- Rename the bootstrap human admin from jovann@siteconseil.fr to
jovann@e-cosplay.fr in docker-compose env vars and in the realm
import JSON. Keycloak identifies users by username so a new user
is created on the next sync run; the old jovann@siteconseil.fr
is left in place and can be deleted manually from the admin UI.
- Introduce a service account client `sync-bot` in the master
realm (confidential, service accounts enabled, direct grants off)
granted the `admin` realm role. sync.sh now authenticates via
client_credentials, falling back to the bootstrap admin only on
the very first run — so reconciliation keeps working after the
default admin is disabled.
- Add disable_default_admin() at the end of the sync script. It
first verifies that sync-bot can authenticate, then flips the
`admin` user's `enabled` flag to false. Idempotent and safe:
refuses to run if sync-bot auth is broken, and is a no-op if
admin is already disabled.
- SYNC_BOT_CLIENT / SYNC_BOT_SECRET env vars added to the init
container for both bootstrap authentication and service client
secret reconciliation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
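The token flow and disable_default_admin() described above, as an added example that is not the project's sync.sh: it routes all HTTP through two small functions so the refuse/no-op logic can be exercised without a live Keycloak. Assumed names not in the commit: env vars KEYCLOAK_URL, KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD for the bootstrap fallback, and a default admin username of `admin`.

```shell
#!/usr/bin/env bash
# Added example, not the project's sync.sh. SYNC_BOT_CLIENT / SYNC_BOT_SECRET
# come from the commit; KEYCLOAK_URL, KEYCLOAK_ADMIN, KEYCLOAK_ADMIN_PASSWORD
# and the username "admin" are assumptions.
set -euo pipefail
KC="${KEYCLOAK_URL:-http://localhost:8080}"
TOKEN_URL="$KC/realms/master/protocol/openid-connect/token"
ADMIN_URL="$KC/admin/realms/master"
SYNC_BOT_CLIENT="${SYNC_BOT_CLIENT:-sync-bot}"
SYNC_BOT_SECRET="${SYNC_BOT_SECRET:-}"

# All HTTP goes through these two functions so they can be stubbed in tests.
kc_token_request() { curl -sSf -d "$1" "$TOKEN_URL"; }   # $1 = form body
kc_admin_request() {                                      # METHOD URL TOKEN [JSON]
  curl -sSf -X "$1" -H "Authorization: Bearer $3" \
    -H "Content-Type: application/json" ${4:+-d "$4"} "$2"
}
# Pull one top-level string or boolean field out of a JSON response (no jq).
json_field() { tr -d '\n' | sed -n "s/.*\"$1\" *: *\"\{0,1\}\([^\",}]*\).*/\1/p"; }

sync_bot_token() {  # prints a token, or nothing if sync-bot cannot authenticate
  kc_token_request "grant_type=client_credentials&client_id=$SYNC_BOT_CLIENT&client_secret=$SYNC_BOT_SECRET" \
    2>/dev/null | json_field access_token || true
}
bootstrap_token() { # password grant via admin-cli; only for the very first run
  kc_token_request "grant_type=password&client_id=admin-cli&username=${KEYCLOAK_ADMIN:-admin}&password=${KEYCLOAK_ADMIN_PASSWORD:-}" \
    | json_field access_token
}
get_token() {       # prefer the service account, fall back to the bootstrap admin
  local t; t=$(sync_bot_token)
  if [ -n "$t" ]; then printf '%s\n' "$t"; return 0; fi
  echo "sync-bot auth failed, falling back to bootstrap admin" >&2
  bootstrap_token
}
# Returns 0 when admin is disabled (or already was), 1 when refusing to act.
disable_default_admin() {
  local token user id enabled
  token=$(sync_bot_token)
  if [ -z "$token" ]; then
    echo "refusing to disable admin: sync-bot cannot authenticate" >&2; return 1
  fi
  user=$(kc_admin_request GET "$ADMIN_URL/users?username=admin&exact=true" "$token")
  id=$(printf '%s' "$user" | json_field id)
  enabled=$(printf '%s' "$user" | json_field enabled)
  if [ -z "$id" ]; then echo "admin user not found" >&2; return 1; fi
  if [ "$enabled" = "false" ]; then echo "admin already disabled"; return 0; fi
  kc_admin_request PUT "$ADMIN_URL/users/$id" "$token" '{"enabled":false}'
  echo "admin disabled"
}
```

Because the lock-out check uses sync_bot_token() rather than get_token(), a run that only succeeded through the bootstrap fallback can never disable the account it just depended on.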