Per platform review (danijel):
- keycloak-client-forte-drop: add the secret{} block telling the
registrar where to write the credential Secret + key names
(forte-drop-oidc-credentials, client-id/client-secret). The
forte-helm oidc sidecar consumes that registrar-created Secret —
no manual auth-oidc SealedSecret step (removed that NOTE).
- Delete keycloak-client-forte-drop-mcp: auth.type: mcp auto-registers
the MCP client; no manual config needed.
- Re-seal forte-drop-secrets with all shared env (BASE_DOMAIN, PG*,
S3_*, PASSWORD_GATE_SECRET) so both deployments get identical values
via envSecretName (values extraEnv now carries only APP_MODE).
Two ArgoCD apps from the same forte-drop image:
- forte-drop (web): admin + public drops, sidecar in oidc mode,
ingress drop-k8s.hackathon.forteapps.net.
- forte-drop-mcp (mcp): MCP-over-HTTP, sidecar in mcp mode,
ingress mcp.drop-k8s.hackathon.forteapps.net.
Plus two labeled Keycloak client config Secrets — the registrar
creates the OIDC clients in the forte realm within ~2 min.
Sealed secrets (forte-drop-secrets + auth-oidc) added in a
follow-up commit by the maintainer:
cd /Users/sten/dev/work/forte_k8/launchpad
kubeseal --format=yaml \
--controller-name=sealed-secrets-controller \
--controller-namespace=kube-system \
< private/forte-drop-secrets.yaml \
> apps/base/forte-drop/forte-drop-secrets-sealed.yaml
# auth-oidc: wait for registrar, copy client-secret into private/,
# then seal as apps/base/forte-drop/auth-oidc-sealed.yaml.
# (mcp deployment is sidecar type=mcp — no auth-oidc Secret needed;
# only the web deployment requires it.)
