feat(podfetch): enable sso

lucas-dclrcq · Dec 31, 2024 · 59cd356 · 59cd356
1 parent d040a33
commit 59cd356
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/kubernetes/apps/media/podfetch/app/externalsecret.yaml b/kubernetes/apps/media/podfetch/app/externalsecret.yaml
@@ -2,6 +2,30 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
+metadata:
+  name: podfetch
+spec:
+  secretStoreRef:
+    name: hashicorp-vault
+    kind: ClusterSecretStore
+  target:
+    name: podfetch-secret
+    template:
+      type: Opaque
+      data:
+        OIDC_AUTH: "true"
+        OIDC_AUTHORITY: "https://sso.${SECRET_DOMAIN}/application/o/podfetch/"
+        OIDC_CLIENT_ID: '{{ .PODFETCH_CLIENT_ID }}'
+        OIDC_REDIRECT_URI: "https://podcasts.${SECRET_DOMAIN}/ui/login"
+        OIDC_SCOPE: "openid profile email"
+        OIDC_JWKS: "https://sso.${SECRET_DOMAIN}/application/o/podfetch/jwks/"
+  dataFrom:
+    - extract:
+        key: media/podfetch/config
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
 metadata:
   name: podfetch-db
 spec:

diff --git a/kubernetes/apps/media/podfetch/app/helmrelease.yaml b/kubernetes/apps/media/podfetch/app/helmrelease.yaml
@@ -43,6 +43,8 @@ spec:
               SERVER_URL: "https://podcasts.${SECRET_DOMAIN}"
 
             envFrom:
+              - secretRef:
+                  name: podfetch-secret
               - secretRef:
                   name: podfetch-db-secret