Secret Templating
By default, UDS generates a secret for the Single Sign-On (SSO) client that encapsulates all client contents as an opaque secret. In this setup, each key within the secret corresponds to its own environment variable or file, depending on the method used to mount the secret. If the rendering of the secret needs to be customized, basic templating can be achieved using the secretTemplate property: each key under secretTemplate becomes a key in the generated secret, and every clientField(...) reference inside its value is replaced with the corresponding field of the SSO client. Below are examples showing this functionality. To see how templating works, please see the Regex website.
```yaml
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: grafana
  namespace: grafana
spec:
  sso:
    - name: My Keycloak Client
      clientId: demo-client
      redirectUris:
        - "https://demo.uds.dev/login"
      # Customize the name of the generated secret
      secretName: my-cool-auth-client
      secretTemplate:
        # Raw text examples
        rawTextClientId: "clientField(clientId)"
        rawTextClientSecret: "clientField(secret)"

        # JSON example (the .json() suffix serializes the array as JSON;
        # no trailing comma after the last member, or the file is not valid JSON)
        auth.json: |
          {
            "client_id": "clientField(clientId)",
            "client_secret": "clientField(secret)",
            "defaultScopes": clientField(defaultClientScopes).json(),
            "redirect_uri": "clientField(redirectUris)[0]",
            "bearerOnly": clientField(bearerOnly)
          }

        # Properties example
        auth.properties: |
          client-id=clientField(clientId)
          client-secret=clientField(secret)
          default-scopes=clientField(defaultClientScopes)
          redirect-uri=clientField(redirectUris)[0]

        # YAML example (uses JSON for the defaultScopes array)
        auth.yaml: |
          client_id: clientField(clientId)
          client_secret: clientField(secret)
          default_scopes: clientField(defaultClientScopes).json()
          redirect_uri: clientField(redirectUris)[0]
          bearer_only: clientField(bearerOnly)
```
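To make the substitution rules concrete, the following script is an added illustration written for this page; it is not the UDS Core operator's implementation. It assumes the semantics the examples above imply: clientField(name) inserts the field's value as text, clientField(name)[n] indexes an array field, and clientField(name).json() serializes the field as JSON. The client record and the comma-joined rendering of a bare array are constructed assumptions, not values or behaviour taken from UDS. Rendering the page's auth.json template this way and parsing the output shows why arrays need .json() and why unquoted fields must be booleans or JSON to keep the file parseable.

```python
import json
import re

# Constructed sample client record standing in for the Keycloak client data
# the operator would hold for the "demo-client" Package shown on this page.
SAMPLE_CLIENT = {
    "clientId": "demo-client",
    "secret": "constructed-placeholder-secret",
    "defaultClientScopes": ["openid", "profile", "email"],
    "redirectUris": ["https://demo.uds.dev/login"],
    "bearerOnly": False,
}

# The page's auth.json and auth.properties templates, plus one raw-text key.
SECRET_TEMPLATE = {
    "rawTextClientId": "clientField(clientId)",
    "auth.json": (
        "{\n"
        '  "client_id": "clientField(clientId)",\n'
        '  "client_secret": "clientField(secret)",\n'
        '  "defaultScopes": clientField(defaultClientScopes).json(),\n'
        '  "redirect_uri": "clientField(redirectUris)[0]",\n'
        '  "bearerOnly": clientField(bearerOnly)\n'
        "}\n"
    ),
    "auth.properties": (
        "client-id=clientField(clientId)\n"
        "client-secret=clientField(secret)\n"
        "default-scopes=clientField(defaultClientScopes)\n"
        "redirect-uri=clientField(redirectUris)[0]\n"
    ),
}

# clientField(<name>) followed by an optional [index] or .json() suffix.
_FIELD_RE = re.compile(r"clientField\((\w+)\)(\[(\d+)\]|\.json\(\))?")


def render_template(template: str, client: dict) -> str:
    """Substitute every clientField(...) reference in one template string.

    Assumed semantics (an illustration for this page, not the operator's code):
      clientField(x)        -> the field's value as text
      clientField(x)[n]     -> element n of an array field
      clientField(x).json() -> the field serialized as JSON
    Strings are inserted verbatim, so the template author supplies the quotes.
    Booleans render as JSON literals (true/false) so they stay valid unquoted.
    """
    def _sub(match: re.Match) -> str:
        name, suffix, index = match.group(1), match.group(2), match.group(3)
        if name not in client:
            raise KeyError(f"unknown client field: {name}")
        value = client[name]
        if suffix == ".json()":
            return json.dumps(value)
        if index is not None:
            return str(value[int(index)])
        if isinstance(value, bool):
            return json.dumps(value)
        if isinstance(value, list):
            # Assumption for this illustration: a bare array joins with commas.
            return ",".join(str(v) for v in value)
        return str(value)

    return _FIELD_RE.sub(_sub, template)


def render_secret(secret_template: dict, client: dict) -> dict:
    """Render every secretTemplate key into the data of the resulting Secret."""
    return {key: render_template(value, client) for key, value in secret_template.items()}


def rendered_auth_json(client: dict = SAMPLE_CLIENT) -> dict:
    """Render the page's auth.json template and prove the result parses as JSON."""
    return json.loads(render_secret(SECRET_TEMPLATE, client)["auth.json"])


if __name__ == "__main__":
    for key, value in render_secret(SECRET_TEMPLATE, SAMPLE_CLIENT).items():
        print(f"--- {key} ---\n{value}")
```

Run it to see each rendered key as a mounted file would contain it; rendered_auth_json() raises if the JSON template would produce an unparseable file, which is the check worth running before shipping a template.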
Secret Pod Reload
UDS Core provides a Secret Pod Reload mechanism that can restart pods or deployments when secrets are updated. This is useful for SSO client secrets, which must be picked up by the consuming workloads whenever they are rotated.
To enable automatic pod reload when a secret changes, add the uds.dev/pod-reload: "true" label to your secret.
Example SSO Secret with Pod Reload
```yaml
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: my-app
  namespace: my-namespace
spec:
  sso:
    - name: My App
      clientId: my-app-client
      redirectUris:
        - "https://my-app.example.com/callback"
      secretName: my-app-secret
      # To enable pod reload for this secret, add these labels and annotations
      secretLabels:
        uds.dev/pod-reload: "true"
      secretAnnotations:
        uds.dev/pod-reload-selector: 'app=my-app' # Target a specific pod(s) to reload
      secretTemplate:
        config.json: |
          {
            "client_id": "clientField(clientId)",
            "client_secret": "clientField(secret)"
          }
```
When this secret is updated (for example, when rotating the client secret), all pods with the label app=my-app will be automatically restarted to pick up the new secret value.