From 338b4de3baaf3548e98be4abd09ff944fe18d870 Mon Sep 17 00:00:00 2001
From: Sten
Date: Fri, 29 May 2026 14:05:29 +0200
Subject: [PATCH] refactor(apps): registrar-managed oidc creds, drop mcp client, DRY secret
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Per platform review (danijel):
- keycloak-client-forte-drop: add the secret{} block telling the registrar where to write the credential Secret + key names (forte-drop-oidc-credentials, client-id/client-secret). The forte-helm oidc sidecar consumes that registrar-created Secret — no manual auth-oidc SealedSecret step (removed that NOTE).
- Delete keycloak-client-forte-drop-mcp: auth.type: mcp auto-registers the MCP client; no manual config needed.
- Re-seal forte-drop-secrets with all shared env (BASE_DOMAIN, PG*, S3_*, PASSWORD_GATE_SECRET) so both deployments get identical values via envSecretName (values extraEnv now carries only APP_MODE).
---
.../keycloak-client-forte-drop-mcp.yaml | 27 -------------------
apps/base/forte-drop-mcp/kustomization.yaml | 9 +++----
.../forte-drop/forte-drop-secrets-sealed.yaml | 18 ++++++++-----
.../keycloak-client-forte-drop.yaml | 22 ++++++++++-----
apps/base/forte-drop/kustomization.yaml | 5 ----
5 files changed, 32 insertions(+), 49 deletions(-)
delete mode 100644 apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml
diff --git a/apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml b/apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml
deleted file mode 100644
index 228062a..0000000
--- a/apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# MCP audience client. RFC 7591 dynamic-registration capable MCP clients (e.g.,
-# Claude Desktop) discover this via /.well-known/oauth-protected-resource and
-# request tokens with aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp.
-apiVersion: v1
-kind: Secret
-metadata:
- name: keycloak-client-forte-drop-mcp
- namespace: forte-drop
- labels:
- keycloak.forteapps.net/client-config: "true"
-stringData:
- client.json: |
- {
- "clientId": "forte-drop-mcp",
- "name": "Forte Drop (MCP)",
- "enabled": true,
- "protocol": "openid-connect",
- "clientAuthenticatorType": "client-secret",
- "standardFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": false,
- "publicClient": false,
- "defaultClientScopes": ["openid","profile","email"],
- "attributes": {
- "access.token.lifespan": "3600"
- }
- }
diff --git a/apps/base/forte-drop-mcp/kustomization.yaml b/apps/base/forte-drop-mcp/kustomization.yaml
index e91a747..869f482 100644
--- a/apps/base/forte-drop-mcp/kustomization.yaml
+++ b/apps/base/forte-drop-mcp/kustomization.yaml
@@ -2,8 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - forte-drop-mcp.yaml
-- keycloak-client-forte-drop-mcp.yaml
-# Note: no auth-oidc Secret needed for type: mcp. The MCP sidecar only validates
-# tokens against the OIDC issuer (RFC 9728 resource server) and never authenticates
-# itself, so it doesn't read a client-secret. forte-drop-secrets (shared with the
-# web deployment) covers PG + S3 creds.
+# No keycloak-client config + no auth-oidc Secret for mcp mode. The chart's
+# auth.type: mcp auto-registers the MCP client; the sidecar is an RFC 9728
+# resource server that validates tokens (no client-secret of its own).
+# forte-drop-secrets (shared with web) covers PG + S3 creds.
diff --git a/apps/base/forte-drop/forte-drop-secrets-sealed.yaml b/apps/base/forte-drop/forte-drop-secrets-sealed.yaml
index fd6613b..0d5b90a 100644
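Review bot: The rewritten comment in the kustomization hunk drops the one fact the deleted client config recorded — the audience (`aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp`) that MCP clients request and the resource server is supposed to require — and says nothing about where that value is now pinned. A resource server that only checks issuer and signature accepts any token from the forte realm, including one minted for the web client, so the audience check is the one that matters once the explicit client is gone; whether `auth.type: mcp` derives it from the ingress host is not visible here. I would extend the new comment with something like `# The sidecar must still reject tokens whose aud is not the MCP resource URL (https://mcp.drop-k8s.hackathon.forteapps.net/mcp); auth.type: mcp is expected to configure that — verify in forte-helm.`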
--- a/apps/base/forte-drop/forte-drop-secrets-sealed.yaml
+++ b/apps/base/forte-drop/forte-drop-secrets-sealed.yaml
@@ -6,12 +6,18 @@ metadata:
 namespace: forte-drop
 spec:
 encryptedData:
- PASSWORD_GATE_SECRET: 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
- PGPASSWORD: 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
- PGUSER: AgAEyIU4lFCV6A7PyRyc2dTuE3HJW/2KkcDWxj1gOe7mtmmnDS6XhOIW0SMuIYOExNR+pUAiwadMmoGGUXj+k0r4VsnMEiG3HplAXr6FERNyxFtW8XnaXFA7++xOH5751fC6W5BIM5MLzt8YQQ6C8mrp4JXnUTm5K1iBjRH6WtggE5WS/tYV/Y5HryQ18fvyU6saHLzwzn1vJzxrFmCU0zsdglkBTfg+WBZh3f4ufOXFVrOQfm4AKjJclTEbMnqO0vupkbj6VRSKh5timPoNpqKuoA7PsD5YOCyiFzgFUnwAybg8hQAPJ8gMimvuEUxArbpd3bQDhQqBi0j9IZ7Z6ht1+DMp2niZfJ+B1S9R31OmERt/DtXjnMeN7/VDCpABmRUvJ7HJ2DVFUCE2S38V4QDXNRUjvmRgT3mEjMYNsoYnuFf9THqHc3Wzvq96hGnDSVEnLdBRp7WoPO++0WVRvBTM21nhqx2zGvw1HN718xpndhJGrDdRtod6DCnWzKsVHi2ndxo9ZsxCn6yLYn8aRjk9ElHlKFOQ8z6LDqMc4Yt7XbPCWysqH4pu0xyJoz7XmM5y6/y1mrXKhMTNdZm+kE3SiXtVJl8lJioQUo4gOjJs8LfOFM5dfU1IPkKW14tEv/DNvQqqZmAzK9qjXcARgaFulvBvMO4xn+PbYRHm0VwOVo0iwrBS0FHNP/+kVWmZ7TZ+BI5LCw==
- S3_ENDPOINT: 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
- S3_KEY: 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
- S3_SECRET: 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
+ BASE_DOMAIN: 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
+ PASSWORD_GATE_SECRET: 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
+ PGDATABASE: 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
+ PGHOST: 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
+ PGPASSWORD: 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
+ PGPORT: 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
+ PGUSER:
AgDH9oSzu61NVOUlK7Evr278VuOx7ZxZgdsk+kdJmwpBGX7r5gmPrdomh/mqLYTuLokkanFiTfchRWHc76FvjbA/KxqwCq1qsZbW+dXrRtx/z1wQApKxNUJ7JolwMwP7tHE6QlGzO2mWj6RUROnhKpNybJXVvC3E5sSyz2QWC9hjamQP997RGA9yiiT/OShC7I6drFYR5cRDtpjW7Sy46qhMwlCRppiKh3wOV7qIAa0aPQE3Rfcg2WpK2ugRL1N+SiVnM+wPQwYVLiDaVF40vP40Kari99hIgmhcbjPeGG3kGX5VLww9KGm7iryrW3Yx45L/CCh1arUUpjkK2FGLVKtb3+YmDadnOA/I8Rr5kebhoMc93E3U3+mDfQA3cO/23xgpOJEGRCQwBlN9mazqkdq4zQkb4+nuxsdyQcxYtncgxhfCcZ0mXnbX2aW2kYcxKqa/jNjBcEpGMvos7dq6QzNq2nHrITo15S74M0292CAje2NFvKURA/KZnT26dDw3e5xa74E1nI/tBJEHWrUwRXpPu7naCZ2sZMxQV6ixQMuDakx3YamXZmMwgFO2FZ6ZL9BDDsbV4+JAsNwEaHGIIaTbE28R/xPIcUqcxrQV4ZWmHnJXFGyJ0XXxJ57GGjs7QwvvzAm+9WGYtlSC6H/8rX8uZIQLr3llVbJMuLpIv45i3p0Nkx8jyxGSG3rNQ4l3K0rjly2qZg==
+ S3_BUCKET: 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
+ S3_ENDPOINT: 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
+ S3_KEY: AgAiciTM2ZNVlU1M1CNNXLkhCEYYbO7q5+Mp/DoC4OHBgIDKVfHurH39Dniuwxe6DcvE3vG2glRyTxQEg/ASLcwa7HBwBAwXe3wl1tRGM5Bp40/Vq935BXpkhcdp2fSoup8lPEbKS8q+L5LOqUlx7jmnkHXbI1tasz63KE8O9RUFDdQ8Gxy3nn/u4xkvibYxwmo60ApLKYgOu/ODPEETrWBcITHAVFUxbA8Kr9X9mPm3VpfrnFcUlxsCFr/zZwE/Y01eWdi8GGafb+apDPKMd7mAsLHFcPIQlpkHVT1M21qwwntZg9yV0RBACNu5BVPUgbmtUOQeWYMXn3FE+NJ7ajfdKAUCcEUV/f4s00b0S7jJTJwOUixDquMKSfu00AwDRCs8UcouikZe110uWnfEF3tVE0xQGF/3ItLni9VugBz7wQv7ACvmwnHmX5ZcjE0hxYcIS7ABWgHOZxgWoRWPao8eNAATipafcVIG1szl5ZMNTmAqHFyp2dlNU3zaiW6fz4q4CU7SrlhsrtqYM788qHvpJvDpFdF/i6oitH9CgpwmdCpH6YbBXxatnkWq9bqjEFcSZGDfDyT+iZaoPwhiOfaEoCyKlZ9RLLaK3E8zFcCDRXHnvnkqPtP/+VG30xz9pIat2EVB1N4b/kVIrr+fIM28mwk0vkC/tU8T55GF5BZr7VaYedHM9DVcQ4OJl7Ctrc9Ki8PXrne8gywyomA0F+YY9lxdDw==
+ S3_REGION: 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
+ S3_SECRET:
AgCcVQ7YtBAGpKBm+rE/hQBHrFlX5O0JO94xkZeoAppA9Tf8YR/PguZRGBWgLdNEJRI8C08lRRCUX3PY68jTySyjamb32iQkslOXGjAfnULeNGoGg05nLY2ZDYCEom6ieL8cc2xfbrV3yHoPQ7yVz9vcLjh1vATxyfdkqMapl8FpvQf0k0Zecmw3rLWE9y6vAn6Gb+/CWTnuhcW/8uDykmjIBTDQQddWshaZi+HosHyDbNxlnGj4U8mie68wytpS+Unp1gIWWE0hvelqO/3OUEEBB1OYMLV2DW8v86HXAE1Ix9jiCpSbyB+UzjOlrE/p4fJpeG4FtUC+/5ibRSxxgQRQYklKFJmdRDYWUnOngjgcT/Ewe41mTrpCUvb+jtir68pYLmVrLoha7S60w1YQHNkDAN2GftOyBjkkt6MtUDNzvNkfnKqKGUWyDSC27yfJdE/9k/4lDxQs0Sp20kIuz66/culBpg/s/oPSNs4SolCqG3GVLlKL775uqwLLuDN3txlPLb+Ex5vZAUapke+rn2zXzJVc1qlPfI/96vSEy6cx58LXdBadmBXn6c4Uy2MDa66EwsxOMXxzGLTd7AGkd5oeQVYfVPdTfGV5zx1AdzQhP3u/DD5FhKeWGDOr21iYB2jNm/P/hw0nFP2pf83W4/jLzPvuth1LF/WLF8cjclnGbcep2Kxrh/Xq0LmufofuVJyEI9/fl6onl5KIa6ZnVBJ8TsQesXJtNEKt9cPHiCvBKfLj5C+a4FlY
 template:
 metadata:
 name: forte-drop-secrets
diff --git a/apps/base/forte-drop/keycloak-client-forte-drop.yaml b/apps/base/forte-drop/keycloak-client-forte-drop.yaml
index b7d6e85..0d79e1a 100644
--- a/apps/base/forte-drop/keycloak-client-forte-drop.yaml
+++ b/apps/base/forte-drop/keycloak-client-forte-drop.yaml
@@ -1,8 +1,8 @@
-# Labeled config Secret read by the Keycloak Client Registrar. The registrar will
-# create the OIDC client in the forte realm and write the resulting credentials
-# back into forte-drop-oidc-credentials Secret in this namespace within ~2 min.
-# That client-secret then gets manually copied into the auth-oidc SealedSecret
-# (one-time per cluster; see PR description).
+# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
+# to the keycloak namespace; a CronJob registers the OIDC client in the forte
+# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
+# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
+# registrar-created Secret automatically — no manual SealedSecret step needed.
 apiVersion: v1
 kind: Secret
 metadata:
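Review bot: The keys added to encryptedData in this hunk — BASE_DOMAIN, PGHOST, PGPORT, PGDATABASE, S3_ENDPOINT, S3_BUCKET, S3_REGION — are connection parameters rather than secrets, and sealing them next to PGPASSWORD, S3_KEY, S3_SECRET and PASSWORD_GATE_SECRET makes them unreviewable in git: a wrong host or bucket only shows up when the pods start, and every change to them now needs a re-seal against the cluster key. Keeping only the confidential keys in this SealedSecret and putting the rest in a ConfigMap consumed by both deployments would preserve the "identical values for web and MCP" property while leaving the values diffable. If the single-Secret layout is kept for DRY reasons, the file should at least say which keys are actually sensitive, e.g. above `encryptedData:`: `# Only PGPASSWORD, S3_KEY, S3_SECRET and PASSWORD_GATE_SECRET are confidential; the other keys are sealed only so both deployments share one envSecretName.` Note that the ciphertexts cannot confirm that the two deployments really received identical values, so that claim rests on the sealing procedure, not on anything visible here.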
@@ -10,6 +10,8 @@ metadata:
 namespace: forte-drop
 labels:
 keycloak.forteapps.net/client-config: "true"
+ annotations:
+ keycloak.forteapps.net/source-namespace: "forte-drop"
 stringData:
 client.json: |
 {
@@ -24,5 +26,13 @@ stringData:
 "publicClient": false,
 "redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
 "webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],
- "defaultClientScopes": ["openid","email","profile"]
+ "defaultClientScopes": ["openid","email","profile"],
+ "secret": {
+ "namespace": "forte-drop",
+ "name": "forte-drop-oidc-credentials",
+ "keys": {
+ "clientId": "client-id",
+ "clientSecret": "client-secret"
+ }
+ }
 }
diff --git a/apps/base/forte-drop/kustomization.yaml b/apps/base/forte-drop/kustomization.yaml
index 83e7172..080f3f7 100644
--- a/apps/base/forte-drop/kustomization.yaml
+++ b/apps/base/forte-drop/kustomization.yaml
@@ -6,8 +6,3 @@ resources:
 - keycloak-client-forte-drop.yaml
 - forte-drop-pdb.yaml
 - forte-drop-secrets-sealed.yaml
-
-# NOTE: the web sidecar's auth-oidc SealedSecret is added in a follow-up commit,
-# once the Keycloak registrar has created forte-drop-oidc-credentials post-deploy
-# (see PR description for the one-time seal step). It is intentionally NOT a
-# resource here yet — sealing it requires the registrar-generated client-secret.
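Review bot: The new top-level `"secret": {...}` object in client.json (second hunk of keycloak-client-forte-drop.yaml) reuses the name of `secret` in Keycloak's ClientRepresentation, where it is the string field carrying the client secret itself; if the registrar forwards client.json to the admin API without stripping this object, the create call will either fail or treat the object as the credential, so either confirm the registrar removes it or pick a key that is not a representation field (a sibling data key such as `registrar.json` would avoid the overlap entirely). The same two hunks now state the target namespace three times — metadata.namespace, the new `source-namespace` annotation and `secret.namespace` — and since the config Secret is cloned into the keycloak namespace before the CronJob reads it, the registrar is the only component that can refuse a write-back to a namespace other than the source; nothing in this file says whether it does. I would add above the block: `# "secret" is consumed by the registrar (must be stripped before the Keycloak admin call); namespace must equal metadata.namespace — the registrar should reject any other value.`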