foot
commented
1 year ago Yes, right now there is an implicit and probably undoc'd behaviour where all config should specified in either but not both of:
- cli flags
- oidc secret
If secret is found, everything specified on the cli will be ignored.
Solutions:
- Doc this better (given)
- Panic if both are provided (fail fast with a good error)
- Merge the cli/env and secret configs? Could be harder to debug sometimes, but might be a more desired behaviour, specify scopes/claims etc in "config" / env / flags and read secrets (clientSecret (and clientId ?)) from a secret.
makkes
Describe the bug
When using OIDC then providing custom scopes via the
--custom-oidc-scopesflag to the gitops-server binary doesn't result in the server actually requesting the scopes defined in the flag value.Environment
To Reproduce
oidc-authSecret with valid OIDC parametersgitops create dashboard wego --password=foo --export | yq e 'select(.kind == "HelmRelease") as $hr | select(.kind != "HelmRelease") as $o |$hr.spec.values.additionalArgs=["--custom-oidc-scopes=foo,bar"] | ($hr, $o)' | k apply -f-k -n flux-system port-forward svc/wego-weave-gitops 9001scopeURL query parameter doesn't have any of the values provided through the--custom-oidc-scopesflagExpected behavior
The server should requests the scopes provided in the flag value.
Actual Behavior
The scopes provided in the flag value aren't used.
Additional Context (screenshots, logs, etc)
The reason for this happening is this line where the value is always overridden.