Jørgen Stensrud
b713ec853c
## Summary
ArgoCD Applications + Keycloak clients + sealed secret for forte-drop **web + mcp** (PROD).
## What changed
- **forte-drop** + **forte-drop-mcp** ArgoCD Applications (two-source: forte-helm chart + helm-prod-values).
- **namespace.yaml** — explicit `forte-drop` Namespace at sync-wave -1, `Prune=false` (avoids first-sync race for namespaced resources; doesn't cascade-delete on base removal).
- **keycloak-client-forte-drop** + **keycloak-client-forte-drop-mcp** — labeled config Secrets; the registrar creates the OIDC clients in the `forte` realm within ~2 min.
- **forte-drop-secrets** SealedSecret — UpCloud S3 creds (existing drops bucket) + PG creds + PASSWORD_GATE_SECRET. Consumed by both deployments + the pg-backup CronJob.
- **forte-drop-web PDB** — minAvailable 1 (selector verified against the live forteapp chart's pod labels).
- Wired into `apps/overlays/upc-dev` (NOT base → stays out of upc-prod).
## Post-merge manual step (one-time)
`auth-oidc` SealedSecret for the web sidecar is still commented out — it needs the `client-secret` the Keycloak registrar writes to `forte-drop-oidc-credentials` after first sync:
```bash
CLIENT_SECRET=$(kubectl -n forte-drop get secret forte-drop-oidc-credentials -o jsonpath='{.data.client-secret}' | base64 -d)
kubectl create secret generic auth-oidc -n forte-drop \
--from-literal=client-secret="$CLIENT_SECRET" \
--from-literal=cookie-secret="$(openssl rand -hex 32)" \
--dry-run=client -o yaml > private/auth-oidc.yaml
kubeseal --format=yaml --controller-name=sealed-secrets-controller --controller-namespace=kube-system \
< private/auth-oidc.yaml > apps/base/forte-drop/auth-oidc-sealed.yaml
# uncomment in kustomization, commit, push
```
## Depends on
- launchpad PR #17 (postgres + namespace via CreateNamespace).
- helm-prod-values forte-drop PR (values).
## Review
- [x] codex: namespace first-sync race → fixed (explicit namespace, sync-wave -1).
- [x] Keycloak registrar unblocked (stale chibisafe/minio config secrets removed; registrar green).
🤖 Generated with Claude Code
Co-authored-by: Sten <sten@Sten-sin-MacBook-Pro.local>
Co-authored-by: Sten <sten@Mac.domain_not_set.invalid>
Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Reviewed-on: #18
Reviewed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
39 lines
1.4 KiB
YAML
39 lines
1.4 KiB
YAML
# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
|
|
# to the keycloak namespace; a CronJob registers the OIDC client in the forte
|
|
# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
|
|
# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
|
|
# registrar-created Secret automatically — no manual SealedSecret step needed.
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: keycloak-client-forte-drop
|
|
namespace: forte-drop
|
|
labels:
|
|
keycloak.forteapps.net/client-config: "true"
|
|
annotations:
|
|
keycloak.forteapps.net/source-namespace: "forte-drop"
|
|
stringData:
|
|
client.json: |
|
|
{
|
|
"clientId": "forte-drop",
|
|
"name": "Forte Drop (web)",
|
|
"enabled": true,
|
|
"protocol": "openid-connect",
|
|
"clientAuthenticatorType": "client-secret",
|
|
"standardFlowEnabled": true,
|
|
"directAccessGrantsEnabled": false,
|
|
"serviceAccountsEnabled": false,
|
|
"publicClient": false,
|
|
"redirectUris": ["https://drop.forteapps.net/auth/callback"],
|
|
"webOrigins": ["https://drop.forteapps.net"],
|
|
"defaultClientScopes": ["openid","email","profile"],
|
|
"secret": {
|
|
"namespace": "forte-drop",
|
|
"name": "forte-drop-oidc-credentials",
|
|
"keys": {
|
|
"clientId": "client-id",
|
|
"clientSecret": "client-secret"
|
|
}
|
|
}
|
|
}
|