chore: add view-users permission to lagoon-opensearch-sync

uselagoon · Dec 23, 2024 · 6024f47 · 6024f47
1 parent 6ad1f0f
commit 6024f47
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/services/keycloak/lagoon-realm-base-import.json b/services/keycloak/lagoon-realm-base-import.json
@@ -525,7 +525,8 @@
       ],
       "clientRoles": {
         "realm-management": [
-          "query-groups"
+          "query-groups",
+          "view-users"
         ]
       },
       "notBefore": 0,

diff --git a/services/keycloak/startup-scripts/00-configure-lagoon.sh b/services/keycloak/startup-scripts/00-configure-lagoon.sh
@@ -869,6 +869,15 @@ EOF
 
 }
 
+function lagoon-opensearch-sync_add_view-users_permission {
+	if /opt/keycloak/bin/kcadm.sh get-roles -r lagoon --uusername service-account-lagoon-opensearch-sync --cclientid realm-management --config /tmp/kcadm.config | jq -e '.[].name|contains("view-users")' >/dev/null; then
+		echo "lagoon-opensearch-sync already has view-users realm-management role"
+	else
+		echo "adding lagoon-opensearch-sync view-users realm-management role"
+		/opt/keycloak/bin/kcadm.sh add-roles -r lagoon --uusername service-account-lagoon-opensearch-sync --cclientid realm-management --rolename view-users --config $CONFIG_PATH
+	fi
+}
+
 ##################
 # Initialization #
 ##################
@@ -921,6 +930,7 @@ function configure_keycloak {
     add_lagoon-cli_client
     add_lagoon-ui-oidc_client
     add_update_platform_organization_permissions
+    lagoon-opensearch-sync_add_view-users_permission
 
     # always run last
     sync_client_secrets