maintenance: tighten metis access and control ui

2026-03-31 18:47:38 -03:00 · 2026-03-31 18:47:38 -03:00 · 7aebb4ee08
commit 7aebb4ee08
parent 3bd9f08a67
5 changed files with 11 additions and 8 deletions
--- a/services/keycloak/oneoffs/realm-settings-job.yaml
+++ b/services/keycloak/oneoffs/realm-settings-job.yaml
@ -1,15 +1,15 @@
 # services/keycloak/oneoffs/realm-settings-job.yaml
-# One-off job for sso/keycloak-realm-settings-36.
-# Purpose: keycloak realm settings 36 (see container args/env in this file).
-# Run by setting spec.suspend to false, reconcile, then set it back to true.
+# One-off job for sso/keycloak-realm-settings-37.
+# Purpose: keycloak realm settings 37 (see container args/env in this file).
+# This revision runs once to ensure the maintenance group exists for Metis access.
 # Safe to delete the finished Job/pod; it should not run continuously.
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-realm-settings-36
+  name: keycloak-realm-settings-37
  namespace: sso
 spec:
-  suspend: true
+  suspend: false
  backoffLimit: 0
  template:
    metadata:
@ -336,6 +336,7 @@ spec:
              # Ensure basic realm groups exist for provisioning.
              ensure_group("dev")
              ensure_group("admin")
+              ensure_group("maintenance")
              ensure_group("demo")
              ensure_group("test")
              ensure_group("vaultwarden_grandfathered")
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@ -42,7 +42,7 @@ images:
  - name: registry.bstein.dev/bstein/ariadne
    newTag: 0.1.0-22 # {"$imagepolicy": "maintenance:ariadne:tag"}
  - name: registry.bstein.dev/bstein/metis
-    newTag: 0.1.0-1-amd64
+    newTag: 0.1.0-2-amd64
 configMapGenerator:
  - name: disable-k3s-traefik-script
    namespace: maintenance
--- a/services/maintenance/metis-configmap.yaml
+++ b/services/maintenance/metis-configmap.yaml
@ -12,7 +12,6 @@ data:
  METIS_FLASH_HOSTS: titan-22
  METIS_LOCAL_HOST: titan-22
  METIS_ALLOWED_GROUPS: admin,maintenance,maintainer
-  METIS_ALLOWED_USERS: brad.stein@gmail.com,brad@bstein.dev,bstein
  METIS_MAX_DEVICE_BYTES: "300000000000"
  METIS_SENTINEL_PUSH_URL: http://metis.maintenance.svc.cluster.local/internal/sentinel/snapshot
  METIS_SENTINEL_INTERVAL_SEC: "1800"
--- a/services/maintenance/metis-deployment.yaml
+++ b/services/maintenance/metis-deployment.yaml
@ -27,7 +27,7 @@ spec:
        node-role.kubernetes.io/accelerator: "true"
      containers:
        - name: metis
-          image: registry.bstein.dev/bstein/metis:0.1.0-1-amd64
+          image: registry.bstein.dev/bstein/metis:0.1.0-2-amd64
          imagePullPolicy: Always
          envFrom:
            - configMapRef:
--- a/services/maintenance/oauth2-proxy-metis.yaml
+++ b/services/maintenance/oauth2-proxy-metis.yaml
@ -79,8 +79,11 @@ spec:
            - --scope=openid profile email groups
            - --email-domain=*
            - --allowed-group=admin
+            - --allowed-group=/admin
            - --allowed-group=maintenance
+            - --allowed-group=/maintenance
            - --allowed-group=maintainer
+            - --allowed-group=/maintainer
            - --set-xauthrequest=true
            - --pass-access-token=true
            - --set-authorization-header=true