planka: enable project owners via oidc
This commit is contained in:
parent
ed9a41bd70
commit
1a50f51115
@ -2,7 +2,7 @@
|
|||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
metadata:
|
metadata:
|
||||||
name: keycloak-realm-settings-14
|
name: keycloak-realm-settings-15
|
||||||
namespace: sso
|
namespace: sso
|
||||||
spec:
|
spec:
|
||||||
backoffLimit: 0
|
backoffLimit: 0
|
||||||
@ -251,6 +251,67 @@ spec:
|
|||||||
if status not in (201, 204):
|
if status not in (201, 204):
|
||||||
raise SystemExit(f"Unexpected group create response for {group_name}: {status}")
|
raise SystemExit(f"Unexpected group create response for {group_name}: {status}")
|
||||||
|
|
||||||
|
# Ensure Planka client exposes groups in userinfo for role mapping.
|
||||||
|
status, clients = http_json(
|
||||||
|
"GET",
|
||||||
|
f"{base_url}/admin/realms/{realm}/clients?clientId=planka",
|
||||||
|
access_token,
|
||||||
|
)
|
||||||
|
planka_client = None
|
||||||
|
if status == 200 and isinstance(clients, list):
|
||||||
|
for item in clients:
|
||||||
|
if isinstance(item, dict) and item.get("clientId") == "planka":
|
||||||
|
planka_client = item
|
||||||
|
break
|
||||||
|
|
||||||
|
if planka_client:
|
||||||
|
client_id = planka_client.get("id")
|
||||||
|
mapper_payload = {
|
||||||
|
"name": "groups",
|
||||||
|
"protocol": "openid-connect",
|
||||||
|
"protocolMapper": "oidc-group-membership-mapper",
|
||||||
|
"consentRequired": False,
|
||||||
|
"config": {
|
||||||
|
"full.path": "false",
|
||||||
|
"id.token.claim": "true",
|
||||||
|
"access.token.claim": "true",
|
||||||
|
"userinfo.token.claim": "true",
|
||||||
|
"claim.name": "groups",
|
||||||
|
"jsonType.label": "String",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
status, mappers = http_json(
|
||||||
|
"GET",
|
||||||
|
f"{base_url}/admin/realms/{realm}/clients/{client_id}/protocol-mappers/models",
|
||||||
|
access_token,
|
||||||
|
)
|
||||||
|
existing = None
|
||||||
|
if status == 200 and isinstance(mappers, list):
|
||||||
|
for item in mappers:
|
||||||
|
if isinstance(item, dict) and item.get("name") == mapper_payload["name"]:
|
||||||
|
existing = item
|
||||||
|
break
|
||||||
|
|
||||||
|
if existing and existing.get("id"):
|
||||||
|
mapper_payload["id"] = existing["id"]
|
||||||
|
status, _ = http_json(
|
||||||
|
"PUT",
|
||||||
|
f"{base_url}/admin/realms/{realm}/clients/{client_id}/protocol-mappers/models/{existing['id']}",
|
||||||
|
access_token,
|
||||||
|
mapper_payload,
|
||||||
|
)
|
||||||
|
if status not in (200, 204):
|
||||||
|
raise SystemExit(f"Unexpected protocol mapper update response: {status}")
|
||||||
|
else:
|
||||||
|
status, _ = http_json(
|
||||||
|
"POST",
|
||||||
|
f"{base_url}/admin/realms/{realm}/clients/{client_id}/protocol-mappers/models",
|
||||||
|
access_token,
|
||||||
|
mapper_payload,
|
||||||
|
)
|
||||||
|
if status not in (201, 204):
|
||||||
|
raise SystemExit(f"Unexpected protocol mapper create response: {status}")
|
||||||
|
|
||||||
# Ensure MFA is on by default for newly-created users.
|
# Ensure MFA is on by default for newly-created users.
|
||||||
status, required_actions = http_json(
|
status, required_actions = http_json(
|
||||||
"GET",
|
"GET",
|
||||||
|
|||||||
@ -66,6 +66,12 @@ spec:
|
|||||||
value: https://tasks.bstein.dev
|
value: https://tasks.bstein.dev
|
||||||
- name: TRUST_PROXY
|
- name: TRUST_PROXY
|
||||||
value: "true"
|
value: "true"
|
||||||
|
- name: OIDC_IGNORE_ROLES
|
||||||
|
value: "false"
|
||||||
|
- name: OIDC_PROJECT_OWNER_ROLES
|
||||||
|
value: "*"
|
||||||
|
- name: OIDC_ROLES_ATTRIBUTE
|
||||||
|
value: groups
|
||||||
envFrom:
|
envFrom:
|
||||||
- secretRef:
|
- secretRef:
|
||||||
name: planka-db
|
name: planka-db
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user