fix(infra): runtime OIDC overrides for prod portal/operator login
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 20s
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 24s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 26s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 9s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 18s
ci / test (push) Successful in 34s
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 6s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 6s
ci / deploy (push) Successful in 41s
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 20s
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 24s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 26s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 9s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 18s
ci / test (push) Successful in 34s
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 6s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 6s
ci / deploy (push) Successful in 41s
CI builds the Nuxt images with no env, so nuxt.config bakes empty OIDC client creds and .local Authentik URLs into runtimeConfig — sign-in dead-ended on the app's own /auth/login. Nitro env overrides only apply when the var name matches the runtimeConfig path (oidc.providers.oidc.* -> NUXT_OIDC_PROVIDERS_OIDC_*), so production secrets need that second set of names; the plain NUXT_OIDC_* ones only work in dev. Also pin NUXT_OIDC_TOKEN_KEY/AUTH_SESSION_SECRET so sessions survive pod restarts. Live secrets patched on the cluster accordingly.
This commit is contained in:
Ronni Baslund
@@ -52,6 +52,25 @@ stringData:
|
|||||||
NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
|
NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
|
||||||
# nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
|
# nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
|
||||||
NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
|
NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
|
||||||
|
# ── Runtime overrides for the BAKED OIDC provider config ────────────────
|
||||||
|
# The prod image is built in CI with no env, so nuxt.config bakes EMPTY
|
||||||
|
# client creds and .local URLs into runtimeConfig. Nitro only overrides
|
||||||
|
# runtimeConfig keys whose env name matches the config path —
|
||||||
|
# oidc.providers.oidc.* → NUXT_OIDC_PROVIDERS_OIDC_*. The plain
|
||||||
|
# NUXT_OIDC_* names above only work in dev (nuxt.config evaluated at
|
||||||
|
# runtime); production needs BOTH sets.
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "REPLACE_same_as_NUXT_OIDC_CLIENT_ID"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: "REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/oidc/callback"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: "https://auth.dezky.eu/application/o/authorize/"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_USER_INFO_URL: "https://auth.dezky.eu/application/o/userinfo/"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_LOGOUT_URL: "https://auth.dezky.eu/application/o/dezky-portal/end-session/"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-portal/.well-known/openid-configuration"
|
||||||
|
# Refresh-token encryption + auth-session secret — without them sessions
|
||||||
|
# die on every pod restart (random keys are generated per boot).
|
||||||
|
NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
|
||||||
|
NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Secret
|
kind: Secret
|
||||||
@@ -80,3 +99,16 @@ stringData:
|
|||||||
NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
|
NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
|
||||||
# nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
|
# nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
|
||||||
NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
|
NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
|
||||||
|
# Runtime overrides for the baked OIDC provider config — see the portal
|
||||||
|
# section above for why production needs the NUXT_OIDC_PROVIDERS_OIDC_*
|
||||||
|
# names in addition to the plain ones.
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "dezky-operator"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: "REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: "https://operator.dezky.eu/auth/oidc/callback"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: "https://auth.dezky.eu/application/o/authorize/"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_USER_INFO_URL: "https://auth.dezky.eu/application/o/userinfo/"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_LOGOUT_URL: "https://auth.dezky.eu/application/o/dezky-operator/end-session/"
|
||||||
|
NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-operator/.well-known/openid-configuration"
|
||||||
|
NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
|
||||||
|
NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
|
||||||
|
|||||||
Reference in New Issue
Block a user