client cloner

Reviewed-on: #2

cluster-resources/policies/auth-sidecar-injector.yaml

@@ -243,8 +243,8 @@ spec:
             - name: AUTH_OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: auth-oidc
-                  key: client-secret
+                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
+                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
             resources:
               limits:
                 cpu: 50m
@@ -410,8 +410,8 @@ spec:
             - name: AUTH_OAUTH_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: auth-oauth
-                  key: client-secret
+                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-credentials-secret\" || 'auth-oauth' }}"
+                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-credentials-secret-key\" || 'client-secret' }}"
             - name: AUTH_OAUTH_DELEGATION_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:

cluster-resources/policies/keycloak-client-cloner.yaml

@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: keycloak-client-config-cloner
+spec:
+  rules:
+  - name: clone-client-config-to-keycloak
+    skipBackgroundRequests: false
+    match:
+      any:
+      - resources:
+          kinds:
+          - Secret
+          selector:
+            matchLabels:
+              keycloak.forteapps.net/client-config: "true"
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - keycloak
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: "{{request.object.metadata.name}}"
+      namespace: keycloak
+      synchronize: true
+      data:
+        metadata:
+          labels:
+            keycloak.forteapps.net/client-config: "true"
+            keycloak.forteapps.net/source-namespace: "{{request.object.metadata.namespace}}"
+          annotations:
+            keycloak.forteapps.net/source-name: "{{request.object.metadata.name}}"
+            keycloak.forteapps.net/source-namespace: "{{request.object.metadata.namespace}}"
+        data: "{{request.object.data}}"
+        type: "{{request.object.type}}"

docs/DEVELOPER-GUIDE.md

@@ -9,6 +9,7 @@
 - [Updating an Existing Application](#updating-an-existing-application)
 - [Working with Secrets](#working-with-secrets)
 - [Enabling Authentication for Applications](#enabling-authentication-for-applications)
+- [Adding a New Keycloak Client](#adding-a-new-keycloak-client)
 - [Troubleshooting](#troubleshooting)
 - [Best Practices](#best-practices)
 
