validatedpatterns · mlorenzofr · Mar 27, 2026 · Apr 6, 2026 · Apr 8, 2026 · Feb 12, 2026
diff --git a/charts/qtodo/templates/_helpers.tpl b/charts/qtodo/templates/_helpers.tpl
@@ -8,3 +8,25 @@ Create the image path for the passed in image field
 {{- printf "%s:%s" (tpl .value.name .context) (tpl .value.version .context) -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Generate the URL of the OIDC service
+*/}}
+{{- define "qtodo.oidc.url" }}
+{{- if not .Values.app.oidc.authServerUrl }}
+{{- printf "https://keycloak.%s/realms/%s" .Values.global.localClusterDomain .Values.app.oidc.realm }}
+{{- else }}
+{{- print .Values.app.oidc.authServerUrl }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate the JWT Audience
+*/}}
+{{- define "qtodo.jwt.audience" }}
+{{- if not .Values.app.vault.audience }}
+{{- printf "https://keycloak.%s/realms/%s" .Values.global.localClusterDomain .Values.app.oidc.realm }}
+{{- else }}
+{{- print .Values.app.vault.audience }}
+{{- end }}
+{{- end }}
diff --git a/charts/qtodo/templates/app-config-env.yaml b/charts/qtodo/templates/app-config-env.yaml
@@ -4,15 +4,15 @@ metadata:
   name: qtodo-config-env
   namespace: {{ .Release.Namespace }}
 data:
-{{- if eq .Values.app.spire.enabled true }}
+{{- if eq .Values.app.oidc.enabled true }}
   QUARKUS_OIDC_ENABLED: "true"
-  QUARKUS_OIDC_AUTH_SERVER_URL: "{{ default (printf "https://keycloak.%s/realms/%s" .Values.global.localClusterDomain .Values.app.keycloak.realm) .Values.app.oidc.authServerUrl }}"
+  QUARKUS_OIDC_AUTH_SERVER_URL: "{{ include "qtodo.oidc.url" . }}"
   QUARKUS_OIDC_CLIENT_ID: "{{ .Values.app.oidc.clientId }}"
   QUARKUS_OIDC_APPLICATION_TYPE: "{{ .Values.app.oidc.applicationType }}"
   QUARKUS_HTTP_AUTH_PERMISSION_AUTHENTICATED_PATHS: "{{ .Values.app.oidc.authenticatedPaths }}"
   QUARKUS_HTTP_AUTH_PERMISSION_AUTHENTICATED_POLICY: "{{ .Values.app.oidc.authenticatedPolicy }}"
   QUARKUS_OIDC_AUTHENTICATION_FORCE_REDIRECT_HTTPS_SCHEME: "true"
-{{- if .Values.app.oidc.clientAssertion.enabled }}
+{{- if and .Values.app.oidc.clientAssertion.enabled (not .Values.app.oidc.clientSecret.enabled) }}
   QUARKUS_OIDC_CREDENTIALS_JWT_SOURCE: "bearer"
   QUARKUS_OIDC_CREDENTIALS_JWT_TOKEN_PATH: "{{ .Values.app.oidc.clientAssertion.jwtTokenPath }}"
 {{- end }}

diff --git a/charts/qtodo/templates/app-deployment.yaml b/charts/qtodo/templates/app-deployment.yaml
@@ -55,6 +55,7 @@ spec:
           - name: qtodo-truststore-java
             mountPath: /usr/local/bin
 {{- end }}
+{{- if and .Values.app.oidc.enabled (contains "keycloak" (include "qtodo.oidc.url" .)) }}
       - name: wait-for-keycloak
         image: registry.redhat.io/openshift4/ose-tools-rhel9:latest
         imagePullPolicy: IfNotPresent
@@ -63,7 +64,7 @@ spec:
           - -c
           - |
             echo "Waiting for Keycloak OIDC endpoint to be available..."
-            KEYCLOAK_URL="{{ default (printf "https://keycloak.%s/realms/ztvp/.well-known/openid-configuration" .Values.global.localClusterDomain) .Values.app.oidc.authServerUrl }}/.well-known/openid-configuration"
+            KEYCLOAK_URL="{{ include "qtodo.oidc.url" . }}/.well-known/openid-configuration"
             # Remove duplicate .well-known if authServerUrl already contains realm
             KEYCLOAK_URL=$(echo "$KEYCLOAK_URL" | sed 's|/.well-known/openid-configuration/.well-known/openid-configuration|/.well-known/openid-configuration|')
 
