sso(keycloak): grant portal admin client management

2026-05-21 02:43:06 -03:00 · 2026-05-21 02:43:06 -03:00 · 85468110b3
commit 85468110b3
parent ccf76f2c7d
1 changed files with 14 additions and 6 deletions
--- a/services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml
@ -1,15 +1,15 @@
 # services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml
-# One-off job for sso/keycloak-portal-admin-secret-ensure-4.
+# One-off job for sso/keycloak-portal-admin-secret-ensure-5.
-# Purpose: keycloak portal admin secret ensure 4 (see container args/env in this file).
+# Purpose: keycloak portal admin secret ensure 5 (see container args/env in this file).
 # Run by setting spec.suspend to false, reconcile, then set it back to true.
 # Safe to delete the finished Job/pod; it should not run continuously.
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-portal-admin-secret-ensure-4
+  name: keycloak-portal-admin-secret-ensure-5
  namespace: sso
 spec:
-  suspend: true
+  suspend: false
  backoffLimit: 0
  template:
    metadata:
@ -163,7 +163,7 @@ spec:
                  if status not in (200, 204):
                      raise SystemExit(f"Client update failed (status={status}) resp={resp}")
-              # Ensure the portal admin service account can manage users.
+              # Ensure the portal admin service account can manage users and OIDC clients.
              status, svc_user = http_json(
                  "GET",
                  f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/service-account-user",
@ -184,7 +184,15 @@ spec:
              if not rm_uuid:
                  raise SystemExit("realm-management client has no id")
-              wanted_roles = ("query-users", "view-users", "manage-users", "impersonation")
+              wanted_roles = (
                  "query-users",
                  "view-users",
                  "manage-users",
                  "impersonation",
                  "query-clients",
                  "view-clients",
                  "manage-clients",
              )
              role_reps = []
              for role_name in wanted_roles:
                  status, role = http_json(