Merge pull request #643 from computate/ai-telemetry-keycloak

Add ai-telemetry-sa client for access to all metrics
OCP-on-NERC · Jan 30, 2025 · e6b26ef · e6b26ef
2 parents 723df5d + 917c1ca
commit e6b26ef
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/keycloak/overlays/nerc-ocp-obs/keycloakauthorizations/nerc/keycloakauthorization.yaml b/keycloak/overlays/nerc-ocp-obs/keycloakauthorizations/nerc/keycloakauthorization.yaml
@@ -114,6 +114,15 @@ spec:
                   clients:
                     - ai-telemetry
 
+            - id: client-ai-telemetry-sa
+              name: client-ai-telemetry-sa
+              logic: POSITIVE
+              decisionStrategy: UNANIMOUS
+              type:
+                client:
+                  clients:
+                    - ai-telemetry-sa
+
             - id: client-ai4cloudops
               name: client-ai4cloudops
               logic: POSITIVE
@@ -165,6 +174,13 @@ spec:
               policy: group-ai-telemetry
               resource: namespace
 
+            - name: client-ai-telemetry-sa-cluster-all
+              policy: client-ai-telemetry-sa
+              resource: cluster
+            - name: client-ai-telemetry-sa-namespace-all
+              policy: client-ai-telemetry-sa
+              resource: namespace
+
             - name: group-nerc-ai4cloudops-namespace-all
               policy: group-nerc-ai4cloudops
               resource: namespace

diff --git a/keycloak/overlays/nerc-ocp-obs/keycloakrealmimports/nerc/keycloakrealmimport.yaml b/keycloak/overlays/nerc-ocp-obs/keycloakrealmimports/nerc/keycloakrealmimport.yaml
@@ -307,6 +307,20 @@ spec:
             name: ai-telemetry
             protocol: openid-connect
             protocolMapper: oidc-audience-mapper
+      - id: ai-telemetry-sa
+        name: ai-telemetry-sa
+        description: A client scope for the ai-telemetry-sa client
+        protocol: openid-connect
+        protocolMappers:
+          - config:
+              access.token.claim: 'true'
+              id.token.claim: 'false'
+              included.client.audience: 'ai-telemetry-sa'
+            consentRequired: false
+            id: ai-telemetry-sa
+            name: ai-telemetry-sa
+            protocol: openid-connect
+            protocolMapper: oidc-audience-mapper
     defaultDefaultClientScopes:
       - nerc
     clients:
@@ -340,6 +354,19 @@ spec:
           - ai-telemetry
         authorizationSettings:
           decisionStrategy: AFFIRMATIVE
+      - id: ai-telemetry-sa
+        clientId: ai-telemetry-sa
+        standardFlowEnabled: true
+        serviceAccountsEnabled: true
+        authorizationServicesEnabled: true
+        frontchannelLogout: true
+        protocol: openid-connect
+        defaultClientScopes:
+          - openid
+          - profile
+          - ai-telemetry-sa
+        authorizationSettings:
+          decisionStrategy: AFFIRMATIVE
       - id: ai4cloudops
         clientId: ai4cloudops
         standardFlowEnabled: true