@@ -87,6 +88,7 @@ spec:
           - name: ztvp-trusted-ca
             mountPath: /etc/pki/ca-trust/extracted/pem
             readOnly: true
+{{- end }}
       - name: init-spiffe-helper
         image: {{ template "qtodo.image" (dict "value" .Values.app.images.spiffeHelper "context" $) }}
         imagePullPolicy: {{ .Values.app.images.spiffeHelper.pullPolicy }}
@@ -123,7 +125,7 @@ spec:
           - name: CREDENTIALS_FILE
             value: /run/secrets/db-credentials/credentials.properties
           - name: JWT_TOKEN_FILE
-            value: /svids/jwt.token
+            value: {{ .Values.app.oidc.clientAssertion.jwtTokenPath }}
           - name: ZTVP_CA_BUNDLE
             value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
         volumeMounts:
@@ -176,7 +178,7 @@ spec:
         - name: CREDENTIALS_FILE
           value: /run/secrets/db-credentials/credentials.properties
         - name: JWT_TOKEN_FILE
-          value: /svids/jwt.token
+          value: {{ .Values.app.oidc.clientAssertion.jwtTokenPath }}
         - name: ZTVP_CA_BUNDLE
           value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
         volumeMounts:
@@ -234,11 +236,11 @@ spec:
 {{- else }}
         - name: QUARKUS_CONFIG_LOCATIONS
           value: file:/run/secrets/db-credentials/credentials.properties
-{{- if not .Values.app.oidc.clientAssertion.enabled }}
+{{- if .Values.app.oidc.clientSecret.enabled }}
         - name: QUARKUS_OIDC_CREDENTIALS_SECRET
           valueFrom:
             secretKeyRef:
-              name: oidc-client-secret
+              name: {{ .Values.app.oidc.clientSecret.name }}
               key: client-secret
 {{- end }}
 {{- if .Values.app.truststore.enabled }}

diff --git a/charts/qtodo/templates/oidc-client-secret-external-secret.yaml b/charts/qtodo/templates/oidc-client-secret-external-secret.yaml
@@ -1,23 +1,23 @@
-{{- if .Values.app.oidcSecret.enabled }}
+{{- if .Values.app.oidc.clientSecret.enabled }}
 apiVersion: "external-secrets.io/v1beta1"
 kind: ExternalSecret
 metadata:
-  name: {{ .Values.app.oidcSecret.name }}
+  name: {{ .Values.app.oidc.clientSecret.name }}
   namespace: {{ .Release.Namespace }}
 spec:
   refreshInterval: 15s
   secretStoreRef:
     name: {{ .Values.global.secretStore.name }}
     kind: {{ .Values.global.secretStore.kind }}
   target:
-    name: {{ .Values.app.oidcSecret.name }}
+    name: {{ .Values.app.oidc.clientSecret.name }}
     template:
       type: Opaque
       data:
-        client-secret: "{{ `{{ .client_secret }}` }}"
+        client-secret: "{{ `{{ .client_secret | trim }}` }}"
   data:
   - secretKey: client_secret
     remoteRef:
-      key: {{ .Values.app.oidcSecret.vaultPath }}
+      key: {{ .Values.app.oidc.clientSecret.vaultPath }}
       property: client-secret
 {{- end }}
diff --git a/charts/qtodo/templates/spiffe-helper-config.yaml b/charts/qtodo/templates/spiffe-helper-config.yaml
@@ -1,5 +1,4 @@
 {{- if eq .Values.app.spire.enabled true }}
-{{- $keycloakRealmUrl := default (printf "https://keycloak.%s/realms/%s" .Values.global.localClusterDomain .Values.app.keycloak.realm) .Values.app.keycloak.realmUrl }}
 kind: ConfigMap
 apiVersion: v1
 metadata:
@@ -16,6 +15,6 @@ data:
     svid_file_name = "svid.pem"
     svid_key_file_name = "svid_key.pem"
     svid_bundle_file_name = "svid_bundle.pem"
-    jwt_svids = [{jwt_audience="{{ $keycloakRealmUrl }}", jwt_svid_file_name="jwt.token"}]
+    jwt_svids = [{jwt_audience="{{ include "qtodo.jwt.audience" . }}", jwt_svid_file_name="jwt.token"}]
     jwt_bundle_file_name  = "jwt_bundle.json"
 {{- end }}
diff --git a/charts/qtodo/values.yaml b/charts/qtodo/values.yaml
@@ -38,20 +38,19 @@ app:
   oidc:
     enabled: false  # Will be enabled when SPIFFE is enabled
     authServerUrl: ""
-    clientId: qtodo-app
+    realm: "ztvp"
+    clientId: "qtodo-app"
     applicationType: "web-app"
     authenticatedPaths: "/*"
     authenticatedPolicy: "authenticated"
     # Federated client assertion using SPIFFE JWT SVID
     clientAssertion:
       enabled: true
       jwtTokenPath: "/svids/jwt.token"
-
-  # Keycloak realm configuration
-  keycloak:
-    realm: "ztvp"
-    # Keycloak realm URL (auto-generated from global.localClusterDomain and realm if empty)
-    realmUrl: ""
+    clientSecret:
+      enabled: false
+      name: "oidc-client-secret"
+      vaultPath: "secret/data/apps/qtodo/qtodo-oidc-client"
 
