incremental fixes

Author: phrocker

.gitignore

@@ -49,3 +49,4 @@ package-lock.json
 .settings/*
 .env.bak
 cp.env.bak
+.generated.env

.local.env

@@ -1,6 +1,6 @@
 SENTRIUS_VERSION=1.1.110
 SENTRIUS_SSH_VERSION=1.1.19
-SENTRIUS_KEYCLOAK_VERSION=1.1.26
+SENTRIUS_KEYCLOAK_VERSION=1.1.31
 SENTRIUS_AGENT_VERSION=1.1.19
 SENTRIUS_AI_AGENT_VERSION=1.1.34
 LLMPROXY_VERSION=1.0.22

.local.env.bak

@@ -1,6 +1,6 @@
-SENTRIUS_VERSION=1.1.109
+SENTRIUS_VERSION=1.1.110
 SENTRIUS_SSH_VERSION=1.1.19
-SENTRIUS_KEYCLOAK_VERSION=1.1.26
+SENTRIUS_KEYCLOAK_VERSION=1.1.30
 SENTRIUS_AGENT_VERSION=1.1.19
 SENTRIUS_AI_AGENT_VERSION=1.1.34
 LLMPROXY_VERSION=1.0.22

docker/keycloak/process-realm-template.sh

@@ -41,8 +41,10 @@ else
 fi
 
 # Set default values for other placeholders
-export ROOT_URL="${ROOT_URL:-http://localhost:8080}"
-export REDIRECT_URIS="${REDIRECT_URIS:-http://localhost:8080}"
+# set in helm chart
+#export ROOT_URL="${ROOT_URL:-http://localhost:8080}"
+# set in helm chart
+#export REDIRECT_URIS="${REDIRECT_URIS:-http://localhost:8080}"
 export GOOGLE_CLIENT_ID="${GOOGLE_CLIENT_ID:-}"
 export GOOGLE_CLIENT_SECRET="${GOOGLE_CLIENT_SECRET:-}"
 
@@ -58,12 +60,14 @@ sed -e "s|\${SENTRIUS_API_CLIENT_SECRET}|${SENTRIUS_API_CLIENT_SECRET}|g" \
     -e "s|\${SENTRIUS_LAUNCHER_CLIENT_SECRET}|${SENTRIUS_LAUNCHER_CLIENT_SECRET}|g" \
     -e "s|\${JAVA_AGENTS_CLIENT_SECRET}|${JAVA_AGENTS_CLIENT_SECRET}|g" \
     -e "s|\${AI_AGENT_ASSESSOR_CLIENT_SECRET}|${AI_AGENT_ASSESSOR_CLIENT_SECRET}|g" \
-    -e "s|\${ROOT_URL}|${ROOT_URL}|g" \
-    -e "s|\${REDIRECT_URIS}|${REDIRECT_URIS}|g" \
     -e "s|\${GOOGLE_CLIENT_ID}|${GOOGLE_CLIENT_ID}|g" \
     -e "s|\${GOOGLE_CLIENT_SECRET}|${GOOGLE_CLIENT_SECRET}|g" \
     "$REALM_TEMPLATE" > "$REALM_OUTPUT"
 
+  # these two are set helm chart
+  #    -e "s|\${ROOT_URL}|${ROOT_URL}|g" \
+  #    -e "s|\${REDIRECT_URIS}|${REDIRECT_URIS}|g" \
+
 if [ $? -eq 0 ]; then
     echo "Realm template processed successfully: $REALM_OUTPUT"
 else
@@ -80,4 +84,4 @@ if command -v jq >/dev/null 2>&1; then
     echo "Generated realm JSON is valid"
 else
     echo "Note: jq not available, skipping JSON validation"
-fi
+fi

ops-scripts/local/deploy-helm.sh

@@ -29,6 +29,32 @@ fi
 #    --set sentrius-keycloak.image.pullPolicy="Never" \
 #    --set sentrius-bad-ssh.image.pullPolicy="Never" \
 
