diff --git a/services/bstein-dev-home/rbac.yaml b/services/bstein-dev-home/rbac.yaml index f97ed24..7ce8fd8 100644 --- a/services/bstein-dev-home/rbac.yaml +++ b/services/bstein-dev-home/rbac.yaml @@ -106,3 +106,34 @@ subjects: - kind: ServiceAccount name: bstein-dev-home namespace: bstein-dev-home +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bstein-dev-home-wger-user-sync + namespace: health +rules: + - apiGroups: ["batch"] + resources: ["cronjobs"] + verbs: ["get"] + resourceNames: ["wger-user-sync"] + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create", "get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: bstein-dev-home-wger-user-sync + namespace: health +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bstein-dev-home-wger-user-sync +subjects: + - kind: ServiceAccount + name: bstein-dev-home + namespace: bstein-dev-home diff --git a/services/keycloak/user-overrides-job.yaml b/services/keycloak/user-overrides-job.yaml index b865e5e..6b398dc 100644 --- a/services/keycloak/user-overrides-job.yaml +++ b/services/keycloak/user-overrides-job.yaml @@ -2,7 +2,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: keycloak-user-overrides-5 + name: keycloak-user-overrides-6 namespace: sso spec: backoffLimit: 0 
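Review bot: The `jobs` rule in the new `health` Role grants unrestricted `create` — Kubernetes cannot scope `create` by `resourceNames`, so the `bstein-dev-home` service account can create any Job in `health` with any image and any `serviceAccountName` that exists in that namespace, not just one cloned from the `wger-user-sync` CronJob it is allowed to `get`. That is a cross-namespace escalation path to every service account in `health`; if it is accepted, document it on the Role with a comment such as `# "create" on jobs cannot be name-scoped: this SA can create arbitrary Jobs in health (any image / serviceAccountName)`, and consider an admission policy that pins created Jobs to the CronJob's template. The `pods` get/list grant is presumably for tracking the spawned Job's pods; `pods/log` is not included, which is fine if the caller never reads logs.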
@@ -164,5 +164,39 @@ spec: ) if status not in (200, 204): raise SystemExit(f"Unexpected user update response: {status}") + + # Ensure the user is in the admin group for Vault access. + status, groups = http_json( + "GET", + f"{base_url}/admin/realms/{realm}/groups?search=admin", + access_token, + ) + if status != 200 or not isinstance(groups, list): + raise SystemExit("Unable to fetch groups") + group_id = "" + for item in groups: + if isinstance(item, dict) and item.get("name") == "admin": + group_id = item.get("id") or "" + break + if not group_id: + raise SystemExit("admin group not found") + status, memberships = http_json( + "GET", + f"{base_url}/admin/realms/{realm}/users/{user_id}/groups", + access_token, + ) + if status != 200 or not isinstance(memberships, list): + raise SystemExit("Unable to read user groups") + already = any( + isinstance(item, dict) and item.get("id") == group_id for item in memberships + ) + if not already: + status, _ = http_json( + "PUT", + f"{base_url}/admin/realms/{realm}/users/{user_id}/groups/{group_id}", + access_token, + ) + if status not in (200, 204): + raise SystemExit(f"Unexpected group update response: {status}") PY - volumeMounts: \ No newline at end of file + volumeMounts: diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh index 3a721c1..325185d 100644 --- a/services/vault/scripts/vault_k8s_auth_configure.sh +++ b/services/vault/scripts/vault_k8s_auth_configure.sh @@ -142,6 +142,9 @@ path "kv/metadata/atlas/vault/*" { path "kv/data/*" { capabilities = ["create", "update", "read", "delete", "patch"] } +path "kv/metadata" { + capabilities = ["list"] +} path "kv/metadata/*" { capabilities = ["read", "list", "delete"] } 
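Review bot: The group lookup at `groups?search=admin` is a substring search and, when the match is a subgroup, Keycloak returns the parent group under the parent's name, so the exact `item.get("name") == "admin"` filter only finds a top-level group named `admin`; if the deployed Keycloak supports it, `groups?search=admin&exact=true` narrows the query, and the `admin group not found` message should say it expects a top-level group. Adding a user to the `admin` group is a privilege grant (the comment ties it to Vault access), yet the success path is silent — an audit line after the PUT such as `print(f"added user {user_id} to group admin ({group_id})")` would leave a record in the Job log of who gained that access. The enclosing script starts before this hunk; `http_json`, `user_id`, `base_url` and `realm` are defined there.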
@@ -154,6 +157,24 @@ path "kv/metadata/atlas/shared/*" { ' write_raw_policy "vault-admin" "${vault_admin_policy}" +dev_kv_policy=' +path "kv/metadata" { + capabilities = ["list"] +} +path "kv/metadata/atlas" { + capabilities = ["list"] +} +path "kv/metadata/atlas/shared" { + capabilities = ["list"] +} +path "kv/metadata/atlas/shared/*" { + capabilities = ["list"] +} +path "kv/data/atlas/shared/*" { + capabilities = ["read"] +} +' +write_raw_policy "dev-kv" "${dev_kv_policy}" log "writing role vault-admin" vault write "auth/kubernetes/role/vault-admin" \ bound_service_account_names="vault-admin" \
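Review bot: The exact-match `list` rules `path "kv/metadata"`, `path "kv/metadata/atlas"` and `path "kv/metadata/atlas/shared"` in `dev_kv_policy` may never match a real request: to my recollection Vault appends a trailing slash to LIST request paths before the ACL check, so `vault kv list kv/atlas` is evaluated against `kv/metadata/atlas/`, which an exact rule without the slash does not cover, and only the `kv/metadata/atlas/shared/*` glob covers its own subtree. If that holds, write them as `path "kv/metadata/"`, `path "kv/metadata/atlas/"` and `path "kv/metadata/atlas/shared/"` and verify with a token that carries only `dev-kv`. Nothing in this hunk attaches `dev-kv` to a role or entity, so a comment above `write_raw_policy "dev-kv"` naming the intended consumer (e.g. `# dev-kv: read-only access to kv/atlas/shared for developer logins; attached to the OIDC/k8s role elsewhere`) would keep it from reading as dead configuration.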