From b155e34fe687da6c75ea0e31789cd69763fbfb85 Mon Sep 17 00:00:00 2001
From: Ronni Baslund
Date: Wed, 10 Jun 2026 13:24:29 +0200
Subject: [PATCH] fix(infra): runtime OIDC overrides for prod portal/operator login
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CI builds the Nuxt images with no env, so nuxt.config bakes empty OIDC client creds and .local Authentik URLs into runtimeConfig — sign-in dead-ended on the app's own /auth/login. Nitro env overrides only apply when the var name matches the runtimeConfig path (oidc.providers.oidc.* -> NUXT_OIDC_PROVIDERS_OIDC_*), so production secrets need that second set of names; the plain NUXT_OIDC_* ones only work in dev. Also pin NUXT_OIDC_TOKEN_KEY/AUTH_SESSION_SECRET so sessions survive pod restarts. Live secrets patched on the cluster accordingly.
---
 .../fleet/apps/secrets.example.yaml | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/infrastructure/production/fleet/apps/secrets.example.yaml b/infrastructure/production/fleet/apps/secrets.example.yaml
index 7e204ee..5b94f3a 100644
--- a/infrastructure/production/fleet/apps/secrets.example.yaml
+++ b/infrastructure/production/fleet/apps/secrets.example.yaml
@@ -52,6 +52,25 @@ stringData:
   NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
   # nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
   NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
+  # ── Runtime overrides for the BAKED OIDC provider config ────────────────
+  # The prod image is built in CI with no env, so nuxt.config bakes EMPTY
+  # client creds and .local URLs into runtimeConfig. Nitro only overrides
+  # runtimeConfig keys whose env name matches the config path —
+  # oidc.providers.oidc.* → NUXT_OIDC_PROVIDERS_OIDC_*. The plain
+  # NUXT_OIDC_* names above only work in dev (nuxt.config evaluated at
+  # runtime); production needs BOTH sets.
+  NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "REPLACE_same_as_NUXT_OIDC_CLIENT_ID"
+  NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: "REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET"
+  NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/oidc/callback"
+  NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: "https://auth.dezky.eu/application/o/authorize/"
+  NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
+  NUXT_OIDC_PROVIDERS_OIDC_USER_INFO_URL: "https://auth.dezky.eu/application/o/userinfo/"
+  NUXT_OIDC_PROVIDERS_OIDC_LOGOUT_URL: "https://auth.dezky.eu/application/o/dezky-portal/end-session/"
+  NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-portal/.well-known/openid-configuration"
+  # Refresh-token encryption + auth-session secret — without them sessions
+  # die on every pod restart (random keys are generated per boot).
+  NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
+  NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
 ---
 apiVersion: v1
 kind: Secret
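Review bot: The client secret now has to be kept in two keys with identical values (`NUXT_OIDC_CLIENT_SECRET` above the hunk and the new `NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET`), and neither the file nor the new comment says what a rotation must touch; the operator Secret in the second hunk has the same duplication. Given the commit message's statement that the plain names are inert in the production image, a stale plain value would go unnoticed in prod yet still be what a dev build picks up, so I would add next to the new key: `# Rotation: update NUXT_OIDC_CLIENT_SECRET above in the same patch — prod reads only this key, dev builds read only the plain one.` The `NUXT_OIDC_TOKEN_KEY` placeholder also carries the `data:;base64,` prefix in front of the part to replace; the comment above it should say the prefix must be kept, since dropping it while pasting a fresh key would presumably only surface at runtime. The enclosing `stringData` mapping starts outside the hunk.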
@@ -80,3 +99,16 @@ stringData:
   NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
   # nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
   NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
+  # Runtime overrides for the baked OIDC provider config — see the portal
+  # section above for why production needs the NUXT_OIDC_PROVIDERS_OIDC_*
+  # names in addition to the plain ones.
+  NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "dezky-operator"
+  NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: "REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET"
+  NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: "https://operator.dezky.eu/auth/oidc/callback"
+  NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: "https://auth.dezky.eu/application/o/authorize/"
+  NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
+  NUXT_OIDC_PROVIDERS_OIDC_USER_INFO_URL: "https://auth.dezky.eu/application/o/userinfo/"
+  NUXT_OIDC_PROVIDERS_OIDC_LOGOUT_URL: "https://auth.dezky.eu/application/o/dezky-operator/end-session/"
+  NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-operator/.well-known/openid-configuration"
+  NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
+  NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
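Review bot: `NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID` is pinned to the literal `"dezky-operator"` here, while the portal hunk uses a `REPLACE_same_as_NUXT_OIDC_CLIENT_ID` placeholder and this hunk's own secret line still uses `REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET`; mixing a literal with placeholders in one Secret makes it easy for the two name sets to drift when the example is copied. If the plain `NUXT_OIDC_CLIENT_ID` above (outside the hunk) is already the same literal, a one-line comment making the coupling explicit would do, `# Must match NUXT_OIDC_CLIENT_ID above`; otherwise the placeholder form used in the portal section is the safer choice. The enclosing `stringData` mapping begins before the hunk.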