From 39cee1c7fb58ef5dc8bb77bd008827891e43e798 Mon Sep 17 00:00:00 2001
From: Val Redchenko
Date: Tue, 26 May 2026 16:03:57 +0100
Subject: [PATCH] chore(k8s): wire prod Keycloak config and real CORS origin

Replaces the app.example.com placeholder with the real prod ingress hostname (smartem.diamond.ac.uk) and adds the Keycloak block so the backend will accept tokens once the DLS production Keycloak clients exist. KEYCLOAK_REALM and KEYCLOAK_VERIFY_ISS are intentionally left as TODOs pending confirmation from DLS Keycloak admins.
---
 k8s/environments/production/configmap.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/k8s/environments/production/configmap.yaml b/k8s/environments/production/configmap.yaml
index b64f55a..6b134fa 100644
--- a/k8s/environments/production/configmap.yaml
+++ b/k8s/environments/production/configmap.yaml
@@ -13,4 +13,13 @@ data:
 RABBITMQ_PORT: "5672"
 HTTP_API_PORT: "8000"
 ADMINER_PORT: "8080"
- CORS_ALLOWED_ORIGINS: "https://app.example.com"
+ CORS_ALLOWED_ORIGINS: "https://smartem.diamond.ac.uk"
+ # Keycloak OIDC integration. The backend rejects every non-exempt
+ # request that doesn't carry a valid Bearer token (always-on since
+ # smartem-decisions#285). KEYCLOAK_ALLOWED_AZP is the comma-separated
+ # azp allow-list; unset means any valid token from the realm is accepted.
+ KEYCLOAK_URL: "https://identity.diamond.ac.uk"
+ KEYCLOAK_ALLOWED_AZP: "SmartEM_User,SmartEM_Agent"
+ # TODO: confirm with DLS Keycloak admins before go-live
+ # KEYCLOAK_REALM
+ # KEYCLOAK_VERIFY_ISS (set "true" once realm is known so the issuer URL can be validated)
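Review bot: The two trailing comment lines leave `KEYCLOAK_REALM` and `KEYCLOAK_VERIFY_ISS` unset in the production ConfigMap, and the hunk's own comment says the issuer URL can only be validated once `KEYCLOAK_VERIFY_ISS` is "true", so if the backend's default when that key is absent is to skip issuer validation (cannot be confirmed from this file), this deploys prod token verification without an issuer check, and `KEYCLOAK_ALLOWED_AZP` alone does not bind a token to the intended realm. The placeholders also give no value shape, so the follow-up has to rediscover that both are plain ConfigMap strings. Writing them as commented key lines makes the go-live gate explicit and lets the follow-up uncomment rather than rewrite: `# KEYCLOAK_REALM: "<realm name, pending DLS Keycloak admin confirmation>"` and `# KEYCLOAK_VERIFY_ISS: "true"  # must be set before go-live; issuer is presumably not validated while unset -- confirm against the backend default`. The enclosing `data:` mapping starts before this hunk.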