keycloak: enforce bstein group membership

This commit is contained in:
Brad Stein 2026-01-16 17:36:07 -03:00
parent 401df4d68c
commit 1eb7d58259


@ -2,7 +2,7 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: keycloak-user-overrides-6 name: keycloak-user-overrides-7
namespace: sso namespace: sso
spec: spec:
backoffLimit: 0 backoffLimit: 0
@ -150,11 +150,13 @@ spec:
if not isinstance(attrs, dict): if not isinstance(attrs, dict):
attrs = {} attrs = {}
existing = attrs.get("mailu_email") existing = attrs.get("mailu_email")
needs_update = True
if isinstance(existing, list) and existing and existing[0] == override_mailu_email: if isinstance(existing, list) and existing and existing[0] == override_mailu_email:
raise SystemExit(0) needs_update = False
if isinstance(existing, str) and existing == override_mailu_email: if isinstance(existing, str) and existing == override_mailu_email:
raise SystemExit(0) needs_update = False
if needs_update:
attrs["mailu_email"] = [override_mailu_email] attrs["mailu_email"] = [override_mailu_email]
status, _ = http_json( status, _ = http_json(
"PUT", "PUT",
@ -165,21 +167,22 @@ spec:
if status not in (200, 204): if status not in (200, 204):
raise SystemExit(f"Unexpected user update response: {status}") raise SystemExit(f"Unexpected user update response: {status}")
# Ensure the user is in the admin group for Vault access. # Ensure the user is in the admin and planka-users groups.
def ensure_group(group_name: str) -> None:
status, groups = http_json( status, groups = http_json(
"GET", "GET",
f"{base_url}/admin/realms/{realm}/groups?search=admin", f"{base_url}/admin/realms/{realm}/groups?search={urllib.parse.quote(group_name)}",
access_token, access_token,
) )
if status != 200 or not isinstance(groups, list): if status != 200 or not isinstance(groups, list):
raise SystemExit("Unable to fetch groups") raise SystemExit("Unable to fetch groups")
group_id = "" group_id = ""
for item in groups: for item in groups:
if isinstance(item, dict) and item.get("name") == "admin": if isinstance(item, dict) and item.get("name") == group_name:
group_id = item.get("id") or "" group_id = item.get("id") or ""
break break
if not group_id: if not group_id:
raise SystemExit("admin group not found") raise SystemExit(f"{group_name} group not found")
status, memberships = http_json( status, memberships = http_json(
"GET", "GET",
f"{base_url}/admin/realms/{realm}/users/{user_id}/groups", f"{base_url}/admin/realms/{realm}/users/{user_id}/groups",
@ -190,13 +193,19 @@ spec:
already = any( already = any(
isinstance(item, dict) and item.get("id") == group_id for item in memberships isinstance(item, dict) and item.get("id") == group_id for item in memberships
) )
if not already: if already:
return
status, _ = http_json( status, _ = http_json(
"PUT", "PUT",
f"{base_url}/admin/realms/{realm}/users/{user_id}/groups/{group_id}", f"{base_url}/admin/realms/{realm}/users/{user_id}/groups/{group_id}",
access_token, access_token,
) )
if status not in (200, 204): if status not in (200, 204):
raise SystemExit(f"Unexpected group update response: {status}") raise SystemExit(
f"Unexpected group update response for {group_name}: {status}"
)
for group in ("admin", "planka-users"):
ensure_group(group)
PY PY
volumeMounts: volumeMounts:
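Review bot: `ensure_group` in the third hunk has no docstring, and it closes over `base_url`, `realm`, `access_token` and `user_id`, which are bound before the hunk; the enclosing embedded script starts and ends outside it. Add `"""Add the current user to the top-level Keycloak group *group_name*; exits non-zero if the group cannot be found or the admin API returns an unexpected status."""` under the `def` line so a reader sees the exit behaviour without tracing each `SystemExit`. Keycloak's `?search=` parameter is a substring match and, as far as I recall, the response lists only top-level groups with nested hits under `subGroups`, so the exact-name loop would report a group that exists only as a subgroup as "not found"; a one-line comment such as `# search= is a substring match; filter for the exact top-level name` above the `for item in groups:` loop would make that intent explicit. The new `urllib.parse.quote` call depends on `urllib.parse` being importable via the script header, which is outside this hunk; an explicit `import urllib.parse` there would make that dependency visible rather than relying on it being pulled in by another urllib import. The final loop only ever adds memberships, so the job guarantees presence in the listed groups but does not remove any other membership, which is worth stating in the comment at the top of this block.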