fix(auth): restore keycloak sign-in for NodePort access

Trust external host for Auth.js, provide missing frontend auth env/secrets, and submit a proper CSRF-backed sign-in POST so browser login reaches Keycloak reliably.
2026-03-13 06:52:18 +01:00
parent d4f09295be
commit 9cb80e4517
3 changed files with 58 additions and 3 deletions
--- a/infra/k8s/base/frontend-deployment.yaml
+++ b/infra/k8s/base/frontend-deployment.yaml
@@ -62,3 +62,31 @@ spec:
            configMapKeyRef:
              name: workclub-config
              key: keycloak-url
+        - name: NEXT_PUBLIC_KEYCLOAK_ISSUER
+          valueFrom:
+            configMapKeyRef:
+              name: workclub-config
+              key: keycloak-authority
+        - name: NEXTAUTH_URL
+          value: "http://192.168.240.200:30080"
+        - name: AUTH_TRUST_HOST
+          value: "true"
+        - name: NEXTAUTH_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: workclub-secrets
+              key: nextauth-secret
+        - name: KEYCLOAK_CLIENT_ID
+          value: "workclub-app"
+        - name: KEYCLOAK_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: workclub-secrets
+              key: keycloak-client-secret
+        - name: KEYCLOAK_ISSUER
+          valueFrom:
+            configMapKeyRef:
+              name: workclub-config
+              key: keycloak-authority
+        - name: KEYCLOAK_ISSUER_INTERNAL
+          value: "http://workclub-keycloak/realms/workclub"
--- a/infra/k8s/overlays/dev/secrets.yaml
+++ b/infra/k8s/overlays/dev/secrets.yaml
@@ -9,3 +9,5 @@ stringData:
  keycloak-db-password: "keycloakpass"
  keycloak-admin-username: "admin"
  keycloak-admin-password: "adminpassword"
+  keycloak-client-secret: "dev-secret-workclub-api-change-in-production"
+  nextauth-secret: "dev-secret-change-in-production-use-openssl-rand-base64-32"