keycloak: fix veles groups mapper

2026-06-09 01:18:30 -03:00 · 2026-06-09 01:18:30 -03:00 · 363e564002
commit 363e564002
parent 2985a7d12c
2 changed files with 4 additions and 3 deletions
--- a/services/keycloak/oneoffs/veles-realm-ensure-job.yaml
+++ b/services/keycloak/oneoffs/veles-realm-ensure-job.yaml
@ -1,11 +1,11 @@
 # services/keycloak/oneoffs/veles-realm-ensure-job.yaml
-# One-off job for sso/veles-realm-ensure-1.
+# One-off job for sso/veles-realm-ensure-2.
 # Purpose: create the Veles realm, groups, OIDC client, SMTP settings, and Vault client secret.
 # Keep suspended until Veles Vault paths/policies have reconciled, then unsuspend once.
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: veles-realm-ensure-1
+  name: veles-realm-ensure-2
  namespace: sso
 spec:
  suspend: true
@ -261,6 +261,7 @@ spec:
                      "access.token.claim": "true",
                      "userinfo.token.claim": "true",
                      "claim.name": "groups",
+                      "jsonType.label": "String",
                  },
              }
              status, mappers = request(
--- a/services/veles/NOTES.md
+++ b/services/veles/NOTES.md
@ -53,7 +53,7 @@ tolerations:
 3. Confirm the node normalizer applies the Veles labels and taint.
 4. Add Oceanus Longhorn disks at paths tagged by the Longhorn tag ensure job.
 5. Let Vault policy reconciliation run, then unsuspend `veles-secrets-ensure-2`.
-6. Unsuspend `veles-realm-ensure-1` in `services/keycloak` to create the realm/client secret.
+6. Unsuspend `veles-realm-ensure-2` in `services/keycloak` to create the realm/client secret.
 7. Create the Harbor `veles` project or robot access before image automation is enabled in production.
 8. Scale `veles-postgres`, then backend/frontend once app images exist.