From 917c1caa4d4f549e9da01f73c9ab2d1881b9c77c Mon Sep 17 00:00:00 2001 From: Christopher Tate Date: Fri, 24 Jan 2025 06:59:54 -0700 Subject: [PATCH] Add ai-telemetry-sa client for access to all metrics Adding an ai-telemetry-sa service account client which has access to import all AI related metrics on all clusters for AI telemetry, separate from the main ai-telemetry client for all users. --- .../nerc/keycloakauthorization.yaml | 16 +++++++++++ .../nerc/keycloakrealmimport.yaml | 27 +++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/keycloak/overlays/nerc-ocp-obs/keycloakauthorizations/nerc/keycloakauthorization.yaml b/keycloak/overlays/nerc-ocp-obs/keycloakauthorizations/nerc/keycloakauthorization.yaml index fd2a7acf..5f19451f 100644 --- a/keycloak/overlays/nerc-ocp-obs/keycloakauthorizations/nerc/keycloakauthorization.yaml +++ b/keycloak/overlays/nerc-ocp-obs/keycloakauthorizations/nerc/keycloakauthorization.yaml @@ -114,6 +114,15 @@ spec: clients: - ai-telemetry + - id: client-ai-telemetry-sa + name: client-ai-telemetry-sa + logic: POSITIVE + decisionStrategy: UNANIMOUS + type: + client: + clients: + - ai-telemetry-sa + - id: client-ai4cloudops name: client-ai4cloudops logic: POSITIVE @@ -165,6 +174,13 @@ spec: policy: group-ai-telemetry resource: namespace + - name: client-ai-telemetry-sa-cluster-all + policy: client-ai-telemetry-sa + resource: cluster + - name: client-ai-telemetry-sa-namespace-all + policy: client-ai-telemetry-sa + resource: namespace + - name: group-nerc-ai4cloudops-namespace-all policy: group-nerc-ai4cloudops resource: namespace diff --git a/keycloak/overlays/nerc-ocp-obs/keycloakrealmimports/nerc/keycloakrealmimport.yaml b/keycloak/overlays/nerc-ocp-obs/keycloakrealmimports/nerc/keycloakrealmimport.yaml index 24147db6..46df8c99 100644 --- a/keycloak/overlays/nerc-ocp-obs/keycloakrealmimports/nerc/keycloakrealmimport.yaml +++ b/keycloak/overlays/nerc-ocp-obs/keycloakrealmimports/nerc/keycloakrealmimport.yaml 
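Review bot: The permission `client-ai-telemetry-sa-cluster-all` in the second hunk grants the `ai-telemetry-sa` client the whole `cluster` resource, which is broader than the existing `group-ai-telemetry` permission shown just above it (that one covers `namespace` only), while the commit message scopes the need to AI-related metrics. The `-all` naming and the message suggest the breadth is intentional, but the file itself does not record why; a comment above the new permission such as `# cluster-wide on purpose: the AI telemetry importer reads metrics from every cluster (see commit 917c1caa)` would stop a later reviewer from narrowing it, or from widening the group permission to match. If this realm already defines a narrower resource covering only the AI clusters, using it here would be the least-privilege choice; I can't tell from the hunk whether one exists. Since the policy added in the first hunk is a client-based policy that matches on the issuing client alone, the effective scope of these two permissions rests entirely on who holds the `ai-telemetry-sa` credentials.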
@@ -307,6 +307,20 @@ spec: name: ai-telemetry protocol: openid-connect protocolMapper: oidc-audience-mapper + - id: ai-telemetry-sa + name: ai-telemetry-sa + description: A client scope for the ai-telemetry-sa client + protocol: openid-connect + protocolMappers: + - config: + access.token.claim: 'true' + id.token.claim: 'false' + included.client.audience: 'ai-telemetry-sa' + consentRequired: false + id: ai-telemetry-sa + name: ai-telemetry-sa + protocol: openid-connect + protocolMapper: oidc-audience-mapper defaultDefaultClientScopes: - nerc clients: @@ -340,6 +354,19 @@ spec: - ai-telemetry authorizationSettings: decisionStrategy: AFFIRMATIVE + - id: ai-telemetry-sa + clientId: ai-telemetry-sa + standardFlowEnabled: true + serviceAccountsEnabled: true + authorizationServicesEnabled: true + frontchannelLogout: true + protocol: openid-connect + defaultClientScopes: + - openid + - profile + - ai-telemetry-sa + authorizationSettings: + decisionStrategy: AFFIRMATIVE - id: ai4cloudops clientId: ai4cloudops standardFlowEnabled: true
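Review bot: `standardFlowEnabled: true` in the second hunk turns on the browser authorization-code flow for `ai-telemetry-sa`, a client whose only stated purpose is a service account; the client-based policy this patch adds in keycloakauthorization.yaml matches on the issuing client rather than on who logged in, so any realm user who could complete that flow would obtain a token carrying the new cluster-all and namespace-all permissions. No `redirectUris` appear in the hunk, which should make the browser flow unusable in practice, but that is a side effect rather than a deliberate control. I would set `standardFlowEnabled: false` and leave `serviceAccountsEnabled: true` as the only grant path, keeping the existing user-facing `ai-telemetry` client above unchanged; `frontchannelLogout: true` has no effect on a service-account-only client and could go at the same time. The `clients:` list this entry belongs to continues outside the hunk.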