keycloak: make veles realm job idempotent

jenkins 2026-06-09 01:26:22 -03:00
parent 363e564002
commit 6a40f40932
2 changed files with 4 additions and 3 deletions

@ -1,11 +1,11 @@
# services/keycloak/oneoffs/veles-realm-ensure-job.yaml # services/keycloak/oneoffs/veles-realm-ensure-job.yaml
# One-off job for sso/veles-realm-ensure-2. # One-off job for sso/veles-realm-ensure-3.
# Purpose: create the Veles realm, groups, OIDC client, SMTP settings, and Vault client secret. # Purpose: create the Veles realm, groups, OIDC client, SMTP settings, and Vault client secret.
# Keep suspended until Veles Vault paths/policies have reconciled, then unsuspend once. # Keep suspended until Veles Vault paths/policies have reconciled, then unsuspend once.
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: veles-realm-ensure-2 name: veles-realm-ensure-3
namespace: sso namespace: sso
spec: spec:
suspend: true suspend: true
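Review bot: The header comment still calls this a one-off and says "then unsuspend once", which no longer matches the commit's stated goal of making the job idempotent. If a second run is now safe, say so in the comment; if it is not (for example because a re-run would touch the Vault client secret listed under Purpose), state that instead. The rename at `name: veles-realm-ensure-3` also leaves the existing `veles-realm-ensure-2` Job in `sso` unaddressed; note whether it is pruned automatically or has to be deleted by hand.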
@ -273,6 +273,7 @@ spec:
raise SystemExit(f"Mapper lookup failed: status={status}") raise SystemExit(f"Mapper lookup failed: status={status}")
mapper_id = next((mapper.get("id") for mapper in mappers or [] if mapper.get("name") == "groups"), None) mapper_id = next((mapper.get("id") for mapper in mappers or [] if mapper.get("name") == "groups"), None)
if mapper_id: if mapper_id:
mapper_payload["id"] = mapper_id
status, body = request( status, body = request(
"PUT", "PUT",
f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/protocol-mappers/models/{mapper_id}", f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/protocol-mappers/models/{mapper_id}",
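Review bot: At `mapper_payload["id"] = mapper_id` the id is written into the request body even though the PUT URL already carries `{mapper_id}`, and nothing in the hunk says why. Add a one-line comment explaining why the update needs the id in the body, so a later cleanup does not drop the line. Separately, `next(...)` yields `mapper.get("id")`, so a mapper named "groups" that comes back without an id is indistinguishable from no mapper at all and skips this update branch; selecting the mapper object first and checking its id explicitly would make that case fail loudly.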

@ -53,7 +53,7 @@ tolerations:
3. Confirm the node normalizer applies the Veles labels and taint. 3. Confirm the node normalizer applies the Veles labels and taint.
4. Add Oceanus Longhorn disks at paths tagged by the Longhorn tag ensure job. 4. Add Oceanus Longhorn disks at paths tagged by the Longhorn tag ensure job.
5. Let Vault policy reconciliation run, then unsuspend `veles-secrets-ensure-2`. 5. Let Vault policy reconciliation run, then unsuspend `veles-secrets-ensure-2`.
6. Unsuspend `veles-realm-ensure-2` in `services/keycloak` to create the realm/client secret. 6. Unsuspend `veles-realm-ensure-3` in `services/keycloak` to create the realm/client secret.
7. Create the Harbor `veles` project or robot access before image automation is enabled in production. 7. Create the Harbor `veles` project or robot access before image automation is enabled in production.
8. Scale `veles-postgres`, then backend/frontend once app images exist. 8. Scale `veles-postgres`, then backend/frontend once app images exist.
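Review bot: Step 6 still reads as a first-time action ("to create the realm/client secret") and does not say what to do where `veles-realm-ensure-2` was already unsuspended and run. Add a sentence stating whether `veles-realm-ensure-3` should be run in that case and whether running it more than once is safe. The job name is also repeated by hand here and in the manifest, so every bump needs both files edited together, as this commit does.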