Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

refactor(apps): registrar-managed oidc creds, drop mcp client, DRY secret

Browse Source 
Per platform review (danijel):
- keycloak-client-forte-drop: add the secret{} block telling the
  registrar where to write the credential Secret + key names
  (forte-drop-oidc-credentials, client-id/client-secret). The
  forte-helm oidc sidecar consumes that registrar-created Secret —
  no manual auth-oidc SealedSecret step (removed that NOTE).
- Delete keycloak-client-forte-drop-mcp: auth.type: mcp auto-registers
  the MCP client; no manual config needed.
- Re-seal forte-drop-secrets with all shared env (BASE_DOMAIN, PG*,
  S3_*, PASSWORD_GATE_SECRET) so both deployments get identical values
  via envSecretName (values extraEnv now carries only APP_MODE).
This commit is contained in:
Sten
2026-05-29 14:05:29 +02:00
committed by Danijel Simeunovic
parent d83cbdc7ca
commit e49c0928d2
5 changed files with 32 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
apps/base/forte-drop/kustomization.yaml
View File

@@ -6,8 +6,3 @@ resources:
- keycloak-client-forte-drop.yaml
- forte-drop-pdb.yaml
- forte-drop-secrets-sealed.yaml
# NOTE: the web sidecar's auth-oidc SealedSecret is added in a follow-up commit,
# once the Keycloak registrar has created forte-drop-oidc-credentials post-deploy
# (see PR description for the one-time seal step). It is intentionally NOT a
# resource here yet — sealing it requires the registrar-generated client-secret.