From 1bfe644737c168890f54988debc2dbfbb0506b37 Mon Sep 17 00:00:00 2001
From: Adam Lewis <23342526+Adam-D-Lewis@users.noreply.github.com>
Date: Tue, 21 Jan 2025 17:39:20 -0600
Subject: [PATCH] revert to non service account user for jhub apps startup apps
---
 .../kubernetes/services/jupyterhub/main.tf | 36 +++++++++----------
 .../services/jupyterhub/versions.tf | 18 +++++-----
 .../services/keycloak-client/outputs.tf | 12 +++----
 3 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf
index 3e35f30c71..f8c93c2870 100644
--- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf
+++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf
@@ -37,23 +37,23 @@ resource "kubernetes_secret" "jhub_apps_secrets" {
 }
-# resource "keycloak_user" "jhub_apps_service_account" {
-# count = var.jhub-apps-enabled ? 1 : 0
-# realm_id = var.realm_id
-# username = "service-account-jhub-apps"
-# enabled = true
-# }
-
-
-# resource "keycloak_user_roles" "jhub_apps_sa_allow_app_sharing_role" {
-# count = var.jhub-apps-enabled ? 1 : 0
-# realm_id = var.realm_id
-# user_id = keycloak_user.jhub_apps_service_account[0].id
-# role_ids = [
-# module.jupyterhub-openid-client.client_role_ids["allow-app-sharing-role"]
-# ]
-# exhaustive = true
-# }
+resource "keycloak_user" "jhub_apps_service_account" {
+ count = var.jhub-apps-enabled ? 1 : 0
+ realm_id = var.realm_id
+ username = "service-account-jhub-apps"
+ enabled = true
+}
+
+
+resource "keycloak_user_roles" "jhub_apps_sa_allow_app_sharing_role" {
+ count = var.jhub-apps-enabled ? 1 : 0
+ realm_id = var.realm_id
+ user_id = keycloak_user.jhub_apps_service_account[0].id
+ role_ids = [
+ module.jupyterhub-openid-client.client_role_ids["allow-app-sharing-role"]
+ ]
+ exhaustive = true
+}
 locals {
 jupyterhub_env_vars = [
@@ -365,7 +365,7 @@ module "jupyterhub-openid-client" {
 service-accounts-enabled = true
 service-account-roles = {
 "realm-management" : ["view-realm", "view-users", "view-clients"],
- "jupyterhub" = ["allow-app-sharing-role"] }
+ }
 }
diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/versions.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/versions.tf
index b66ec63ebf..0ddb981e5e 100644
--- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/versions.tf
+++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/versions.tf
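Review bot: In the first main.tf hunk, the restored `keycloak_user` is an ordinary realm user whose username `service-account-jhub-apps` follows the `service-account-<client-id>` pattern that Keycloak uses for the users behind client service accounts, and nothing on the new side says so. Anyone reading audit events or the realm's user list is likely to take it for a client-credentials identity, and the name could clash if a client with ID `jhub-apps` were ever given a service account (nothing in this patch shows one). I would add a comment above the resource, e.g. `# Plain realm user (not a Keycloak client service account) used by jhub-apps startup apps; no credentials are set on it here`, and state there whether it is meant to stay without credentials. Keeping `exhaustive = true` on `keycloak_user_roles` is worth preserving, since it holds this identity to `allow-app-sharing-role` only.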
@@ -1,9 +1,9 @@
-# terraform {
-# required_providers {
-# keycloak = {
-# source = "mrparkers/keycloak"
-# version = "3.7.0"
-# }
-# }
-# required_version = ">= 1.0"
-# }
+terraform {
+ required_providers {
+ keycloak = {
+ source = "mrparkers/keycloak"
+ version = "3.7.0"
+ }
+ }
+ required_version = ">= 1.0"
+}
diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/keycloak-client/outputs.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/keycloak-client/outputs.tf
index 617eab7c3a..8f87eaf108 100644
--- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/keycloak-client/outputs.tf
+++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/keycloak-client/outputs.tf
@@ -13,9 +13,9 @@ output "config" {
 }
 }
-# output "client_role_ids" {
-# description = "Map of role names to their IDs"
-# value = {
-# for role_key, role in keycloak_role.default_client_roles : role_key => role.id
-# }
-# }
+output "client_role_ids" {
+ description = "Map of role names to their IDs"
+ value = {
+ for role_key, role in keycloak_role.default_client_roles : role_key => role.id
+ }
+}
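Review bot: The restored `required_providers` block in versions.tf pins `mrparkers/keycloak` to exactly `3.7.0` with no comment explaining the pin. An exact constraint in a child module has to be satisfiable together with every other module's constraint for the same provider, so a provider update elsewhere in the stage (not visible in this patch) would fail `terraform init` until this file is changed as well. A one-line comment such as `# exact pin: must match the keycloak provider constraint used elsewhere in this stage` would make that explicit. It is also worth confirming that 3.7.0 supports the `exhaustive` argument that main.tf now sets on `keycloak_user_roles`, because the least-privilege role binding relies on it.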