@@ -1247,6 +1248,202 @@ kubectl logs -n myapp <pod-name> -c authn
 
 ---
 
+## Adding a New Keycloak Client
+
+There are two ways to add an OIDC client, depending on your use case:
+
+| Method | Best for | Who edits the infra repo? |
+|--------|----------|--------------------------|
+| **Self-service** (recommended) | New apps that deploy their own resources | App developer — no infra changes needed |
+| **Legacy (realm JSON)** | Existing clients already defined in forte-realm.json (e.g., Gitea) | Platform engineer |
+
+Both methods are served by the **Keycloak Client Registrar** CronJob, which runs every 2 minutes.
+
+### Self-Service OIDC Client Registration
+
+This is the recommended flow for new applications. Your app deploys a labeled config Secret in its own namespace; the platform handles everything else.
+
+#### How It Works
+
+1. You deploy a Secret with label `keycloak.forteapps.net/client-config: "true"` containing a `client.json` definition
+2. A **Kyverno ClusterPolicy** (`keycloak-client-config-cloner`) clones it to the `keycloak` namespace
+3. The **Client Registrar CronJob** picks it up within 2 minutes:
+   - Registers (or updates) the client in Keycloak
+   - Fetches the auto-generated client secret
+   - Creates a credential Secret in your app's namespace
+   - Annotates the config Secret with sync status
+
+#### Step 1: Create the Config Secret
+
+Deploy this Secret in your application's namespace (e.g., as part of your Helm chart or Kustomize overlay):
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-myapp
+  namespace: myapp
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "myapp",
+      "name": "My Application",
+      "redirectUris": ["https://myapp.forteapps.net/*"],
+      "webOrigins": ["https://myapp.forteapps.net"],
+      "defaultClientScopes": ["openid", "email", "profile"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "myapp",
+        "name": "myapp-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }
+```
+
+**`client.json` fields**:
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| `clientId` | Yes | Keycloak client ID |
+| `name` | Yes | Display name in Keycloak |
+| `redirectUris` | Yes | Allowed redirect URIs |
+| `webOrigins` | Yes | Allowed web origins (CORS) |
+| `defaultClientScopes` | No | Scopes (default: `["openid", "email", "profile"]`) |
+| `protocolMappers` | No | Custom claim mappers (default: `[]`) |
+| `secret.namespace` | No | Namespace for the credential Secret (default: source namespace) |
+| `secret.name` | No | Name of the credential Secret (default: `<clientId>-oidc-credentials`) |
+| `secret.keys.clientId` | No | Key name for client ID in credential Secret (default: `client-id`) |
+| `secret.keys.clientSecret` | No | Key name for client secret in credential Secret (default: `client-secret`) |
+
+#### Step 2: Reference the Credential Secret
+
+In your application's deployment config, reference the credential Secret that the registrar creates:
+
+```yaml
+env:
+- name: OIDC_CLIENT_ID
+  valueFrom:
+    secretKeyRef:
+      name: myapp-oidc-credentials
+      key: client-id
+- name: OIDC_CLIENT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: myapp-oidc-credentials
+      key: client-secret
+```
+
+#### Step 3: Deploy and Wait
+
+Commit and push your changes. The credential Secret will appear within 2 minutes:
+
+```bash
+# Watch for the credential Secret to be created
+kubectl get secret myapp-oidc-credentials -n myapp -w
+
+# Check registrar logs
+kubectl logs -n keycloak job/$(kubectl get jobs -n keycloak --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
+
+# Check sync status on the config Secret
+kubectl get secret keycloak-client-myapp -n keycloak -o jsonpath='{.metadata.annotations}'
+```
+
+#### Change Detection
+
+The registrar computes a SHA-256 hash of `client.json` and stores it as an annotation. On subsequent runs, it skips processing if:
+- The hash hasn't changed, AND
+- The credential Secret already exists in the target namespace
+
+To force a re-sync, update any field in `client.json` (e.g., add a trailing space to `name`).
+
+### Legacy Method: Realm JSON
+
+Existing clients (like Gitea) are defined directly in `forte-realm.json` inside `keycloak-values.yaml`. The registrar syncs their secrets via client attributes.
+
+#### Step 1: Add Client to Realm Config
+
+In `infra/values/keycloak-values.yaml`, add a new entry to the `clients` array in `forte-realm.json`:
+
+```json
+{
+  "clientId": "myapp",
+  "name": "My Application",
+  "enabled": true,
+  "protocol": "openid-connect",
+  "clientAuthenticatorType": "client-secret",
+  "standardFlowEnabled": true,
+  "directAccessGrantsEnabled": false,
+  "publicClient": false,
+  "redirectUris": ["https://myapp.forteapps.net/*"],
+  "webOrigins": ["https://myapp.forteapps.net"],
+  "defaultClientScopes": ["openid", "email", "profile"],
+  "attributes": {
+    "k8s.secret.sync": "true",
+    "k8s.secret.namespace": "myapp",
+    "k8s.secret.name": "myapp-oidc-credentials",
+    "k8s.secret.client-id-key": "key",
+    "k8s.secret.client-secret-key": "secret"
+  }
+}
+```
+
+**Important**:
+- Do **NOT** include a `"secret"` field — Keycloak generates one automatically
+- The `attributes` block tells the registrar where to create the K8s Secret
+- Set `client-id-key` / `client-secret-key` to match what the consuming app expects (defaults: `client-id` / `client-secret`)
+
+#### Step 2: Reference the Secret in Your Application
+
+```yaml
+existingSecret: myapp-oidc-credentials
+```
+
+#### Step 3: Commit and Push
+
+```bash
+cd ~/dev/k8s/launchpad
+git add infra/values/keycloak-values.yaml
+git commit -m "Add myapp Keycloak client with auto-sync"
+git push
+```
+
+ArgoCD will sync the Keycloak config, and the registrar CronJob will pick up the new client within 2 minutes.
+
+#### Legacy Sync Attribute Reference
+
+| Attribute | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
+| `k8s.secret.namespace` | Yes | — | Target K8s namespace for the secret |
+| `k8s.secret.name` | Yes | — | Name of the K8s Secret to create |
+| `k8s.secret.client-id-key` | No | `client-id` | Field name for the client ID in the K8s Secret |
+| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for the client secret in the K8s Secret |
+
+### Retrieving Secrets for External Deployments
+
+The registrar always writes a **central copy** of every synced secret to the `secrets` namespace, in addition to the target namespace. This allows operators to retrieve client credentials for applications deployed outside this cluster:
+
+```bash
+# View the central copy
+kubectl get secret gitea-oidc-credentials -n secrets -o yaml
+
+# Extract the client secret for use elsewhere
+kubectl get secret myapp-oidc-credentials -n secrets \
+  -o jsonpath='{.data.client-secret}' | base64 -d
+```
+
+### Registrar Behavior Notes
+
+- The registrar runs as a CronJob every 2 minutes (`concurrencyPolicy: Forbid`)
+- If the target namespace doesn't exist, the target write is skipped with a warning (the central copy still happens)
+- A central copy is **always** written to the `secrets` namespace for every synced client
+- The registrar uses the `keycloak-credentials` secret for admin authentication
+- Created secrets have the label `app.kubernetes.io/managed-by: keycloak-client-registrar`
+
+---
+
 ## Troubleshooting
 
