add ability to reference OIDC client secret from secret object by olamilekan000 · Pull Request #134 · kcp-dev/kcp-operator

olamilekan000 · 2026-01-02T15:37:28Z

Summary

change adds referencing of OIDC client secret using secret object.

What Type of PR Is This?

/kind feature
/kind api-change

Related Issue(s)

Fixes 130

Release Notes

Added referencing of OIDC secret using k8s secret object.

mjudeikis

This is just api? no implementation yet?

mjudeikis · 2026-01-05T06:39:40Z

+	Name string `json:"name"`
+	// Namespace is the namespace of the secret. If not specified, the secret is assumed to be in the same namespace as the resource.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`


Is there point having namespace here? Can we refer and use secrets cross-namespaces?

Unless there's a strong reason to read cross-namespace resources, I would also vote against opening this can of worms.

@olamilekan000 Can you drop the namespace please?

Although, now that I think about it - it'd just but a blocker in if someone does need to read cross-namespace resources.

Then again, I think it'd be best to reuse the LocalDataKeyRef:

kcp-operator/sdk/apis/operator/v1alpha1/common.go

Lines 73 to 81 in 7b7489f

// LocalDataKeyReference is a reference to a namespace-local object storing

// key-value data, i.e. ConfigMap or Secret.

type LocalDataKeyReference struct {

// Name of the object.

Name string `json:"name"`

// Key in the data.

Key string `json:"key"`

}

okay, will look into this

Just to bring to your attention, the secret field doesn't really have a flag in kcp, it was just there and not being used. I remember having a conversation about it on Slack with @mjudeikis.
These are the options I can see

cc @ntnn @xrstf

@mjudeikis Since you introduced it and also left the field unused in #68: What was your plan for the ClientSecret?

xrstf · 2026-04-01T09:05:49Z

Any updates on this PR?

kcp-ci-bot · 2026-04-04T00:47:48Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign xmudrii for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

olamilekan000 · 2026-04-05T22:00:53Z

/retest

xrstf · 2026-04-07T19:44:12Z

And what about the actual implementation?

olamilekan000 · 2026-04-07T21:45:31Z

And what about the actual implementation?

I dropped a message here about it

Signed-off-by: olalekan odukoya <odukoyaonline@gmail.com>

olamilekan000 · 2026-04-08T08:31:10Z

/retest

mjudeikis · 2026-04-17T10:01:58Z

lets close this and just deprecate this secrets field. we dont use it as kube oidc is secretless

olamilekan000 requested review from embik and mjudeikis January 2, 2026 15:37

kcp-ci-bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 2, 2026

mjudeikis reviewed Jan 5, 2026

View reviewed changes

ntnn added this to tbd Mar 17, 2026

github-project-automation Bot moved this to Backlog in tbd Mar 17, 2026

ntnn moved this from Backlog to Reviewing in tbd Mar 19, 2026

olamilekan000 force-pushed the refrence-oidc-clientsecret-using-secretref branch from 91f0162 to b4b07a6 Compare April 4, 2026 00:47

olamilekan000 force-pushed the refrence-oidc-clientsecret-using-secretref branch from b4b07a6 to f8f3c6c Compare April 4, 2026 00:49

xrstf reviewed Apr 7, 2026

View reviewed changes

Comment thread sdk/apis/operator/v1alpha1/common.go

olamilekan000 force-pushed the refrence-oidc-clientsecret-using-secretref branch from f8f3c6c to 9fe5a0d Compare April 7, 2026 21:47

add ability to refrence OIDC client secret from secret object

ff64ba1

Signed-off-by: olalekan odukoya <odukoyaonline@gmail.com>

olamilekan000 force-pushed the refrence-oidc-clientsecret-using-secretref branch from 9fe5a0d to ff64ba1 Compare April 7, 2026 21:50

olamilekan000 requested review from mjudeikis, ntnn and xrstf April 7, 2026 21:50

mjudeikis closed this Apr 17, 2026

github-project-automation Bot moved this from Reviewing to Done in tbd Apr 17, 2026

ntnn moved this from Done to Reviewing in tbd Apr 17, 2026

olamilekan000 mentioned this pull request Apr 19, 2026

deprecate ClientSecret in the OIDC Configuration #222

Merged

	// LocalDataKeyReference is a reference to a namespace-local object storing
	// key-value data, i.e. ConfigMap or Secret.
	type LocalDataKeyReference struct {
	// Name of the object.
	Name string `json:"name"`

	// Key in the data.
	Key string `json:"key"`
	}

Conversation

olamilekan000 commented Jan 2, 2026

Summary

What Type of PR Is This?

Related Issue(s)

Release Notes

Uh oh!

mjudeikis left a comment

Choose a reason for hiding this comment

Uh oh!

mjudeikis Jan 5, 2026

Choose a reason for hiding this comment

Uh oh!

xrstf Feb 25, 2026

Choose a reason for hiding this comment

Uh oh!

ntnn Mar 17, 2026

Choose a reason for hiding this comment

Uh oh!

ntnn Mar 17, 2026

Choose a reason for hiding this comment

Uh oh!

ntnn Mar 17, 2026

Choose a reason for hiding this comment

Uh oh!

olamilekan000 Mar 17, 2026

Choose a reason for hiding this comment

Uh oh!

olamilekan000 Apr 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

xrstf Apr 8, 2026

Choose a reason for hiding this comment

Uh oh!

xrstf commented Apr 1, 2026

Uh oh!

kcp-ci-bot commented Apr 4, 2026

Uh oh!

olamilekan000 commented Apr 5, 2026

Uh oh!

Uh oh!

xrstf commented Apr 7, 2026

Uh oh!

olamilekan000 commented Apr 7, 2026

Uh oh!

olamilekan000 commented Apr 8, 2026

Uh oh!

mjudeikis commented Apr 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

olamilekan000 Apr 4, 2026 •

edited

Loading