create oidcapp

2026-05-14 15:19:53 -05:00
parent bb6ee40741
commit 2ed75599bc
2 changed files with 77 additions and 4 deletions
--- a/ops/chart/values.yaml
+++ b/ops/chart/values.yaml
@@ -27,14 +27,25 @@ controllers:
            value: "https://dev.api.corredorconect.com/workload/api/v1"
          - name: NUXT_PUBLIC_DOCUMENT_API_BASE
            value: "https://dev.api.corredorconect.com/document/api/v1"
-          - name: AUTH_SECRET
-            value: 0d85a9ed917254fc14c51a7e57e58f515574938d81f5a5146d407284c020b541
          - name: AUTH_ORIGIN
            value: https://dev.corredorconect.com/api/auth
          - name: ZITADEL_DOMAIN
            value: https://id.corredorconect.com
          - name: ZITADEL_CLIENT_ID
-            value: 371939070261068337
+            valueFrom:
+              secretKeyRef:
+                name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-oidcapp-client-secret'
+                key: clientId
+          - name: ZITADEL_PROJECT_ID
+            valueFrom:
+              secretKeyRef:
+                name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-oidcapp-client-secret'
+                key: projectId
+          - name: AUTH_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
+                key: auth-secret
        ports:
          - name: http
            containerPort: 3000
@@ -71,3 +82,65 @@ service:
 ingress:
  main:
    enabled: false
+
+rawResources:
+  password-generator:
+    enabled: true
+    apiVersion: generators.external-secrets.io/v1alpha1
+    kind: Password
+    suffix: password-generator 
+    spec:
+      spec:
+        length: 32
+        noUpper: false
+        allowRepeat: true
+        secretKeys:
+          - auth-secret
+
+  external-secret:
+    enabled: true
+    apiVersion: external-secrets.io/v1
+    kind: ExternalSecret
+    suffix: secrets
+    spec:
+      spec:
+        refreshInterval: 0s
+        secretStoreRef:
+          name: cluster-secrets-store
+          kind: ClusterSecretStore
+        target:
+          name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
+          creationPolicy: Owner
+        dataFrom:
+          - sourceRef:
+              generatorRef:
+                apiVersion: generators.external-secrets.io/v1alpha1
+                kind: Password
+                name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-password-generator'
+  oidcapp: 
+    apiVersion: zitadel.github.com/v1alpha1
+    kind: OIDCApp
+    suffix: oidcapp
+    spec:
+      spec:
+        oidcAppName: policy-ui
+        projectRef:
+          name: seguros-dev
+          namespace: zitadel-resources-operator
+        appType: OIDC_APP_TYPE_WEB
+        authMethodType: OIDC_AUTH_METHOD_TYPE_NONE
+        redirectUris:
+          - https://dev.corredorconect.com/api/auth/callback/zitadel
+        postLogoutRedirectUris:
+          - https://dev.corredorconect.com/
+        responseTypes:
+          - OIDC_RESPONSE_TYPE_CODE
+        grantTypes:
+          - OIDC_GRANT_TYPE_AUTHORIZATION_CODE
+        accessTokenRoleAssertion: true
+        accessTokenType: OIDC_TOKEN_TYPE_JWT
+        idTokenRoleAssertion: true
+        idTokenUserinfoAssertion: true
+        clockSkew: 5s
+        devMode: false
+        skipNativeAppSuccessPage: false