client secret fixes

docs/DEVELOPER-GUIDE.md

@@ -1283,7 +1283,9 @@ In `infra/values/keycloak-values.yaml`, add a new entry to the `clients` array i
   "attributes": {
     "k8s.secret.sync": "true",
     "k8s.secret.namespace": "myapp",
-    "k8s.secret.name": "myapp-oidc-credentials"
+    "k8s.secret.name": "myapp-oidc-credentials",
+    "k8s.secret.client-id-key": "key",
+    "k8s.secret.client-secret-key": "secret"
   }
 }
 ```
@@ -1292,6 +1294,7 @@ In `infra/values/keycloak-values.yaml`, add a new entry to the `clients` array i
 - Do **NOT** include a `"secret"` field — Keycloak generates one automatically
 - The `attributes` block tells the syncer where to create the K8s Secret
 - The target namespace must exist before the syncer runs (ArgoCD creates it via `CreateNamespace=true`)
+- Set `client-id-key` / `client-secret-key` to match what the consuming app expects (defaults: `client-id` / `client-secret`)
 
 ### Step 2: Reference the Secret in Your Application
 
@@ -1345,11 +1348,15 @@ kubectl get secret myapp-oidc-credentials -n myapp -o jsonpath='{.data.client-se
 
 ### Sync Attribute Reference
 
-| Attribute | Required | Description |
-|-----------|----------|-------------|
-| `k8s.secret.sync` | Yes | Set to `"true"` to enable syncing |
-| `k8s.secret.namespace` | Yes | Target K8s namespace for the secret |
-| `k8s.secret.name` | Yes | Name of the K8s Secret to create |
+| Attribute | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
+| `k8s.secret.namespace` | Yes | — | Target K8s namespace for the secret |
+| `k8s.secret.name` | Yes | — | Name of the K8s Secret to create |
+| `k8s.secret.client-id-key` | No | `client-id` | Field name for the client ID in the K8s Secret |
+| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for the client secret in the K8s Secret |
+
+**Note on key names:** Different applications expect different field names. For example, the Gitea Helm chart expects `key` and `secret`, while a generic OIDC consumer might expect `client-id` and `client-secret`. Use the optional key attributes to match what the consuming application expects.
 
 ### Retrieving Secrets for External Deployments
 

docs/REFERENCE.md

@@ -893,13 +893,15 @@ dind:
 
 **Client Attributes** (set in `forte-realm.json`):
 
-| Attribute | Description |
-|-----------|-------------|
-| `k8s.secret.sync` | Set to `"true"` to enable syncing |
-| `k8s.secret.namespace` | Target K8s namespace |
-| `k8s.secret.name` | Name of the K8s Secret |
+| Attribute | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
+| `k8s.secret.namespace` | Yes | — | Target K8s namespace |
+| `k8s.secret.name` | Yes | — | Name of the K8s Secret |
+| `k8s.secret.client-id-key` | No | `client-id` | Field name for client ID in the Secret |
+| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for client secret in the Secret |
 
-**Created Secret Format**:
+**Created Secret Format** (key names configurable via attributes):
 ```yaml
 apiVersion: v1
 kind: Secret
@@ -910,8 +912,8 @@ metadata:
     app.kubernetes.io/managed-by: keycloak-secret-syncer
 type: Opaque
 data:
-  client-id: <base64-encoded client ID>
-  client-secret: <base64-encoded client secret>
+  <client-id-key>: <base64-encoded client ID>
+  <client-secret-key>: <base64-encoded client secret>
 ```
 
 **Verification**:

infra/values/gitea-values.yaml

@@ -70,7 +70,7 @@ gitea:
   - name: "Forte"
     provider: "openidConnect"
     existingSecret: gitea-oidc-credentials
-    key: client-secret
+    key: gitea
     autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
     scopes: "openid email profile organization"
     groupClaimName: "groups"

infra/values/keycloak-values.yaml

@@ -81,7 +81,9 @@ keycloakConfigCli:
             "attributes": {
               "k8s.secret.sync": "true",
               "k8s.secret.namespace": "gitea",
-              "k8s.secret.name": "gitea-oidc-credentials"
+              "k8s.secret.name": "gitea-oidc-credentials",
+              "k8s.secret.client-id-key": "key",
+              "k8s.secret.client-secret-key": "secret"
             },
             "protocolMappers": [
               {
@@ -228,8 +230,9 @@ extraDeploy:
             }
 
             # Build a Secret JSON manifest
+            # Args: namespace, name, id-key, secret-key, b64-id, b64-secret
             build_manifest() {
-              local ns="$1" name="$2" b64_id="$3" b64_secret="$4"
+              local ns="$1" name="$2" id_key="$3" secret_key="$4" b64_id="$5" b64_secret="$6"
               cat <<MANIFEST
             {
               "apiVersion": "v1",
@@ -243,8 +246,8 @@ extraDeploy:
               },
               "type": "Opaque",
               "data": {
-                "client-id": "${b64_id}",
-                "client-secret": "${b64_secret}"
+                "${id_key}": "${b64_id}",
+                "${secret_key}": "${b64_secret}"
               }
             }
             MANIFEST
@@ -256,7 +259,11 @@ extraDeploy:
               TARGET_NS=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.namespace"]')
               TARGET_NAME=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.name"]')
 
-              echo "Processing client '${CLIENT_ID}' -> secret '${TARGET_NS}/${TARGET_NAME}'"
+              # Configurable key names (defaults: client-id, client-secret)
+              ID_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-id-key"] // "client-id"')
+              SECRET_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-secret-key"] // "client-secret"')
+
+              echo "Processing client '${CLIENT_ID}' -> secret '${TARGET_NS}/${TARGET_NAME}' (keys: ${ID_KEY}, ${SECRET_KEY})"
 
               # Get the client secret from Keycloak
               SECRET_VALUE=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
@@ -278,14 +285,14 @@ extraDeploy:
                 "${K8S_API}/api/v1/namespaces/${TARGET_NS}")
 
               if [ "$NS_STATUS" = "200" ]; then
-                MANIFEST=$(build_manifest "$TARGET_NS" "$TARGET_NAME" "$B64_CLIENT_ID" "$B64_SECRET")
+                MANIFEST=$(build_manifest "$TARGET_NS" "$TARGET_NAME" "$ID_KEY" "$SECRET_KEY" "$B64_CLIENT_ID" "$B64_SECRET")
                 upsert_secret "$TARGET_NS" "$TARGET_NAME" "$MANIFEST" || exit 1
               else
                 echo "  WARNING: Namespace '${TARGET_NS}' does not exist, skipping target"
               fi
 
               # 2. Always write a central copy to the secrets namespace
-              CENTRAL_MANIFEST=$(build_manifest "$CENTRAL_NS" "$TARGET_NAME" "$B64_CLIENT_ID" "$B64_SECRET")
+              CENTRAL_MANIFEST=$(build_manifest "$CENTRAL_NS" "$TARGET_NAME" "$ID_KEY" "$SECRET_KEY" "$B64_CLIENT_ID" "$B64_SECRET")
               upsert_secret "$CENTRAL_NS" "$TARGET_NAME" "$CENTRAL_MANIFEST" || exit 1
             done