morucci
commented
1 year ago Hi, thanks for the feedback
There no plan to change the way the OIDC Client ID is passed to Monocle, however if you'd like to propose a change to add the feature to override the Client ID from the config file via an environment variable that would be a nice contribution.
Regarding the flow you described, you might need to wrap the Monocle deployment instructions (kubectl commands) into a script and override the Client ID, just after the OIDC secret resource is created by the operator. For instance by fetching the secret data, un-base64 then update the Monocle config file used to generate the configMap.
benlangfeld
TristanCacqueray
In our use case, OIDC client credentials are automatically issued via a Kubenetes operator along with the deployment of the client application (Monocle or other). The operator places both the Client ID and Client Secret in a kubernetes Secret resource.
In Monocle it's possible to configure the Client Secret via environment variable, but the Client ID must be provided in a config file mounted into the Pod. At the time at which the ConfigMap resource containing the Monocle configuration is constructed and passed to
kubectl apply, the Client ID is not known nor predictable, pending the creation of the Secret resource by the OIDC client operator.If Monocle were to accept the OIDC Client ID via an environment variable the way it does with the Client Secret, this problem would be resolved.