From 3a5e1c62ba2ca1f1bc98e7ffd8c5f7750fde7665 Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Fri, 20 Mar 2026 15:08:59 +0000
Subject: [PATCH] fix: use predictable client_id via pre-seeded K8s secret

Pre-create oidc-sunbeam-cli secret with CLIENT_ID=sunbeam-cli before hydra-maester reconciles. No cluster access needed at login time.
---
 src/auth.rs | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/src/auth.rs b/src/auth.rs
index 8453fd3..523b3a5 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -273,18 +273,10 @@ async fn refresh_token(cached: &AuthTokens) -> Result {
 /// Try to read the client_id from K8s secret `oidc-sunbeam-cli` in `ory` namespace.
 /// Falls back to the default client ID.
 async fn resolve_client_id() -> String {
- // Try reading from K8s secret — silently fall back if cluster is unreachable.
- // The tracing ERROR from kube client init is noisy; suppress by not even trying
- // when we know the cluster isn't configured.
- let host = crate::config::get_production_host();
- if host.is_empty() && crate::kube::ssh_host().is_empty() {
- // No cluster configured, skip K8s lookup
- return DEFAULT_CLIENT_ID.to_string();
- }
- match crate::kube::kube_get_secret_field("ory", "oidc-sunbeam-cli", "client_id").await {
- Ok(id) if !id.is_empty() => id,
- _ => DEFAULT_CLIENT_ID.to_string(),
- }
+ // The OAuth2Client is pre-created with a known client_id matching
+ // DEFAULT_CLIENT_ID ("sunbeam-cli") via a pre-seeded K8s secret.
+ // No cluster access needed.
+ DEFAULT_CLIENT_ID.to_string()
 }
 // ---------------------------------------------------------------------------
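Review bot: The doc comment kept as context above `resolve_client_id` still says the function reads the `oidc-sunbeam-cli` secret and falls back to the default, but the new body returns `DEFAULT_CLIENT_ID` unconditionally, so it now describes a lookup that no longer happens. Suggest replacing it with `/// Returns the fixed client ID; the cluster must have the matching OAuth2 client pre-seeded.` and, since nothing is awaited any more, considering whether the function needs to stay `async`. With the runtime lookup gone, a cluster whose secret was created earlier with a different generated client_id would presumably fail at login instead of being discovered, so the pre-seeding step is worth documenting as a hard prerequisite. Because the client_id is now a well-known constant, it should be treated purely as a public identifier: the registered redirect URIs and PKCE on the Hydra client (not visible in this hunk) are what protect the flow.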