add docs and if statement

defenseunicorns · Aug 5, 2024 · 0acc2f7 · 0acc2f7
1 parent ed0d139
commit 0acc2f7
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 15 deletions.
diff --git a/docs/configuration/uds-operator.md b/docs/configuration/uds-operator.md
@@ -168,6 +168,29 @@ variables:
 
 See [configuring Istio Ingress](https://uds.defenseunicorns.com/core/configuration/istio/ingress/#configure-domain-name-and-tls-for-istio-gateways) for the relevant documentation on configuring ingress certificates.
 
+### Creating a UDS Package with a Device Flow client
+
+Some applications may not have a web UI / server component to login to and may instead grant OAuth tokens to devices.  This flow is known as the [OAuth 2.0 Device Authorization Grant](https://oauth.net/2/device-flow/) and is supported in a UDS Package with the following configuration:
+
+```yaml
+apiVersion: uds.dev/v1alpha1
+kind: Package
+metadata:
+  name: fulcio
+  namespace: fulcio-system
+spec:
+  sso:
+  sso:
+    - name: Sigstore Login
+      clientId: sigstore
+      standardFlowEnabled: false
+      publicClient: true
+      attributes:
+        oauth2.device.authorization.grant.enabled: "true"
+```
+
+This configuration does not create a secret in the cluster and instead tells the UDS Operator to create a public client (one that requires no auth secret) that enables the `oauth2.device.authorization.grant.enabled` flow and disables the standard redirect auth flow.  Because this creates a public client configuration that deviates from this is limited - if your application requires both the Device Authorization Grant and the standard flow this is currently not supported without creating two separate clients.
+
 ## Exemption
 
 - **Exemption Scope:**

diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts
@@ -158,22 +158,24 @@ async function syncClient(
   }
 
   // Create or update the client secret
-  const generation = (pkg.metadata?.generation ?? 0).toString();
-  await K8s(kind.Secret).Apply({
-    metadata: {
-      namespace: pkg.metadata!.namespace,
-      // Use the CR secret name if provided, otherwise use the client name
-      name: secretName || name,
-      labels: {
-        "uds/package": pkg.metadata!.name,
-        "uds/generation": generation,
+  if (!client.publicClient) {
+    const generation = (pkg.metadata?.generation ?? 0).toString();
+    await K8s(kind.Secret).Apply({
+      metadata: {
+        namespace: pkg.metadata!.namespace,
+        // Use the CR secret name if provided, otherwise use the client name
+        name: secretName || name,
+        labels: {
+          "uds/package": pkg.metadata!.name,
+          "uds/generation": generation,
+        },
+
+        // Use the CR as the owner ref for each VirtualService
+        ownerReferences: getOwnerRef(pkg),
       },
-
-      // Use the CR as the owner ref for each VirtualService
-      ownerReferences: getOwnerRef(pkg),
-    },
-    data: generateSecretData(client, secretTemplate),
-  });
+      data: generateSecretData(client, secretTemplate),
+    });
+  }
 
   return client;
 }