add_kcadm #28

Open
oxaliq wants to merge 4 commits from oxaliq/keycloak:add_kcadm into master
First-time contributor

Closes #27

There is a subtle breaking change introduced, as the semantics of the admin_password secret are changed. kcadm.sh requires authentication against the Keycloak REST API for a user of sufficient permissions to perform the actions attempted. To solve this, this PR uses the admin_password secret as the secret for the permanent admin user that is created after authenticating with the temporary bootstrapped user.

The result is that running login_kcadm and run_kcadm will not work for existing Keycloak deployments without upgrading this secret. I can write a short guide on how to do this if this PR is accepted.

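The init_kc flow the description outlines, written out as an added shell example (not the recipe's own script): log in to the REST API as the temporary bootstrap admin, create the permanent admin whose password is the `admin_password` swarm secret, re-authenticate as that admin, and only then delete the bootstrap user. The kcadm.sh subcommands are real ones; the `KCADM`, `KC_URL` and `SECRET_FILE` defaults, the argument order and the use of the master-realm `admin` role are assumptions.

```shell
#!/bin/sh
# Added example, not the recipe's own init_kc: log in as the temporary
# bootstrap admin, create a permanent admin whose password comes from the
# docker swarm secret, re-login as that admin, then delete the bootstrap user.
# Assumed: KCADM path, KC_URL and SECRET_FILE defaults below; the 'admin'
# role in the master realm grants full administrative rights.
set -eu

KCADM="${KCADM:-/opt/keycloak/bin/kcadm.sh}"
KC_URL="${KC_URL:-http://localhost:8080}"
SECRET_FILE="${SECRET_FILE:-/run/secrets/admin_password}"

# Read a docker secret file: it must be readable and non-empty. Command
# substitution strips the trailing newline most secret files carry.
read_secret() {
    [ -r "$1" ] || { echo "secret file $1 is not readable" >&2; return 1; }
    secret=$(cat "$1")
    [ -n "$secret" ] || { echo "secret file $1 is empty" >&2; return 1; }
    printf '%s' "$secret"
}

init_kc() {
    bootstrap_user="$1"; bootstrap_pass="$2"; admin_user="$3"; admin_pass="$4"
    # Authenticate to the REST API as the bootstrap user (kcadm prompts for
    # the password if --password is omitted, which keeps it out of argv).
    "$KCADM" config credentials --server "$KC_URL" --realm master \
        --user "$bootstrap_user" --password "$bootstrap_pass"
    "$KCADM" create users -r master -s "username=$admin_user" -s enabled=true
    "$KCADM" set-password -r master --username "$admin_user" \
        --new-password "$admin_pass"
    "$KCADM" add-roles -r master --uusername "$admin_user" --rolename admin
    # Prove the permanent admin works before removing the bootstrap user, so
    # a failure here never leaves the realm without any admin.
    "$KCADM" config credentials --server "$KC_URL" --realm master \
        --user "$admin_user" --password "$admin_pass"
    bootstrap_id=$("$KCADM" get users -r master -q "username=$bootstrap_user" \
        --fields id --format csv --noquotes | head -n 1)
    [ -n "$bootstrap_id" ] || { echo "bootstrap user not found" >&2; return 1; }
    "$KCADM" delete "users/$bootstrap_id" -r master
}

# Usage: init_kc.sh BOOTSTRAP_USER BOOTSTRAP_PASSWORD ADMIN_USER
# (with no arguments only the functions are defined, so the file can be sourced)
[ "$#" -ne 3 ] || init_kc "$1" "$2" "$3" "$(read_secret "$SECRET_FILE")"
```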
oxaliq added 3 commits 2026-04-01 15:44:46 +00:00
in order to run kcadm.sh commands the script must authenticate to the REST API.
this commit includes an init_kc command that replaces the bootstrap user with
a permanent admin user (whose password is a docker swarm secret) that can be
used to authenticate before running kcadm commands. this reuses the secret
'admin_password' that was previously used as the password for the bootstrap
admin user.
add documentation for admin cli
Some checks failed
continuous-integration/drone/pr Build is failing
a85d4f3b8f
also updates initial setup documentation to reflect admin cli usage
in creating permanent admin user.
oxaliq requested review from 3wordchant 2026-04-01 15:48:16 +00:00
oxaliq requested review from ammaratef45 2026-04-01 15:48:17 +00:00
oxaliq requested review from cyrnel 2026-04-01 15:48:17 +00:00
oxaliq requested review from notplants 2026-04-01 15:48:17 +00:00
Author
First-time contributor

adding reviewers from recent recipe activity. ty!

Owner

> The result is that running `login_kcadm` and `run_kcadm` will not work for existing Keycloak deployments without upgrading this secret. I can write a short guide on how to do this if this PR is accepted.

OK, I tried to grok this breaking issue but my brain won't let it in 😆 Can you write up the short migration guide in a [release note](https://docs.coopcloud.tech/maintainers/handbook/#how-do-i-write-version-release-notes) and that might help?

This looks like a solid change in general! Just want to get the breaking stuff agreed upon by a few people. I think the release note will help.
oxaliq added 1 commit 2026-04-03 16:10:19 +00:00
prepare kcadm release
Some checks failed
continuous-integration/drone/pr Build is failing
a6b84ce9b6
Author
First-time contributor

> OK, I tried to grok this breaking issue but my brain won't let it in 😆 Can you write up the short migration guide in a [release note](https://docs.coopcloud.tech/maintainers/handbook/#how-do-i-write-version-release-notes) and that might help?

Added a release note! thanks @decentral1se
decentral1se reviewed 2026-04-03 16:28:11 +00:00
decentral1se left a comment
Owner

Keycloak is hands down the most bizarre software 😆 Great work! I think I've reached the limits of evaluating this PR. I don't maintain Keycloak anymore. I hope the others can weigh in. You might need to chase them up on the Matrix chats.

@ -6,3 +6,3 @@
LETS_ENCRYPT_ENV=production
ADMIN_USERNAME=admin
BOOTSTRAP_PASSWORD= # temporary admin password
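Review bot: `BOOTSTRAP_PASSWORD=` on the last line stores a credential in plain text in the `.env` file, and even though it is temporary it stays readable on disk (and in every copy or backup of that file) after `init_kc` has replaced the bootstrap user. Suggest sourcing it from a docker secret the way `admin_password` is, or at minimum having the `init_kc` documentation instruct operators to blank the value once the permanent admin exists and saying so in the comment, e.g. `BOOTSTRAP_PASSWORD= # temporary admin password; clear after running init_kc`.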
Owner

Do I understand that you want operators to set this secret value themselves manually? That seems fine since it is temporary but it is a bit of an unexpected context switch. I don't think any other single recipe asks operators to put plain secrets in their `.env` files. How annoying is it to generate this temporary secret and remove it after you run `init_kc`? That would be more "standard" 😬
Author
First-time contributor

That makes sense! I was hoping to really highlight how this password should not be relied upon, but I can make it a temporary secret again to avoid a strange pattern.

@ -0,0 +12,4 @@
To insert your permanent admin password:
"abra app secret insert $APP SECRET_ADMIN_PASSWORD_VERSION \
$NEW_VERSION $ADMIN_PASSWORD"
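Review bot: the command on the last two lines passes `$ADMIN_PASSWORD` as a plain argument, so if the operator types the password inline it is recorded in shell history, and in any case the expanded value is visible in the process list while `abra` runs. The doc should say that `$ADMIN_PASSWORD` is the permanent admin user's password (not the bootstrap one) and recommend setting the variable from a silent prompt (`read -s ADMIN_PASSWORD`) rather than pasting it on the command line. Also, wrapping the command in double quotes makes it read as a quoted string; a fenced code block would be clearer.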
Owner

Do we want to qualify here that `$ADMIN_PASSWORD` is the 2nd password they entered in manually in the web UI when creating their "permanent admin" in the previous workflow? Idk how others see this but I'm really confused by this whole change because Keycloak is just so weird 😅
Author
First-time contributor

I'll add more language to that effect. I was really struggling with how to delineate the two passwords. The pattern is super strange!

Some checks failed
continuous-integration/drone/pr Build is failing
This pull request can be merged automatically.