client secret fixes

2026-04-16 15:04:27 +02:00
parent 7e10954a8f
commit 020dfeffd4
4 changed files with 38 additions and 22 deletions
--- a/infra/values/keycloak-values.yaml
+++ b/infra/values/keycloak-values.yaml
@@ -81,7 +81,9 @@ keycloakConfigCli:
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "gitea",
-              "k8s.secret.name": "gitea-oidc-credentials"
+              "k8s.secret.name": "gitea-oidc-credentials",
+              "k8s.secret.client-id-key": "key",
+              "k8s.secret.client-secret-key": "secret"
            },
            "protocolMappers": [
              {
@@ -228,8 +230,9 @@ extraDeploy:
            }

            # Build a Secret JSON manifest
+            # Args: namespace, name, id-key, secret-key, b64-id, b64-secret
            build_manifest() {
-              local ns="$1" name="$2" b64_id="$3" b64_secret="$4"
+              local ns="$1" name="$2" id_key="$3" secret_key="$4" b64_id="$5" b64_secret="$6"
              cat <<MANIFEST
            {
              "apiVersion": "v1",
@@ -243,8 +246,8 @@ extraDeploy:
              },
              "type": "Opaque",
              "data": {
-                "client-id": "${b64_id}",
-                "client-secret": "${b64_secret}"
+                "${id_key}": "${b64_id}",
+                "${secret_key}": "${b64_secret}"
              }
            }
            MANIFEST
@@ -256,7 +259,11 @@ extraDeploy:
              TARGET_NS=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.namespace"]')
              TARGET_NAME=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.name"]')

-              echo "Processing client '${CLIENT_ID}' -> secret '${TARGET_NS}/${TARGET_NAME}'"
+              # Configurable key names (defaults: client-id, client-secret)
+              ID_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-id-key"] // "client-id"')
+              SECRET_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-secret-key"] // "client-secret"')
+
+              echo "Processing client '${CLIENT_ID}' -> secret '${TARGET_NS}/${TARGET_NAME}' (keys: ${ID_KEY}, ${SECRET_KEY})"

              # Get the client secret from Keycloak
              SECRET_VALUE=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
@@ -278,14 +285,14 @@ extraDeploy:
                "${K8S_API}/api/v1/namespaces/${TARGET_NS}")

              if [ "$NS_STATUS" = "200" ]; then
-                MANIFEST=$(build_manifest "$TARGET_NS" "$TARGET_NAME" "$B64_CLIENT_ID" "$B64_SECRET")
+                MANIFEST=$(build_manifest "$TARGET_NS" "$TARGET_NAME" "$ID_KEY" "$SECRET_KEY" "$B64_CLIENT_ID" "$B64_SECRET")
                upsert_secret "$TARGET_NS" "$TARGET_NAME" "$MANIFEST" || exit 1
              else
                echo "  WARNING: Namespace '${TARGET_NS}' does not exist, skipping target"
              fi

              # 2. Always write a central copy to the secrets namespace
-              CENTRAL_MANIFEST=$(build_manifest "$CENTRAL_NS" "$TARGET_NAME" "$B64_CLIENT_ID" "$B64_SECRET")
+              CENTRAL_MANIFEST=$(build_manifest "$CENTRAL_NS" "$TARGET_NAME" "$ID_KEY" "$SECRET_KEY" "$B64_CLIENT_ID" "$B64_SECRET")
              upsert_secret "$CENTRAL_NS" "$TARGET_NAME" "$CENTRAL_MANIFEST" || exit 1
            done