From d6e61c5663c462b6fbf8e852f85ff8a5f28bc21f Mon Sep 17 00:00:00 2001 
From: Sten Date: Thu, 28 May 2026 16:47:38 +0200 Subject: [PATCH] feat(apps): forte-drop web + mcp ArgoCD applications MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two ArgoCD apps from the same forte-drop image: - forte-drop (web): admin + public drops, sidecar in oidc mode, ingress drop-k8s.hackathon.forteapps.net. - forte-drop-mcp (mcp): MCP-over-HTTP, sidecar in mcp mode, ingress mcp.drop-k8s.hackathon.forteapps.net. Plus two labeled Keycloak client config Secrets — the registrar creates the OIDC clients in the forte realm within ~2 min. Sealed secrets (forte-drop-secrets + auth-oidc) added in a follow-up commit by the maintainer: cd /Users/sten/dev/work/forte_k8/launchpad kubeseal --format=yaml \ --controller-name=sealed-secrets-controller \ --controller-namespace=kube-system \ < private/forte-drop-secrets.yaml \ > apps/base/forte-drop/forte-drop-secrets-sealed.yaml # auth-oidc: wait for registrar, copy client-secret into private/, # then seal as apps/base/forte-drop/auth-oidc-sealed.yaml. # (mcp deployment is sidecar type=mcp — no auth-oidc Secret needed; # only the web deployment requires it.) --- apps/base/forte-drop-mcp/forte-drop-mcp.yaml | 37 +++++++++++++++++++ .../keycloak-client-forte-drop-mcp.yaml | 27 ++++++++++++++ apps/base/forte-drop-mcp/kustomization.yaml | 6 +++ apps/base/forte-drop/forte-drop.yaml | 37 +++++++++++++++++++ .../keycloak-client-forte-drop.yaml | 28 ++++++++++++++ apps/base/forte-drop/kustomization.yaml | 7 ++++ apps/base/kustomization.yaml | 2 + 7 files changed, 144 insertions(+) create mode 100644 apps/base/forte-drop-mcp/forte-drop-mcp.yaml create mode 100644 apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml create mode 100644 apps/base/forte-drop-mcp/kustomization.yaml create mode 100644 apps/base/forte-drop/forte-drop.yaml create mode 100644 apps/base/forte-drop/keycloak-client-forte-drop.yaml create mode 100644 apps/base/forte-drop/kustomization.yaml 
diff --git a/apps/base/forte-drop-mcp/forte-drop-mcp.yaml b/apps/base/forte-drop-mcp/forte-drop-mcp.yaml
new file mode 100644
index 0000000..0465bdb
--- /dev/null
+++ b/apps/base/forte-drop-mcp/forte-drop-mcp.yaml
@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: forte-drop-mcp
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+ notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+ notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+ notifications.argoproj.io/subscribe.on-degraded.slack: ""
+ labels:
+ app.kubernetes.io/name: forte-drop-mcp
+ app.kubernetes.io/part-of: apps
+ app.kubernetes.io/managed-by: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+ path: forteapp
+ targetRevision: HEAD
+ helm:
+ valueFiles:
+ - $values/forte-drop-mcp/values.yaml
+ - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+ targetRevision: HEAD
+ ref: values
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: forte-drop
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml b/apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml
new file mode 100644
index 0000000..228062a
--- /dev/null
+++ b/apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml
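Review bot: Both sources are tracked at `targetRevision: HEAD` while `syncPolicy.automated` sets `prune: true` and `selfHeal: true`, so any push to the default branch of forte-helm or helm-prod-values is rolled out into `forte-drop` with no review gate; pin the chart source to a tag or commit SHA and, if the values repo must float, at least to a named branch. `project: default` also leaves this Application in the unrestricted default AppProject, which permits any source repo and any destination cluster/namespace; a dedicated AppProject whose `sourceRepos` lists only the two git.forteapps.net repos and whose `destinations` lists only the `forte-drop` namespace would give least privilege. Both points apply equally to the sibling forte-drop Application.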
@@ -0,0 +1,27 @@
+# MCP audience client. RFC 7591 dynamic-registration capable MCP clients (e.g.,
+# Claude Desktop) discover this via /.well-known/oauth-protected-resource and
+# request tokens with aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp.
+apiVersion: v1
+kind: Secret
+metadata:
+ name: keycloak-client-forte-drop-mcp
+ namespace: forte-drop
+ labels:
+ keycloak.forteapps.net/client-config: "true"
+stringData:
+ client.json: |
+ {
+ "clientId": "forte-drop-mcp",
+ "name": "Forte Drop (MCP)",
+ "enabled": true,
+ "protocol": "openid-connect",
+ "clientAuthenticatorType": "client-secret",
+ "standardFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "defaultClientScopes": ["openid","profile","email"],
+ "attributes": {
+ "access.token.lifespan": "3600"
+ }
+ }
diff --git a/apps/base/forte-drop-mcp/kustomization.yaml b/apps/base/forte-drop-mcp/kustomization.yaml
new file mode 100644
index 0000000..9d5338b
--- /dev/null
+++ b/apps/base/forte-drop-mcp/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- forte-drop-mcp.yaml
+- keycloak-client-forte-drop-mcp.yaml
+# - auth-oidc-sealed.yaml # added in follow-up commit
diff --git a/apps/base/forte-drop/forte-drop.yaml b/apps/base/forte-drop/forte-drop.yaml
new file mode 100644
index 0000000..08610ba
--- /dev/null
+++ b/apps/base/forte-drop/forte-drop.yaml
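Review bot: The header comment promises tokens carrying `aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp`, but nothing in `client.json` produces that claim: Keycloak populates `aud` from audience protocol mappers, and this client declares no mapper or client scope that would add either that URL or `forte-drop-mcp`, so a resource server that checks the audience would reject every token unless the registrar adds a mapper on its own (not visible here). With `standardFlowEnabled`, `directAccessGrantsEnabled` and `serviceAccountsEnabled` all false the client can never obtain a token itself, which is fine for an audience-only client but means the `client-secret` the registrar generates is unused; state that in the comment so nobody seals it. `"openid"` is also not a Keycloak client scope (it is the OIDC scope parameter, handled implicitly), so that entry in `defaultClientScopes` is likely ignored or rejected at import depending on the registrar — `["profile","email"]` is the safer list.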
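Review bot: The commented-out `# - auth-oidc-sealed.yaml # added in follow-up commit` contradicts the commit description, which says the mcp deployment runs the sidecar in mcp mode and needs no auth-oidc Secret; a later maintainer will read this line as a pending task and seal a client secret into a namespace that does not consume it. Either drop the line or make the intent explicit, e.g. `# no auth-oidc SealedSecret here: sidecar type=mcp needs no client secret (see commit description)`.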
@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: forte-drop
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+ notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+ notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+ notifications.argoproj.io/subscribe.on-degraded.slack: ""
+ labels:
+ app.kubernetes.io/name: forte-drop
+ app.kubernetes.io/part-of: apps
+ app.kubernetes.io/managed-by: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+ path: forteapp
+ targetRevision: HEAD
+ helm:
+ valueFiles:
+ - $values/forte-drop/values.yaml
+ - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+ targetRevision: HEAD
+ ref: values
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: forte-drop
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/apps/base/forte-drop/keycloak-client-forte-drop.yaml b/apps/base/forte-drop/keycloak-client-forte-drop.yaml
new file mode 100644
index 0000000..b7d6e85
--- /dev/null
+++ b/apps/base/forte-drop/keycloak-client-forte-drop.yaml
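Review bot: This Application renders the same `forteapp` chart from the same two repos as forte-drop-mcp into the same `forte-drop` namespace, both with `prune: true`; if the chart emits any resource whose name is not derived from the release (a fixed-name ServiceAccount, ConfigMap or NetworkPolicy, which cannot be seen from here), the two Applications will likely fight over its tracking label and flap between Synced and OutOfSync, so this is worth confirming against the chart before both are enabled. As with the sibling, `targetRevision: HEAD` on both sources combined with automated sync means an unreviewed push reaches the `drop-k8s.hackathon.forteapps.net` ingress immediately; pin the chart revision to a tag or commit. `project: default` should likewise become a restricted AppProject scoped to these repos and this namespace.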
@@ -0,0 +1,28 @@
+# Labeled config Secret read by the Keycloak Client Registrar. The registrar will
+# create the OIDC client in the forte realm and write the resulting credentials
+# back into forte-drop-oidc-credentials Secret in this namespace within ~2 min.
+# That client-secret then gets manually copied into the auth-oidc SealedSecret
+# (one-time per cluster; see PR description).
+apiVersion: v1
+kind: Secret
+metadata:
+ name: keycloak-client-forte-drop
+ namespace: forte-drop
+ labels:
+ keycloak.forteapps.net/client-config: "true"
+stringData:
+ client.json: |
+ {
+ "clientId": "forte-drop",
+ "name": "Forte Drop (web)",
+ "enabled": true,
+ "protocol": "openid-connect",
+ "clientAuthenticatorType": "client-secret",
+ "standardFlowEnabled": true,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
+ "webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],
+ "defaultClientScopes": ["openid","email","profile"]
+ }
diff --git a/apps/base/forte-drop/kustomization.yaml b/apps/base/forte-drop/kustomization.yaml
new file mode 100644
index 0000000..feda2e9
--- /dev/null
+++ b/apps/base/forte-drop/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- forte-drop.yaml
+- keycloak-client-forte-drop.yaml
+# - forte-drop-secrets-sealed.yaml # added in follow-up commit
+# - auth-oidc-sealed.yaml # added in follow-up commit (after Keycloak registrar creates client_secret)
diff --git a/apps/base/kustomization.yaml b/apps/base/kustomization.yaml
index a501fbf..b494209 100644
--- a/apps/base/kustomization.yaml
+++ b/apps/base/kustomization.yaml
@@ -6,3 +6,5 @@ resources:
 - musicman
 - ts-mcp
 - argo-mcp
+- forte-drop
+- forte-drop-mcp
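Review bot: The web client enables the authorization-code flow (`standardFlowEnabled: true`) with a `client-secret` authenticator but does not require PKCE, so a leaked or replayed authorization code is redeemable by anyone holding the secret; adding `"attributes": {"pkce.code.challenge.method": "S256"}` binds each code to the session that started the flow, assuming the sidecar's oidc mode sends a code challenge, which is not visible here. The header comment also describes a hand-copy of the client secret from the registrar-written `forte-drop-oidc-credentials` Secret into the sealed `auth-oidc` Secret, which creates two sources of truth: rotating the secret in Keycloak will silently break login until someone re-seals, and the registrar-written Secret becomes an unused copy of a live credential sitting in the namespace. Document that, e.g. `# NOTE: rotating this client's secret in Keycloak requires re-sealing auth-oidc; forte-drop-oidc-credentials is not consumed directly.` The exact-match `redirectUris` and `webOrigins` pinned to the single https origin are good as written.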