+# Load any previously generated password from .generated.env
+GENERATED_ENV_PATH="${SCRIPT_DIR}/../../.generated.env"
+if [[ -f "$GENERATED_ENV_PATH" ]]; then
+    source "$GENERATED_ENV_PATH"
+fi
+
+# Generate Keycloak DB password if not set and secret doesn't exist
+if [[ -z "$KEYCLOAK_DB_PASSWORD" ]]; then
+    echo "🔎 Checking if keycloak secret already exists..."
+    if kubectl get secret "${TENANT}-keycloak-secrets" --namespace "${TENANT}" >/dev/null 2>&1; then
+        echo "✅ Found existing keycloak secret; extracting DB password..."
+        KEYCLOAK_DB_PASSWORD=$(kubectl get secret "${TENANT}-keycloak-secrets" --namespace "${TENANT}" -o jsonpath="{.data.db-password}" | base64 --decode)
+
+        if [[ -z "$KEYCLOAK_DB_PASSWORD" ]]; then
+            echo "❌ Secret exists but db-password is empty; exiting for safety"
+            exit 1
+        fi
+    else
+        echo "⚠️ No existing secret found; generating new Keycloak DB password..."
+        KEYCLOAK_DB_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24)
+
+        # Persist it to .generated.env so it doesn't change between runs
+        echo "KEYCLOAK_DB_PASSWORD=${KEYCLOAK_DB_PASSWORD}" > "$GENERATED_ENV_PATH"
+    fi
+fi
+
 
 helm upgrade --install sentrius ./sentrius-chart --namespace ${TENANT} \
     --set tenant=${TENANT} \
@@ -41,6 +67,7 @@ helm upgrade --install sentrius ./sentrius-chart --namespace ${TENANT} \
     --set integrationproxy.image.repository="sentrius-integration-proxy" \
     --set integrationproxy.image.pullPolicy="Never" \
     --set sentrius.image.repository="sentrius" \
+    --set keycloak.db.password="${KEYCLOAK_DB_PASSWORD}" \
     --set sentrius.image.pullPolicy="Never" \
     --set keycloak.image.pullPolicy="Never" \
     --set ssh.image.pullPolicy="Never" \

ops-scripts/local/shutdown-k8s.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -e
+
+TENANT="dev"
+RELEASE="sentrius"
+
+echo "This will delete the Helm release '$RELEASE' and the entire TENANT '$TENANT'."
+read -p "Are you sure? (y/N): " CONFIRM
+
+if [[ "$CONFIRM" != "y" && "$CONFIRM" != "Y" ]]; then
+  echo "❌ Aborted."
+  exit 1
+fi
+
+echo "Uninstalling Helm release..."
+helm uninstall "$RELEASE" -n "$TENANT" || echo "Helm release not found."
+
+echo "🧹 Deleting TENANT '$TENANT'..."
+kubectl delete TENANT "$TENANT" || echo "TENANT not found."
+
+echo "⏳ Waiting for TENANT deletion to complete..."
+while kubectl get TENANT "$TENANT" &> /dev/null; do
+  echo "  ... still deleting ..."
+  sleep 2
+done
+
+echo "TENANT '$TENANT' deleted."
+
+echo "Done."

sentrius-chart/templates/_helpers.tpl

@@ -17,4 +17,9 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/name: sentrius-launcher-service
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
+{{- end -}}
+{{- define "keycloak.requireDbPassword" -}}
+{{- if not .Values.keycloak.db.password }}
+  {{- fail "Error: keycloak.db.password must be specified or generated externally." }}
+{{- end }}
+{{- end }}

sentrius-chart/templates/agent-deployment.yaml

@@ -43,6 +43,11 @@ spec:
                 secretKeyRef:
                   name: {{ .Release.Name }}-db-secret
                   key: keystore-password
+            - name: KEYCLOAK_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-oauth2-secrets
+                  key: java-agents-client-secret
       volumes:
         - name: config-volume
           configMap:

sentrius-chart/templates/ai-agent-deployment.yaml

@@ -27,6 +27,12 @@ spec:
           volumeMounts:
             - name: config-volume
               mountPath: /config
+          env:
+            - name: KEYCLOAK_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-oauth2-secrets
+                  key: sentriusaiagent-client-secret
       volumes:
         - name: config-volume
           configMap:

sentrius-chart/templates/configmap.yaml

@@ -74,6 +74,7 @@ data:
     spring.kafka.properties.max.block.ms=500
     spring.kafka.properties.metadata.max.age.ms=10000
     spring.kafka.properties.retry.backoff.ms=1000
+    bootstrap-servers=sentrius-kafka:9092:
   ai-agent-application.properties: |
     spring.main.web-application-type=servlet
     spring.thymeleaf.enabled=true
@@ -131,6 +132,7 @@ data:
     spring.kafka.properties.max.block.ms=500
     spring.kafka.properties.metadata.max.age.ms=10000
     spring.kafka.properties.retry.backoff.ms=1000
+    bootstrap-servers=sentrius-kafka:9092:
 
   analysis-agent-application.properties: |
     keystore.file=sso.jceks
@@ -201,6 +203,7 @@ data:
     # Reliability
     spring.kafka.producer.retries=5
     spring.kafka.producer.acks=all
+    bootstrap-servers=sentrius-kafka:9092:
 
     # Timeout tuning
     spring.kafka.producer.request-timeout-ms=10000