refactor(apps): registrar-managed oidc creds, drop mcp client, DRY secret
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 5s
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 5s
Per platform review (danijel):
- keycloak-client-forte-drop: add the secret{} block telling the
registrar where to write the credential Secret + key names
(forte-drop-oidc-credentials, client-id/client-secret). The
forte-helm oidc sidecar consumes that registrar-created Secret —
no manual auth-oidc SealedSecret step (removed that NOTE).
- Delete keycloak-client-forte-drop-mcp: auth.type: mcp auto-registers
the MCP client; no manual config needed.
- Re-seal forte-drop-secrets with all shared env (BASE_DOMAIN, PG*,
S3_*, PASSWORD_GATE_SECRET) so both deployments get identical values
via envSecretName (values extraEnv now carries only APP_MODE).
This commit is contained in:
Sten
@@ -1,27 +0,0 @@
|
||||
# MCP audience client. RFC 7591 dynamic-registration capable MCP clients (e.g.,
|
||||
# Claude Desktop) discover this via /.well-known/oauth-protected-resource and
|
||||
# request tokens with aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp.
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: keycloak-client-forte-drop-mcp
|
||||
namespace: forte-drop
|
||||
labels:
|
||||
keycloak.forteapps.net/client-config: "true"
|
||||
stringData:
|
||||
client.json: |
|
||||
{
|
||||
"clientId": "forte-drop-mcp",
|
||||
"name": "Forte Drop (MCP)",
|
||||
"enabled": true,
|
||||
"protocol": "openid-connect",
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"standardFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": false,
|
||||
"serviceAccountsEnabled": false,
|
||||
"publicClient": false,
|
||||
"defaultClientScopes": ["openid","profile","email"],
|
||||
"attributes": {
|
||||
"access.token.lifespan": "3600"
|
||||
}
|
||||
}
|
||||
@@ -2,8 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- forte-drop-mcp.yaml
|
||||
- keycloak-client-forte-drop-mcp.yaml
|
||||
# Note: no auth-oidc Secret needed for type: mcp. The MCP sidecar only validates
|
||||
# tokens against the OIDC issuer (RFC 9728 resource server) and never authenticates
|
||||
# itself, so it doesn't read a client-secret. forte-drop-secrets (shared with the
|
||||
# web deployment) covers PG + S3 creds.
|
||||
# No keycloak-client config + no auth-oidc Secret for mcp mode. The chart's
|
||||
# auth.type: mcp auto-registers the MCP client; the sidecar is an RFC 9728
|
||||
# resource server that validates tokens (no client-secret of its own).
|
||||
# forte-drop-secrets (shared with web) covers PG + S3 creds.
|
||||
|
||||
Reference in New Issue
Block a user