bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vault/keycloak: restore kv access and wger sync rbac

Browse Source
This commit is contained in:
Brad Stein 2026-01-16 03:46:07 -03:00
parent 8ad9f0a664
commit 5cd196e043
3 changed files with 88 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
services/bstein-dev-home/rbac.yaml
View File

@ -106,3 +106,34 @@ subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: bstein-dev-home name: bstein-dev-home
namespace: bstein-dev-home namespace: bstein-dev-home
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: bstein-dev-home-wger-user-sync
namespace: health
rules:
- apiGroups: ["batch"]
resources: ["cronjobs"]
verbs: ["get"]
resourceNames: ["wger-user-sync"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["create", "get", "list", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: bstein-dev-home-wger-user-sync
namespace: health
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: bstein-dev-home-wger-user-sync
subjects:
- kind: ServiceAccount
name: bstein-dev-home
namespace: bstein-dev-home

36
services/keycloak/user-overrides-job.yaml
View File

@ -2,7 +2,7 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: keycloak-user-overrides-5 name: keycloak-user-overrides-6
namespace: sso namespace: sso
spec: spec:
backoffLimit: 0 backoffLimit: 0
@ -164,5 +164,39 @@ spec:
) )
if status not in (200, 204): if status not in (200, 204):
raise SystemExit(f"Unexpected user update response: {status}") raise SystemExit(f"Unexpected user update response: {status}")
# Ensure the user is in the admin group for Vault access.
status, groups = http_json(
"GET",
f"{base_url}/admin/realms/{realm}/groups?search=admin",
access_token,
)
if status != 200 or not isinstance(groups, list):
raise SystemExit("Unable to fetch groups")
group_id = ""
for item in groups:
if isinstance(item, dict) and item.get("name") == "admin":
group_id = item.get("id") or ""
break
if not group_id:
raise SystemExit("admin group not found")
status, memberships = http_json(
"GET",
f"{base_url}/admin/realms/{realm}/users/{user_id}/groups",
access_token,
)
if status != 200 or not isinstance(memberships, list):
raise SystemExit("Unable to read user groups")
already = any(
isinstance(item, dict) and item.get("id") == group_id for item in memberships
)
if not already:
status, _ = http_json(
"PUT",
f"{base_url}/admin/realms/{realm}/users/{user_id}/groups/{group_id}",
access_token,
)
if status not in (200, 204):
raise SystemExit(f"Unexpected group update response: {status}")
PY PY
volumeMounts: volumeMounts:

21
services/vault/scripts/vault_k8s_auth_configure.sh
View File

@ -142,6 +142,9 @@ path "kv/metadata/atlas/vault/*" {
path "kv/data/*" { path "kv/data/*" {
capabilities = ["create", "update", "read", "delete", "patch"] capabilities = ["create", "update", "read", "delete", "patch"]
} }
path "kv/metadata" {
capabilities = ["list"]
}
path "kv/metadata/*" { path "kv/metadata/*" {
capabilities = ["read", "list", "delete"] capabilities = ["read", "list", "delete"]
} }
@ -154,6 +157,24 @@ path "kv/metadata/atlas/shared/*" {
' '
write_raw_policy "vault-admin" "${vault_admin_policy}" write_raw_policy "vault-admin" "${vault_admin_policy}"
dev_kv_policy='
path "kv/metadata" {
capabilities = ["list"]
}
path "kv/metadata/atlas" {
capabilities = ["list"]
}
path "kv/metadata/atlas/shared" {
capabilities = ["list"]
}
path "kv/metadata/atlas/shared/*" {
capabilities = ["list"]
}
path "kv/data/atlas/shared/*" {
capabilities = ["read"]
}
'
write_raw_policy "dev-kv" "${dev_kv_policy}"
log "writing role vault-admin" log "writing role vault-admin"
vault write "auth/kubernetes/role/vault-admin" \ vault write "auth/kubernetes/role/vault-admin" \
bound_service_account_names="vault-admin" \ bound_service_account_names="vault-admin" \