fix(migration): add internet access role for OIDC enabled jobs (#1032)

* fix(migration): add internet access role for OIDC enabled jobs

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>

* fix: replace ingress by egress

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>

* feat: add doc & bump chart

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>

---------

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>

Author: guilhem-barthes

charts/substra-backend/CHANGELOG.md

@@ -1,6 +1,10 @@
 # Changelog
 
 <!-- towncrier release notes start -->
+## [26.15.3] - 2025-30-05
+
+Allow OIDC connection to job-migration
+
 ## [26.15.2] - 2025-02-17
 
 Inject OIDC config in migration job & bump app version to 1.0.1

charts/substra-backend/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: substra-backend
 home: https://github.com/Substra
-version: 26.15.2
+version: 26.15.3
 appVersion: 1.0.1
 kubeVersion: '>= 1.19.0-0'
 description: Main package for Substra

charts/substra-backend/templates/job-migrations.yaml

@@ -15,6 +15,10 @@ spec:
       labels:
           {{ include "substra.labels" . | nindent 10 }}
           role-database-client: 'true'
+          # If OIDC is enabled, we need to allow the job to access the internet to fetch the user info, as it is based on the user info.
+          {{- if .Values.oidc.enabled }}
+          role-internet-egress: 'true'
+          {{- end }}
     spec:
       restartPolicy: OnFailure
       automountServiceAccountToken: false