minio fixes
@@ -10,8 +10,8 @@ stringData:
|
||||
{
|
||||
"clientId": "minio",
|
||||
"name": "MinIO",
|
||||
"redirectUris": ["https://minio.forteapps.net/oauth_callback"],
|
||||
"webOrigins": ["https://minio.forteapps.net"],
|
||||
"redirectUris": ["https://zipline.forteapps.net/oauth_callback"],
|
||||
"webOrigins": ["https://zipline.forteapps.net"],
|
||||
"protocolMappers": [
|
||||
{
|
||||
"name": "minio-policy-mapper",
|
||||
|
||||
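Review bot: The `redirectUris` and `webOrigins` entries for the `minio` client name the host `zipline.forteapps.net`, which matches neither the client's name nor the `s3.forteapps.net` ingress host visible elsewhere in this commit. Assuming the zipline pair is the new side (the rendering lost the +/- markers), Keycloak will hand authorization codes issued for this client to that host, so it should be the host that actually serves the MinIO console and nothing else. If that is intended, record it in the manifest, e.g. `# redirect host must equal oidc.redirectUri in the MinIO values`. If the value was copied from another client's config, the commented-out `redirectUri` in the MinIO values needs the same correction before OIDC is re-enabled.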
@@ -338,7 +338,8 @@ extraDeploy:
|
||||
upsert_secret() {
|
||||
local ns="$1" name="$2" manifest="$3"
|
||||
local code
|
||||
code=$(curl -sf -o /dev/null -w "%{http_code}" \
|
||||
# NOTE: intentionally no -f; we need to capture HTTP 404 without curl exiting 22
|
||||
code=$(curl -s -o /dev/null -w "%{http_code}" \
|
||||
--cacert "$CA_CERT" \
|
||||
-H "Authorization: Bearer ${SA_TOKEN}" \
|
||||
-H "Content-Type: application/json" \
|
||||
@@ -347,7 +348,7 @@ extraDeploy:
|
||||
if [ "$code" = "200" ]; then
|
||||
echo " Updated secret '${ns}/${name}'"
|
||||
elif [ "$code" = "404" ]; then
|
||||
code=$(curl -sf -o /dev/null -w "%{http_code}" \
|
||||
code=$(curl -s -o /dev/null -w "%{http_code}" \
|
||||
--cacert "$CA_CERT" \
|
||||
-H "Authorization: Bearer ${SA_TOKEN}" \
|
||||
-H "Content-Type: application/json" \
|
||||
@@ -394,7 +395,7 @@ extraDeploy:
|
||||
|
||||
# Get the client secret from Keycloak
|
||||
local secret_value
|
||||
secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
|
||||
secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
|
||||
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
|
||||
| jq -r '.value')
|
||||
|
||||
@@ -409,7 +410,7 @@ extraDeploy:
|
||||
|
||||
# Write to target namespace (if it exists)
|
||||
local ns_status
|
||||
ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \
|
||||
ns_status=$(curl -s -o /dev/null -w "%{http_code}" \
|
||||
--cacert "$CA_CERT" \
|
||||
-H "Authorization: Bearer ${SA_TOKEN}" \
|
||||
"${K8S_API}/api/v1/namespaces/${target_ns}")
|
||||
@@ -433,12 +434,12 @@ extraDeploy:
|
||||
local ns="$1" name="$2" key="$3" value="$4"
|
||||
local patch
|
||||
patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
|
||||
curl -sf -o /dev/null \
|
||||
curl -s -o /dev/null \
|
||||
--cacert "$CA_CERT" \
|
||||
-H "Authorization: Bearer ${SA_TOKEN}" \
|
||||
-H "Content-Type: application/strategic-merge-patch+json" \
|
||||
-X PATCH -d "$patch" \
|
||||
"${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}"
|
||||
"${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" || true
|
||||
}
|
||||
|
||||
# =============================================
|
||||
|
||||
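Review bot: Dropping `-f` from the client-secret fetch (`secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" ... | jq -r '.value')`) means an HTTP error from Keycloak no longer looks different from success. A JSON error body has no `.value`, so `jq -r` prints the literal string `null`, whereas the old `-sf` form left the variable empty. Unlike the `upsert_secret` and namespace-status calls, this one never reads `%{http_code}`, so nothing replaces the check that `-f` provided. The lines after the fetch are outside the hunk, so a guard may already exist, but it has to reject both cases, e.g. `if [ -z "$secret_value" ] || [ "$secret_value" = "null" ]; then return 1; fi`; otherwise this call should keep `-sf`. The annotation PATCH has a related gap: with `-s -o /dev/null ... || true`, a failed update leaves no trace in the job output.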
@@ -39,14 +39,16 @@ ingress:
|
||||
- s3.forteapps.net
|
||||
|
||||
## Native OIDC via Keycloak
|
||||
## TEMPORARILY disabled: the registrar needs time to create minio-oidc-credentials.
|
||||
## Re-enable once `kubectl get secret minio-oidc-credentials -n minio` succeeds.
|
||||
oidc:
|
||||
enabled: true
|
||||
configUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
|
||||
clientId: "minio"
|
||||
existingClientSecretName: "minio-oidc-credentials"
|
||||
existingClientSecretKey: "client-secret"
|
||||
claimName: "policy"
|
||||
scopes: "openid,email,profile"
|
||||
redirectUri: "https://zipline.forteapps.net/oauth_callback"
|
||||
claimPrefix: ""
|
||||
comment: ""
|
||||
enabled: false
|
||||
# configUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
|
||||
# clientId: "minio"
|
||||
# existingClientSecretName: "minio-oidc-credentials"
|
||||
# existingClientSecretKey: "client-secret"
|
||||
# claimName: "policy"
|
||||
# scopes: "openid,email,profile"
|
||||
# redirectUri: "https://zipline.forteapps.net/oauth_callback"
|
||||
# claimPrefix: ""
|
||||
# comment: ""
|
||||
|
||||
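Review bot: The new comments above `oidc:` say when to re-enable OIDC but not what authenticates users in the meantime. With `enabled: false` the console presumably accepts only MinIO's built-in credentials, which changes who can sign in and is worth stating next to the switch. I would add a line such as `## While disabled, console sign-in uses MinIO's own access keys only.` together with a pointer to wherever the re-enable is tracked, so the temporary state does not become permanent unnoticed.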