refactor(apps): registrar-managed oidc creds, drop mcp client, DRY secret
Per platform review (danijel):
- keycloak-client-forte-drop: add the secret{} block telling the
registrar where to write the credential Secret + key names
(forte-drop-oidc-credentials, client-id/client-secret). The
forte-helm oidc sidecar consumes that registrar-created Secret —
no manual auth-oidc SealedSecret step (removed that NOTE).
- Delete keycloak-client-forte-drop-mcp: auth.type: mcp auto-registers
the MCP client; no manual config needed.
- Re-seal forte-drop-secrets with all shared env (BASE_DOMAIN, PG*,
S3_*, PASSWORD_GATE_SECRET) so both deployments get identical values
via envSecretName (values extraEnv now carries only APP_MODE).
@@ -1,27 +0,0 @@
|
||||
# MCP audience client. RFC 7591 dynamic-registration capable MCP clients (e.g.,
|
||||
# Claude Desktop) discover this via /.well-known/oauth-protected-resource and
|
||||
# request tokens with aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp.
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: keycloak-client-forte-drop-mcp
|
||||
namespace: forte-drop
|
||||
labels:
|
||||
keycloak.forteapps.net/client-config: "true"
|
||||
stringData:
|
||||
client.json: |
|
||||
{
|
||||
"clientId": "forte-drop-mcp",
|
||||
"name": "Forte Drop (MCP)",
|
||||
"enabled": true,
|
||||
"protocol": "openid-connect",
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"standardFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": false,
|
||||
"serviceAccountsEnabled": false,
|
||||
"publicClient": false,
|
||||
"defaultClientScopes": ["openid","profile","email"],
|
||||
"attributes": {
|
||||
"access.token.lifespan": "3600"
|
||||
}
|
||||
}
|
||||
@@ -2,8 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- forte-drop-mcp.yaml
|
||||
- keycloak-client-forte-drop-mcp.yaml
|
||||
# Note: no auth-oidc Secret needed for type: mcp. The MCP sidecar only validates
|
||||
# tokens against the OIDC issuer (RFC 9728 resource server) and never authenticates
|
||||
# itself, so it doesn't read a client-secret. forte-drop-secrets (shared with the
|
||||
# web deployment) covers PG + S3 creds.
|
||||
# No keycloak-client config + no auth-oidc Secret for mcp mode. The chart's
|
||||
# auth.type: mcp auto-registers the MCP client; the sidecar is an RFC 9728
|
||||
# resource server that validates tokens (no client-secret of its own).
|
||||
# forte-drop-secrets (shared with web) covers PG + S3 creds.
|
||||
|
||||
@@ -6,12 +6,18 @@ metadata:
|
||||
namespace: forte-drop
|
||||
spec:
|
||||
encryptedData:
|
||||
PASSWORD_GATE_SECRET: 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
|
||||
PGPASSWORD: 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
|
||||
PGUSER: 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
|
||||
S3_ENDPOINT: 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
|
||||
S3_KEY: 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
|
||||
S3_SECRET: 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
|
||||
BASE_DOMAIN: AgAFybdBryVb2AQuGQC8REXzW0YZlyycJp/KeXnROkW71UjDe4qMAWkWszrJWxZMvAPO/tXmibp7jEol6aB5GKG0k3tswWoprTFXLd9CMR2U9SWR3ZCol4npPXo7uOxhBcNSVt+cDXyejSiFTi6goY2oOtbKAJSF9Nv7Z5ePaqhhFni3ntcmM0S1Ad1l3QR7VvyazHFBXfO0b8Z9NgYsUNbGrXWDwoSAZIv3ly3wx90AXn+dXX5FNPtl9CtyAVhHsl3liwQdhEwS2krZZjj7NiQTCfNXp7BSB9ZETpo9KkoV4AZNy1zupd3HpeXHsyhHjq/JqXIAF3iFU0tZTWjhcwnehYdEU5oduwfLCWym5PYgpiQAGiazpkm1Ss3/PYpZYnR2nWv60b1Pa5i79ZiPNi4GL67AiWoJDw6QxV0Kbzi0AvUkZI1E2PeIJvv1w9NKdMRo49xK8LUx2qSTpWeqRP+1kzklHqclTuNVxiWtR2wUgdoLzvU7p5ETu7kPEmaoE8rYw4dKgQvHlMok2Ky2JsELGBkCiYjUN75T+yNlGs5dzbiwtWOja/r0dJ3ZGBQjcK4/BbTLiMYsrxmJTPPF/2zhCOlFY6cfcRMmc7Mwr68mK9m2rTOJQNjBMDoASiqVMmeSqfRSln7JNb1pAeq4xcz9YJMBJhPy2XNiBvRJK3pGIjVcNST0jSpic1X01NJTy7aFbcniZzYnsKJV61AQb+daGEsB1Ib3GnJ+Rv8+9NfvWg==
|
||||
PASSWORD_GATE_SECRET: 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
|
||||
PGDATABASE: 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
|
||||
PGHOST: 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
|
||||
PGPASSWORD: AgBH32G+EUtc3jzGCA9bf27TCbzgK9xz+r4dqd0QQJL9xHbqgOARGVVaQ88AOkWV5VgYjqc/GFp51jLzVOHxgLdkqO/oCBuX9ajQEoGfq24AxFnaB7fh+Vlc3/N9yhT8lWoxHmHjyMVeX75g/9KvhNaRKBgiWQNHlt1C2FNh1h3U/aMfWVJIENmKKH2A5sxWe5haB7nynZc9r1QXBQKa7XVpuxAFXDHz3j3cFyR5Qflp+ac2APEM1/xbiaZDgkBtBd6dsDoCP56Dr1m91kaRGgbeX6WmRJ/Y89WAp4yt3QVfa8uGL1+DrBBMcfB1nAQKA45eZjPE6zTOEHxgTETCcmXJQiOzttDmBHRkIClOLLipgGDJwMqtgQoEMoJKjXMC0rsRy0NVRmibZa310R3PQjuHrQXxRD9ZAXkYg3opwLKeKi07b/7mvLHr7hU81fkBGnqNm/6heOSAqDZfRdregbBbcI/go72aypn2vQ5R+ozCdfwcp1tGla8FGpkI+zAdBKihp5Yo21VZ83FlIMq2JHF2+tv58C+LFeyqL1nr6BUmGKUQ+lEOnRzGYo1sbO5wBChc6yP3ZbzZYfxfvXAdfDY7vZUsareOC4uyR1wDnIiJgQ4kqmAKf7HulJJatKNgsvbmukj7c6lHLsfFRg5pwLO6iese9TZgtima2wkdcRpHSdt4ycnyHbwrEZ4kepfFlN1pGUl573/3l2cOdzO+WLCqV96P5myL6OOmCTxOaLdSyA==
|
||||
PGPORT: 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
|
||||
PGUSER: 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
|
||||
S3_BUCKET: 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
|
||||
S3_ENDPOINT: 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
|
||||
S3_KEY: AgAiciTM2ZNVlU1M1CNNXLkhCEYYbO7q5+Mp/DoC4OHBgIDKVfHurH39Dniuwxe6DcvE3vG2glRyTxQEg/ASLcwa7HBwBAwXe3wl1tRGM5Bp40/Vq935BXpkhcdp2fSoup8lPEbKS8q+L5LOqUlx7jmnkHXbI1tasz63KE8O9RUFDdQ8Gxy3nn/u4xkvibYxwmo60ApLKYgOu/ODPEETrWBcITHAVFUxbA8Kr9X9mPm3VpfrnFcUlxsCFr/zZwE/Y01eWdi8GGafb+apDPKMd7mAsLHFcPIQlpkHVT1M21qwwntZg9yV0RBACNu5BVPUgbmtUOQeWYMXn3FE+NJ7ajfdKAUCcEUV/f4s00b0S7jJTJwOUixDquMKSfu00AwDRCs8UcouikZe110uWnfEF3tVE0xQGF/3ItLni9VugBz7wQv7ACvmwnHmX5ZcjE0hxYcIS7ABWgHOZxgWoRWPao8eNAATipafcVIG1szl5ZMNTmAqHFyp2dlNU3zaiW6fz4q4CU7SrlhsrtqYM788qHvpJvDpFdF/i6oitH9CgpwmdCpH6YbBXxatnkWq9bqjEFcSZGDfDyT+iZaoPwhiOfaEoCyKlZ9RLLaK3E8zFcCDRXHnvnkqPtP/+VG30xz9pIat2EVB1N4b/kVIrr+fIM28mwk0vkC/tU8T55GF5BZr7VaYedHM9DVcQ4OJl7Ctrc9Ki8PXrne8gywyomA0F+YY9lxdDw==
|
||||
S3_REGION: AgAAHTbNQ3gGnvg67ck2N5zSKKhMwR1j6pi/tZzYMEPK8jSnDTBkLYAt6ZVRtdsO+dG9kjnMsc/xTUMxJspbvQkgLSd9mG5FzJ37rBn+azCCSTDYBKq2ddGK1Yf/9w7MxOgN8aCyD4QCFOzR0EI49GbVYQynxDD5BwYuf7y4t2xCYt5wRGsjyNAmH3202Z90XKUkts8Na1hyD+xrrtrAtNfugyZqKo2WUSsHu82TD+cu5xZI51oQ9w9Mh9LaH3nfn/X5S+t17TjYvI7/c6hOwCVv10OdoaZa+SzqOvy7XxnqAShAYkPqJKfWhjecE1b9c/Cun32X4MRI0GBWyA02z4nR+WBbaVmasicx6hchVn8/wZeKMIl68F5LE7184MKKPNNwqsYslwFhuWq8dEw3TaVvnWgx3+cSMiX15SBwcLtE2UzJp+jjN/dpQ2MM0+6uV1GK4mNso5JAwGpUUUi2i+V1Ng7uXipI+5J9w6K0IMg1puGqFyahby42saSuH6vuPnjSx+2dXQTlgbl2SvCBoCgyOOJs4q5IafEvupAmRCNzx2HHv8/z6CFbSQZITQ3plmyNGLFXjynVw/6Q1PD4z3Pows4uVcYOEPbC0UoaXVgwgdBWa2N44BUhpdbqJUCyKuapLigpjKujG43jmdLzuk6gaPeH7SJTZKr624vs9hrGhzQYKdl6FZOQhmCFRDKXVCUiH2Z2pfwd3oo=
|
||||
S3_SECRET: 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
|
||||
template:
|
||||
metadata:
|
||||
name: forte-drop-secrets
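Review bot: PASSWORD_GATE_SECRET sits in the same forte-drop-secrets SealedSecret that, per the commit message, both deployments load through envSecretName, so the MCP deployment's environment would carry the web password-gate secret alongside the PG and S3 credentials. If the MCP process does not use that key (not visible here), moving it into a web-only SealedSecret keeps a compromise of one pod from exposing a secret only the other needs. The keys this hunk appears to add (BASE_DOMAIN, PGDATABASE, PGHOST, PGPORT, S3_BUCKET, S3_REGION) look like plain configuration; held in a ConfigMap they would stay readable in review instead of showing up as opaque ciphertext. The manifest starts above this hunk, so the SealedSecret's scope annotations cannot be checked from here.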
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
# Labeled config Secret read by the Keycloak Client Registrar. The registrar will
|
||||
# create the OIDC client in the forte realm and write the resulting credentials
|
||||
# back into forte-drop-oidc-credentials Secret in this namespace within ~2 min.
|
||||
# That client-secret then gets manually copied into the auth-oidc SealedSecret
|
||||
# (one-time per cluster; see PR description).
|
||||
# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
|
||||
# to the keycloak namespace; a CronJob registers the OIDC client in the forte
|
||||
# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
|
||||
# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
|
||||
# registrar-created Secret automatically — no manual SealedSecret step needed.
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
@@ -10,6 +10,8 @@ metadata:
|
||||
namespace: forte-drop
|
||||
labels:
|
||||
keycloak.forteapps.net/client-config: "true"
|
||||
annotations:
|
||||
keycloak.forteapps.net/source-namespace: "forte-drop"
|
||||
stringData:
|
||||
client.json: |
|
||||
{
|
||||
@@ -24,5 +26,13 @@ stringData:
|
||||
"publicClient": false,
|
||||
"redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
|
||||
"webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],
|
||||
"defaultClientScopes": ["openid","email","profile"]
|
||||
"defaultClientScopes": ["openid","email","profile"],
|
||||
"secret": {
|
||||
"namespace": "forte-drop",
|
||||
"name": "forte-drop-oidc-credentials",
|
||||
"keys": {
|
||||
"clientId": "client-id",
|
||||
"clientSecret": "client-secret"
|
||||
}
|
||||
}
|
||||
}
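Review bot: The destination of the generated client credential is declared by the manifest itself, in the added `keycloak.forteapps.net/source-namespace: "forte-drop"` annotation and in the new `"secret": { "namespace": "forte-drop", ... }` block, so the design is only safe if the registrar does not trust those fields as written. If the registrar, which per the header comment works from a Kyverno clone in the keycloak namespace, writes wherever `secret.namespace` points, anyone able to create a Secret labelled `keycloak.forteapps.net/client-config: "true"` could have a credential Secret written or overwritten in a namespace they do not own. It is worth confirming that the Kyverno policy stamps the annotation from the real origin namespace and that the registrar rejects a `secret.namespace` that differs from it. A comment above the annotation such as `# stamped/validated by Kyverno; must equal metadata.namespace` would record that contract. The registrar and the policy are outside this diff, so this is a check to make rather than a confirmed defect.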
|
||||
|
||||
@@ -6,8 +6,3 @@ resources:
|
||||
- keycloak-client-forte-drop.yaml
|
||||
- forte-drop-pdb.yaml
|
||||
- forte-drop-secrets-sealed.yaml
|
||||
|
||||
# NOTE: the web sidecar's auth-oidc SealedSecret is added in a follow-up commit,
|
||||
# once the Keycloak registrar has created forte-drop-oidc-credentials post-deploy
|
||||
# (see PR description for the one-time seal step). It is intentionally NOT a
|
||||
# resource here yet — sealing it requires the registrar-generated client-secret.
|
||||
|
||||