 ### Application Not Deploying
@@ -1579,4 +1776,4 @@ Now that you understand the basics:
 - Docs: [Full documentation index](README.md)
 - Help: Contact platform team
 
-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-16

docs/REFERENCE.md

@@ -123,6 +123,7 @@ launchpad/
 │       ├── replicaset-cleaner.yaml
 │       ├── default-ns-blocker.yaml
 │       ├── secret-cloner.yaml
+│       ├── keycloak-client-cloner.yaml
 │       └── auth-sidecar-injector.yaml
 │
 ├── secrets/                       # Application secrets (sealed)
@@ -869,6 +870,119 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes
 
+### Keycloak Client Registrar
+
+**Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
+**Namespace**: `keycloak`
+**Schedule**: `*/2 * * * *` (every 2 minutes)
+
+**Purpose**: Handles two responsibilities:
+1. **Legacy sync** — extracts secrets from Keycloak clients with `k8s.secret.sync: "true"` attribute (same as former PostSync syncer)
+2. **Self-service registration** — processes config Secrets (cloned by Kyverno) to register new OIDC clients and sync their credentials
+
+**How It Works**:
+
+*Legacy path (existing clients like Gitea):*
+1. Authenticates to Keycloak Admin API using admin credentials from `keycloak-credentials` secret
+2. Queries all clients in the `forte` realm
+3. Filters clients with `k8s.secret.sync: "true"` attribute
+4. For each matching client, retrieves the auto-generated secret via Keycloak Admin API
+5. Creates/updates a K8s Secret in the target namespace (from `k8s.secret.namespace` attribute)
+6. Always writes a central copy to the `secrets` namespace
+
+*Self-service path (new clients):*
+1. Lists Secrets in `keycloak` namespace with label `keycloak.forteapps.net/client-config=true`
+2. For each config Secret, parses `client.json` and computes a config hash
+3. Skips if hash matches annotation and credential Secret already exists
+4. Creates or updates the Keycloak client via Admin API
+5. Fetches the generated client secret
+6. Upserts credential Secret in target namespace + central `secrets` namespace
+7. Annotates config Secret with sync status, config hash, and timestamp
+
+**Resources**:
+- `ServiceAccount`: `keycloak-client-registrar` (namespace: `keycloak`)
+- `ClusterRole`: `keycloak-client-registrar` (secrets: get/list/create/update/patch; namespaces: get/list)
+- `ClusterRoleBinding`: `keycloak-client-registrar`
+- `CronJob`: `keycloak-client-registrar`
+
+**Kyverno Policy**: `keycloak-client-config-cloner` — clones labeled Secrets from app namespaces to `keycloak` namespace (see [Kyverno Policies](#kyverno-policies))
+
+**Legacy Client Attributes** (set in `forte-realm.json`):
+
+| Attribute | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
+| `k8s.secret.namespace` | Yes | — | Target K8s namespace |
+| `k8s.secret.name` | Yes | — | Name of the K8s Secret |
+| `k8s.secret.client-id-key` | No | `client-id` | Field name for client ID in the Secret |
+| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for client secret in the Secret |
+
+**Self-Service Config Secret Schema**:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-<app>
+  namespace: <app-namespace>
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "<app>",
+      "name": "<App Name>",
+      "redirectUris": ["https://<app>.forteapps.net/*"],
+      "webOrigins": ["https://<app>.forteapps.net"],
+      "defaultClientScopes": ["openid", "email", "profile"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "<app-namespace>",
+        "name": "<app>-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }
+```
+
+**Created Credential Secret Format**:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <target-name>
+  namespace: <target-namespace>
+  labels:
+    app.kubernetes.io/managed-by: keycloak-client-registrar
+type: Opaque
+data:
+  <client-id-key>: <base64-encoded client ID>
+  <client-secret-key>: <base64-encoded client secret>
+```
+
+**Config Secret Annotations** (set by registrar):
+
+| Annotation | Description |
+|-----------|-------------|
+| `keycloak.forteapps.net/config-hash` | SHA-256 hash of client.json for change detection |
+| `keycloak.forteapps.net/sync-status` | `synced` or `error` |
+| `keycloak.forteapps.net/last-sync` | ISO 8601 timestamp of last successful sync |
+
+**Verification**:
+```bash
+# Check CronJob status
+kubectl get cronjobs -n keycloak
+
+# View latest registrar logs
+kubectl logs -n keycloak job/$(kubectl get jobs -n keycloak --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
+
+# Verify created secret
+kubectl get secret <name> -n <namespace> -o yaml
+
+# Check config Secret annotations (self-service)
+kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.annotations}'
+```
+
+**See**: [Developer Guide - Adding a New Keycloak Client](DEVELOPER-GUIDE.md#adding-a-new-keycloak-client)
+
 ### Renovate
 
