cameleer/cameleer-server
1
0
Fork 0
Code Issues 41 Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: remove OIDC config from K8s manifests
All checks were successful
CI / build (push) Successful in 1m8s
Details
CI / cleanup-branch (push) Has been skipped
Details
CI / docker (push) Successful in 41s
Details
CI / deploy (push) Successful in 37s
Details
CI / deploy-feature (push) Has been skipped
Details

Browse Source 
OIDC configuration should be managed by the server itself (database-backed),
not injected via K8s secrets. Remove all CAMELEER_OIDC_* env vars from
deployment manifests and the cameleer-oidc secret from CI. The server
defaults to OIDC disabled via application.yml.

This also fixes the Kustomize strategic merge conflict where the feature
overlay tried to set value on an env var that had valueFrom in the base.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-03-17 13:12:41 +01:00
parent 88df324b4b
commit ff3a046f5a
3 changed files with 3 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
.gitea/workflows/ci.yml
View File

@@ -222,14 +222,6 @@ jobs:
--from-literal=AUTHENTIK_SECRET_KEY="${AUTHENTIK_SECRET_KEY}" \ --from-literal=AUTHENTIK_SECRET_KEY="${AUTHENTIK_SECRET_KEY}" \
--dry-run=client -o yaml | kubectl apply -f - --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic cameleer-oidc \
--namespace=cameleer \
--from-literal=CAMELEER_OIDC_ENABLED="${CAMELEER_OIDC_ENABLED:-false}" \
--from-literal=CAMELEER_OIDC_ISSUER="${CAMELEER_OIDC_ISSUER}" \
--from-literal=CAMELEER_OIDC_CLIENT_ID="${CAMELEER_OIDC_CLIENT_ID}" \
--from-literal=CAMELEER_OIDC_CLIENT_SECRET="${CAMELEER_OIDC_CLIENT_SECRET}" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl apply -f deploy/postgres.yaml kubectl apply -f deploy/postgres.yaml
kubectl -n cameleer rollout status statefulset/postgres --timeout=120s kubectl -n cameleer rollout status statefulset/postgres --timeout=120s
@@ -261,10 +253,6 @@ jobs:
AUTHENTIK_PG_USER: ${{ secrets.AUTHENTIK_PG_USER }} AUTHENTIK_PG_USER: ${{ secrets.AUTHENTIK_PG_USER }}
AUTHENTIK_PG_PASSWORD: ${{ secrets.AUTHENTIK_PG_PASSWORD }} AUTHENTIK_PG_PASSWORD: ${{ secrets.AUTHENTIK_PG_PASSWORD }}
AUTHENTIK_SECRET_KEY: ${{ secrets.AUTHENTIK_SECRET_KEY }} AUTHENTIK_SECRET_KEY: ${{ secrets.AUTHENTIK_SECRET_KEY }}
CAMELEER_OIDC_ENABLED: ${{ secrets.CAMELEER_OIDC_ENABLED }}
CAMELEER_OIDC_ISSUER: ${{ secrets.CAMELEER_OIDC_ISSUER }}
CAMELEER_OIDC_CLIENT_ID: ${{ secrets.CAMELEER_OIDC_CLIENT_ID }}
CAMELEER_OIDC_CLIENT_SECRET: ${{ secrets.CAMELEER_OIDC_CLIENT_SECRET }}
deploy-feature: deploy-feature:
needs: docker needs: docker
@@ -304,7 +292,7 @@ jobs:
run: kubectl create namespace "$BRANCH_NS" --dry-run=client -o yaml | kubectl apply -f - run: kubectl create namespace "$BRANCH_NS" --dry-run=client -o yaml | kubectl apply -f -
- name: Copy secrets from cameleer namespace - name: Copy secrets from cameleer namespace
run: | run: |
for SECRET in gitea-registry postgres-credentials opensearch-credentials cameleer-auth cameleer-oidc; do for SECRET in gitea-registry postgres-credentials opensearch-credentials cameleer-auth; do
kubectl get secret "$SECRET" -n cameleer -o json \ kubectl get secret "$SECRET" -n cameleer -o json \
| jq 'del(.metadata.namespace, .metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp, .metadata.managedFields)' \ | jq 'del(.metadata.namespace, .metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp, .metadata.managedFields)' \
| kubectl apply -n "$BRANCH_NS" -f - | kubectl apply -n "$BRANCH_NS" -f -

25
deploy/base/server.yaml
View File

@@ -63,30 +63,7 @@ spec:
name: cameleer-auth name: cameleer-auth
key: CAMELEER_JWT_SECRET key: CAMELEER_JWT_SECRET
optional: true optional: true
- name: CAMELEER_OIDC_ENABLED
valueFrom:
secretKeyRef:
name: cameleer-oidc
key: CAMELEER_OIDC_ENABLED
optional: true
- name: CAMELEER_OIDC_ISSUER
valueFrom:
secretKeyRef:
name: cameleer-oidc
key: CAMELEER_OIDC_ISSUER
optional: true
- name: CAMELEER_OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: cameleer-oidc
key: CAMELEER_OIDC_CLIENT_ID
optional: true
- name: CAMELEER_OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: cameleer-oidc
key: CAMELEER_OIDC_CLIENT_SECRET
optional: true
resources: resources:
requests: requests:
memory: "256Mi" memory: "256Mi"

4
deploy/overlays/feature/kustomization.yaml
View File

@@ -11,7 +11,7 @@ images:
- name: gitea.siegeln.net/cameleer/cameleer3-server-ui - name: gitea.siegeln.net/cameleer/cameleer3-server-ui
newTag: BRANCH_SHA newTag: BRANCH_SHA
patches: patches:
# Server Deployment: branch-specific schema, index prefix, UI origin, OIDC disabled # Server Deployment: branch-specific schema, index prefix, UI origin
- patch: | - patch: |
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
@@ -29,8 +29,6 @@ patches:
value: "cam-BRANCH_SLUG-executions-" value: "cam-BRANCH_SLUG-executions-"
- name: CAMELEER_UI_ORIGIN - name: CAMELEER_UI_ORIGIN
value: "http://BRANCH_SLUG.cameleer.siegeln.net" value: "http://BRANCH_SLUG.cameleer.siegeln.net"
- name: CAMELEER_OIDC_ENABLED
value: "false"
# UI ConfigMap: branch-specific API URL # UI ConfigMap: branch-specific API URL
- target: - target:
kind: ConfigMap kind: ConfigMap