fix(argocd): match both bare and full-path group names in RBAC policy

pkg/argocd/config.go

@@ -55,8 +55,16 @@ requestedScopes:
   - email
   - groups`, issuerURL)
 
+	// Group names are matched both with and without a leading slash because the
+	// Keycloak group-membership mapper's full.path setting differs by deployment
+	// phase: the realm-setup job creates it with full.path=false ("argocd-admins"),
+	// but the data-science-pack rbac-bootstrap job reconciles it to full.path=true
+	// ("/argocd-admins") on every sync, which JupyterHub requires for shared-dir
+	// mounts. Matching both keeps ArgoCD access working regardless of which ran last.
 	rbacPolicy := `g, argocd-admins, role:admin
-g, argocd-viewers, role:readonly`
+g, /argocd-admins, role:admin
+g, argocd-viewers, role:readonly
+g, /argocd-viewers, role:readonly`
 
 	configs := cfg.Values["configs"].(map[string]any)
 	configs["cm"] = map[string]any{

pkg/argocd/config_test.go

@@ -132,11 +132,19 @@ func TestConfigWithOIDC(t *testing.T) {
 			if !ok {
 				t.Fatal("rbac.policy.csv should be a string")
 			}
-			if !strings.Contains(policyCSV, "g, argocd-admins, role:admin") {
-				t.Error("policy.csv should map argocd-admins to role:admin")
-			}
-			if !strings.Contains(policyCSV, "g, argocd-viewers, role:readonly") {
-				t.Error("policy.csv should map argocd-viewers to role:readonly")
+			// Both bare and full-path group names must be mapped: the Keycloak
+			// group-membership mapper's full.path setting differs depending on
+			// whether the realm-setup job (false) or the data-science-pack
+			// rbac-bootstrap job (true) ran last.
+			for _, mapping := range []string{
+				"g, argocd-admins, role:admin",
+				"g, /argocd-admins, role:admin",
+				"g, argocd-viewers, role:readonly",
+				"g, /argocd-viewers, role:readonly",
+			} {
+				if !strings.Contains(policyCSV, mapping) {
+					t.Errorf("policy.csv should contain %q", mapping)
+				}
 			}
 
 			// Check secret injection