 **Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
@@ -882,7 +996,7 @@ dind:
 ```yaml
 # infra/renovate.yaml + infra/values/renovate-values.yaml
 cronjob:
-  schedule: "@hourly"
+  schedule: "@daily"
   concurrencyPolicy: Forbid
 
 renovate:
@@ -891,12 +1005,24 @@ renovate:
     endpoint: https://git.forteapps.net
     autodiscover: true
     gitAuthor: "Renovate Bot <renovate@forteapps.net>"
+    packageRules:
+      - matchRepositories: ["**/10x"]
+        assignees: ["edvard.unsvag"]
+        reviewers: ["edvard.unsvag"]
+      - matchRepositories: ["**/auth-sidecar"]
+        assignees: ["danijel.simeunovic"]
+        reviewers: ["danijel.simeunovic"]
+      - matchRepositories: ["**/forte-helm"]
+        assignees: ["danijel.simeunovic"]
+        reviewers: ["danijel.simeunovic"]
 
 resources:
-  requests: { cpu: 250m, memory: 512Mi }
-  limits: { cpu: "1", memory: 1Gi }
+  requests: { cpu: 500m, memory: 1Gi }
+  limits: { cpu: "2", memory: 4Gi }
 ```
 
+**Note**: Assignees and reviewers are only applied at PR creation time. Existing PRs must be closed and recreated for new assignment rules to take effect.
+
 **Secrets**: `renovate-env` (SealedSecret in `secrets` namespace, cloned by Kyverno) containing:
 - `RENOVATE_TOKEN` — Gitea PAT with repo write + issue write permissions
 - `RENOVATE_GITHUB_COM_TOKEN` — GitHub PAT (public_repo read-only) for changelog fetching
@@ -947,6 +1073,19 @@ spec:
 
 **Label Requirement**: Secrets must have `allowedToBeCloned: "true"`
 
+### Keycloak Client Config Cloner
+
+**File**: `cluster-resources/policies/keycloak-client-cloner.yaml`
+
+**Purpose**: Clones Secrets labeled `keycloak.forteapps.net/client-config: "true"` from app namespaces to the `keycloak` namespace. This allows apps to declare their OIDC client configuration in their own namespace, which the [Keycloak Client Registrar](#keycloak-client-registrar) then processes.
+
+**Trigger**: Any Secret with label `keycloak.forteapps.net/client-config: "true"` created outside the `keycloak` namespace.
+
+**Behavior**:
+- Generates a copy of the Secret in the `keycloak` namespace with the same name
+- Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
+- `synchronize: true` — changes to the source Secret are reflected in the clone
+
 ### Default Namespace Blocker
 
