From 375fbff4b65467b5ecacfb68d8071e01ebe2e8af Mon Sep 17 00:00:00 2001
From: Sten
Date: Fri, 5 Jun 2026 12:55:45 +0200
Subject: [PATCH] fix(apps): drop duplicate keycloak-client secret (chart owns it)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The forteapp chart renders Secret/keycloak-client-forte-drop from auth.registration values (verified: the live secret is tracked by the forte-drop Application and carries the correct drop.forteapps.net redirect). The overlay copy gives the secret two owners — enterprise-apps and forte-drop self-heal against each other in a sync loop (the Slack spam). Remove the overlay copy; the chart is the single source.
---
 .../keycloak-client-forte-drop.yaml | 38 -------------------
 .../upc-dev/forte-drop/kustomization.yaml | 1 -
 2 files changed, 39 deletions(-)
 delete mode 100644 apps/overlays/upc-dev/forte-drop/keycloak-client-forte-drop.yaml
diff --git a/apps/overlays/upc-dev/forte-drop/keycloak-client-forte-drop.yaml b/apps/overlays/upc-dev/forte-drop/keycloak-client-forte-drop.yaml
deleted file mode 100644
index 64906dd..0000000
--- a/apps/overlays/upc-dev/forte-drop/keycloak-client-forte-drop.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
-# to the keycloak namespace; a CronJob registers the OIDC client in the forte
-# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
-# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
-# registrar-created Secret automatically — no manual SealedSecret step needed.
-apiVersion: v1
-kind: Secret
-metadata:
- name: keycloak-client-forte-drop
- namespace: forte-drop
- labels:
- keycloak.forteapps.net/client-config: "true"
- annotations:
- keycloak.forteapps.net/source-namespace: "forte-drop"
-stringData:
- client.json: |
- {
- "clientId": "forte-drop",
- "name": "Forte Drop (web)",
- "enabled": true,
- "protocol": "openid-connect",
- "clientAuthenticatorType": "client-secret",
- "standardFlowEnabled": true,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": false,
- "publicClient": false,
- "redirectUris": ["https://drop.forteapps.net/auth/callback"],
- "webOrigins": ["https://drop.forteapps.net"],
- "defaultClientScopes": ["openid","email","profile"],
- "secret": {
- "namespace": "forte-drop",
- "name": "forte-drop-oidc-credentials",
- "keys": {
- "clientId": "client-id",
- "clientSecret": "client-secret"
- }
- }
- }
diff --git a/apps/overlays/upc-dev/forte-drop/kustomization.yaml b/apps/overlays/upc-dev/forte-drop/kustomization.yaml
index 8dc592b..ed9d17a 100644
--- a/apps/overlays/upc-dev/forte-drop/kustomization.yaml
+++ b/apps/overlays/upc-dev/forte-drop/kustomization.yaml
@@ -2,6 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - forte-drop.yaml
-- keycloak-client-forte-drop.yaml
 - forte-drop-pdb.yaml
 - forte-drop-secrets-sealed.yaml