${API_USERNAME}" --new-password "${API_PASSWORD}"
# remove the temporary service account
client_id=$(kcadm.sh get clients -r master -q "clientId=tmp_client"|grep \"id\"|cut -d ":" -f 2|tr -d '", ')
kcadm.sh delete "clients/${client_id}"
```
explanation:
- create a temporary service account
- create the api user and set the password
- remove the temporary service account
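A variant of the temporary-client procedure from the comment above, as an added example (not code from this PR or its authors): it removes the temporary admin client even when user creation fails, and it swaps in a random one-time client secret. `KC`, `KCADM`, `TMP_CLIENT` and `TMP_CLIENT_SECRET` are names assumed here so the Keycloak CLIs can be overridden or stubbed.

```bash
#!/usr/bin/env bash
# Added example. KC, KCADM and TMP_CLIENT are assumed override points so the
# Keycloak CLIs can be stubbed; TMP_CLIENT_SECRET is a name chosen here.
KC="${KC:-kc.sh}"
KCADM="${KCADM:-kcadm.sh}"
TMP_CLIENT="${TMP_CLIENT:-tmp_client}"

delete_tmp_client() {
  local id
  # Ask kcadm for the id field only instead of parsing JSON with grep/cut.
  id=$("$KCADM" get clients -r master -q "clientId=${TMP_CLIENT}" \
    --fields id --format csv --noquotes) || return 1
  [ -n "$id" ] || return 0          # nothing to delete
  "$KCADM" delete "clients/${id}" -r master
}

create_api_user() {
  local username="$1" password="$2" rc=0
  # Random one-time secret for the temporary admin client.
  TMP_CLIENT_SECRET=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
  export TMP_CLIENT_SECRET
  "$KC" bootstrap-admin service --client-id="$TMP_CLIENT" \
    --client-secret:env=TMP_CLIENT_SECRET || { unset TMP_CLIENT_SECRET; return 1; }
  {
    "$KCADM" config credentials --server http://localhost:8080 \
      --realm master --client "$TMP_CLIENT" --secret "$TMP_CLIENT_SECRET" &&
    "$KCADM" create users -r master -s "username=${username}" -s enabled=true &&
    "$KCADM" set-password -r master --username "$username" \
      --new-password "$password"
  } || rc=$?
  # Cleanup runs on success and on failure; a failed cleanup is reported too.
  if ! delete_tmp_client; then
    echo "WARNING: temporary client ${TMP_CLIENT} was not removed" >&2
    [ "$rc" -ne 0 ] || rc=1
  fi
  unset TMP_CLIENT_SECRET
  return "$rc"
}
```

If `config credentials` itself fails, the cleanup cannot authenticate either; the warning is the signal that the temporary client still exists and has to be removed by other means.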
@filippomc wdyt of my last commit?
Closes CH-213
Implemented solution
...
How to test this PR
...
Sanity checks:
Breaking changes (select one):
breaking-change and the migration procedure is well described above
Possible deployment updates issues (select one):
alert:deployment
Test coverage (select one):
Documentation (select one):
Nice to have (if relevant):