studio/cli
2
0
Fork 0
Code Issues Pull Requests Actions Packages Releases 4 Wiki Activity

fix: use predictable client_id via pre-seeded K8s secret

Browse Source 
Pre-create oidc-sunbeam-cli secret with CLIENT_ID=sunbeam-cli before
hydra-maester reconciles. No cluster access needed at login time.
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-20 15:08:59 +00:00
parent 1029ff0747
commit 3a5e1c62ba
1 changed files with 4 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/auth.rs
View File

@@ -273,18 +273,10 @@ async fn refresh_token(cached: &AuthTokens) -> Result<AuthTokens> {
/// Try to read the client_id from K8s secret `oidc-sunbeam-cli` in `ory` namespace. /// Try to read the client_id from K8s secret `oidc-sunbeam-cli` in `ory` namespace.
/// Falls back to the default client ID. /// Falls back to the default client ID.
async fn resolve_client_id() -> String { async fn resolve_client_id() -> String {
// Try reading from K8s secret — silently fall back if cluster is unreachable. // The OAuth2Client is pre-created with a known client_id matching
// The tracing ERROR from kube client init is noisy; suppress by not even trying // DEFAULT_CLIENT_ID ("sunbeam-cli") via a pre-seeded K8s secret.
// when we know the cluster isn't configured. // No cluster access needed.
let host = crate::config::get_production_host(); DEFAULT_CLIENT_ID.to_string()
if host.is_empty() && crate::kube::ssh_host().is_empty() {
// No cluster configured, skip K8s lookup
return DEFAULT_CLIENT_ID.to_string();
}
match crate::kube::kube_get_secret_field("ory", "oidc-sunbeam-cli", "client_id").await {
Ok(id) if !id.is_empty() => id,
_ => DEFAULT_CLIENT_ID.to_string(),
}
} }
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------