
[ocp4_workload_ols] Grant lightspeed-operator-query-access to non-admin users#19

Merged
stencell merged 5 commits into main from ols-multiuser-26-feb on Feb 27, 2026

Conversation

@stencell
Contributor

Summary

  • Automatically discover non-admin users from the active auth provider and grant them lightspeed-operator-query-access
  • Supports both htpasswd and keycloak auth providers with provider-specific discovery logic
  • No manual user list configuration required — the role reads directly from the auth system

Changes

roles/ocp4_workload_ols/defaults/main.yaml

Added a new User Access Configuration section with 5 variables that mirror ocp4_workload_authentication defaults:

Variable                                 Purpose
ocp4_workload_ols_auth_provider          htpasswd or keycloak
ocp4_workload_ols_admin_username         Excluded from grants
ocp4_workload_ols_htpasswd_secret_name   htpasswd secret name in openshift-config
ocp4_workload_ols_keycloak_namespace     Keycloak install namespace
ocp4_workload_ols_keycloak_realm         Keycloak realm to query (default: sso)

roles/ocp4_workload_ols/tasks/workload.yaml

Added tasks at the end of the workload to build a user list and grant ClusterRoleBinding per user:

  • htpasswd path: reads and parses the htpasswd secret in openshift-config — captures all configured users (numbered users, cluster accounts, any naming convention) automatically
  • keycloak path: fetches the Keycloak admin token from the keycloak-initial-admin secret, then queries /admin/realms/{realm}/users via the REST API
  • Admin user is excluded from grants in both paths
  • ClusterRoleBinding creation is idempotent (state: present)
  • Sensitive Keycloak API responses use no_log: true

Automatically discover and grant lightspeed-operator-query-access to
all non-admin users created by ocp4_workload_authentication.

- htpasswd: parse the htpasswd secret in openshift-config to get the
  authoritative list of all configured usernames
- keycloak: query the Keycloak REST API (master realm token → realm
  users endpoint) to get the live user list
- Admin user is excluded from grants in both paths
- ClusterRoleBinding created per user, idempotent via k8s state: present
@stencell stencell marked this pull request as draft February 26, 2026 09:18
… CR lookup

Read users directly from the KeycloakRealmImport Kubernetes CR instead
of authenticating to the Keycloak REST API. This avoids token management,
URL construction issues, and Keycloak admin permission variability across
RHBK versions.
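The two discovery paths above (htpasswd Secret in openshift-config, and the users embedded in a KeycloakRealmImport CR as the later commit switched to) plus the admin exclusion and per-user ClusterRoleBinding, as an added example in plain Python rather than the role's Ansible tasks. This is not code from ocp4_workload_ols or the PR; it assumes the KeycloakRealmImport realm representation carries usernames at spec.realm.users[].username, invents a binding name scheme (ols-query-access-<user>), adds a check the PR does not mention (skipping Keycloak users with enabled: false), and uses constructed sample inputs with placeholder hashes.

```python
"""Added example, not code from the ocp4_workload_ols role or this PR.

Discover usernames from either an htpasswd Secret or a KeycloakRealmImport CR,
drop the admin user, and emit one ClusterRoleBinding manifest per remaining
user to the lightspeed-operator-query-access ClusterRole named in the PR.
"""
import base64
import re
from typing import Any

QUERY_ROLE = "lightspeed-operator-query-access"  # ClusterRole named in the PR
BINDING_PREFIX = "ols-query-access-"             # binding name scheme: assumption


def users_from_htpasswd_secret(secret: dict[str, Any], key: str = "htpasswd") -> list[str]:
    """Secret .data values are base64; each htpasswd line is 'user:hash'.
    Blank lines and '#'-prefixed lines are skipped defensively."""
    raw = base64.b64decode(secret["data"][key]).decode("utf-8")
    users: list[str] = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _hash = line.split(":", 1)  # usernames cannot contain ':'
        if user and user not in users:
            users.append(user)
    return users


def users_from_realm_import(cr: dict[str, Any]) -> list[str]:
    """KeycloakRealmImport embeds a realm representation under spec.realm;
    usernames are read from spec.realm.users[].username (assumed layout).
    Entries without a username are skipped, and so are users with
    enabled: false (an added check; the PR does not say it filters them)."""
    users: list[str] = []
    for entry in cr.get("spec", {}).get("realm", {}).get("users", []) or []:
        name = entry.get("username")
        if not name or entry.get("enabled", True) is False:
            continue
        if name not in users:
            users.append(name)
    return users


def _k8s_name(user: str) -> str:
    """Object names must be RFC 1123 subdomains (lowercase, [a-z0-9.-]).
    htpasswd usernames are not restricted that way, so sanitise first."""
    name = re.sub(r"[^a-z0-9.-]+", "-", user.lower()).strip("-.")
    return name or "user"


def cluster_role_binding(user: str) -> dict[str, Any]:
    """One ClusterRoleBinding per user; applying it with state: present
    (or kubectl apply) is idempotent because the name is deterministic."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": BINDING_PREFIX + _k8s_name(user)},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": QUERY_ROLE},
        # The subject keeps the exact username: RBAC matches the identity
        # name as presented by the auth provider, not the sanitised name.
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": "User", "name": user}],
    }


def grant_query_access(provider: str, source: dict[str, Any], admin: str) -> list[dict[str, Any]]:
    """Dispatch on the auth provider, exclude the admin, build the bindings,
    and refuse to continue if sanitisation made two binding names collide."""
    if provider == "htpasswd":
        users = users_from_htpasswd_secret(source)
    elif provider == "keycloak":
        users = users_from_realm_import(source)
    else:
        raise ValueError(f"unsupported auth provider: {provider}")
    bindings = [cluster_role_binding(u) for u in users if u != admin]
    names = [b["metadata"]["name"] for b in bindings]
    if len(set(names)) != len(names):
        raise ValueError("sanitised binding names collide; change the name scheme")
    return bindings


# Constructed sample inputs (hash values are placeholders, not real digests).
HTPASSWD_TEXT = "\n".join([
    "admin:$2y$05$placeholderadminhash",
    "user1:$apr1$placeholder1",
    "user2:$apr1$placeholder2",
    "cluster-svc:{SHA}placeholder=",
    "Team_Lead:$2y$05$placeholderlead",
    "",
])
HTPASSWD_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "htpasswd-secret", "namespace": "openshift-config"},
    "data": {"htpasswd": base64.b64encode(HTPASSWD_TEXT.encode()).decode()},
}
REALM_IMPORT = {
    "apiVersion": "k8s.keycloak.org/v2alpha1", "kind": "KeycloakRealmImport",
    "metadata": {"name": "sso", "namespace": "keycloak"},
    "spec": {"keycloakCRName": "keycloak", "realm": {"realm": "sso", "users": [
        {"username": "admin", "enabled": True},
        {"username": "user1", "enabled": True},
        {"username": "user2", "enabled": False},
        {"username": "user3"},
    ]}},
}

if __name__ == "__main__":
    for provider, src in (("htpasswd", HTPASSWD_SECRET), ("keycloak", REALM_IMPORT)):
        for crb in grant_query_access(provider, src, "admin"):
            print(provider, crb["metadata"]["name"], "->", crb["subjects"][0]["name"])
```

The subject name is left untouched on purpose: the binding's metadata name has to be a valid Kubernetes object name, but the User subject must match the identity exactly as the htpasswd or Keycloak provider presents it, or the grant silently applies to nobody.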
@stencell stencell marked this pull request as ready for review February 26, 2026 16:17
wkulhanek previously approved these changes Feb 27, 2026
@stencell stencell merged commit a730731 into main Feb 27, 2026
1 check passed
@stencell stencell deleted the ols-multiuser-26-feb branch February 27, 2026 10:09
2 participants