 **File**: `cluster-resources/policies/default-ns-blocker.yaml`
@@ -1528,6 +1667,6 @@ team: platform
 
 ---
 
-**Last Updated**: 2026-04-14
+**Last Updated**: 2026-04-16
 **Maintained By**: Platform Team
 **Version**: 1.0.0

infra/keycloak.yaml

@@ -40,3 +40,9 @@ spec:
     - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: batch
+    kind: CronJob
+    jsonPointers:
+    - /spec/jobTemplate/spec/template/spec/containers/0/args

infra/values/gitea-values.yaml

@@ -29,6 +29,7 @@ gitea:
       ALLOW_ONLY_EXTERNAL_REGISTRATION: true
       ENABLE_BASIC_AUTHENTICATION: true
       ENABLE_PASSWORD_SIGNIN_FORM: false
+      ENABLE_NOTIFY_MAIL: true
 
     openid:
       ENABLE_OPENID_SIGNIN: false
@@ -67,11 +68,14 @@ gitea:
 
     mailer:
       ENABLED: true
-      PROTOCOL: smtps
+      PROTOCOL: smtp+starttls
       SMTP_ADDR: smtp.office365.com
       SMTP_PORT: 587
       FROM: "noreply@fortedigital.com"
 
+    admin:
+      DEFAULT_EMAIL_NOTIFICATIONS: enabled
+
   # -- SMTP credentials injected from secret (USER and PASSWD)
   additionalConfigFromEnvs:
   - name: GITEA__mailer__USER
@@ -88,7 +92,7 @@ gitea:
   oauth:
   - name: "Forte"
     provider: "openidConnect"
-    existingSecret: gitea-credentials
+    existingSecret: gitea-oidc-credentials
     key: gitea
     autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
     scopes: "openid email profile organization"

