d6e61c5663
Two ArgoCD apps from the same forte-drop image:
- forte-drop (web): admin + public drops, sidecar in oidc mode,
ingress drop-k8s.hackathon.forteapps.net.
- forte-drop-mcp (mcp): MCP-over-HTTP, sidecar in mcp mode,
ingress mcp.drop-k8s.hackathon.forteapps.net.
Plus two labeled Keycloak client config Secrets — the registrar
creates the OIDC clients in the forte realm within ~2 min.
Sealed secrets (forte-drop-secrets + auth-oidc) added in a
follow-up commit by the maintainer:
cd /Users/sten/dev/work/forte_k8/launchpad
kubeseal --format=yaml \
--controller-name=sealed-secrets-controller \
--controller-namespace=kube-system \
< private/forte-drop-secrets.yaml \
> apps/base/forte-drop/forte-drop-secrets-sealed.yaml
# auth-oidc: wait for registrar, copy client-secret into private/,
# then seal as apps/base/forte-drop/auth-oidc-sealed.yaml.
# (mcp deployment is sidecar type=mcp — no auth-oidc Secret needed;
# only the web deployment requires it.)
28 lines
889 B
YAML
28 lines
889 B
YAML
# MCP audience client. RFC 7591 dynamic-registration capable MCP clients (e.g.,
|
|
# Claude Desktop) discover this via /.well-known/oauth-protected-resource and
|
|
# request tokens with aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp.
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: keycloak-client-forte-drop-mcp
|
|
namespace: forte-drop
|
|
labels:
|
|
keycloak.forteapps.net/client-config: "true"
|
|
stringData:
|
|
client.json: |
|
|
{
|
|
"clientId": "forte-drop-mcp",
|
|
"name": "Forte Drop (MCP)",
|
|
"enabled": true,
|
|
"protocol": "openid-connect",
|
|
"clientAuthenticatorType": "client-secret",
|
|
"standardFlowEnabled": false,
|
|
"directAccessGrantsEnabled": false,
|
|
"serviceAccountsEnabled": false,
|
|
"publicClient": false,
|
|
"defaultClientScopes": ["openid","profile","email"],
|
|
"attributes": {
|
|
"access.token.lifespan": "3600"
|
|
}
|
|
}
|