#!/usr/bin/python3.8
import argparse
import getpass
import json
import os
import shlex
import subprocess
import sys
# Command line: all three switches are mandatory, argparse exits with a usage
# message when one is missing.
parser = argparse.ArgumentParser(description='Create new Client for ArgoCD')
parser.add_argument('-realm', required=True, help='realm to change')
parser.add_argument(
    '-keycloak', required=True, help='Keycloak hostname (e.g. keycloak)')
parser.add_argument(
    '-domain', required=True, help='Domain (e.g dev.mydomain.com)')
args = parser.parse_args()

REALM = args.realm
DOMAIN = args.domain
# The Keycloak host is the short name qualified with the shared domain.
KEYCLOAK_HOST = f"{args.keycloak}.{DOMAIN}"
# kcadm.sh is expected next to this script under ./keycloak/; the trailing
# space lets callers append the sub-command string directly.
KC = os.path.join(os.path.dirname(os.path.realpath(__file__)),
                  "keycloak", "kcadm.sh") + " "
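def kc(script: str) -> str:
    """Run one kcadm.sh command line and return its trimmed stdout.

    Args:
        script: the kcadm sub-command and its arguments, written with
            shell-style quoting (callers wrap JSON bodies in single quotes).

    Returns:
        stdout of kcadm.sh, UTF-8 decoded, surrounding whitespace removed.

    Raises:
        subprocess.CalledProcessError: when kcadm.sh exits non-zero.
        ValueError: when the command line cannot be tokenised
            (e.g. unbalanced quotes).
    """
    # shlex honours the single-quoted JSON arguments the callers build, so the
    # command can be exec'd directly instead of through /bin/sh: a shell
    # metacharacter inside a realm, domain or password value is then passed
    # to kcadm as data rather than interpreted by the shell.
    argv = shlex.split(KC + script)
    completed = subprocess.run(argv, check=True, stdout=subprocess.PIPE)
    return completed.stdout.decode('utf-8').strip()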
def escapeJson(object) -> str:
    """Serialise *object* as JSON and wrap it in single quotes for the shell."""
    body = json.dumps(object)
    return f"'{body}'"
password = getpass.getpass("Whats your Keycloak Admin Password? ")
# NOTE(review): the password becomes an argv token of kcadm.sh and is visible
# in process listings for the lifetime of that call; kcadm's interactive
# prompt (omitting --password) would avoid that — confirm the installed
# kcadm version supports it before switching.
login_cmd = (
    f"config credentials --server https://{KEYCLOAK_HOST}/auth "
    f"--realm master --user keycloak --password {password}"
)
kc(login_cmd)
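try:
    # kcadm returns an empty list when no client matches, so [0] raises
    # IndexError: that (and a malformed reply) is the "create it" path.
    # A failing kcadm call itself is no longer swallowed.
    CID = json.loads(kc(f"get clients?clientId=argocd -r {REALM}"))[0]["id"]
except (IndexError, KeyError, ValueError):
    CID = kc(f"create clients -r {REALM}" +
             """ -s clientId=argocd -s 'redirectUris=["*"]' -s 'baseUrl="/applications"' -s rootUrl=https://""" + f"{REALM}.{DOMAIN} -s adminUrl=https://{REALM}.{DOMAIN} -i")
secret = json.loads(kc(f"get clients/{CID}/client-secret -r {REALM}"))["value"]
# The client secret is a credential: create the file owner-read/write only
# instead of relying on the process umask, and tighten a pre-existing file
# (O_CREAT's mode only applies when the file is new).
secret_path = os.path.join(os.getcwd(), "oidc.keycloak.clientSecret")
fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
with os.fdopen(fd, "w") as f:
    f.write(secret)
os.chmod(secret_path, 0o600)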
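# setup User Group
try:
    # An empty search result makes [0] raise IndexError, which (with a
    # malformed reply) is the only condition under which the group is created;
    # a failing kcadm call is no longer swallowed.
    # NOTE(review): presumably "search" is a substring match on the group
    # name — assumes no other group name contains "ArgoCDAdmins".
    GROUPID = json.loads(
        kc(f"get groups?search=ArgoCDAdmins -r {REALM}"))[0]["id"]
except (IndexError, KeyError, ValueError):
    GROUPID = kc(f"create groups -r {REALM} -s name=ArgoCDAdmins -i")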
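# client scopes
try:
    # Create the "groups" scope, attach a group-membership mapper to it and
    # make it a default scope of the ArgoCD client.
    CSCOPE = kc(f"create client-scopes -r {REALM} -b " + escapeJson({
        "attributes": {"consent.screen.text": "${groupsScopeConsentText}",
                       "display.on.consent.screen": "true"},
        "name": "groups",
        "protocol": "openid-connect",
    }) + " -i")
    kc(f"create client-scopes/{CSCOPE}/protocol-mappers/models -r {REALM} -b " + escapeJson({
        "protocol": "openid-connect",
        "config": {"full.path": "true", "id.token.claim": "true",
                   "access.token.claim": "true", "userinfo.token.claim": "true",
                   "claim.name": "groups"},
        "name": "groups",
        "protocolMapper": "oidc-group-membership-mapper",
    }))
    # NOTE(review): "realm" is hard-coded to "argocd" here while every other
    # call uses REALM — confirm whether that is intentional.
    kc(f"update clients/{CID}/default-client-scopes/{CSCOPE}/ -r {REALM} -b " +
       escapeJson({"realm": "argocd", "client": f"{CID}", "clientScopeId": f"{CSCOPE}"}))
except subprocess.CalledProcessError as err:
    # Best effort, as before: presumably kcadm exits non-zero on re-runs when
    # the scope already exists. Report it instead of swallowing it so a real
    # failure (wrong realm, expired session) is not hidden.
    print(f"WARNING: client-scope setup skipped, kcadm exited with {err.returncode}",
          file=sys.stderr)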
# write config map
# This file carries no credential: the secret is referenced by the name of the
# file written earlier, not inlined.
config_lines = [
    "name: Keycloak",
    f"issuer: https://{KEYCLOAK_HOST}/auth/realms/{REALM}",
    "clientID: argocd",
    "clientSecret: $oidc.keycloak.clientSecret",
    'requestedScopes: ["openid", "profile", "email", "groups"]',
]
with open(os.path.join(os.getcwd(), "oidc.config"), "w") as text_file:
    text_file.write("\n".join(config_lines) + "\n")
# Kustomize generators consuming the two files the accompanying script writes
# into the working directory (oidc.keycloak.clientSecret and oidc.config).
secretGenerator:
- name: argocd-secret
  behavior: merge
  files:
  # holds the Keycloak client secret; keep this file out of version control
  - oidc.keycloak.clientSecret
configMapGenerator:
- name: argocd-cm
  behavior: merge
  literals:
  - url=https://argocd.phoenix.ch.innoq.io
  files:
  - oidc.config
- name: argocd-rbac-cm
  behavior: merge
  literals:
  # presumably maps members of the ArgoCDAdmins Keycloak group to the admin
  # role via the "groups" claim — verify against the RBAC policy format
  - policy.csv= g, /ArgoCDAdmins, role:admin