export tools_pod=$( oc --context ${cluster1} get pods -n cockroachdb | grep tools | awk ' {print $1}' ) ${cluster1} exec $tools_pod -c tools -n cockroachdb -- /cockroach/cockroach sql --execute=' CREATE DATABASE keycloak;' ${cluster1} exec $tools_pod -c tools -n cockroachdb -- /cockroach/cockroach sql --execute=' CREATE ROLE keycloak LOGIN PASSWORD keycloak;' ${cluster1} exec $tools_pod -c tools -n cockroachdb -- /cockroach/cockroach sql --execute=' GRANT ALL ON DATABASE keycloak TO keycloak' export cluster_base_domain=$( oc --context ${control_cluster} get dns cluster -o jsonpath=' {.spec.baseDomain}' ) export global_base_domain=global.${cluster_base_domain#* .}
export keycloak_username=keycloak
export keycloak_password=keycloak
for context in ${cluster1} ${cluster2} ${cluster3} ; do
oc --context ${context} new-project rhsso
oc --context ${context} apply -f ./keycloak/operator.yaml -n rhsso
envsubst < ./keycloak/keycloak.yaml | oc --context ${context} apply -f - -n rhsso
done Preparing Vault to manage account for the keycloak database export VAULT_ADDR=https://vault.${global_base_domain}
export VAULT_TOKEN=$( oc --context ${control_cluster} get secret vault-init -n vault -o jsonpath=' {.data.root_token}' | base64 -d ) enable -tls-skip-verify database
vault write -tls-skip-verify database/config/keycloak plugin_name=postgresql-database-plugin allowed_roles=" keycloak-role" " postgresql://{{username}}:{{password}}@cockroachdb-public.cockroachdb.svc.cluster.local:26257/keycloak?sslmode=require" " dba" " dba" " CREATE ROLE \" {{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL ON DATABASE keycloak TO \" {{name}}\" ;" " 24h" " 7d"