From fbbf7dd33cef818eef2fc1ec571fb4c79d5d96ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guilhem=20Barth=C3=A9s?= <guilhem.barthes@owkin.com>
Date: Mon, 26 May 2025 10:32:40 +0200
Subject: [PATCH 1/3] fix(migration): add internet access role for OIDC enabled
 jobs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>
---
 charts/substra-backend/templates/job-migrations.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/charts/substra-backend/templates/job-migrations.yaml b/charts/substra-backend/templates/job-migrations.yaml
index e9e0d83f5..48f35d9ad 100644
--- a/charts/substra-backend/templates/job-migrations.yaml
+++ b/charts/substra-backend/templates/job-migrations.yaml
@@ -15,6 +15,10 @@ spec:
       labels:
           {{ include "substra.labels" . | nindent 10 }}
           role-database-client: 'true'
+          # If OIDC is enabled, we need to allow the job to access the internet to fetch the user info, as it is based on the user info.
+          {{- if .Values.oidc.enabled }}
+          role-internet-ingress: 'true'
+          {{- end }}
     spec:
       restartPolicy: OnFailure
       automountServiceAccountToken: false

From fbf817ac4d2b7dc19e36b07a54611c9074aff157 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guilhem=20Barth=C3=A9s?= <guilhem.barthes@owkin.com>
Date: Fri, 30 May 2025 15:00:44 +0200
Subject: [PATCH 2/3] fix: replace ingress by egress
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>
---
 charts/substra-backend/templates/job-migrations.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/substra-backend/templates/job-migrations.yaml b/charts/substra-backend/templates/job-migrations.yaml
index 48f35d9ad..fc844adbe 100644
--- a/charts/substra-backend/templates/job-migrations.yaml
+++ b/charts/substra-backend/templates/job-migrations.yaml
@@ -17,7 +17,7 @@ spec:
           role-database-client: 'true'
           # If OIDC is enabled, we need to allow the job to access the internet to fetch the user info, as it is based on the user info.
           {{- if .Values.oidc.enabled }}
-          role-internet-ingress: 'true'
+          role-internet-egress: 'true'
           {{- end }}
     spec:
       restartPolicy: OnFailure

From afb33bffa2af2512c49becc553c12349edb9476a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guilhem=20Barth=C3=A9s?= <guilhem.barthes@owkin.com>
Date: Fri, 30 May 2025 15:12:49 +0200
Subject: [PATCH 3/3] feat: add doc & bump chart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>
---
 charts/substra-backend/CHANGELOG.md | 4 ++++
 charts/substra-backend/Chart.yaml   | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/charts/substra-backend/CHANGELOG.md b/charts/substra-backend/CHANGELOG.md
index 527abe53b..1c636a260 100644
--- a/charts/substra-backend/CHANGELOG.md
+++ b/charts/substra-backend/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog
 
 <!-- towncrier release notes start -->
+## [26.15.3] - 2025-30-05
+
+Allow OIDC connection to job-migration
+
 ## [26.15.2] - 2025-02-17
 
 Inject OIDC config in migration job & bump app version to 1.0.1
diff --git a/charts/substra-backend/Chart.yaml b/charts/substra-backend/Chart.yaml
index ac5a0e13a..8d8ebaf85 100644
--- a/charts/substra-backend/Chart.yaml
+++ b/charts/substra-backend/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: substra-backend
 home: https://github.com/Substra
-version: 26.15.2
+version: 26.15.3
 appVersion: 1.0.1
 kubeVersion: '>= 1.19.0-0'
 description: Main package for Substra