infra/values/keycloak-values.yaml

@@ -72,13 +72,19 @@ keycloakConfigCli:
             "enabled": true,
             "protocol": "openid-connect",
             "clientAuthenticatorType": "client-secret",
-            "secret": "382ed413580cb79d0f54813e5da87007b28fe766a8903d378b9e1c266405a784",
             "standardFlowEnabled": true,
             "directAccessGrantsEnabled": false,
             "publicClient": false,
             "redirectUris": ["https://git.forteapps.net/*"],
             "webOrigins": ["https://git.forteapps.net"],
             "defaultClientScopes": ["openid", "email", "profile"],
+            "attributes": {
+              "k8s.secret.sync": "true",
+              "k8s.secret.namespace": "gitea",
+              "k8s.secret.name": "gitea-oidc-credentials",
+              "k8s.secret.client-id-key": "key",
+              "k8s.secret.client-secret-key": "secret"
+            },
             "protocolMappers": [
               {
                 "name": "email_verified",
@@ -97,3 +103,356 @@ keycloakConfigCli:
           }
         ]
       }
+
+extraDeploy:
+# -- ServiceAccount for the client registrar CronJob
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: keycloak-client-registrar
+    namespace: keycloak
+
+# -- ClusterRole granting access to secrets and namespaces
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  metadata:
+    name: keycloak-client-registrar
+  rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list"]
+
+# -- ClusterRoleBinding for the registrar ServiceAccount
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: keycloak-client-registrar
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: keycloak-client-registrar
+  subjects:
+  - kind: ServiceAccount
+    name: keycloak-client-registrar
+    namespace: keycloak
+
+# -- CronJob: registers Keycloak clients and syncs secrets
+- apiVersion: batch/v1
+  kind: CronJob
+  metadata:
+    name: keycloak-client-registrar
+    namespace: keycloak
+  spec:
+    schedule: "*/2 * * * *"
+    concurrencyPolicy: Forbid
+    successfulJobsHistoryLimit: 1
+    failedJobsHistoryLimit: 3
+    jobTemplate:
+      spec:
+        backoffLimit: 3
+        template:
+          spec:
+            serviceAccountName: keycloak-client-registrar
+            restartPolicy: Never
+            containers:
+            - name: registrar
+              image: alpine:3.20
+              command: ["/bin/sh", "-c"]
+              args:
+              - |
+                set -e
+                apk add --no-cache curl jq > /dev/null 2>&1
+
+                KEYCLOAK_URL="http://keycloak:80"
+                REALM="forte"
+                K8S_API="https://kubernetes.default.svc"
+                SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+                CA_CERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+                CENTRAL_NS="secrets"
+
+                # --- Authenticate to Keycloak Admin API ---
+                ADMIN_USER="admin"
+                ADMIN_PASS=$(cat /secrets/admin-password)
+
+                echo "Authenticating to Keycloak..."
+                TOKEN=$(curl -sf -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
+                  -d "client_id=admin-cli" \
+                  -d "username=${ADMIN_USER}" \
+                  -d "password=${ADMIN_PASS}" \
+                  -d "grant_type=password" | jq -r '.access_token')
+
+                if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
+                  echo "ERROR: Failed to authenticate to Keycloak"
+                  exit 1
+                fi
+
+                # --- Helper functions ---
+
+                # Upsert a K8s Secret: try PUT (update), fall back to POST (create)
+                upsert_secret() {
+                  local ns="$1" name="$2" manifest="$3"
+                  local code
+                  code=$(curl -sf -o /dev/null -w "%{http_code}" \
+                    --cacert "$CA_CERT" \
+                    -H "Authorization: Bearer ${SA_TOKEN}" \
+                    -H "Content-Type: application/json" \
+                    -X PUT -d "$manifest" \
+                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}")
+                  if [ "$code" = "200" ]; then
+                    echo "  Updated secret '${ns}/${name}'"
+                  elif [ "$code" = "404" ]; then
+                    code=$(curl -sf -o /dev/null -w "%{http_code}" \
+                      --cacert "$CA_CERT" \
+                      -H "Authorization: Bearer ${SA_TOKEN}" \
+                      -H "Content-Type: application/json" \
+                      -X POST -d "$manifest" \
+                      "${K8S_API}/api/v1/namespaces/${ns}/secrets")
+                    if [ "$code" = "201" ]; then
+                      echo "  Created secret '${ns}/${name}'"
+                    else
+                      echo "  ERROR: Failed to create secret '${ns}/${name}' (HTTP ${code})"
+                      return 1
+                    fi
+                  else
+                    echo "  ERROR: Failed to update secret '${ns}/${name}' (HTTP ${code})"
+                    return 1
+                  fi
+                }
+
+                # Build a credential Secret JSON manifest
+                build_credential_secret() {
+                  local ns="$1" name="$2" id_key="$3" secret_key="$4" b64_id="$5" b64_secret="$6"
+                  cat <<MANIFEST
+                {
+                  "apiVersion": "v1",
+                  "kind": "Secret",
+                  "metadata": {
+                    "name": "${name}",
+                    "namespace": "${ns}",
+                    "labels": {
+                      "app.kubernetes.io/managed-by": "keycloak-client-registrar"
+                    }
+                  },
+                  "type": "Opaque",
+                  "data": {
+                    "${id_key}": "${b64_id}",
+                    "${secret_key}": "${b64_secret}"
