Merge pull request #3721 from uselagoon/ssh-portal-group-db

feat: add query-group permission to the service-api client

services/keycloak/lagoon-realm-2.16.0.json

@@ -528,6 +528,11 @@
       "realmRoles": [
         "default-roles-lagoon"
       ],
+      "clientRoles": {
+        "realm-management": [
+          "query-groups"
+        ]
+      },
       "notBefore": 0,
       "groups": []
     }

services/keycloak/startup-scripts/00-configure-lagoon.sh

@@ -204,6 +204,15 @@ function migrate_to_custom_group_mapper {
 
 }
 
+function service-api_add_query-groups_permission {
+	if /opt/keycloak/bin/kcadm.sh get-roles -r lagoon --uusername service-account-service-api --cclientid realm-management --config /tmp/kcadm.config | jq -e '.[].name|contains("query-groups")' >/dev/null; then
+		echo "service-api already has query-groups realm-management role"
+	else
+		echo "adding service-api query-groups realm-management role"
+		/opt/keycloak/bin/kcadm.sh add-roles -r lagoon --uusername service-account-service-api --cclientid realm-management --rolename query-groups --config $CONFIG_PATH
+	fi
+}
+
 ##################
 # Initialization #
 ##################
@@ -231,6 +240,7 @@ function configure_keycloak {
     check_migrations_version
     migrate_to_custom_group_mapper
     #post 2.18.0+ migrations after this point
+    service-api_add_query-groups_permission
 
     # always run last
     sync_client_secrets