- Rename the bootstrap human admin from jovann@siteconseil.fr to jovann@e-cosplay.fr in docker-compose env vars and in the realm import JSON. Keycloak identifies users by username so a new user is created on the next sync run; the old jovann@siteconseil.fr is left in place and can be deleted manually from the admin UI.
- Introduce a service account client `sync-bot` in the master realm (confidential, service accounts enabled, direct grants off) granted the `admin` realm role. sync.sh now authenticates via client_credentials, falling back to the bootstrap admin only on the very first run, so reconciliation keeps working after the default admin is disabled.
- Add disable_default_admin() at the end of the sync script. It first verifies that sync-bot can authenticate, then flips the `admin` user's `enabled` flag to false. Idempotent and safe: refuses to run if sync-bot auth is broken, and is a no-op if admin is already disabled.
- SYNC_BOT_CLIENT / SYNC_BOT_SECRET env vars added to the init container for both bootstrap authentication and service client secret reconciliation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
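The control flow the commit message describes (service account first, bootstrap admin only as a fallback, and a disable step that refuses to run unless the service account is proven to work) as an added example; this is not the repository's sync.sh. It is written in Python rather than shell so the Keycloak calls can be exercised offline through an injectable transport. The URL paths are Keycloak's standard token endpoint and admin REST API; the `admin-cli` client used for the password grant, the `exact=true` query parameter, the hostname, and every secret and user id are assumptions or constructed values.

```python
import json
from typing import Callable, Optional
from urllib import request, parse, error

# A transport takes (method, url, headers, body_bytes) and returns (status, body_text).
Transport = Callable[[str, str, dict, Optional[bytes]], tuple]


def urllib_transport(method, url, headers, body):
    """Real HTTP transport for use against a live Keycloak (not used by the offline test)."""
    req = request.Request(url, data=body, method=method, headers=headers)
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()


class KeycloakSync:
    def __init__(self, base_url, realm, transport: Transport = urllib_transport):
        self.base, self.realm, self.transport = base_url.rstrip("/"), realm, transport
        self.token_source = None  # "sync-bot" or "bootstrap-admin" after authenticate()

    def _token(self, form):
        url = f"{self.base}/realms/{self.realm}/protocol/openid-connect/token"
        status, body = self.transport("POST", url,
                                      {"Content-Type": "application/x-www-form-urlencoded"},
                                      parse.urlencode(form).encode())
        return json.loads(body).get("access_token") if status == 200 else None

    def service_account_token(self, client_id, client_secret):
        return self._token({"grant_type": "client_credentials",
                            "client_id": client_id, "client_secret": client_secret})

    def bootstrap_token(self, username, password):
        # Password grant through the built-in admin-cli client (assumed bootstrap path).
        return self._token({"grant_type": "password", "client_id": "admin-cli",
                            "username": username, "password": password})

    def authenticate(self, client_id, client_secret, admin_user, admin_pass):
        """Prefer the service account; fall back to the bootstrap admin only if it fails."""
        tok = self.service_account_token(client_id, client_secret)
        self.token_source = "sync-bot" if tok else None
        if not tok:
            tok = self.bootstrap_token(admin_user, admin_pass)
            self.token_source = "bootstrap-admin" if tok else None
        if not tok:
            raise RuntimeError("neither sync-bot nor the bootstrap admin could authenticate")
        return tok

    def _admin(self, token, method, path, payload=None):
        url = f"{self.base}/admin/realms/{self.realm}{path}"
        headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        return self.transport(method, url, headers,
                              json.dumps(payload).encode() if payload is not None else None)

    def find_user(self, token, username):
        status, body = self._admin(token, "GET",
                                   f"/users?username={parse.quote(username)}&exact=true")
        if status != 200:
            raise RuntimeError(f"user lookup failed: HTTP {status}")
        hits = [u for u in json.loads(body) if u.get("username") == username]
        return hits[0] if hits else None

    def disable_default_admin(self, client_id, client_secret, admin_username="admin"):
        """Returns 'disabled', 'already-disabled', or 'skipped' (sync-bot auth broken / no user)."""
        tok = self.service_account_token(client_id, client_secret)
        if not tok:
            return "skipped"  # never disable the fallback while the replacement is unproven
        user = self.find_user(tok, admin_username)
        if user is None:
            return "skipped"
        if not user.get("enabled", True):
            return "already-disabled"  # idempotent: nothing to do
        user["enabled"] = False
        status, _ = self._admin(tok, "PUT", f"/users/{user['id']}", user)
        if status != 204:
            raise RuntimeError(f"disable failed: HTTP {status}")
        return "disabled"


class FakeKeycloak:
    """Constructed in-memory stand-in for the token and admin endpoints, for offline runs."""
    def __init__(self, clients, admin_password, users):
        self.clients, self.admin_password, self.users = clients, admin_password, users

    def __call__(self, method, url, headers, body):
        path = url.split("://", 1)[1].split("/", 1)[1]  # drop scheme and host
        if path.endswith("/protocol/openid-connect/token"):
            form = dict(parse.parse_qsl(body.decode()))
            cid = form.get("client_id")
            ok = ((form.get("grant_type") == "client_credentials" and cid in self.clients
                   and self.clients[cid] == form.get("client_secret"))
                  or (form.get("grant_type") == "password" and form.get("username") == "admin"
                      and form.get("password") == self.admin_password))
            return (200, json.dumps({"access_token": "t-" + cid})) if ok else (401, "{}")
        if not headers.get("Authorization", "").startswith("Bearer t-"):
            return 401, "{}"
        if method == "GET" and "/users?" in path:
            q = dict(parse.parse_qsl(path.split("?", 1)[1]))
            return 200, json.dumps([u for u in self.users if u["username"] == q["username"]])
        if method == "PUT" and "/users/" in path:
            uid = path.rsplit("/", 1)[1]
            for u in self.users:
                if u["id"] == uid:
                    u.update(json.loads(body.decode()))
                    return 204, ""
        return 404, "{}"
```

The ordering in `disable_default_admin()` is the point: the service-account token is obtained first and the PUT is only issued with that token, so a misconfigured `sync-bot` (wrong secret, missing `admin` role) can never leave the realm with no working administrator. Pass `transport=urllib_transport` (the default) to run the same code against a real Keycloak.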