keycloak: fix setup to use a shell script

keycloak.yaml

@@ -42,6 +42,9 @@ services:
       depends_on:
         - keycloak-db
 
+  # all of the various subdomains can install files in
+  # /keycloak-setup/ to be executed during the setup phase
+  # to enable their clients using the client-create tool
   keycloak-setup:
         image: quay.io/keycloak/keycloak:18.0.0
         profiles:
@@ -52,9 +55,10 @@ services:
         env_file:
           - env.production
           - data/keycloak/secrets
-        entrypoint: /keycloak-setup.sh
+        entrypoint: /entrypoint.sh
         volumes:
-          - ./keycloak/setup:/keycloak-setup.sh:ro
+          - ./keycloak/entrypoint-setup.sh:/entrypoint.sh:ro
+          - ./keycloak/mail-setup.sh:/keycloak-setup/mail-setup.sh:ro
           - ./keycloak/client-create:/bin/client-create:ro
 
   # add the keycloak nginx configuration into the nginx volume

keycloak/entrypoint-setup.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+export PATH=/opt/keycloak/bin:$PATH
+
+# perform an authentication as admin so that all other scripts can
+# use the cached credentials
+
+kcadm.sh \
+	config credentials \
+	--server http://keycloak:8080/ \
+	--user admin \
+	--password "$KEYCLOAK_ADMIN_PASSWORD" \
+	--realm master \
+|| exit 1
+
+for file in /keycloak-setup/* ; do
+	echo >&2 "$file: running setup"
+	$file || exit 1
+done

keycloak/mail-setup.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if [ -z "$SMTP_SERVER" ]; then
+	exit 0
+fi
+
+echo >&2 "*** configuring email to use $SMTP_SERVER"
+/opt/keycloak/bin/kcadm.sh update \
+	"realms/$REALM" \
+	-f - <<EOF || exit 1
+{
+  "resetPasswordAllowed": "true",
+  "smtpServer" : {
+    "auth" : "true",
+    "starttls" : "true",
+    "user" : "$SMTP_USER",
+    "password" : "$SMTP_PASSWORD",
+    "port" : "$SMTP_PORT",
+    "host" : "$SMTP_SERVER",
+    "from" : "keycloak@$DOMAIN_NAME",
+    "fromDisplayName" : "Keycloak @ $DOMAIN_NAME",
+    "ssl" : "false"
+  }
+}
+EOF
+
+exit 0