client secret fixes
Some checks failed
Deploy Gitea Pages / build-and-deploy (push) Failing after 6m6s

This commit is contained in:
2026-04-16 15:04:27 +02:00
parent 7e10954a8f
commit 020dfeffd4
4 changed files with 38 additions and 22 deletions

View File

@@ -1283,7 +1283,9 @@ In `infra/values/keycloak-values.yaml`, add a new entry to the `clients` array i
"attributes": {
"k8s.secret.sync": "true",
"k8s.secret.namespace": "myapp",
"k8s.secret.name": "myapp-oidc-credentials"
"k8s.secret.name": "myapp-oidc-credentials",
"k8s.secret.client-id-key": "key",
"k8s.secret.client-secret-key": "secret"
}
}
```
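Review bot: The Step 1 example now hard-codes `"k8s.secret.client-id-key": "key"` and `"k8s.secret.client-secret-key": "secret"` in what is otherwise a generic `myapp` client, which makes the two optional attributes look mandatory and bakes in the Gitea chart's field names instead of the defaults (`client-id` / `client-secret`) documented in the same section. Suggest dropping the two lines from the base example and showing them as an override, or adding an inline note that these values are specific to the Gitea Helm chart.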
@@ -1292,6 +1294,7 @@ In `infra/values/keycloak-values.yaml`, add a new entry to the `clients` array i
- Do **NOT** include a `"secret"` field — Keycloak generates one automatically
- The `attributes` block tells the syncer where to create the K8s Secret
- The target namespace must exist before the syncer runs (ArgoCD creates it via `CreateNamespace=true`)
- Set `client-id-key` / `client-secret-key` to match what the consuming app expects (defaults: `client-id` / `client-secret`)
### Step 2: Reference the Secret in Your Application
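Review bot: The new bullet refers to `client-id-key` / `client-secret-key` without the `k8s.secret.` prefix used everywhere else in this section; write the full attribute names so a reader searching the doc for the exact key lands on this line. A short pointer to the Sync Attribute Reference table would also avoid repeating the defaults here, where they can drift from the table.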
@@ -1345,11 +1348,15 @@ kubectl get secret myapp-oidc-credentials -n myapp -o jsonpath='{.data.client-se
### Sync Attribute Reference
| Attribute | Required | Description |
|-----------|----------|-------------|
| `k8s.secret.sync` | Yes | Set to `"true"` to enable syncing |
| `k8s.secret.namespace` | Yes | Target K8s namespace for the secret |
| `k8s.secret.name` | Yes | Name of the K8s Secret to create |
| Attribute | Required | Default | Description |
|-----------|----------|---------|-------------|
| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
| `k8s.secret.namespace` | Yes | — | Target K8s namespace for the secret |
| `k8s.secret.name` | Yes | — | Name of the K8s Secret to create |
| `k8s.secret.client-id-key` | No | `client-id` | Field name for the client ID in the K8s Secret |
| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for the client secret in the K8s Secret |
**Note on key names:** Different applications expect different field names. For example, the Gitea Helm chart expects `key` and `secret`, while a generic OIDC consumer might expect `client-id` and `client-secret`. Use the optional key attributes to match what the consuming application expects.
### Retrieving Secrets for External Deployments
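Review bot: The reference table does not say how the syncer behaves on bad input for the two new attributes: an empty string, a value that is not a valid Secret data key (Kubernetes accepts only alphanumerics, `-`, `_` and `.`), or both attributes set to the same name so one value overwrites the other. Suggest one line under the table stating whether the syncer falls back to the defaults, skips the client, or writes the Secret as-is in each of those cases.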

View File

@@ -893,13 +893,15 @@ dind:
**Client Attributes** (set in `forte-realm.json`):
| Attribute | Description |
|-----------|-------------|
| `k8s.secret.sync` | Set to `"true"` to enable syncing |
| `k8s.secret.namespace` | Target K8s namespace |
| `k8s.secret.name` | Name of the K8s Secret |
| Attribute | Required | Default | Description |
|-----------|----------|---------|-------------|
| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
| `k8s.secret.namespace` | Yes | — | Target K8s namespace |
| `k8s.secret.name` | Yes | — | Name of the K8s Secret |
| `k8s.secret.client-id-key` | No | `client-id` | Field name for client ID in the Secret |
| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for client secret in the Secret |
**Created Secret Format**:
**Created Secret Format** (key names configurable via attributes):
```yaml
apiVersion: v1
kind: Secret
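Review bot: This table duplicates the Sync Attribute Reference added to the other file in this commit with slightly different Description wording, so the two copies will drift; consider keeping one canonical table and linking to it from here. The lead line also says the attributes are set in `forte-realm.json`, while the other document tells the reader to add the client entry in `infra/values/keycloak-values.yaml`; the two docs should agree on, or explain, where the client definition actually lives.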
@@ -910,8 +912,8 @@ metadata:
app.kubernetes.io/managed-by: keycloak-secret-syncer
type: Opaque
data:
client-id: <base64-encoded client ID>
client-secret: <base64-encoded client secret>
<client-id-key>: <base64-encoded client ID>
<client-secret-key>: <base64-encoded client secret>
```
**Verification**:
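Review bot: Replacing the concrete keys with `<client-id-key>` / `<client-secret-key>` placeholders removes the only example of what the default Secret looks like; keep the `client-id:` / `client-secret:` form and note that the key names follow the attributes. The section also does not say what happens to a Secret that already exists when the key attributes are changed later, and whether the old keys are removed or left beside the new ones matters to a consumer still reading the old field name.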