+                  }
+                }
+                MANIFEST
+                }
+
+                # Sync credentials to target + central namespace
+                sync_credentials() {
+                  local client_id="$1" client_uuid="$2" target_ns="$3" target_name="$4" id_key="$5" secret_key="$6"
+
+                  # Get the client secret from Keycloak
+                  local secret_value
+                  secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
+                    | jq -r '.value')
+
+                  if [ -z "$secret_value" ] || [ "$secret_value" = "null" ]; then
+                    echo "  WARNING: No secret found for client '${client_id}', skipping"
+                    return 0
+                  fi
+
+                  local b64_id b64_secret
+                  b64_id=$(printf '%s' "$client_id" | base64 | tr -d '\n')
+                  b64_secret=$(printf '%s' "$secret_value" | base64 | tr -d '\n')
+
+                  # Write to target namespace (if it exists)
+                  local ns_status
+                  ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \
+                    --cacert "$CA_CERT" \
+                    -H "Authorization: Bearer ${SA_TOKEN}" \
+                    "${K8S_API}/api/v1/namespaces/${target_ns}")
+
+                  if [ "$ns_status" = "200" ]; then
+                    local manifest
+                    manifest=$(build_credential_secret "$target_ns" "$target_name" "$id_key" "$secret_key" "$b64_id" "$b64_secret")
+                    upsert_secret "$target_ns" "$target_name" "$manifest" || return 1
+                  else
+                    echo "  WARNING: Namespace '${target_ns}' does not exist, skipping target"
+                  fi
+
+                  # Always write a central copy to the secrets namespace
+                  local central_manifest
+                  central_manifest=$(build_credential_secret "$CENTRAL_NS" "$target_name" "$id_key" "$secret_key" "$b64_id" "$b64_secret")
+                  upsert_secret "$CENTRAL_NS" "$target_name" "$central_manifest" || return 1
+                }
+
+                # Annotate a K8s Secret with sync status
+                annotate_secret() {
+                  local ns="$1" name="$2" key="$3" value="$4"
+                  local patch
+                  patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
+                  curl -sf -o /dev/null \
+                    --cacert "$CA_CERT" \
+                    -H "Authorization: Bearer ${SA_TOKEN}" \
+                    -H "Content-Type: application/strategic-merge-patch+json" \
+                    -X PATCH -d "$patch" \
+                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}"
+                }
+
+                # =============================================
+                # LEGACY PATH — sync existing realm clients
+                # =============================================
+                echo "=== Legacy sync: clients with k8s.secret.sync=true ==="
+
+                CLIENTS=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                  "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
+
+                SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]')
+                COUNT=$(echo "$SYNC_CLIENTS" | jq 'length')
+                echo "Found ${COUNT} legacy client(s) with sync enabled"
+
+                echo "$SYNC_CLIENTS" | jq -c '.[]' | while read -r CLIENT; do
+                  CLIENT_ID=$(echo "$CLIENT" | jq -r '.clientId')
+                  CLIENT_UUID=$(echo "$CLIENT" | jq -r '.id')
+                  TARGET_NS=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.namespace"]')
+                  TARGET_NAME=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.name"]')
+                  ID_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-id-key"] // "client-id"')
+                  SECRET_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-secret-key"] // "client-secret"')
+
+                  echo "Processing legacy client '${CLIENT_ID}' -> '${TARGET_NS}/${TARGET_NAME}' (keys: ${ID_KEY}, ${SECRET_KEY})"
+                  sync_credentials "$CLIENT_ID" "$CLIENT_UUID" "$TARGET_NS" "$TARGET_NAME" "$ID_KEY" "$SECRET_KEY"
+                done
+
+                # =============================================
+                # NEW PATH — self-service config Secrets
+                # =============================================
+                echo ""
+                echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ==="
+
+                CONFIG_SECRETS=$(curl -sf \
+                  --cacert "$CA_CERT" \
+                  -H "Authorization: Bearer ${SA_TOKEN}" \
+                  "${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true")
+
+                CONFIG_COUNT=$(echo "$CONFIG_SECRETS" | jq '.items | length')
+                echo "Found ${CONFIG_COUNT} config Secret(s) to process"
+
+                echo "$CONFIG_SECRETS" | jq -c '.items[]' | while read -r CONFIG_SECRET; do
+                  CONFIG_NAME=$(echo "$CONFIG_SECRET" | jq -r '.metadata.name')
+                  SOURCE_NS=$(echo "$CONFIG_SECRET" | jq -r '.metadata.annotations["keycloak.forteapps.net/source-namespace"] // .metadata.labels["keycloak.forteapps.net/source-namespace"] // "unknown"')
+
+                  # Decode client.json from the Secret data
+                  CLIENT_JSON_B64=$(echo "$CONFIG_SECRET" | jq -r '.data["client.json"] // empty')
+                  if [ -z "$CLIENT_JSON_B64" ]; then
+                    echo "WARNING: Config Secret '${CONFIG_NAME}' missing client.json field, skipping"
+                    continue
+                  fi
+                  CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d)
+
+                  CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId')
+                  echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'"
+
+                  # Compute config hash for change detection
