feat(cli): meet build/seed support, production kube tunnel, gitea OIDC bootstrap

- secrets.py: seed secret/meet (django-secret-key, application-jwt-secret-key) - images.py: add sunbeam build meet (meet-backend + meet-frontend from source) - kube.py: production SSH tunnel support, domain discovery from cluster, cmd_bao - gitea.py: configure Hydra as OIDC auth source; mark admin account as private - services.py: minor VSO sync status and services list fixes - users.py: add cmd_user_enable
2026-03-06 12:05:10 +00:00
parent c759f2c014
commit 2569978f47
6 changed files with 750 additions and 206 deletions
--- a/sunbeam/users.py
+++ b/sunbeam/users.py
@@ -7,16 +7,15 @@ import urllib.request
 import urllib.error
 from contextlib import contextmanager

+import sunbeam.kube as _kube_mod
 from sunbeam.output import step, ok, warn, die, table

-K8S_CTX = ["--context=sunbeam"]
-

@contextmanager
 def _port_forward(ns="ory", svc="kratos-admin", local_port=4434, remote_port=80):
    """Port-forward directly to the Kratos admin HTTP API and yield the local URL."""
    proc = subprocess.Popen(
-        ["kubectl", *K8S_CTX, "-n", ns, "port-forward",
+        ["kubectl", _kube_mod.context_arg(), "-n", ns, "port-forward",
         f"svc/{svc}", f"{local_port}:{remote_port}"],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    )
@@ -166,6 +165,27 @@ def cmd_user_disable(target):
    warn("App sessions (docs/people) expire within SESSION_COOKIE_AGE — currently 1h.")


+def cmd_user_set_password(target, password):
+    """Set (or reset) the password credential for an identity."""
+    step(f"Setting password for: {target}")
+    with _port_forward() as base:
+        identity = _find_identity(base, target)
+        iid = identity["id"]
+        _api(base, f"/identities/{iid}", method="PUT", body={
+            "schema_id": identity["schema_id"],
+            "traits": identity["traits"],
+            "state": identity.get("state", "active"),
+            "metadata_public": identity.get("metadata_public"),
+            "metadata_admin": identity.get("metadata_admin"),
+            "credentials": {
+                "password": {
+                    "config": {"password": password},
+                },
+            },
+        })
+    ok(f"Password set for {iid[:8]}...")
+
+
 def cmd_user_enable(target):
    """Re-enable a previously disabled identity."""
    step(f"Enabling identity: {target}")