refactor(apps): registrar-managed oidc creds, drop mcp client, DRY secret
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 5s
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 5s
Per platform review (danijel):
- keycloak-client-forte-drop: add the secret{} block telling the
registrar where to write the credential Secret + key names
(forte-drop-oidc-credentials, client-id/client-secret). The
forte-helm oidc sidecar consumes that registrar-created Secret —
no manual auth-oidc SealedSecret step (removed that NOTE).
- Delete keycloak-client-forte-drop-mcp: auth.type: mcp auto-registers
the MCP client; no manual config needed.
- Re-seal forte-drop-secrets with all shared env (BASE_DOMAIN, PG*,
S3_*, PASSWORD_GATE_SECRET) so both deployments get identical values
via envSecretName (values extraEnv now carries only APP_MODE).
This commit is contained in:
Sten
@@ -1,8 +1,8 @@
|
||||
# Labeled config Secret read by the Keycloak Client Registrar. The registrar will
|
||||
# create the OIDC client in the forte realm and write the resulting credentials
|
||||
# back into forte-drop-oidc-credentials Secret in this namespace within ~2 min.
|
||||
# That client-secret then gets manually copied into the auth-oidc SealedSecret
|
||||
# (one-time per cluster; see PR description).
|
||||
# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
|
||||
# to the keycloak namespace; a CronJob registers the OIDC client in the forte
|
||||
# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
|
||||
# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
|
||||
# registrar-created Secret automatically — no manual SealedSecret step needed.
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
@@ -10,6 +10,8 @@ metadata:
|
||||
namespace: forte-drop
|
||||
labels:
|
||||
keycloak.forteapps.net/client-config: "true"
|
||||
annotations:
|
||||
keycloak.forteapps.net/source-namespace: "forte-drop"
|
||||
stringData:
|
||||
client.json: |
|
||||
{
|
||||
@@ -24,5 +26,13 @@ stringData:
|
||||
"publicClient": false,
|
||||
"redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
|
||||
"webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],
|
||||
"defaultClientScopes": ["openid","email","profile"]
|
||||
"defaultClientScopes": ["openid","email","profile"],
|
||||
"secret": {
|
||||
"namespace": "forte-drop",
|
||||
"name": "forte-drop-oidc-credentials",
|
||||
"keys": {
|
||||
"clientId": "client-id",
|
||||
"clientSecret": "client-secret"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user