Skip to content

Support client-credentials OIDC clients via serviceAccountsEnabled#668

Merged
AlexGodbehere merged 1 commit into
mainfrom
ago/kiosk-client-credentials
Jul 9, 2026
Merged

Support client-credentials OIDC clients via serviceAccountsEnabled#668
AlexGodbehere merged 1 commit into
mainfrom
ago/kiosk-client-credentials

Conversation

@AlexGodbehere

Copy link
Copy Markdown
Contributor

What

ensure_client in acs-service-setup hardcoded serviceAccountsEnabled: false, so no client declared in serviceSetup.config.openidClients could use the OAuth client-credentials grant. This passes the flag through from the per-client values spec, exactly like the other flow flags (standardFlowEnabled, directAccessGrantsEnabled, deviceAuthorizationFlowEnabled), and documents it in values.yaml with an example.

Guarded to confidential clients: Keycloak does not support service accounts on public clients, so publicClient: true wins and the flag is ignored.

Why

Machine-to-machine consumers need a way to obtain tokens from the realm with no human login. First consumer: Polyptic display walls fetching Grafana JWTs unattended (Grafana [auth.jwt] + url_login) — an operator declares:

serviceSetup:
  config:
    openidClients:
      polyptic-kiosk:
        enabled: true
        name: Polyptic kiosk
        serviceAccountsEnabled: true
        standardFlowEnabled: false   # no browser flow

and the existing machinery does the rest — the chart already generates a stable client secret for any enabled non-builtin entry (keycloak-clients Secret), and service-setup already applies per-client overrides idempotently.

Notes

  • No chart template changes; the spec flows to service-setup verbatim, so this is service-setup code + values docs only.
  • Pure service clients get the F+ claim mappers like every other client; the mappers are harmless for a service account with no F+ principal.

🤖 Generated with Claude Code

ensure_client hardcoded serviceAccountsEnabled: false, so no values-
declared client could use the OAuth client-credentials grant. Pass it
through from the per-client spec like the other flow flags, guarded to
confidential clients (Keycloak does not support service accounts on
public clients). Documented in values.yaml with a kiosk example.

First consumer: Polyptic display walls fetching Grafana JWTs
unattended (Grafana [auth.jwt] + url_login).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@AlexGodbehere AlexGodbehere force-pushed the ago/kiosk-client-credentials branch from cc9338b to f5c7f66 Compare July 9, 2026 08:00
@AlexGodbehere AlexGodbehere merged commit d992760 into main Jul 9, 2026
1 check passed
@AlexGodbehere AlexGodbehere deleted the ago/kiosk-client-credentials branch July 9, 2026 08:01
AlexGodbehere added a commit that referenced this pull request Jul 9, 2026
# Document v6.0.0 in the release notes

## Summary

`docs/reference/release-notes.md` had not been touched since v3.4.0, so
v4 and v5 were never written up and v6 had nothing at all. This adds a
`v6.0.0` section covering the changes an operator has to act on when
upgrading from v5.1.0, and notes the v4/v5 gap rather than pretending it
isn't there.

## Why v6 is a major release

Three independently sufficient reasons, documented in that order of
importance:

1. **Nanosecond timestamps (#659).** The Sparkplug `uint64` timestamp
field now carries nanoseconds where it carried milliseconds. New code
treats values below 1e15 as milliseconds, so a v6 central service reads
a v5 edge agent fine. The reverse silently corrupts data: a v5 historian
reading a v6 edge agent writes points dated tens of millions of years in
the future. This dictates an upgrade order, which the notes spell out.
It also makes ACS deliberately non-compliant with the Sparkplug B spec,
which matters to any external consumer.
2. **Grafana authentication replaced (#646).** `auth.proxy` and the
`basic-auth` middleware are gone, Keycloak is deployed by default, and
Grafana roles now come from Factory+ permission grants.
3. **ConfigDB permissions tightened.** Creating a subclass now needs
`WriteSuperclasses` on the target class (#638), and Files needs
`ReadMembers` (#654).

Plus the v1 ConfigDB dump format being removed, and the ISA-95 hierarchy
becoming a controlled vocabulary.

## Manual upgrade steps documented

- DNS and TLS for three new external hosts (`openid`, `i3x`,
`data-access` are all enabled by default).
- Grafana role grants via `serviceSetup.config.grafanaPermissions`, and
a warning that v5 proxy-created accounts may not be reclaimed under the
new UPN-based usernames.
- `WriteSuperclasses` for any local principal that creates subclasses.
- Converting any out-of-repo v1 dumps.
- Building the ISA-95 vocabulary, now via "Import from Devices" rather
than by hand (#667).

Also covers `serviceAccountsEnabled` (#668, opt-in, no action) and
records that MetaDB ships disabled and incomplete and should stay that
way.

## Notes for the reviewer

Every factual claim was checked against the code on `main` rather than
against the PR descriptions. One claim I could **not** settle and have
flagged in the notes as something to test: whether existing Grafana user
rows created by v5's proxy auth are reclaimed by the new federated
logins, or whether those users land as fresh Viewer accounts. The
reclaim machinery exists (`oauth_allow_insecure_email_lookup`,
`email_attribute_path: preferred_username`) but only fires when the old
username matches the Kerberos UPN. Worth testing on staging before
tagging, because the failure is quiet.

`edge-openprotocol` is in the tree and the CI image build but is not in
`values.yaml` and not in the driver list, so it cannot be selected in
the Manager. I left it out of the notes; you may want to decide whether
it belongs in the v6 changelog at all.
AlexGodbehere added a commit that referenced this pull request Jul 9, 2026
## What

Bumps the default Grafana image from **10.0.1** (June 2023, out of
support since 2024) to **13.1.0** (current stable), and documents the
operator-facing consequences in the v6.0.0 release notes.

## Why

- Two majors of security fixes on a network-facing, credential-holding
component.
- The newer `[auth.jwt]` support is what machine-to-machine consumers
(#668) use to sign in with tokens — including the dev-mode JWKS
exemption needed on non-TLS test deployments (the https-scheme check is
unconditional in 10.0.1; verified conditional in 12.x/13.1.0 source).
- Removes per-deployment drift: existing dev clusters already override
the tag upwards.

## Breaking changes documented (from the Grafana 10 baseline)

- **One-way dashboard schema migration** in v13 — snapshot the Grafana
PV before upgrading; no downgrade after.
- **AngularJS plugin removal** (disabled in 11, gone in 12) — core
panels fine, legacy Graph/Table auto-migrate, third-party Angular
plugins stop rendering.
- **`viewPanel` deep-link format change** (11) — single-panel
bookmarks/kiosk URLs need re-copying; whole-dashboard links unchanged.
- Image renderer plugin + legacy alerting removed upstream — ACS deploys
neither.

Not touched: the Grafana Helm chart dependency stays at 6.52.4; this is
an image bump only.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant