From 880f89bf98a97dcb97a005c63953db4a4cce92f7 Mon Sep 17 00:00:00 2001
From: Bernd Worsch
Date: Sun, 22 Mar 2026 00:30:58 +0000
Subject: [PATCH] =?UTF-8?q?fix(keycape):=20NK-WP-0003-T07=20=E2=80=94=20fi?= =?UTF-8?q?x=20deployment=20image=20+=20add=20demo-app=20client?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- deployment.yaml: image → 92.205.130.254:32166/coulomb/key-cape:latest (Gitea OCI registry, delivered by KEY-WP-0002; imagePullPolicy: Always)
- k3s insecure registry hosts.toml: fixed server endpoint to http:// so containerd does not attempt HTTPS against the plain-HTTP Gitea NodePort
- create-secrets.sh: add demo-app OIDC client (required for KeyCape to start; also needed for T08 acceptance tests)
- keycape-config Secret updated in-place (no re-bootstrap needed)
KeyCape pod 1/1 Running; /healthz OK; OIDC discovery live at https://kc.coulomb.social/.well-known/openid-configuration
Co-Authored-By: Claude Sonnet 4.6
---
 sso-mfa/k8s/keycape/create-secrets.sh | 20 +++++++++-----------
 sso-mfa/k8s/keycape/deployment.yaml | 11 ++++-------
 2 files changed, 13 insertions(+), 18 deletions(-)
diff --git a/sso-mfa/k8s/keycape/create-secrets.sh b/sso-mfa/k8s/keycape/create-secrets.sh
index 4f7a2d6..d99723c 100644
--- a/sso-mfa/k8s/keycape/create-secrets.sh
+++ b/sso-mfa/k8s/keycape/create-secrets.sh
@@ -91,19 +91,17 @@ privacyidea:
 realm: "netkingdom"
 # ── OIDC client registrations ─────────────────────────────────────────────────
-# Add one entry per downstream application.
 # clientType: "public" for SPAs/native apps (PKCE, no client secret)
 # "confidential" for server-side apps (client secret required)
-clients: []
-# Example:
-# clients:
-# - clientId: "my-app"
-# displayName: "My Application"
-# redirectUris:
-# - "https://my-app.coulomb.social/callback"
-# allowedScopes: ["openid", "profile", "email", "groups"]
-# grantTypes: ["authorization_code"]
-# clientType: "public"
+clients:
+ - clientId: "demo-app"
+ displayName: "Demo Application"
+ redirectUris:
+ - "http://localhost:3000/callback"
+ - "https://demo.coulomb.social/callback"
+ allowedScopes: ["openid", "profile", "email", "groups"]
+ grantTypes: ["authorization_code"]
+ clientType: "public"
 EOF
 )
diff --git a/sso-mfa/k8s/keycape/deployment.yaml b/sso-mfa/k8s/keycape/deployment.yaml
index 88db30d..a6754a1 100644
--- a/sso-mfa/k8s/keycape/deployment.yaml
+++ b/sso-mfa/k8s/keycape/deployment.yaml
@@ -49,13 +49,10 @@ spec:
 containers:
 - name: keycape
- # EDIT before applying — see README.md "Building the image".
- # Option A (registry): docker build -t /keycape:v0.1 ~/key-cape/ && docker push ...
- # Option B (K3s local): docker build -t keycape:v0.1 ~/key-cape/ &&
- # docker save keycape:v0.1 | sudo k3s ctr images import -
- # After Option B, set imagePullPolicy: Never.
- image: keycape:v0.1
- imagePullPolicy: IfNotPresent
+ # Image published to self-hosted Gitea OCI registry on CoulombCore (KEY-WP-0002).
+ # k3s insecure registry configured for 92.205.130.254:32166 — no pull secret needed.
+ image: 92.205.130.254:32166/coulomb/key-cape:latest
+ imagePullPolicy: Always
 ports:
 - name: http
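Review bot: In the create-secrets.sh hunk, the `demo-app` public client registers `http://localhost:3000/callback` alongside `https://demo.coulomb.social/callback`, so the configuration the commit message describes as live accepts a plain-HTTP loopback redirect. That PKCE applies to `clientType: "public"` is stated only in the comment above the entry and its enforcement is not visible here; if it is not enforced, whichever local process is listening on that port receives a usable authorization code. Consider moving the loopback URI to a separate development-only client and trimming `allowedScopes` to what the T08 tests need, since `groups` releases membership data to a test application. A marker comment on the entry would also help, for example `# demo-app: test client for T08 — restrict or remove before production use`. The heredoc that holds these lines begins outside the hunk.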