From 62a10b93138748199f7b9290729b412480e734be Mon Sep 17 00:00:00 2001
From: Ariel Rolfo
Date: Thu, 21 May 2026 20:46:03 -0300
Subject: [PATCH] Add IAM (Keycloak) configuration to credreg-prod ConfigMap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The upcoming production release introduces IAM/Keycloak-backed authentication paths (parse_iam_access_token, role mapping). These read IAM_URL, IAM_CLIENT_ID, IAM_COMMUNITY_CLAIM_NAME, and the three IAM_COMMUNITY_ROLE_* keys — none of which currently exist in the credreg-prod ConfigMap. Without them, IAM token validation in prod degrades silently (ENV.fetch returns nil) or raises on role lookup. Values mirror the sandbox/staging conventions; IAM_URL points to the prod Keycloak realm CE-Prod at login.credentialengine.org.
---
 .../environments/eks/k8s-manifests-prod/app-configmap.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/terraform/environments/eks/k8s-manifests-prod/app-configmap.yaml b/terraform/environments/eks/k8s-manifests-prod/app-configmap.yaml
index 6eedc1ad..13df731f 100644
--- a/terraform/environments/eks/k8s-manifests-prod/app-configmap.yaml
+++ b/terraform/environments/eks/k8s-manifests-prod/app-configmap.yaml
@@ -16,3 +16,9 @@ data:
 SWAGGER_ENABLED: "true"
 API_KEY_VALIDATION_ENDPOINT: https://apps.credentialengine.org/accountsAPI/Organization/ValidateApiKey
 ELASTICSEARCH_ADDRESS: http://elasticsearch:9200
+ IAM_CLIENT_ID: RegistryAPI
+ IAM_COMMUNITY_CLAIM_NAME: community_name
+ IAM_COMMUNITY_ROLE_ADMIN: ROLE_ADMINISTRATOR
+ IAM_COMMUNITY_ROLE_PUBLISHER: ROLE_PUBLISHER
+ IAM_COMMUNITY_ROLE_READER: ROLE_READER
+ IAM_URL: https://login.credentialengine.org/realms/CE-Prod
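Review bot: The six added IAM_* keys have no comment tying them to the Keycloak realm, yet the three IAM_COMMUNITY_ROLE_* values decide which token roles map to administrator, publisher and reader access in production. The commit message says the values mirror sandbox/staging conventions; if realm CE-Prod names a role differently, the mapping would presumably fail or fall through with no signal from this manifest, so the names should be confirmed against the realm before release. I would add a comment above the block, for example `# IAM (Keycloak): role and claim names must match realm CE-Prod exactly; IAM_URL is the realm base URL`. It is also worth confirming that IAM_CLIENT_ID is the client registered in that realm for this API. Keeping only non-secret identifiers here is right for a ConfigMap; any client secret belongs in a Secret.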