From 363e5640024d91244c3cb61e8f2e39b649bef82c Mon Sep 17 00:00:00 2001
From: jenkins
Date: Tue, 9 Jun 2026 01:18:30 -0300
Subject: [PATCH] keycloak: fix veles groups mapper
---
 services/keycloak/oneoffs/veles-realm-ensure-job.yaml | 5 +++--
 services/veles/NOTES.md | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/services/keycloak/oneoffs/veles-realm-ensure-job.yaml b/services/keycloak/oneoffs/veles-realm-ensure-job.yaml
index 5309d315..2b27db42 100644
--- a/services/keycloak/oneoffs/veles-realm-ensure-job.yaml
+++ b/services/keycloak/oneoffs/veles-realm-ensure-job.yaml
@@ -1,11 +1,11 @@
 # services/keycloak/oneoffs/veles-realm-ensure-job.yaml
-# One-off job for sso/veles-realm-ensure-1.
+# One-off job for sso/veles-realm-ensure-2.
 # Purpose: create the Veles realm, groups, OIDC client, SMTP settings, and Vault client secret.
 # Keep suspended until Veles Vault paths/policies have reconciled, then unsuspend once.
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: veles-realm-ensure-1
+ name: veles-realm-ensure-2
 namespace: sso
 spec:
 suspend: true
@@ -261,6 +261,7 @@ spec:
 "access.token.claim": "true",
 "userinfo.token.claim": "true",
 "claim.name": "groups",
+ "jsonType.label": "String",
 },
 }
 status, mappers = request(
diff --git a/services/veles/NOTES.md b/services/veles/NOTES.md
index 47a93539..1a2e16cf 100644
--- a/services/veles/NOTES.md
+++ b/services/veles/NOTES.md
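Review bot: In the `@@ -261,6 +261,7 @@` hunk of `services/keycloak/oneoffs/veles-realm-ensure-job.yaml`, the added `"jsonType.label": "String"` reaches an already-provisioned realm only if the code after `status, mappers = request(` updates an existing mapper. If that code creates the mapper only when it is missing, re-running as `veles-realm-ensure-2` leaves the old mapper config in place; the logic is outside the hunk, so it needs checking there. The `groups` claim presumably drives authorization in Veles, so it is worth recording why the key is required, e.g. `# claim type must be set explicitly for the groups mapper (see <issue-id placeholder>)`. The file header says the job also creates the Vault client secret, so confirm that a second run reuses the existing secret rather than rotating one that consumers already hold.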
@@ -53,7 +53,7 @@ tolerations:
 3. Confirm the node normalizer applies the Veles labels and taint.
 4. Add Oceanus Longhorn disks at paths tagged by the Longhorn tag ensure job.
 5. Let Vault policy reconciliation run, then unsuspend `veles-secrets-ensure-2`.
-6. Unsuspend `veles-realm-ensure-1` in `services/keycloak` to create the realm/client secret.
+6. Unsuspend `veles-realm-ensure-2` in `services/keycloak` to create the realm/client secret.
 7. Create the Harbor `veles` project or robot access before image automation is enabled in production.
 8. Scale `veles-postgres`, then backend/frontend once app images exist.