diff --git a/docs/DEVELOPER-GUIDE.md b/docs/DEVELOPER-GUIDE.md
index f812c5b..d9b13c3 100644
--- a/docs/DEVELOPER-GUIDE.md
+++ b/docs/DEVELOPER-GUIDE.md
@@ -1283,7 +1283,9 @@ In `infra/values/keycloak-values.yaml`, add a new entry to the `clients` array i
 "attributes": {
 "k8s.secret.sync": "true",
 "k8s.secret.namespace": "myapp",
- "k8s.secret.name": "myapp-oidc-credentials"
+ "k8s.secret.name": "myapp-oidc-credentials",
+ "k8s.secret.client-id-key": "key",
+ "k8s.secret.client-secret-key": "secret"
 }
 }
 ```
@@ -1292,6 +1294,7 @@ In `infra/values/keycloak-values.yaml`, add a new entry to the `clients` array i
 - Do **NOT** include a `"secret"` field — Keycloak generates one automatically
 - The `attributes` block tells the syncer where to create the K8s Secret
 - The target namespace must exist before the syncer runs (ArgoCD creates it via `CreateNamespace=true`)
+- Set `client-id-key` / `client-secret-key` to match what the consuming app expects (defaults: `client-id` / `client-secret`)
 ### Step 2: Reference the Secret in Your Application
@@ -1345,11 +1348,15 @@ kubectl get secret myapp-oidc-credentials -n myapp -o jsonpath='{.data.client-se
 ### Sync Attribute Reference
-| Attribute | Required | Description |
-|-----------|----------|-------------|
-| `k8s.secret.sync` | Yes | Set to `"true"` to enable syncing |
-| `k8s.secret.namespace` | Yes | Target K8s namespace for the secret |
-| `k8s.secret.name` | Yes | Name of the K8s Secret to create |
+| Attribute | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
+| `k8s.secret.namespace` | Yes | — | Target K8s namespace for the secret |
+| `k8s.secret.name` | Yes | — | Name of the K8s Secret to create |
+| `k8s.secret.client-id-key` | No | `client-id` | Field name for the client ID in the K8s Secret |
+| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for the client secret in the K8s Secret |
+
+**Note on key names:** Different applications expect different field names. For example, the Gitea Helm chart expects `key` and `secret`, while a generic OIDC consumer might expect `client-id` and `client-secret`. Use the optional key attributes to match what the consuming application expects.
 ### Retrieving Secrets for External Deployments
diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md
index 3cee384..837a0d4 100644
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -893,13 +893,15 @@ dind:
 **Client Attributes** (set in `forte-realm.json`):
-| Attribute | Description |
-|-----------|-------------|
-| `k8s.secret.sync` | Set to `"true"` to enable syncing |
-| `k8s.secret.namespace` | Target K8s namespace |
-| `k8s.secret.name` | Name of the K8s Secret |
+| Attribute | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
+| `k8s.secret.namespace` | Yes | — | Target K8s namespace |
+| `k8s.secret.name` | Yes | — | Name of the K8s Secret |
+| `k8s.secret.client-id-key` | No | `client-id` | Field name for client ID in the Secret |
+| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for client secret in the Secret |
-**Created Secret Format**:
+**Created Secret Format** (key names configurable via attributes):
 ```yaml
 apiVersion: v1
 kind: Secret
@@ -910,8 +912,8 @@ metadata:
 app.kubernetes.io/managed-by: keycloak-secret-syncer
 type: Opaque
 data:
- client-id:
- client-secret:
+ :
+ :
 ```
 **Verification**:
diff --git a/infra/values/gitea-values.yaml b/infra/values/gitea-values.yaml
index b20f588..4391799 100644
--- a/infra/values/gitea-values.yaml
+++ b/infra/values/gitea-values.yaml
@@ -70,7 +70,7 @@ gitea:
 - name: "Forte"
 provider: "openidConnect"
 existingSecret: gitea-oidc-credentials
- key: client-secret
+ key: gitea
 autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
 scopes: "openid email profile organization"
 groupClaimName: "groups"
diff --git a/infra/values/keycloak-values.yaml b/infra/values/keycloak-values.yaml
index d709513..c151afe 100644
--- a/infra/values/keycloak-values.yaml
+++ b/infra/values/keycloak-values.yaml
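Review bot: The new `key: gitea` under the `Forte` OAuth entry is most likely dead configuration, because `existingSecret: gitea-oidc-credentials` is set on the line above and the DEVELOPER-GUIDE note in this same commit states that the Gitea chart reads `key` and `secret` from that Secret. A reader will take `gitea` for the client ID the chart actually sends, and if the Secret's `key` field ever diverges from it this file will mislead debugging. If the chart does ignore `key` when `existingSecret` is present, drop the line or mark it, e.g. `key: gitea  # informational only: the chart takes key/secret from existingSecret`; if it does not, this value has to equal the Keycloak clientId of the gitea client and that coupling should be stated here.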
@@ -81,7 +81,9 @@ keycloakConfigCli:
 "attributes": {
 "k8s.secret.sync": "true",
 "k8s.secret.namespace": "gitea",
- "k8s.secret.name": "gitea-oidc-credentials"
+ "k8s.secret.name": "gitea-oidc-credentials",
+ "k8s.secret.client-id-key": "key",
+ "k8s.secret.client-secret-key": "secret"
 },
 "protocolMappers": [
 {
@@ -228,8 +230,9 @@ extraDeploy:
 }
 # Build a Secret JSON manifest
+ # Args: namespace, name, id-key, secret-key, b64-id, b64-secret
 build_manifest() {
- local ns="$1" name="$2" b64_id="$3" b64_secret="$4"
+ local ns="$1" name="$2" id_key="$3" secret_key="$4" b64_id="$5" b64_secret="$6"
 cat < secret '${TARGET_NS}/${TARGET_NAME}'"
+ # Configurable key names (defaults: client-id, client-secret)
+ ID_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-id-key"] // "client-id"')
+ SECRET_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-secret-key"] // "client-secret"')
+
+ echo "Processing client '${CLIENT_ID}' -> secret '${TARGET_NS}/${TARGET_NAME}' (keys: ${ID_KEY}, ${SECRET_KEY})"
 # Get the client secret from Keycloak
 SECRET_VALUE=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
@@ -278,14 +285,14 @@ extraDeploy:
 "${K8S_API}/api/v1/namespaces/${TARGET_NS}")
 if [ "$NS_STATUS" = "200" ]; then
- MANIFEST=$(build_manifest "$TARGET_NS" "$TARGET_NAME" "$B64_CLIENT_ID" "$B64_SECRET")
+ MANIFEST=$(build_manifest "$TARGET_NS" "$TARGET_NAME" "$ID_KEY" "$SECRET_KEY" "$B64_CLIENT_ID" "$B64_SECRET")
 upsert_secret "$TARGET_NS" "$TARGET_NAME" "$MANIFEST" || exit 1
 else
 echo " WARNING: Namespace '${TARGET_NS}' does not exist, skipping target"
 fi
 # 2. Always write a central copy to the secrets namespace
- CENTRAL_MANIFEST=$(build_manifest "$CENTRAL_NS" "$TARGET_NAME" "$B64_CLIENT_ID" "$B64_SECRET")
+ CENTRAL_MANIFEST=$(build_manifest "$CENTRAL_NS" "$TARGET_NAME" "$ID_KEY" "$SECRET_KEY" "$B64_CLIENT_ID" "$B64_SECRET")
 upsert_secret "$CENTRAL_NS" "$TARGET_NAME" "$CENTRAL_MANIFEST" || exit 1
 done
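Review bot: The central copy written to `${CENTRAL_NS}` now inherits the per-application key names, so Secrets in the central namespace no longer share one schema: the Gitea copy will carry `key`/`secret` while other clients carry `client-id`/`client-secret`, and anything that reads the central namespace by fixed field name (the DEVELOPER-GUIDE hunk header in this same diff still shows `jsonpath='{.data.client-se…'`, and its "Retrieving Secrets for External Deployments" section is not updated) breaks for renamed clients. Keep the central copy on the defaults and apply the custom names only to the target namespace: `CENTRAL_MANIFEST=$(build_manifest "$CENTRAL_NS" "$TARGET_NAME" "client-id" "client-secret" "$B64_CLIENT_ID" "$B64_SECRET")`. Separately, if `upsert_secret` merges into an existing Secret rather than replacing it (its body is outside this hunk), renaming the keys leaves the credential behind under the old `client-secret` field as well, so the upsert should replace the whole `data` map. The enclosing loop ends at the `done` inside the hunk but starts outside it.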