fix(keycape): NK-WP-0003-T07 — fix deployment image + add demo-app client

- deployment.yaml: image → 92.205.130.254:32166/coulomb/key-cape:latest (Gitea OCI registry, delivered by KEY-WP-0002; imagePullPolicy: Always) - k3s insecure registry hosts.toml: fixed server endpoint to http:// so containerd does not attempt HTTPS against the plain-HTTP Gitea NodePort - create-secrets.sh: add demo-app OIDC client (required for KeyCape to start; also needed for T08 acceptance tests) - keycape-config Secret updated in-place (no re-bootstrap needed) KeyCape pod 1/1 Running; /healthz OK; OIDC discovery live at https://kc.coulomb.social/.well-known/openid-configuration Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 00:30:58 +00:00
parent d0629e7f20
commit 880f89bf98
2 changed files with 13 additions and 18 deletions
--- a/sso-mfa/k8s/keycape/create-secrets.sh
+++ b/sso-mfa/k8s/keycape/create-secrets.sh
@@ -91,19 +91,17 @@ privacyidea:
  realm: "netkingdom"

 # ── OIDC client registrations ─────────────────────────────────────────────────
-# Add one entry per downstream application.
 # clientType: "public" for SPAs/native apps (PKCE, no client secret)
 #             "confidential" for server-side apps (client secret required)
-clients: []
-# Example:
-# clients:
-#   - clientId: "my-app"
-#     displayName: "My Application"
-#     redirectUris:
-#       - "https://my-app.coulomb.social/callback"
-#     allowedScopes: ["openid", "profile", "email", "groups"]
-#     grantTypes: ["authorization_code"]
-#     clientType: "public"
+clients:
+  - clientId: "demo-app"
+    displayName: "Demo Application"
+    redirectUris:
+      - "http://localhost:3000/callback"
+      - "https://demo.coulomb.social/callback"
+    allowedScopes: ["openid", "profile", "email", "groups"]
+    grantTypes: ["authorization_code"]
+    clientType: "public"
 EOF
 )

--- a/sso-mfa/k8s/keycape/deployment.yaml
+++ b/sso-mfa/k8s/keycape/deployment.yaml
@@ -49,13 +49,10 @@ spec:

      containers:
        - name: keycape
-          # EDIT before applying — see README.md "Building the image".
-          # Option A (registry):  docker build -t <registry>/keycape:v0.1 ~/key-cape/ && docker push ...
-          # Option B (K3s local): docker build -t keycape:v0.1 ~/key-cape/ &&
-          #                       docker save keycape:v0.1 | sudo k3s ctr images import -
-          # After Option B, set imagePullPolicy: Never.
-          image: keycape:v0.1
-          imagePullPolicy: IfNotPresent
+          # Image published to self-hosted Gitea OCI registry on CoulombCore (KEY-WP-0002).
+          # k3s insecure registry configured for 92.205.130.254:32166 — no pull secret needed.
+          image: 92.205.130.254:32166/coulomb/key-cape:latest
+          imagePullPolicy: Always

          ports:
            - name: http