vault/keycloak: restore kv access and wger sync rbac

services/bstein-dev-home/rbac.yaml

@@ -106,3 +106,34 @@ subjects:
   - kind: ServiceAccount
     name: bstein-dev-home
     namespace: bstein-dev-home
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: bstein-dev-home-wger-user-sync
+  namespace: health
+rules:
+  - apiGroups: ["batch"]
+    resources: ["cronjobs"]
+    verbs: ["get"]
+    resourceNames: ["wger-user-sync"]
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: bstein-dev-home-wger-user-sync
+  namespace: health
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: bstein-dev-home-wger-user-sync
+subjects:
+  - kind: ServiceAccount
+    name: bstein-dev-home
+    namespace: bstein-dev-home

services/keycloak/user-overrides-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-user-overrides-5
+  name: keycloak-user-overrides-6
   namespace: sso
 spec:
   backoffLimit: 0
@@ -164,5 +164,39 @@ spec:
               )
               if status not in (200, 204):
                   raise SystemExit(f"Unexpected user update response: {status}")
+
+              # Ensure the user is in the admin group for Vault access.
+              status, groups = http_json(
+                  "GET",
+                  f"{base_url}/admin/realms/{realm}/groups?search=admin",
+                  access_token,
+              )
+              if status != 200 or not isinstance(groups, list):
+                  raise SystemExit("Unable to fetch groups")
+              group_id = ""
+              for item in groups:
+                  if isinstance(item, dict) and item.get("name") == "admin":
+                      group_id = item.get("id") or ""
+                      break
+              if not group_id:
+                  raise SystemExit("admin group not found")
+              status, memberships = http_json(
+                  "GET",
+                  f"{base_url}/admin/realms/{realm}/users/{user_id}/groups",
+                  access_token,
+              )
+              if status != 200 or not isinstance(memberships, list):
+                  raise SystemExit("Unable to read user groups")
+              already = any(
+                  isinstance(item, dict) and item.get("id") == group_id for item in memberships
+              )
+              if not already:
+                  status, _ = http_json(
+                      "PUT",
+                      f"{base_url}/admin/realms/{realm}/users/{user_id}/groups/{group_id}",
+                      access_token,
+                  )
+                  if status not in (200, 204):
+                      raise SystemExit(f"Unexpected group update response: {status}")
               PY
-          volumeMounts:
+          volumeMounts:

services/vault/scripts/vault_k8s_auth_configure.sh

@@ -142,6 +142,9 @@ path "kv/metadata/atlas/vault/*" {
 path "kv/data/*" {
   capabilities = ["create", "update", "read", "delete", "patch"]
 }
+path "kv/metadata" {
+  capabilities = ["list"]
+}
 path "kv/metadata/*" {
   capabilities = ["read", "list", "delete"]
 }
@@ -154,6 +157,24 @@ path "kv/metadata/atlas/shared/*" {
 '
 
 write_raw_policy "vault-admin" "${vault_admin_policy}"
+dev_kv_policy='
+path "kv/metadata" {
+  capabilities = ["list"]
+}
+path "kv/metadata/atlas" {
+  capabilities = ["list"]
+}
+path "kv/metadata/atlas/shared" {
+  capabilities = ["list"]
+}
+path "kv/metadata/atlas/shared/*" {
+  capabilities = ["list"]
+}
+path "kv/data/atlas/shared/*" {
+  capabilities = ["read"]
+}
+'
+write_raw_policy "dev-kv" "${dev_kv_policy}"
 log "writing role vault-admin"
 vault write "auth/kubernetes/role/vault-admin" \
   bound_service_account_names="vault-admin" \