sso(keycloak): grant portal admin client management
This commit is contained in:
parent
ccf76f2c7d
commit
85468110b3
@ -1,15 +1,15 @@
|
||||
# services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml
|
||||
# One-off job for sso/keycloak-portal-admin-secret-ensure-4.
|
||||
# Purpose: keycloak portal admin secret ensure 4 (see container args/env in this file).
|
||||
# One-off job for sso/keycloak-portal-admin-secret-ensure-5.
|
||||
# Purpose: keycloak portal admin secret ensure 5 (see container args/env in this file).
|
||||
# Run by setting spec.suspend to false, reconcile, then set it back to true.
|
||||
# Safe to delete the finished Job/pod; it should not run continuously.
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: keycloak-portal-admin-secret-ensure-4
|
||||
name: keycloak-portal-admin-secret-ensure-5
|
||||
namespace: sso
|
||||
spec:
|
||||
suspend: true
|
||||
suspend: false
|
||||
backoffLimit: 0
|
||||
template:
|
||||
metadata:
|
||||
@ -163,7 +163,7 @@ spec:
|
||||
if status not in (200, 204):
|
||||
raise SystemExit(f"Client update failed (status={status}) resp={resp}")
|
||||
|
||||
# Ensure the portal admin service account can manage users.
|
||||
# Ensure the portal admin service account can manage users and OIDC clients.
|
||||
status, svc_user = http_json(
|
||||
"GET",
|
||||
f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/service-account-user",
|
||||
@ -184,7 +184,15 @@ spec:
|
||||
if not rm_uuid:
|
||||
raise SystemExit("realm-management client has no id")
|
||||
|
||||
wanted_roles = ("query-users", "view-users", "manage-users", "impersonation")
|
||||
wanted_roles = (
|
||||
"query-users",
|
||||
"view-users",
|
||||
"manage-users",
|
||||
"impersonation",
|
||||
"query-clients",
|
||||
"view-clients",
|
||||
"manage-clients",
|
||||
)
|
||||
role_reps = []
|
||||
for role_name in wanted_roles:
|
||||
status, role = http_json(
|
||||
|
||||
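Review bot: The realm-wide `manage-clients` role added to `wanted_roles` in the third hunk lets the portal admin service account create, edit and delete any OIDC client in the realm — rotating other clients' secrets and changing their redirect URIs included — and together with the `manage-users` and `impersonation` grants already in the tuple this is close to realm-admin, yet nothing in the commit records why realm scope is needed. If the portal only needs the clients it provisions itself, Keycloak's fine-grained admin permissions on those specific clients would bound the blast radius; if realm scope is intentional, add a comment above the tuple such as `# manage-clients is realm-wide: this account can alter any client, including rotating secrets.` The loop that applies these roles continues past the hunk, so it is unclear whether roles present on the service account but absent from `wanted_roles` are ever revoked — worth confirming, since a later narrowing of this tuple would otherwise not take effect. Separately, the first hunk commits `suspend: false` while the file header says to set it back to true after reconciling; left that way, a reconciler will re-run the job whenever the finished Job is deleted (which the header calls safe), so restore `suspend: true` before merge or update the comment.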