client secret fixes
Some checks failed
Deploy Gitea Pages / build-and-deploy (push) Failing after 6m6s
Some checks failed
Deploy Gitea Pages / build-and-deploy (push) Failing after 6m6s
This commit is contained in:
@@ -1283,7 +1283,9 @@ In `infra/values/keycloak-values.yaml`, add a new entry to the `clients` array i
|
|||||||
"attributes": {
|
"attributes": {
|
||||||
"k8s.secret.sync": "true",
|
"k8s.secret.sync": "true",
|
||||||
"k8s.secret.namespace": "myapp",
|
"k8s.secret.namespace": "myapp",
|
||||||
"k8s.secret.name": "myapp-oidc-credentials"
|
"k8s.secret.name": "myapp-oidc-credentials",
|
||||||
|
"k8s.secret.client-id-key": "key",
|
||||||
|
"k8s.secret.client-secret-key": "secret"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
@@ -1292,6 +1294,7 @@ In `infra/values/keycloak-values.yaml`, add a new entry to the `clients` array i
|
|||||||
- Do **NOT** include a `"secret"` field — Keycloak generates one automatically
|
- Do **NOT** include a `"secret"` field — Keycloak generates one automatically
|
||||||
- The `attributes` block tells the syncer where to create the K8s Secret
|
- The `attributes` block tells the syncer where to create the K8s Secret
|
||||||
- The target namespace must exist before the syncer runs (ArgoCD creates it via `CreateNamespace=true`)
|
- The target namespace must exist before the syncer runs (ArgoCD creates it via `CreateNamespace=true`)
|
||||||
|
- Set `client-id-key` / `client-secret-key` to match what the consuming app expects (defaults: `client-id` / `client-secret`)
|
||||||
|
|
||||||
### Step 2: Reference the Secret in Your Application
|
### Step 2: Reference the Secret in Your Application
|
||||||
|
|
||||||
@@ -1345,11 +1348,15 @@ kubectl get secret myapp-oidc-credentials -n myapp -o jsonpath='{.data.client-se
|
|||||||
|
|
||||||
### Sync Attribute Reference
|
### Sync Attribute Reference
|
||||||
|
|
||||||
| Attribute | Required | Description |
|
| Attribute | Required | Default | Description |
|
||||||
|-----------|----------|-------------|
|
|-----------|----------|---------|-------------|
|
||||||
| `k8s.secret.sync` | Yes | Set to `"true"` to enable syncing |
|
| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
|
||||||
| `k8s.secret.namespace` | Yes | Target K8s namespace for the secret |
|
| `k8s.secret.namespace` | Yes | — | Target K8s namespace for the secret |
|
||||||
| `k8s.secret.name` | Yes | Name of the K8s Secret to create |
|
| `k8s.secret.name` | Yes | — | Name of the K8s Secret to create |
|
||||||
|
| `k8s.secret.client-id-key` | No | `client-id` | Field name for the client ID in the K8s Secret |
|
||||||
|
| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for the client secret in the K8s Secret |
|
||||||
|
|
||||||
|
**Note on key names:** Different applications expect different field names. For example, the Gitea Helm chart expects `key` and `secret`, while a generic OIDC consumer might expect `client-id` and `client-secret`. Use the optional key attributes to match what the consuming application expects.
|
||||||
|
|
||||||
### Retrieving Secrets for External Deployments
|
### Retrieving Secrets for External Deployments
|
||||||
|
|
||||||
|
|||||||
@@ -893,13 +893,15 @@ dind:
|
|||||||
|
|
||||||
**Client Attributes** (set in `forte-realm.json`):
|
**Client Attributes** (set in `forte-realm.json`):
|
||||||
|
|
||||||
| Attribute | Description |
|
| Attribute | Required | Default | Description |
|
||||||
|-----------|-------------|
|
|-----------|----------|---------|-------------|
|
||||||
| `k8s.secret.sync` | Set to `"true"` to enable syncing |
|
| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
|
||||||
| `k8s.secret.namespace` | Target K8s namespace |
|
| `k8s.secret.namespace` | Yes | — | Target K8s namespace |
|
||||||
| `k8s.secret.name` | Name of the K8s Secret |
|
| `k8s.secret.name` | Yes | — | Name of the K8s Secret |
|
||||||
|
| `k8s.secret.client-id-key` | No | `client-id` | Field name for client ID in the Secret |
|
||||||
|
| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for client secret in the Secret |
|
||||||
|
|
||||||
**Created Secret Format**:
|
**Created Secret Format** (key names configurable via attributes):
|
||||||
```yaml
|
```yaml
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Secret
|
kind: Secret
|
||||||
@@ -910,8 +912,8 @@ metadata:
|
|||||||
app.kubernetes.io/managed-by: keycloak-secret-syncer
|
app.kubernetes.io/managed-by: keycloak-secret-syncer
|
||||||
type: Opaque
|
type: Opaque
|
||||||
data:
|
data:
|
||||||
client-id: <base64-encoded client ID>
|
<client-id-key>: <base64-encoded client ID>
|
