From 9474ab97f27147d4792f9ac1da83c0e29a0e5207 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Fri, 16 Jan 2026 07:53:04 -0300
Subject: [PATCH] maintenance: disable k3s traefik; keycloak portal admin roles
---
 ...portal-admin-client-secret-ensure-job.yaml | 67 ++++++++++++++++++-
 .../disable-k3s-traefik-daemonset.yaml | 49 ++++++++++++++
 .../disable-k3s-traefik-serviceaccount.yaml | 6 ++
 services/maintenance/kustomization.yaml | 8 +++
 .../scripts/disable_k3s_traefik.sh | 64 ++++++++++++++++++
 5 files changed, 193 insertions(+), 1 deletion(-)
 create mode 100644 services/maintenance/disable-k3s-traefik-daemonset.yaml
 create mode 100644 services/maintenance/disable-k3s-traefik-serviceaccount.yaml
 create mode 100644 services/maintenance/scripts/disable_k3s_traefik.sh
diff --git a/services/keycloak/portal-admin-client-secret-ensure-job.yaml b/services/keycloak/portal-admin-client-secret-ensure-job.yaml
index 350fc6e..af053a9 100644
--- a/services/keycloak/portal-admin-client-secret-ensure-job.yaml
+++ b/services/keycloak/portal-admin-client-secret-ensure-job.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: keycloak-portal-admin-secret-ensure-1
+ name: keycloak-portal-admin-secret-ensure-2
 namespace: sso
 spec:
 backoffLimit: 0
@@ -123,8 +123,18 @@ spec:
 if status != 200 or not isinstance(client_rep, dict):
 raise SystemExit(f"Unable to fetch client representation (status={status})")
+ updated = False
+ if client_rep.get("serviceAccountsEnabled") is not True:
+ client_rep["serviceAccountsEnabled"] = True
+ updated = True
+ if client_rep.get("publicClient") is not False:
+ client_rep["publicClient"] = False
+ updated = True
 if client_rep.get("secret") != client_secret:
 client_rep["secret"] = client_secret
+ updated = True
+
+ if updated:
 status, resp = http_json(
 "PUT",
 f"{base_url}/admin/realms/{realm}/clients/{client_uuid}",
@@ -134,5 +144,60 @@ spec:
 if status not in (200, 204):
 raise SystemExit(f"Client update failed (status={status}) resp={resp}")
+ # Ensure the portal admin service account can manage users.
+ status, svc_user = http_json(
+ "GET",
+ f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/service-account-user",
+ token,
+ )
+ if status != 200 or not isinstance(svc_user, dict) or not svc_user.get("id"):
+ raise SystemExit(f"Unable to fetch service account user (status={status})")
+ svc_user_id = svc_user["id"]
+
+ status, rm_clients = http_json(
+ "GET",
+ f"{base_url}/admin/realms/{realm}/clients?clientId=realm-management",
+ token,
+ )
+ if status != 200 or not isinstance(rm_clients, list) or not rm_clients:
+ raise SystemExit("Unable to find realm-management client")
+ rm_uuid = rm_clients[0].get("id")
+ if not rm_uuid:
+ raise SystemExit("realm-management client has no id")
+
+ wanted_roles = ("query-users", "view-users", "manage-users", "impersonation")
+ role_reps = []
+ for role_name in wanted_roles:
+ status, role = http_json(
+ "GET",
+ f"{base_url}/admin/realms/{realm}/clients/{rm_uuid}/roles/{urllib.parse.quote(role_name)}",
+ token,
+ )
+ if status != 200 or not isinstance(role, dict):
+ raise SystemExit(f"Unable to fetch role {role_name} (status={status})")
+ role_reps.append({"id": role.get("id"), "name": role.get("name")})
+
+ status, assigned = http_json(
+ "GET",
+ f"{base_url}/admin/realms/{realm}/users/{svc_user_id}/role-mappings/clients/{rm_uuid}",
+ token,
+ )
+ assigned_names = set()
+ if status == 200 and isinstance(assigned, list):
+ for r in assigned:
+ if isinstance(r, dict) and r.get("name"):
+ assigned_names.add(r["name"])
+
+ missing = [r for r in role_reps if r.get("name") and r["name"] not in assigned_names]
+ if missing:
+ status, resp = http_json(
+ "POST",
+ f"{base_url}/admin/realms/{realm}/users/{svc_user_id}/role-mappings/clients/{rm_uuid}",
+ token,
+ missing,
+ )
+ if status not in (200, 204):
+ raise SystemExit(f"Role mapping 
update failed (status={status}) resp={resp}")
+
 print(f"OK: ensured secret for {client_id}")
 PY
diff --git a/services/maintenance/disable-k3s-traefik-daemonset.yaml b/services/maintenance/disable-k3s-traefik-daemonset.yaml
new file mode 100644
index 0000000..71f0ece
--- /dev/null
+++ b/services/maintenance/disable-k3s-traefik-daemonset.yaml
@@ -0,0 +1,49 @@
+# services/maintenance/disable-k3s-traefik-daemonset.yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: disable-k3s-traefik
+ namespace: maintenance
+spec:
+ selector:
+ matchLabels:
+ app: disable-k3s-traefik
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: disable-k3s-traefik
+ spec:
+ serviceAccountName: disable-k3s-traefik
+ nodeSelector:
+ node-role.kubernetes.io/control-plane: "true"
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ containers:
+ - name: disable-k3s-traefik
+ image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
+ command: ["/usr/bin/env", "bash"]
+ args: ["/scripts/disable_k3s_traefik.sh"]
+ securityContext:
+ privileged: true
+ runAsUser: 0
+ volumeMounts:
+ - name: host-root
+ mountPath: /host
+ - name: script
+ mountPath: /scripts
+ readOnly: true
+ volumes:
+ - name: host-root
+ hostPath:
+ path: /
+ - name: script
+ configMap:
+ name: disable-k3s-traefik-script
+ defaultMode: 0555
diff --git a/services/maintenance/disable-k3s-traefik-serviceaccount.yaml b/services/maintenance/disable-k3s-traefik-serviceaccount.yaml
new file mode 100644
index 0000000..37bf6dc
--- /dev/null
+++ b/services/maintenance/disable-k3s-traefik-serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/maintenance/disable-k3s-traefik-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: disable-k3s-traefik
+ namespace: maintenance
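Review bot: `wanted_roles` includes `impersonation`, and the realm-management `impersonation` role lets its holder act as other users of the realm, which is far broader than the `query-users`/`view-users`/`manage-users` trio and than the comment above, which only says the account must "manage users"; either drop it or extend that comment to `# Ensure the portal admin service account can manage users; impersonation is needed for <reason>.` with the reason filled in. On the `role_reps.append(...)` line, `role.get("id")` is stored unchecked, so a role representation without an id would reach the role-mapping POST as `{"id": None, ...}` and only fail inside Keycloak; add `if not role.get("id"): raise SystemExit(f"Role {role_name} has no id")` next to the existing status check. The role URL relies on `urllib.parse.quote`, which assumes `urllib.parse` is imported earlier in the embedded script; that import and the start of the script body lie outside this hunk.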
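Review bot: The container runs with `privileged: true`, `runAsUser: 0` and the whole host filesystem mounted read-write at `/host`, and because the script ends in `sleep infinity` that root-on-host capability stays resident on every control-plane node long after the one-time change has been applied. If a DaemonSet is wanted so that future control-plane nodes are covered, narrow the mount to the paths the script writes (`/etc/systemd/system` and `/var/lib/rancher/k3s/server/manifests`) plus, read-only, whatever the `chroot "${host_root}" /bin/systemctl` calls need, and add a comment above `securityContext:` stating why privileged is still required. `bitnami/kubectl` is also a large image for a script that never invokes `kubectl`; a minimal image providing `bash` would shrink what runs privileged, and the digest pin should be kept when swapping it.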
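Review bot: The `disable-k3s-traefik` ServiceAccount gets no RoleBinding in this change and the script it backs never calls the Kubernetes API, so the token projected into the privileged pod is unused and only widens what a compromise of that pod would hold; add `automountServiceAccountToken: false` as a top-level field of this object (or set it in the DaemonSet pod spec). If RBAC for this account is bound elsewhere in the repository, a comment naming that binding would make it visible here.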
diff --git a/services/maintenance/kustomization.yaml b/services/maintenance/kustomization.yaml
index ce34afb..23d3f85 100644
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@@ -3,8 +3,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespace.yaml
+ - disable-k3s-traefik-serviceaccount.yaml
 - node-nofile-serviceaccount.yaml
 - pod-cleaner-rbac.yaml
+ - disable-k3s-traefik-daemonset.yaml
 - node-nofile-daemonset.yaml
 - pod-cleaner-cronjob.yaml
 - node-image-sweeper-serviceaccount.yaml
@@ -12,6 +14,12 @@ resources:
 - image-sweeper-cronjob.yaml
 configMapGenerator:
+ - name: disable-k3s-traefik-script
+ namespace: maintenance
+ files:
+ - disable_k3s_traefik.sh=scripts/disable_k3s_traefik.sh
+ options:
+ disableNameSuffixHash: true
 - name: node-nofile-script
 namespace: maintenance
 files:
diff --git a/services/maintenance/scripts/disable_k3s_traefik.sh b/services/maintenance/scripts/disable_k3s_traefik.sh
new file mode 100644
index 0000000..7b8cebd
--- /dev/null
+++ b/services/maintenance/scripts/disable_k3s_traefik.sh
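Review bot: `disableNameSuffixHash: true` on the `disable-k3s-traefik-script` generator means a later edit to `scripts/disable_k3s_traefik.sh` changes the ConfigMap data but not its name, so the DaemonSet pod template is unchanged and already-running pods keep executing the old script until someone restarts them by hand. If the fixed name is deliberate so the DaemonSet can reference it directly, say so in a comment above the entry, e.g. `# fixed name (no hash suffix): restart the disable-k3s-traefik pods after editing the script`. The `node-nofile-script` entry that follows is cut off at the hunk edge, so whether it uses the same option is not visible here.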
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+host_root="/host"
+env_file="${host_root}/etc/systemd/system/k3s.service.env"
+manifest_dir="${host_root}/var/lib/rancher/k3s/server/manifests"
+
+changed=0
+
+ensure_disable_flag() {
+ mkdir -p "$(dirname "${env_file}")"
+ if [ ! -f "${env_file}" ]; then
+ printf 'K3S_DISABLE=traefik\n' > "${env_file}"
+ changed=1
+ return
+ fi
+
+ if grep -q '^K3S_DISABLE=' "${env_file}"; then
+ current="$(grep '^K3S_DISABLE=' "${env_file}" | tail -n1 | cut -d= -f2-)"
+ current="$(printf '%s' "${current}" | sed 's/^\"//;s/\"$//' | tr -d ' ')"
+ if ! printf '%s' "${current}" | grep -qw "traefik"; then
+ if [ -z "${current}" ]; then
+ updated="traefik"
+ else
+ updated="${current},traefik"
+ fi
+ sed -i "s/^K3S_DISABLE=.*/K3S_DISABLE=${updated}/" "${env_file}"
+ changed=1
+ fi
+ else
+ printf '\nK3S_DISABLE=traefik\n' >> "${env_file}"
+ changed=1
+ fi
+}
+
+remove_manifest() {
+ if [ -d "${manifest_dir}" ] && ls "${manifest_dir}"/traefik* >/dev/null 2>&1; then
+ rm -f "${manifest_dir}"/traefik*.yaml "${manifest_dir}"/traefik*.yml
+ changed=1
+ fi
+}
+
+restart_k3s() {
+ node_name="$(cat "${host_root}/etc/hostname" 2>/dev/null || hostname)"
+ delay=0
+ case "${node_name}" in
+ *0b) delay=60 ;;
+ *0c) delay=120 ;;
+ esac
+ if [ "${delay}" -gt 0 ]; then
+ sleep "${delay}"
+ fi
+ chroot "${host_root}" /bin/systemctl daemon-reload || true
+ chroot "${host_root}" /bin/systemctl restart k3s
+}
+
+ensure_disable_flag
+remove_manifest
+
+if [ "${changed}" -eq 1 ]; then
+ restart_k3s
+fi
+
+sleep infinity
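Review bot: `restart_k3s` staggers the k3s restart only for node names ending in `0b` or `0c`, so any control-plane node outside that naming scheme restarts immediately and two such nodes would restart together; the `hostname` fallback also runs inside the container and presumably returns the pod name rather than the node name, which would never match either case arm. At minimum document the assumption above the `case`, e.g. `# assumes control-plane nodes are named <prefix>0a/0b/0c and restarts them in that order`, and consider taking the node name from a downward-API `spec.nodeName` environment variable instead of the host file. The script also has no header comment; `# Adds traefik to K3S_DISABLE in k3s.service.env, removes the packaged traefik manifests and restarts k3s once if anything changed.` under the shebang would state its contract. The `${updated}` value spliced into the `sed -i` expression is taken from the env file unescaped, so a value containing `/` or `&` would break the substitution; harmless for the expected component names, but worth a one-line comment.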