dbf299b1f5
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 9s
The hackathon-zone host never got DNS records (delegated Azure zone, no wildcard); the app launches on drop.forteapps.net instead. Without this the OIDC callback dies on redirect_uri mismatch.
39 lines
1.4 KiB
YAML
39 lines
1.4 KiB
YAML
# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
|
|
# to the keycloak namespace; a CronJob registers the OIDC client in the forte
|
|
# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
|
|
# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
|
|
# registrar-created Secret automatically — no manual SealedSecret step needed.
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: keycloak-client-forte-drop
|
|
namespace: forte-drop
|
|
labels:
|
|
keycloak.forteapps.net/client-config: "true"
|
|
annotations:
|
|
keycloak.forteapps.net/source-namespace: "forte-drop"
|
|
stringData:
|
|
client.json: |
|
|
{
|
|
"clientId": "forte-drop",
|
|
"name": "Forte Drop (web)",
|
|
"enabled": true,
|
|
"protocol": "openid-connect",
|
|
"clientAuthenticatorType": "client-secret",
|
|
"standardFlowEnabled": true,
|
|
"directAccessGrantsEnabled": false,
|
|
"serviceAccountsEnabled": false,
|
|
"publicClient": false,
|
|
"redirectUris": ["https://drop.forteapps.net/auth/callback"],
|
|
"webOrigins": ["https://drop.forteapps.net"],
|
|
"defaultClientScopes": ["openid","email","profile"],
|
|
"secret": {
|
|
"namespace": "forte-drop",
|
|
"name": "forte-drop-oidc-credentials",
|
|
"keys": {
|
|
"clientId": "client-id",
|
|
"clientSecret": "client-secret"
|
|
}
|
|
}
|
|
}
|