||||||
client-secret: <base64-encoded client secret>
|
<client-secret-key>: <base64-encoded client secret>
|
||||||
```
|
```
|
||||||
|
|
||||||
**Verification**:
|
**Verification**:
|
||||||
|
|||||||
@@ -70,7 +70,7 @@ gitea:
|
|||||||
- name: "Forte"
|
- name: "Forte"
|
||||||
provider: "openidConnect"
|
provider: "openidConnect"
|
||||||
existingSecret: gitea-oidc-credentials
|
existingSecret: gitea-oidc-credentials
|
||||||
key: client-secret
|
key: gitea
|
||||||
autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
|
autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
|
||||||
scopes: "openid email profile organization"
|
scopes: "openid email profile organization"
|
||||||
groupClaimName: "groups"
|
groupClaimName: "groups"
|
||||||
|
|||||||
@@ -81,7 +81,9 @@ keycloakConfigCli:
|
|||||||
"attributes": {
|
"attributes": {
|
||||||
"k8s.secret.sync": "true",
|
"k8s.secret.sync": "true",
|
||||||
"k8s.secret.namespace": "gitea",
|
"k8s.secret.namespace": "gitea",
|
||||||
"k8s.secret.name": "gitea-oidc-credentials"
|
"k8s.secret.name": "gitea-oidc-credentials",
|
||||||
|
"k8s.secret.client-id-key": "key",
|
||||||
|
"k8s.secret.client-secret-key": "secret"
|
||||||
},
|
},
|
||||||
"protocolMappers": [
|
"protocolMappers": [
|
||||||
{
|
{
|
||||||
@@ -228,8 +230,9 @@ extraDeploy:
|
|||||||
}
|
}
|
||||||
|
|
||||||
# Build a Secret JSON manifest
|
# Build a Secret JSON manifest
|
||||||
|
# Args: namespace, name, id-key, secret-key, b64-id, b64-secret
|
||||||
build_manifest() {
|
build_manifest() {
|
||||||
local ns="$1" name="$2" b64_id="$3" b64_secret="$4"
|
local ns="$1" name="$2" id_key="$3" secret_key="$4" b64_id="$5" b64_secret="$6"
|
||||||
cat <<MANIFEST
|
cat <<MANIFEST
|
||||||
{
|
{
|
||||||
"apiVersion": "v1",
|
"apiVersion": "v1",
|
||||||
@@ -243,8 +246,8 @@ extraDeploy:
|
|||||||
},
|
},
|
||||||
"type": "Opaque",
|
"type": "Opaque",
|
||||||
"data": {
|
"data": {
|
||||||
"client-id": "${b64_id}",
|
"${id_key}": "${b64_id}",
|
||||||
"client-secret": "${b64_secret}"
|
"${secret_key}": "${b64_secret}"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
MANIFEST
|
MANIFEST
|
||||||
@@ -256,7 +259,11 @@ extraDeploy:
|
|||||||
TARGET_NS=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.namespace"]')
|
TARGET_NS=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.namespace"]')
|
||||||
TARGET_NAME=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.name"]')
|
TARGET_NAME=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.name"]')
|
||||||
|
|
||||||
echo "Processing client '${CLIENT_ID}' -> secret '${TARGET_NS}/${TARGET_NAME}'"
|
# Configurable key names (defaults: client-id, client-secret)
|
||||||
|
ID_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-id-key"] // "client-id"')
|
||||||
|
SECRET_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-secret-key"] // "client-secret"')
|
||||||
|
|
||||||
|
echo "Processing client '${CLIENT_ID}' -> secret '${TARGET_NS}/${TARGET_NAME}' (keys: ${ID_KEY}, ${SECRET_KEY})"
|
||||||
|
|
||||||
# Get the client secret from Keycloak
|
# Get the client secret from Keycloak
|
||||||
SECRET_VALUE=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
|
SECRET_VALUE=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
|
||||||
@@ -278,14 +285,14 @@ extraDeploy:
|
|||||||
"${K8S_API}/api/v1/namespaces/${TARGET_NS}")
|
"${K8S_API}/api/v1/namespaces/${TARGET_NS}")
|
||||||
|
|
||||||
if [ "$NS_STATUS" = "200" ]; then
|
if [ "$NS_STATUS" = "200" ]; then
|
||||||
MANIFEST=$(build_manifest "$TARGET_NS" "$TARGET_NAME" "$B64_CLIENT_ID" "$B64_SECRET")
|
MANIFEST=$(build_manifest "$TARGET_NS" "$TARGET_NAME" "$ID_KEY" "$SECRET_KEY" "$B64_CLIENT_ID" "$B64_SECRET")
|
||||||
upsert_secret "$TARGET_NS" "$TARGET_NAME" "$MANIFEST" || exit 1
|
upsert_secret "$TARGET_NS" "$TARGET_NAME" "$MANIFEST" || exit 1
|
||||||
else
|
else
|
||||||
echo " WARNING: Namespace '${TARGET_NS}' does not exist, skipping target"
|
echo " WARNING: Namespace '${TARGET_NS}' does not exist, skipping target"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# 2. Always write a central copy to the secrets namespace
|
# 2. Always write a central copy to the secrets namespace
|
||||||
CENTRAL_MANIFEST=$(build_manifest "$CENTRAL_NS" "$TARGET_NAME" "$B64_CLIENT_ID" "$B64_SECRET")
|
CENTRAL_MANIFEST=$(build_manifest "$CENTRAL_NS" "$TARGET_NAME" "$ID_KEY" "$SECRET_KEY" "$B64_CLIENT_ID" "$B64_SECRET")
|
||||||
upsert_secret "$CENTRAL_NS" "$TARGET_NAME" "$CENTRAL_MANIFEST" || exit 1
|
upsert_secret "$CENTRAL_NS" "$TARGET_NAME" "$CENTRAL_MANIFEST" || exit 1
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user