From 0acc2f7b38cdea65dc357b0c05c89bd175cfdf24 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Mon, 5 Aug 2024 13:32:07 -0600 Subject: [PATCH] add docs and if statement --- docs/configuration/uds-operator.md | 23 +++++++++++++ .../controllers/keycloak/client-sync.ts | 32 ++++++++++--------- 2 files changed, 40 insertions(+), 15 deletions(-) diff --git a/docs/configuration/uds-operator.md b/docs/configuration/uds-operator.md index 87d340d70..bc4163428 100644 --- a/docs/configuration/uds-operator.md +++ b/docs/configuration/uds-operator.md @@ -168,6 +168,29 @@ variables: See [configuring Istio Ingress](https://uds.defenseunicorns.com/core/configuration/istio/ingress/#configure-domain-name-and-tls-for-istio-gateways) for the relevant documentation on configuring ingress certificates. +### Creating a UDS Package with a Device Flow client + +Some applications may not have a web UI / server component to login to and may instead grant OAuth tokens to devices. This flow is known as the [OAuth 2.0 Device Authorization Grant](https://oauth.net/2/device-flow/) and is supported in a UDS Package with the following configuration: + +```yaml +apiVersion: uds.dev/v1alpha1 +kind: Package +metadata: + name: fulcio + namespace: fulcio-system +spec: + sso: + sso: + - name: Sigstore Login + clientId: sigstore + standardFlowEnabled: false + publicClient: true + attributes: + oauth2.device.authorization.grant.enabled: "true" +``` + +This configuration does not create a secret in the cluster and instead tells the UDS Operator to create a public client (one that requires no auth secret) that enables the `oauth2.device.authorization.grant.enabled` flow and disables the standard redirect auth flow. Because this creates a public client configuration that deviates from this is limited - if your application requires both the Device Authorization Grant and the standard flow this is currently not supported without creating two separate clients. + ## Exemption - **Exemption Scope:** 
diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts index ddc17d264..169fd2a66 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.ts @@ -158,22 +158,24 @@ async function syncClient( } // Create or update the client secret - const generation = (pkg.metadata?.generation ?? 0).toString(); - await K8s(kind.Secret).Apply({ - metadata: { - namespace: pkg.metadata!.namespace, - // Use the CR secret name if provided, otherwise use the client name - name: secretName || name, - labels: { - "uds/package": pkg.metadata!.name, - "uds/generation": generation, + if (!client.publicClient) { + const generation = (pkg.metadata?.generation ?? 0).toString(); + await K8s(kind.Secret).Apply({ + metadata: { + namespace: pkg.metadata!.namespace, + // Use the CR secret name if provided, otherwise use the client name + name: secretName || name, + labels: { + "uds/package": pkg.metadata!.name, + "uds/generation": generation, + }, + + // Use the CR as the owner ref for each VirtualService + ownerReferences: getOwnerRef(pkg), }, - - // Use the CR as the owner ref for each VirtualService - ownerReferences: getOwnerRef(pkg), - }, - data: generateSecretData(client, secretTemplate), - }); + data: generateSecretData(client, secretTemplate), + }); + } return client; }
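Review bot: When `client.publicClient` is true the new `if` only skips the Apply and never removes a Secret that an earlier, confidential generation of the same package may already have written under `secretName || name`, so a stale client secret lingers in the namespace unless a generation-label purge elsewhere in the operator (not visible here) already covers it; I would add an `else` that deletes it, tolerating not-found. The added comment `// Use the CR as the owner ref for each VirtualService` is carried over from the VirtualService code and now describes a Secret; change it to `// Use the CR as the owner ref for the Secret`. The surviving header comment `// Create or update the client secret` should also state the new exemption, e.g. `// Create or update the client secret; public clients (e.g. device-flow) have no secret, so nothing is stored`. The exact fluent-client delete call below is from memory (`InNamespace(...).Delete(name)`) and should be checked against the pepr/kubernetes-fluent-client version in use. `syncClient` begins outside this hunk.

```typescript
  // Create or update the client secret; public clients (e.g. device-flow) have no secret, so nothing is stored
  if (!client.publicClient) {
    // … unchanged: Secret Apply with uds/package + uds/generation labels and ownerReferences …
  } else {
    // A client that was confidential in an earlier generation may still have a Secret;
    // remove it so the stale client secret does not linger in the namespace.
    // TODO(review): confirm the generation-based purge does not already cover this.
    await K8s(kind.Secret)
      .InNamespace(pkg.metadata!.namespace)
      .Delete(secretName || name)
      .catch(e => {
        if (e?.status !== 404) throw e; // only "never created" is acceptable
      });
  }
```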