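---
# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
# to the keycloak namespace; a CronJob registers the OIDC client in the forte
# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
# registrar-created Secret automatically — no manual SealedSecret step needed.
#
# This manifest carries client configuration only: client.json holds no secret
# value, just the namespace/name/keys of the Secret the credentials land in.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-client-forte-drop
  namespace: forte-drop
  labels:
    # Quoted so the value stays the string "true"; label values must be strings.
    # NOTE(review): presumably this label is what the registrar / Kyverno policy
    # selects on. If so, confirm that creating Secrets with it is restricted
    # (RBAC or policy), since a labeled Secret results in a realm client.
    keycloak.forteapps.net/client-config: "true"
  annotations:
    # NOTE(review): this duplicates metadata.namespace and secret.namespace in
    # client.json. Confirm the registrar or the Kyverno policy pins the
    # write-back target to the namespace the Secret really came from, rather
    # than trusting these self-declared values.
    keycloak.forteapps.net/source-namespace: "forte-drop"
stringData:
  # Client settings as written below:
  #   - confidential client (publicClient false, authenticator client-secret)
  #   - authorization code flow only (standardFlowEnabled true); direct access
  #     grants and service accounts are off
  #   - one exact https redirect URI and one web origin, no wildcards; keep
  #     both exact when adding hosts
  # The "secret" object is a reference (target Secret and key names), not a
  # credential. JSON allows no comments, so all notes stay outside the scalar.
  client.json: |
    {
      "clientId": "forte-drop",
      "name": "Forte Drop (web)",
      "enabled": true,
      "protocol": "openid-connect",
      "clientAuthenticatorType": "client-secret",
      "standardFlowEnabled": true,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "publicClient": false,
      "redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
      "webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],
      "defaultClientScopes": ["openid","email","profile"],
      "secret": {
        "namespace": "forte-drop",
        "name": "forte-drop-oidc-credentials",
        "keys": {
          "clientId": "client-id",
          "clientSecret": "client-secret"
        }
      }
    }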