+                  CONFIG_HASH=$(printf '%s' "$CLIENT_JSON" | sha256sum | cut -d' ' -f1)
+                  EXISTING_HASH=$(echo "$CONFIG_SECRET" | jq -r '.metadata.annotations["keycloak.forteapps.net/config-hash"] // ""')
+
+                  # Extract secret delivery config from client.json
+                  CRED_NS=$(echo "$CLIENT_JSON" | jq -r '.secret.namespace // "'"${SOURCE_NS}"'"')
+                  CRED_NAME=$(echo "$CLIENT_JSON" | jq -r '.secret.name // "'"${CLIENT_ID}"'-oidc-credentials"')
+                  CRED_ID_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientId // "client-id"')
+                  CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"')
+
+                  # Check if credential Secret already exists in target namespace
+                  CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \
+                    --cacert "$CA_CERT" \
+                    -H "Authorization: Bearer ${SA_TOKEN}" \
+                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")
+
+                  # Skip if hash matches and credential Secret exists
+                  if [ "$CONFIG_HASH" = "$EXISTING_HASH" ] && [ "$CRED_EXISTS" = "200" ]; then
+                    echo "  No changes detected, skipping"
+                    continue
+                  fi
+
+                  # Build Keycloak client representation (strip our secret delivery config)
+                  KC_CLIENT=$(echo "$CLIENT_JSON" | jq '{
+                    clientId: .clientId,
+                    name: .name,
+                    enabled: true,
+                    protocol: "openid-connect",
+                    clientAuthenticatorType: "client-secret",
+                    standardFlowEnabled: true,
+                    directAccessGrantsEnabled: false,
+                    publicClient: false,
+                    redirectUris: .redirectUris,
+                    webOrigins: .webOrigins,
+                    defaultClientScopes: .defaultClientScopes,
+                    protocolMappers: (.protocolMappers // [])
+                  }')
+
+                  # Check if client already exists
+                  EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
+                    | jq -r '.[0].id // empty')
+
+                  if [ -n "$EXISTING" ]; then
+                    echo "  Updating existing Keycloak client (uuid: ${EXISTING})"
+                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
+                      -H "Authorization: Bearer ${TOKEN}" \
+                      -H "Content-Type: application/json" \
+                      -X PUT -d "$KC_CLIENT" \
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}")
+                    if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "200" ]; then
+                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
+                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
+                      continue
+                    fi
+                    CLIENT_UUID="$EXISTING"
+                  else
+                    echo "  Creating new Keycloak client '${CLIENT_ID}'"
+                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
+                      -H "Authorization: Bearer ${TOKEN}" \
+                      -H "Content-Type: application/json" \
+                      -X POST -d "$KC_CLIENT" \
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
+                    if [ "$HTTP_CODE" != "201" ]; then
+                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
+                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
+                      continue
+                    fi
+                    # Fetch the newly created client's UUID
+                    CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
+                      | jq -r '.[0].id')
+                  fi
+
+                  # Sync credentials to target namespace
+                  sync_credentials "$CLIENT_ID" "$CLIENT_UUID" "$CRED_NS" "$CRED_NAME" "$CRED_ID_KEY" "$CRED_SECRET_KEY"
+
+                  # Annotate config Secret with hash and sync status
+                  annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/config-hash" "$CONFIG_HASH"
+                  annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "synced"
+                  TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+                  annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/last-sync" "$TIMESTAMP"
+                  echo "  Synced successfully"
+                done
+
+                echo ""
+                echo "Client registrar run complete"
+              volumeMounts:
+              - name: keycloak-credentials
+                mountPath: /secrets
+                readOnly: true
+              resources:
+                requests:
+                  cpu: 50m
+                  memory: 64Mi
+                limits:
+                  cpu: 200m
+                  memory: 128Mi
+            volumes:
+            - name: keycloak-credentials
+              secret:
+                secretName: keycloak-credentials
+                items:
+                - key: admin-password
+                  path: admin-password

infra/values/renovate-values.yaml

@@ -13,15 +13,18 @@ renovate:
       "packageRules": [
         {
           "matchRepositories": ["**/10x"],
-          "assignees": ["edvard.unsvag"]
+          "assignees": ["edvard.unsvag"],
+          "reviewers": ["edvard.unsvag"]
         },
         {
           "matchRepositories": ["**/auth-sidecar"],
-          "assignees": ["danijel.simeunovic"]
+          "assignees": ["danijel.simeunovic"],
+          "reviewers": ["danijel.simeunovic"]
         },
         {
           "matchRepositories": ["**/forte-helm"],
-          "assignees": ["danijel.simeunovic"]
+          "assignees": ["danijel.simeunovic"],
+          "reviewers": ["danijel.simeunovic"]
         }
       ]
     }