diff --git a/services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml b/services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml
index 1d3e7f37..9f544db6 100644
--- a/services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml
@@ -1,15 +1,15 @@
 # services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml
-# One-off job for sso/keycloak-portal-admin-secret-ensure-4.
-# Purpose: keycloak portal admin secret ensure 4 (see container args/env in this file).
+# One-off job for sso/keycloak-portal-admin-secret-ensure-5.
+# Purpose: keycloak portal admin secret ensure 5 (see container args/env in this file).
 # Run by setting spec.suspend to false, reconcile, then set it back to true.
 # Safe to delete the finished Job/pod; it should not run continuously.
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-portal-admin-secret-ensure-4
+  name: keycloak-portal-admin-secret-ensure-5
   namespace: sso
 spec:
-  suspend: true
+  suspend: false
   backoffLimit: 0
   template:
     metadata:
@@ -163,7 +163,7 @@ spec:
 if status not in (200, 204):
 raise SystemExit(f"Client update failed (status={status}) resp={resp}")
 
-# Ensure the portal admin service account can manage users.
+# Ensure the portal admin service account can manage users and OIDC clients.
 status, svc_user = http_json(
 "GET",
 f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/service-account-user",
@@ -184,7 +184,15 @@ spec:
 if not rm_uuid:
 raise SystemExit("realm-management client has no id")
 
-wanted_roles = ("query-users", "view-users", "manage-users", "impersonation")
+wanted_roles = (
+"query-users",
+"view-users",
+"manage-users",
+"impersonation",
+"query-clients",
+"view-clients",
+"manage-clients",
+)
 role_reps = []
 for role_name in wanted_roles:
 status, role = http_json(
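Review bot: The committed manifest now carries `suspend: false`, so the Job runs on the next reconcile of this revision and stays runnable on every later re-apply until a follow-up restores `suspend: true`, which the file's own header requires (`# Run by setting spec.suspend to false, reconcile, then set it back to true.`). Because the name is bumped to `keycloak-portal-admin-secret-ensure-5`, the Job is new to the cluster and will be created and executed immediately on reconcile. If this is the intended "run it" step, the follow-up commit that flips it back should be part of the same change request; otherwise keep `suspend: true` in git and unsuspend cluster-side.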
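Review bot: Adding `manage-clients` to the portal admin service account is a large privilege step that the added comment in the earlier hunk ("can manage users and OIDC clients") does not justify: in Keycloak's realm-management client that role grants write access to every client in the realm, including client credentials, redirect URIs and protocol mappers, which in practice is close to realm-admin. The tuple should carry a why-comment naming the concrete portal operation that needs write access, e.g. `# manage-clients: needed for <portal operation — fill in>; view/query alone are read-only`, and if the portal only needs to list or inspect clients, `manage-clients` should be dropped in favour of `query-clients` and `view-clients`. Note also that the job only ever adds roles; if a role is later removed from `wanted_roles`, nothing here revokes it from the service account, which is worth stating in the same comment. The `for role_name in wanted_roles:` loop and the role-mapping call continue past the end of this hunk, so the revocation behaviour is inferred, not visible.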