From ff3a046f5a6ee90e5c688e8e489a52e13cc2ca1d Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 17 Mar 2026 13:12:41 +0100
Subject: [PATCH] refactor: remove OIDC config from K8s manifests

OIDC configuration should be managed by the server itself (database-backed), not injected via K8s secrets. Remove all CAMELEER_OIDC_* env vars from deployment manifests and the cameleer-oidc secret from CI. The server defaults to OIDC disabled via application.yml.

This also fixes the Kustomize strategic merge conflict where the feature overlay tried to set value on an env var that had valueFrom in the base.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .gitea/workflows/ci.yml | 14 +-----------
 deploy/base/server.yaml | 25 +---------------------
 deploy/overlays/feature/kustomization.yaml | 4 +---
 3 files changed, 3 insertions(+), 40 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 4d070483..e63eed7c 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -222,14 +222,6 @@ jobs:
 --from-literal=AUTHENTIK_SECRET_KEY="${AUTHENTIK_SECRET_KEY}" \
 --dry-run=client -o yaml | kubectl apply -f -

- kubectl create secret generic cameleer-oidc \
- --namespace=cameleer \
- --from-literal=CAMELEER_OIDC_ENABLED="${CAMELEER_OIDC_ENABLED:-false}" \
- --from-literal=CAMELEER_OIDC_ISSUER="${CAMELEER_OIDC_ISSUER}" \
- --from-literal=CAMELEER_OIDC_CLIENT_ID="${CAMELEER_OIDC_CLIENT_ID}" \
- --from-literal=CAMELEER_OIDC_CLIENT_SECRET="${CAMELEER_OIDC_CLIENT_SECRET}" \
- --dry-run=client -o yaml | kubectl apply -f -
-
 kubectl apply -f deploy/postgres.yaml
 kubectl -n cameleer rollout status statefulset/postgres --timeout=120s
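Review bot: Dropping the `kubectl create secret generic cameleer-oidc` step leaves any previously applied `cameleer-oidc` Secret, including its `CAMELEER_OIDC_CLIENT_SECRET` key, sitting in the `cameleer` namespace with nothing referencing or rotating it, and the `Copy secrets from cameleer namespace` loop in the later hunk stops propagating it without removing the copies already made into existing branch namespaces. A one-time cleanup in this deploy step would retire it: `kubectl delete secret cameleer-oidc -n cameleer --ignore-not-found`. The `CAMELEER_OIDC_*` entries removed from the job `env:` in the next hunk presumably still exist as repository secrets on the Gitea side; they can be removed there once the server-side configuration is in place. The `run:` block this hunk edits starts before the hunk.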
@@ -261,10 +253,6 @@ jobs:
 AUTHENTIK_PG_USER: ${{ secrets.AUTHENTIK_PG_USER }}
 AUTHENTIK_PG_PASSWORD: ${{ secrets.AUTHENTIK_PG_PASSWORD }}
 AUTHENTIK_SECRET_KEY: ${{ secrets.AUTHENTIK_SECRET_KEY }}
- CAMELEER_OIDC_ENABLED: ${{ secrets.CAMELEER_OIDC_ENABLED }}
- CAMELEER_OIDC_ISSUER: ${{ secrets.CAMELEER_OIDC_ISSUER }}
- CAMELEER_OIDC_CLIENT_ID: ${{ secrets.CAMELEER_OIDC_CLIENT_ID }}
- CAMELEER_OIDC_CLIENT_SECRET: ${{ secrets.CAMELEER_OIDC_CLIENT_SECRET }}

 deploy-feature:
 needs: docker
@@ -304,7 +292,7 @@ jobs:
 run: kubectl create namespace "$BRANCH_NS" --dry-run=client -o yaml | kubectl apply -f -
 - name: Copy secrets from cameleer namespace
 run: |
- for SECRET in gitea-registry postgres-credentials opensearch-credentials cameleer-auth cameleer-oidc; do
+ for SECRET in gitea-registry postgres-credentials opensearch-credentials cameleer-auth; do
 kubectl get secret "$SECRET" -n cameleer -o json \
 | jq 'del(.metadata.namespace, .metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp, .metadata.managedFields)' \
 | kubectl apply -n "$BRANCH_NS" -f -
diff --git a/deploy/base/server.yaml b/deploy/base/server.yaml
index bad69a22..bdf52a77 100644
--- a/deploy/base/server.yaml
+++ b/deploy/base/server.yaml
@@ -63,30 +63,7 @@ spec:
 name: cameleer-auth
 key: CAMELEER_JWT_SECRET
 optional: true
- - name: CAMELEER_OIDC_ENABLED
- valueFrom:
- secretKeyRef:
- name: cameleer-oidc
- key: CAMELEER_OIDC_ENABLED
- optional: true
- - name: CAMELEER_OIDC_ISSUER
- valueFrom:
- secretKeyRef:
- name: cameleer-oidc
- key: CAMELEER_OIDC_ISSUER
- optional: true
- - name: CAMELEER_OIDC_CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: cameleer-oidc
- key: CAMELEER_OIDC_CLIENT_ID
- optional: true
- - name: CAMELEER_OIDC_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: cameleer-oidc
- key: CAMELEER_OIDC_CLIENT_SECRET
- optional: true
+
 resources:
 requests:
 memory: "256Mi"
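Review bot: The single line added to deploy/base/server.yaml at the end of the `env:` list is empty; if it carries trailing spaces yamllint's `trailing-spaces` rule will reject it, so either drop the line or make sure it is a bare newline. With every OIDC entry gone the Deployment no longer says where that configuration now lives, so a short comment above `resources:`, e.g. `# OIDC is not injected via env vars; the server manages it (database-backed) and defaults to disabled`, would tell the next maintainer where to look instead of the removed secretKeyRefs. The container spec this hunk edits starts and ends outside the hunk.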
diff --git a/deploy/overlays/feature/kustomization.yaml b/deploy/overlays/feature/kustomization.yaml
index 2aec4aad..91ab5b37 100644
--- a/deploy/overlays/feature/kustomization.yaml
+++ b/deploy/overlays/feature/kustomization.yaml
@@ -11,7 +11,7 @@ images:
 - name: gitea.siegeln.net/cameleer/cameleer3-server-ui
 newTag: BRANCH_SHA
 patches:
- # Server Deployment: branch-specific schema, index prefix, UI origin, OIDC disabled
+ # Server Deployment: branch-specific schema, index prefix, UI origin
 - patch: |
 apiVersion: apps/v1
 kind: Deployment
@@ -29,8 +29,6 @@ patches:
 value: "cam-BRANCH_SLUG-executions-"
 - name: CAMELEER_UI_ORIGIN
 value: "http://BRANCH_SLUG.cameleer.siegeln.net"
- - name: CAMELEER_OIDC_ENABLED
- value: "false"
 # UI ConfigMap: branch-specific API URL
 - target:
 kind: ConfigMap