Support client-credentials OIDC clients via serviceAccountsEnabled#668
Merged
Conversation
ensure_client hardcoded serviceAccountsEnabled: false, so no values- declared client could use the OAuth client-credentials grant. Pass it through from the per-client spec like the other flow flags, guarded to confidential clients (Keycloak does not support service accounts on public clients). Documented in values.yaml with a kiosk example. First consumer: Polyptic display walls fetching Grafana JWTs unattended (Grafana [auth.jwt] + url_login). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
cc9338b to
f5c7f66
Compare
AlexGodbehere
added a commit
that referenced
this pull request
Jul 9, 2026
# Document v6.0.0 in the release notes ## Summary `docs/reference/release-notes.md` had not been touched since v3.4.0, so v4 and v5 were never written up and v6 had nothing at all. This adds a `v6.0.0` section covering the changes an operator has to act on when upgrading from v5.1.0, and notes the v4/v5 gap rather than pretending it isn't there. ## Why v6 is a major release Three independently sufficient reasons, documented in that order of importance: 1. **Nanosecond timestamps (#659).** The Sparkplug `uint64` timestamp field now carries nanoseconds where it carried milliseconds. New code treats values below 1e15 as milliseconds, so a v6 central service reads a v5 edge agent fine. The reverse silently corrupts data: a v5 historian reading a v6 edge agent writes points dated tens of millions of years in the future. This dictates an upgrade order, which the notes spell out. It also makes ACS deliberately non-compliant with the Sparkplug B spec, which matters to any external consumer. 2. **Grafana authentication replaced (#646).** `auth.proxy` and the `basic-auth` middleware are gone, Keycloak is deployed by default, and Grafana roles now come from Factory+ permission grants. 3. **ConfigDB permissions tightened.** Creating a subclass now needs `WriteSuperclasses` on the target class (#638), and Files needs `ReadMembers` (#654). Plus the v1 ConfigDB dump format being removed, and the ISA-95 hierarchy becoming a controlled vocabulary. ## Manual upgrade steps documented - DNS and TLS for three new external hosts (`openid`, `i3x`, `data-access` are all enabled by default). - Grafana role grants via `serviceSetup.config.grafanaPermissions`, and a warning that v5 proxy-created accounts may not be reclaimed under the new UPN-based usernames. - `WriteSuperclasses` for any local principal that creates subclasses. - Converting any out-of-repo v1 dumps. - Building the ISA-95 vocabulary, now via "Import from Devices" rather than by hand (#667). Also covers `serviceAccountsEnabled` (#668, opt-in, no action) and records that MetaDB ships disabled and incomplete and should stay that way. ## Notes for the reviewer Every factual claim was checked against the code on `main` rather than against the PR descriptions. One claim I could **not** settle and have flagged in the notes as something to test: whether existing Grafana user rows created by v5's proxy auth are reclaimed by the new federated logins, or whether those users land as fresh Viewer accounts. The reclaim machinery exists (`oauth_allow_insecure_email_lookup`, `email_attribute_path: preferred_username`) but only fires when the old username matches the Kerberos UPN. Worth testing on staging before tagging, because the failure is quiet. `edge-openprotocol` is in the tree and the CI image build but is not in `values.yaml` and not in the driver list, so it cannot be selected in the Manager. I left it out of the notes; you may want to decide whether it belongs in the v6 changelog at all.
AlexGodbehere
added a commit
that referenced
this pull request
Jul 9, 2026
## What Bumps the default Grafana image from **10.0.1** (June 2023, out of support since 2024) to **13.1.0** (current stable), and documents the operator-facing consequences in the v6.0.0 release notes. ## Why - Two majors of security fixes on a network-facing, credential-holding component. - The newer `[auth.jwt]` support is what machine-to-machine consumers (#668) use to sign in with tokens — including the dev-mode JWKS exemption needed on non-TLS test deployments (the https-scheme check is unconditional in 10.0.1; verified conditional in 12.x/13.1.0 source). - Removes per-deployment drift: existing dev clusters already override the tag upwards. ## Breaking changes documented (from the Grafana 10 baseline) - **One-way dashboard schema migration** in v13 — snapshot the Grafana PV before upgrading; no downgrade after. - **AngularJS plugin removal** (disabled in 11, gone in 12) — core panels fine, legacy Graph/Table auto-migrate, third-party Angular plugins stop rendering. - **`viewPanel` deep-link format change** (11) — single-panel bookmarks/kiosk URLs need re-copying; whole-dashboard links unchanged. - Image renderer plugin + legacy alerting removed upstream — ACS deploys neither. Not touched: the Grafana Helm chart dependency stays at 6.52.4; this is an image bump only. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
ensure_clientin acs-service-setup hardcodedserviceAccountsEnabled: false, so no client declared inserviceSetup.config.openidClientscould use the OAuth client-credentials grant. This passes the flag through from the per-client values spec, exactly like the other flow flags (standardFlowEnabled,directAccessGrantsEnabled,deviceAuthorizationFlowEnabled), and documents it invalues.yamlwith an example.Guarded to confidential clients: Keycloak does not support service accounts on public clients, so
publicClient: truewins and the flag is ignored.Why
Machine-to-machine consumers need a way to obtain tokens from the realm with no human login. First consumer: Polyptic display walls fetching Grafana JWTs unattended (Grafana
[auth.jwt]+url_login) — an operator declares:and the existing machinery does the rest — the chart already generates a stable client secret for any enabled non-builtin entry (
keycloak-clientsSecret), and service-setup already applies per-client overrides idempotently.Notes
🤖 Generated with Claude Code