feat(apps): forte-drop web + mcp argocd apps (prod) #18

Merged
jorgen.stensrud merged 23 commits from feat/forte-drop-apps into main 2026-06-04 18:47:08 +00:00
5 changed files with 32 additions and 49 deletions


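--- a/keycloak-client-forte-drop-mcp.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# MCP audience client. RFC 7591 dynamic-registration capable MCP clients (e.g.,
-# Claude Desktop) discover this via /.well-known/oauth-protected-resource and
-# request tokens with aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp.
-apiVersion: v1
-kind: Secret
-metadata:
-name: keycloak-client-forte-drop-mcp
-namespace: forte-drop
-labels:
-keycloak.forteapps.net/client-config: "true"
-stringData:
-client.json: |
-{
-"clientId": "forte-drop-mcp",
-"name": "Forte Drop (MCP)",
-"enabled": true,
-"protocol": "openid-connect",
-"clientAuthenticatorType": "client-secret",
-"standardFlowEnabled": false,
-"directAccessGrantsEnabled": false,
-"serviceAccountsEnabled": false,
-"publicClient": false,
-"defaultClientScopes": ["openid","profile","email"],
-"attributes": {
-"access.token.lifespan": "3600"
-}
-}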


@@ -2,8 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- forte-drop-mcp.yaml
- keycloak-client-forte-drop-mcp.yaml
# Note: no auth-oidc Secret needed for type: mcp. The MCP sidecar only validates
# tokens against the OIDC issuer (RFC 9728 resource server) and never authenticates
# itself, so it doesn't read a client-secret. forte-drop-secrets (shared with the
# web deployment) covers PG + S3 creds.
# No keycloak-client config + no auth-oidc Secret for mcp mode. The chart's
# auth.type: mcp auto-registers the MCP client; the sidecar is an RFC 9728
# resource server that validates tokens (no client-secret of its own).
# forte-drop-secrets (shared with web) covers PG + S3 creds.
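Review bot: The replacement comment at the end of the resources list drops the one security-relevant fact the deleted client file carried: the MCP resource identifier (`aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp`) and the disabled grant flows, which now presumably live in the chart's `auth.type: mcp` auto-registration. Since the sidecar is described as only validating tokens, the comment should state which audience it enforces, because a validator that checks issuer and signature but not `aud` would accept access tokens minted for the web client (`forte-drop`) at the MCP endpoint. Suggested addition to the comment: `# Sidecar must require aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp (the RFC 9728 resource id); tokens issued for the web client are not valid here.` The chart values that set this are outside this diff, so please confirm against forte-drop-mcp.yaml rather than taking the comment on trust.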


@@ -6,12 +6,18 @@ metadata:
namespace: forte-drop

Remove unnecessary '# added' comment.

  namespace: forte-drop

#ai-review-inline

Remove unnecessary '# added' comment. ```suggestion namespace: forte-drop ``` #ai-review-inline
spec:

Remove unnecessary '# added' comment.

spec:

#ai-review-inline

Remove unnecessary '# added' comment. ```suggestion spec: ``` #ai-review-inline
encryptedData:

Remove unnecessary '# added' comment.

  encryptedData:

#ai-review-inline

Remove unnecessary '# added' comment. ```suggestion encryptedData: ``` #ai-review-inline
PASSWORD_GATE_SECRET: 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
PGPASSWORD: 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
PGUSER: 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
S3_ENDPOINT: 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
S3_KEY: 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
S3_SECRET: AgAvWoqSF/qo6FNEcIaYQ75MJjetpjkMfnviZMcQxxCBbnrO2NPs0bqlcyKG0QSarOnBdbsKBsflxCOBqMweX8XpduKZWCAa0CbF8/PQ+TTcjHGeY9jU0/8bMhG4YnaKSy9XbzHKIMQ+pQvwV5/IF+2FSkgEaFxvMrGDAYoT/mmqT6k/NTIO9IsirDAMaOCkmb56DhN37yFNa94eaFN7jKeqwEsGeS6AB2IV8IWlyUpul4BQfS1BUfhYGPg+4betYTdvuvKSEGZ6fv9wMcUl86B1YD13Fs9D8rLenpsOjSgpflWZDOpq05OIqoeeht87N6kbMF7fKVJwfSCo3FDeEGq4Rp+T8ufYl661ac7Gh7weg4T2JCKjW4aJN/Nv3y4s57XqQXzlXW5zQOHBC6l5hH0XbnwByFnpfuyjG4G0Ssza3kdfDq5rXFnnSBMHCeVQgOEtfrC9gxOUYdCYPnz7o8sTYkP5mGITcnk9I7jn/aSc2hCIF8JPPRuOh415hwhqX4c/rp1IjQhV9dD/0YVyv9JBkn5aGq/HYDZMTn406gFd0f+LQiMZfnVChXBr151+JYPgZhEoDxwZ2+kU5YWLRKthSgOyzZTRIOk5wJKYxNBJVxU5GlsZe1uDzeertwfE8jOKpd3z0gNIzmVTvOuQUwyXDkTPxvpl3ITFHTNAmHw4sugsOu4IpRQOEQUitud3gkYUzAJQ4buUo3h4CV+VN/Of/jZ0t3OuhwDt/4t/w6nKRFJkd2tlkAp3
BASE_DOMAIN: AgAFybdBryVb2AQuGQC8REXzW0YZlyycJp/KeXnROkW71UjDe4qMAWkWszrJWxZMvAPO/tXmibp7jEol6aB5GKG0k3tswWoprTFXLd9CMR2U9SWR3ZCol4npPXo7uOxhBcNSVt+cDXyejSiFTi6goY2oOtbKAJSF9Nv7Z5ePaqhhFni3ntcmM0S1Ad1l3QR7VvyazHFBXfO0b8Z9NgYsUNbGrXWDwoSAZIv3ly3wx90AXn+dXX5FNPtl9CtyAVhHsl3liwQdhEwS2krZZjj7NiQTCfNXp7BSB9ZETpo9KkoV4AZNy1zupd3HpeXHsyhHjq/JqXIAF3iFU0tZTWjhcwnehYdEU5oduwfLCWym5PYgpiQAGiazpkm1Ss3/PYpZYnR2nWv60b1Pa5i79ZiPNi4GL67AiWoJDw6QxV0Kbzi0AvUkZI1E2PeIJvv1w9NKdMRo49xK8LUx2qSTpWeqRP+1kzklHqclTuNVxiWtR2wUgdoLzvU7p5ETu7kPEmaoE8rYw4dKgQvHlMok2Ky2JsELGBkCiYjUN75T+yNlGs5dzbiwtWOja/r0dJ3ZGBQjcK4/BbTLiMYsrxmJTPPF/2zhCOlFY6cfcRMmc7Mwr68mK9m2rTOJQNjBMDoASiqVMmeSqfRSln7JNb1pAeq4xcz9YJMBJhPy2XNiBvRJK3pGIjVcNST0jSpic1X01NJTy7aFbcniZzYnsKJV61AQb+daGEsB1Ib3GnJ+Rv8+9NfvWg==

Remove unnecessary '# added' comment.

    PASSWORD_GATE_SECRET: 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

#ai-review-inline

Remove unnecessary '# added' comment. ```suggestion PASSWORD_GATE_SECRET: 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 ``` #ai-review-inline
PASSWORD_GATE_SECRET: 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

Remove unnecessary '# added' comment.

    PGPASSWORD: AgC5TnoWNEQK13fJHfxM8/ZHRlX85Kd11d8Ig+PgMGcLkxab7fvZJuzg7VX0iksK2UG/c1w1q8fRigMl1WWxmZvW2zM4/BsF45WR99QGt4Z1dhTFHdL5/7OZq2jDMYY5x/7gzCccb2pMAZS7p4rjnJM0EPd7YuMlhXZwIjXcck9Qu8GDpyEu1gg2A1tIfUzjvD+HeTbs6NLy16WHYpMG7Wv4WBNNPO+0k5Z0OwwXmIFSJvSMUHWBg/u2JCJ/1DL0zLyRCdXXOB8VVGok3TFbNscGQqFtFkaaVd0rA4Ao6abrsezcsfZFkcSsfVhATAw+M8ORYRC642BFJjzbhGSbDBsYq7aYyT86MVoqnRJgXK7/K2qzIeT9agM3sJm3ZuRjVCBDGdp/Xo2Rbtely8PH4GwEZI+vRFhTFAj5maduHMt0ZmScusOKuGvr0kFFXKw6XthBT3Arg5Q40upiBtPPrpWhWJYtgT3EfFuXNoc1c1Do7UZ5cmfe51sOBkMZjYk7+8B8a2IejKRflynBcCDQ7r2u76SF18dS5/R7jdOlreyL0yuEiULicKpX8BXPa9dN6Xja8OVPfIHvk0+TwnaYx7YaZDEXlyG0GKv9R3i0wykL1RdDCii6eRSJAp1UFmnCKZJJd9Y6djw7XBAd9G/ux8Vz45XkP+f2Kfgx32HmZsqPq2xaW5DoAeM33uDMfi3Ist+FVRtffuSrTQwBNp76VyhI7YY9MSB5JR1sBUGxGXtAGg==

#ai-review-inline

Remove unnecessary '# added' comment. ```suggestion PGPASSWORD: 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 ``` #ai-review-inline
PGDATABASE: AgCCkY7AUaoy2V+fRXrEeLODlHOTXWXmWCW6MBWEY1J32QrN0bWUmwDdTxv5KHchbhH8lra9bABNOGfRcz59GIg8fH3fwTWOE8luh9cD50QkphjZPe9eGXc6YzheG0CG5hDnUoiJjnP9/l5cZc6sRxAo7for/bbLa0zja3VMzI+NMhVVRZT01G5R/Aoyf+B/TGm4mYbMyWAIgEEfjl50yIkc4WscfQrRkbxAtBF2qFuS3OL95TYSRULBAt0f3Z2WpCdS2b/pUyHJuuoi8aTo1a9QLFMrUdxVi6ydIKaMcx8xR8DlXQLOOdtIQu4TrgzGX2MgHwrbWuf/SFO5IWB/6/JI3yubo+i88M9LwPKsGeslcquoBG3Ibqlnmw8pcPrXUwBq2BowjAqpGsxdiR5XIi2j8QnpA8dTmFARX9CWKHoXFH5+uxx7SSTPG+izlGtVspsu5xx3F8MZ6eStInCyBimTVrn74+IvMPEBrj7wThO6Bl9EA3POkTRf6AmjuPItTgZK8lfXY/t0qDN5zApeB051+jSGZ0/o4PaY414vCm/+OteuCAI4ooCpDOwG3QD52VtpmoAvGjtuWExrvCHMW+hTIxsNbYJ+2SE1oQy8n8J5kKK+AU/SnYf/VEpbawHrpU48g6sDUHQzzPhoLN41j67qopmfRZAo1r5Tb4n7MnEOF3Yi7aT3lE6JvB3gZUSRqnDYSWObTg==
PGHOST: 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
PGPASSWORD: 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
PGPORT: 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
PGUSER: AgDH9oSzu61NVOUlK7Evr278VuOx7ZxZgdsk+kdJmwpBGX7r5gmPrdomh/mqLYTuLokkanFiTfchRWHc76FvjbA/KxqwCq1qsZbW+dXrRtx/z1wQApKxNUJ7JolwMwP7tHE6QlGzO2mWj6RUROnhKpNybJXVvC3E5sSyz2QWC9hjamQP997RGA9yiiT/OShC7I6drFYR5cRDtpjW7Sy46qhMwlCRppiKh3wOV7qIAa0aPQE3Rfcg2WpK2ugRL1N+SiVnM+wPQwYVLiDaVF40vP40Kari99hIgmhcbjPeGG3kGX5VLww9KGm7iryrW3Yx45L/CCh1arUUpjkK2FGLVKtb3+YmDadnOA/I8Rr5kebhoMc93E3U3+mDfQA3cO/23xgpOJEGRCQwBlN9mazqkdq4zQkb4+nuxsdyQcxYtncgxhfCcZ0mXnbX2aW2kYcxKqa/jNjBcEpGMvos7dq6QzNq2nHrITo15S74M0292CAje2NFvKURA/KZnT26dDw3e5xa74E1nI/tBJEHWrUwRXpPu7naCZ2sZMxQV6ixQMuDakx3YamXZmMwgFO2FZ6ZL9BDDsbV4+JAsNwEaHGIIaTbE28R/xPIcUqcxrQV4ZWmHnJXFGyJ0XXxJ57GGjs7QwvvzAm+9WGYtlSC6H/8rX8uZIQLr3llVbJMuLpIv45i3p0Nkx8jyxGSG3rNQ4l3K0rjly2qZg==
S3_BUCKET: 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
S3_ENDPOINT: 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
S3_KEY: 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
S3_REGION: 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
S3_SECRET: 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
template:
metadata:
name: forte-drop-secrets
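Review bot: The new encryptedData block seals plain configuration (`BASE_DOMAIN`, `PGHOST`, `PGPORT`, `PGDATABASE`, `S3_BUCKET`, `S3_ENDPOINT`, `S3_REGION`) alongside real credentials (`PASSWORD_GATE_SECRET`, `PGUSER`, `PGPASSWORD`, `S3_KEY`, `S3_SECRET`), so none of the non-secret values can be reviewed in this PR and any endpoint or bucket change requires a re-seal. Moving those seven keys into a ConfigMap or the chart values and keeping only credentials in forte-drop-secrets would make the sealed payload minimal and auditable; the consuming Deployment is outside this diff, so its env wiring would need to follow. Separately, the kustomization comment says this Secret is shared between the web and MCP deployments, which hands both workloads identical database and S3 credentials — if the MCP sidecar needs only a subset, a second Secret with scoped S3 keys would preserve least privilege, though that is a design call rather than a defect in the hunk.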


@@ -1,8 +1,8 @@
# Labeled config Secret read by the Keycloak Client Registrar. The registrar will
# create the OIDC client in the forte realm and write the resulting credentials
# back into forte-drop-oidc-credentials Secret in this namespace within ~2 min.
# That client-secret then gets manually copied into the auth-oidc SealedSecret
# (one-time per cluster; see PR description).
# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
# to the keycloak namespace; a CronJob registers the OIDC client in the forte
# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
# registrar-created Secret automatically — no manual SealedSecret step needed.
apiVersion: v1
kind: Secret
metadata:
@@ -10,6 +10,8 @@ metadata:
namespace: forte-drop
labels:
keycloak.forteapps.net/client-config: "true"
annotations:
keycloak.forteapps.net/source-namespace: "forte-drop"
stringData:
client.json: |
{
@@ -24,5 +26,13 @@ stringData:
"publicClient": false,

Hardcoded URL in webOrigins should be templated or moved to values to support different environments.

#ai-review-inline

Hardcoded URL in webOrigins should be templated or moved to values to support different environments. #ai-review-inline
"redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
"webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],

Det du mangler her er hvor du vil at Secret skal bli laget og med hvilke keys:

      "secret": {
        "namespace": "myapp",                # Where to create credential Secret
        "name": "myapp-oidc-credentials",    # Name of credential Secret
        "keys": {
          "clientId": "client-id",           # Key name for client ID
          "clientSecret": "client-secret"    # Key name for client secret
        }
      }
Det du mangler her er hvor du vil at `Secret` skal bli laget og med hvilke keys: ``` "secret": { "namespace": "myapp", # Where to create credential Secret "name": "myapp-oidc-credentials", # Name of credential Secret "keys": { "clientId": "client-id", # Key name for client ID "clientSecret": "client-secret" # Key name for client secret } } ```

Detaljert forklaring, hvis interessant:

What a Developer Should Push

A developer deploying a new application must create a Config Secret in their application's namespace. This Secret contains the desired Keycloak client configuration.

The Format

Kubernetes Secret YAML:

apiVersion: v1
kind: Secret
metadata:
  name: keycloak-client-<app-name>          # Any descriptive name
  namespace: <app-namespace>                 # Your app's namespace (e.g., "myapp")
  labels:
    keycloak.forteapps.net/client-config: "true"  # REQUIRED - triggers processing
  annotations:
    keycloak.forteapps.net/source-namespace: "myapp"  # Optional - tracks ownership
stringData:
  client.json: |                             # REQUIRED - the client configuration
    {
      "clientId": "myapp",                   # Pre-determined by developer
      "name": "My Application",              # Display name in Keycloak UI
      "redirectUris": ["https://myapp.forteapps.net/*"],
      "webOrigins": ["https://myapp.forteapps.net"],
      "defaultClientScopes": ["openid", "email", "profile"],
      "protocolMappers": [],
      "secret": {
        "namespace": "myapp",                # Where to create credential Secret
        "name": "myapp-oidc-credentials",    # Name of credential Secret
        "keys": {
          "clientId": "client-id",           # Key name for client ID
          "clientSecret": "client-secret"    # Key name for client secret
        }
      }
    }

How It Works: Client ID vs Client Secret

Client ID (Pre-determined by Developer):

  • The developer chooses clientId (e.g., "myapp")
  • This becomes the public identifier for the OIDC client
  • Used in OAuth flows, login redirects, token requests
  • Stored in the credential Secret under the specified key (default: client-id)

Client Secret (Generated by Keycloak):

  • Keycloak auto-generates a cryptographically secure secret

  • The CronJob fetches it via: GET /admin/realms/forte/clients/{uuid}/client-secret

  • The CronJob then creates/updates TWO Secrets:

    1. Target Namespace Secret (myapp/myapp-oidc-credentials):

    apiVersion: v1
    kind: Secret
    metadata:
      name: myapp-oidc-credentials
      namespace: myapp
      labels:
        app.kubernetes.io/managed-by: keycloak-client-registrar
    type: Opaque
    data:
      client-id: bXlhcHA=           # base64("myapp") - from client.json
      client-secret: <base64>        # Generated by Keycloak
    

    2. Central Backup Secret (secrets/myapp-oidc-credentials):

    • Identical content
    • Always created even if target namespace doesn't exist
    • Used for external deployments, disaster recovery, auditing

Developer Workflow

  1. Create Config Secret in your Helm chart or Kustomize (in your app's namespace)

  2. Deploy - Kyverno policy clones it to keycloak namespace automatically

  3. Wait - CronJob picks it up within 2 minutes

  4. Reference the generated credential Secret in your Deployment:

    env:
    - name: OIDC_CLIENT_ID
      valueFrom:
        secretKeyRef:
          name: myapp-oidc-credentials
          key: client-id
    - name: OIDC_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: myapp-oidc-credentials
          key: client-secret
    

Change Detection

The CronJob computes a SHA256 hash of client.json. If unchanged and credential Secret exists, it skips processing. To force re-sync, modify any field in client.json (e.g., add trailing space to name).

Detaljert forklaring, hvis interessant: ### What a Developer Should Push A developer deploying a new application must create a __Config Secret__ in their application's namespace. This Secret contains the desired Keycloak client configuration. ### The Format __Kubernetes Secret YAML:__ ```yaml apiVersion: v1 kind: Secret metadata: name: keycloak-client-<app-name> # Any descriptive name namespace: <app-namespace> # Your app's namespace (e.g., "myapp") labels: keycloak.forteapps.net/client-config: "true" # REQUIRED - triggers processing annotations: keycloak.forteapps.net/source-namespace: "myapp" # Optional - tracks ownership stringData: client.json: | # REQUIRED - the client configuration { "clientId": "myapp", # Pre-determined by developer "name": "My Application", # Display name in Keycloak UI "redirectUris": ["https://myapp.forteapps.net/*"], "webOrigins": ["https://myapp.forteapps.net"], "defaultClientScopes": ["openid", "email", "profile"], "protocolMappers": [], "secret": { "namespace": "myapp", # Where to create credential Secret "name": "myapp-oidc-credentials", # Name of credential Secret "keys": { "clientId": "client-id", # Key name for client ID "clientSecret": "client-secret" # Key name for client secret } } } ``` ### How It Works: Client ID vs Client Secret __Client ID (Pre-determined by Developer):__ - The developer chooses `clientId` (e.g., `"myapp"`) - This becomes the public identifier for the OIDC client - Used in OAuth flows, login redirects, token requests - Stored in the credential Secret under the specified key (default: `client-id`) __Client Secret (Generated by Keycloak):__ - Keycloak auto-generates a cryptographically secure secret - The CronJob fetches it via: `GET /admin/realms/forte/clients/{uuid}/client-secret` - The CronJob then creates/updates __TWO__ Secrets: __1. 
Target Namespace Secret__ (`myapp/myapp-oidc-credentials`): ```yaml apiVersion: v1 kind: Secret metadata: name: myapp-oidc-credentials namespace: myapp labels: app.kubernetes.io/managed-by: keycloak-client-registrar type: Opaque data: client-id: bXlhcHA= # base64("myapp") - from client.json client-secret: <base64> # Generated by Keycloak ``` __2. Central Backup Secret__ (`secrets/myapp-oidc-credentials`): - Identical content - Always created even if target namespace doesn't exist - Used for external deployments, disaster recovery, auditing ### Developer Workflow 1. __Create Config Secret__ in your Helm chart or Kustomize (in your app's namespace) 2. __Deploy__ - Kyverno policy clones it to `keycloak` namespace automatically 3. __Wait__ - CronJob picks it up within 2 minutes 4. __Reference__ the generated credential Secret in your Deployment: ```yaml env: - name: OIDC_CLIENT_ID valueFrom: secretKeyRef: name: myapp-oidc-credentials key: client-id - name: OIDC_CLIENT_SECRET valueFrom: secretKeyRef: name: myapp-oidc-credentials key: client-secret ``` ### Change Detection The CronJob computes a SHA256 hash of `client.json`. If unchanged and credential Secret exists, it skips processing. To force re-sync, modify any field in `client.json` (e.g., add trailing space to `name`).
"defaultClientScopes": ["openid","email","profile"]
"defaultClientScopes": ["openid","email","profile"],
"secret": {
"namespace": "forte-drop",
"name": "forte-drop-oidc-credentials",
"keys": {
"clientId": "client-id",
"clientSecret": "client-secret"
}
}
}
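Review bot: The header comment added at the top of this file (`Kyverno clones it ... consumes that registrar-created Secret automatically`) omits that, per the registrar description in the thread, the client-secret is also written to a second copy in the central `secrets` namespace, so the credential lives in two places and rotation or revocation has to cover both. The new `"secret"` block in this hunk names `forte-drop` as the target namespace; whether the registrar refuses a `secret.namespace` that differs from the config Secret's own namespace is not visible here, and the `source-namespace` annotation is described as optional ownership tracking rather than a check. Suggested line after the header comment: `# NOTE: the registrar also keeps a copy of client-secret in the secrets namespace; rotate both. Confirm it rejects a foreign secret.namespace.` The `redirectUris` entry being an exact callback path rather than a wildcard is the right choice and should stay that way.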


@@ -6,8 +6,3 @@ resources:
- keycloak-client-forte-drop.yaml
- forte-drop-pdb.yaml
- forte-drop-secrets-sealed.yaml
# NOTE: the web sidecar's auth-oidc SealedSecret is added in a follow-up commit,
# once the Keycloak registrar has created forte-drop-oidc-credentials post-deploy
# (see PR description for the one-time seal step). It is intentionally NOT a
# resource here yet — sealing it requires the registrar-generated client-secret.