   spire:
     enabled: true   # Enable SPIFFE + OIDC integration by default
@@ -62,17 +61,11 @@ app:
   vault:
     url: ""
     role: "qtodo"
+    # JWT Audience (auto-generated if not set)
+    # audience: "api://client-id"
     # QTodo secrets path (app-level isolation)
     secretPath: "secret/data/apps/qtodo/qtodo-db"
 
-  # OIDC External Secret configuration
-  # Disabled when using federated client assertion (no client secret needed)
-  oidcSecret:
-    enabled: false
-    name: "oidc-client-secret"
-    # QTodo OIDC secret path (app-level isolation)
-    vaultPath: "secret/data/apps/qtodo/qtodo-oidc-client"
-
   # Truststore configuration for Java CA certificates (PKCS12 format)
   truststore:
     enabled: true

diff --git a/charts/supply-chain/files/rhtas.sh b/charts/supply-chain/files/rhtas.sh
@@ -88,9 +88,28 @@ sign_artifact() {
   log_msg "REKOR_URL: ${REKOR_URL}"
   log_msg "bundle: ${bundle}"
 
+  if [ -v OIDC_CLIENT_ID ]; then
+    log_msg "OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}"
+  fi
+  if [ -v OIDC_ISSUER ]; then
+    log_msg "OIDC_ISSUER: ${OIDC_ISSUER}"
+  fi
+  if [ -v OIDC_IDENTITY ]; then
+    log_msg "OIDC_IDENTITY: ${OIDC_IDENTITY}"
+  fi
+  if [ -v OIDC_CLIENT_SECRET_FILE ]; then
+    log_msg "OIDC_CLIENT_SECRET_FILE: ${OIDC_CLIENT_SECRET_FILE}"
+    if ! [ -f "${OIDC_CLIENT_SECRET_FILE}" ]; then
+      log_msg "ERROR: ${OIDC_CLIENT_SECRET_FILE} not found"
+      exit 1
+    fi
+  fi
+
   cosign sign-blob "${1}" \
     --fulcio-url "${FULCIO_URL}" \
     --rekor-url "${REKOR_URL}" \
+    ${OIDC_CLIENT_ID:+"--oidc-client-id=${OIDC_CLIENT_ID}"} \
+    ${OIDC_CLIENT_SECRET_FILE:+"--oidc-client-secret-file=${OIDC_CLIENT_SECRET_FILE}"} \
     --bundle "${bundle}" \
     --yes
 }
@@ -107,9 +126,28 @@ sign_image() {
   log_msg "REKOR_URL: ${REKOR_URL}"
   log_msg "image_ref: ${image_ref}"
 
+  if [ -v OIDC_CLIENT_ID ]; then
+    log_msg "OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}"
+  fi
+  if [ -v OIDC_ISSUER ]; then
+    log_msg "OIDC_ISSUER: ${OIDC_ISSUER}"
+  fi
+  if [ -v OIDC_IDENTITY ]; then
+    log_msg "OIDC_IDENTITY: ${OIDC_IDENTITY}"
+  fi
+  if [ -v OIDC_CLIENT_SECRET_FILE ]; then
+    log_msg "OIDC_CLIENT_SECRET_FILE: ${OIDC_CLIENT_SECRET_FILE}"
+    if ! [ -f "${OIDC_CLIENT_SECRET_FILE}" ]; then
+      log_msg "ERROR: ${OIDC_CLIENT_SECRET_FILE} not found"
+      exit 1
+    fi
+  fi
+
   cosign sign "${image_ref}" \
     --fulcio-url "${FULCIO_URL}" \
     --rekor-url "${REKOR_URL}" \
+    ${OIDC_CLIENT_ID:+"--oidc-client-id=${OIDC_CLIENT_ID}"} \
+    ${OIDC_CLIENT_SECRET_FILE:+"--oidc-client-secret-file=${OIDC_CLIENT_SECRET_FILE}"} \
     --yes
 }