@@ -106,9 +106,11 @@ Connection — deleting the Connection garbage-collects the Secret.
106106
107107## Register with the hub
108108
109- The CatalogEntry is what makes the hub provision the provider's workspace,
110- schemas, APIExport, and runtime kubeconfig. The Helm chart renders it
111- (` catalogEntry.enabled=true ` ), or apply the raw manifest:
109+ The CatalogEntry registers the provider with the hub for routing + the portal
110+ Enable flow. It is a kcp resource, so it lives in the provider workspace — not
111+ the hosting cluster. With ` catalogEntry.enabled=true ` (default) the chart renders
112+ it into a ConfigMap and the init container self-registers it into the workspace
113+ via the provider kubeconfig; alternatively apply the raw manifest yourself:
112114
113115``` sh
114116kubectl --kubeconfig kcp-admin.kubeconfig ws use root:kedge:providers
@@ -130,7 +132,8 @@ docker build -t ghcr.io/faroshq/kedge-code-provider:dev providers/code/
130132## Deploy with Helm
131133
132134The chart ships the provider Deployment, a ClusterIP Service, the ServiceAccount,
133- and (optionally) the CatalogEntry. The runtime kubeconfig the controllers need
135+ and (optionally) the CatalogEntry ConfigMap the init container applies to kcp.
136+ The runtime kubeconfig the controllers need
134137is ** minted by the hub** when it reconciles the CatalogEntry and mounted from the
135138` kedge-provider-kubeconfig ` Secret — the volume is ` optional ` , so the pod serves
136139portal/MCP/packages reads immediately and the controller manager engages once
@@ -148,8 +151,10 @@ helm install code providers/code/deploy/chart \
148151
149152### With "Connect with GitHub" (OAuth)
150153
151- Create a GitHub OAuth App with callback ` https://<provider-host>/oauth/github/callback ` ,
152- store its client secret in a Secret, then:
154+ Create a GitHub OAuth App, store its client secret in a Secret, then enable the
155+ ` githubOAuth.* ` block. The portal probes ` /services/providers/code/oauth/github/config `
156+ through the hub; once OAuth is enabled and the provider backend is reachable, the
157+ ** Connect with GitHub** button appears.
153158
154159``` sh
155160kubectl -n code create secret generic kedge-code-github-oauth \
@@ -162,14 +167,88 @@ helm install code providers/code/deploy/chart \
162167 --set githubOAuth.enabled=true \
163168 --set githubOAuth.clientId=< oauth-app-client-id> \
164169 --set githubOAuth.clientSecretRef.name=kedge-code-github-oauth \
165- --set githubOAuth.redirectURL=https://code.example.com /oauth/github/callback \
166- --set githubOAuth.portalOrigin=https://kedge.example.com
170+ --set githubOAuth.redirectURL=https://< hub-host > /services/providers/ code/oauth/github/callback \
171+ --set githubOAuth.portalOrigin=https://< hub-host >
167172```
168173
169- The OAuth callback is a top-level redirect from GitHub (no kedge auth), so
170- ` redirectURL ` must point at the provider's ** own externally-reachable URL** , not
171- the hub ` /services ` proxy. ` portalOrigin ` should be the hub origin so the popup
172- returns the token only to your portal.
174+ #### Choosing ` redirectURL `
175+
176+ GitHub's callback is a ** top-level browser redirect with no kedge auth** , so
177+ ` redirectURL ` must be publicly reachable and forward to the provider's HTTP
178+ backend (` :8083 ` ). It must end in ` /callback ` ; the matching ` /start ` URL is
179+ derived automatically by swapping ` /callback ` → ` /start ` under the ** same host
180+ and path prefix** . Two options:
181+
182+ 1 . ** Reuse the hub ingress (recommended — no extra ingress object):** point at
183+ the hub's existing ` /services/providers/code/* ` proxy:
184+ ```
185+ https://<hub-host>/services/providers/code/oauth/github/callback
186+ ```
187+ The proxy forwards these anonymous requests straight to the provider backend,
188+ so the whole flow rides the single hub hostname. Set ` portalOrigin ` to the
189+ same hub origin.
190+
191+ 2 . ** The provider's own external host:** if you expose the provider directly
192+ (its own ingress/hostname), use:
193+ ```
194+ https://code.example.com/oauth/github/callback
195+ ```
196+
197+ Whichever you pick, register that ** exact** callback URL on the GitHub OAuth App,
198+ and set ` portalOrigin ` to the hub origin so the popup returns the token only to
199+ your portal.
200+
201+ ### Full production deployment (hub-routed OAuth)
202+
203+ Provider running in its own namespace, registered against an already-running hub,
204+ with OAuth routed through the hub ingress (no per-provider ingress). The runtime
205+ kubeconfig the controllers need is supplied as the ` kedge-provider-kubeconfig `
206+ Secret (its key ** must** be ` kubeconfig ` ) — mint it via the admin onboarding flow
207+ (` /bonkers ` ).
208+
209+ ``` sh
210+ # 1. Namespace.
211+ kubectl create namespace kedge-prod-provider-code
212+
213+ # 2. Provider kubeconfig Secret (key MUST be "kubeconfig").
214+ kubectl -n kedge-prod-provider-code create secret generic kedge-provider-kubeconfig \
215+ --from-file=kubeconfig=kedge/provider-code.kubeconfig
216+
217+ # 3. GitHub OAuth App client secret.
218+ kubectl -n kedge-prod-provider-code create secret generic code-github-oauth \
219+ --from-literal=clientSecret=< oauth-app-client-secret>
220+
221+ # 4. Install the chart from the published OCI registry.
222+ helm upgrade --install code oci://ghcr.io/faroshq/charts/kedge-code-provider:0.0.82 \
223+ -n kedge-prod-provider-code \
224+ --set hub.url=https://kedge-kedge-hub.kedge-prod.svc.cluster.local:9443 \
225+ --set hub.insecure=true \
226+ --set hub.tokenSecretRef.name=" " \
227+ --set image.tag=v0.0.82 \
228+ --set catalogEntry.enabled=false \
229+ --set githubOAuth.enabled=true \
230+ --set githubOAuth.clientId=< oauth-app-client-id> \
231+ --set githubOAuth.clientSecretRef.name=code-github-oauth \
232+ --set githubOAuth.clientSecretRef.key=clientSecret \
233+ --set githubOAuth.redirectURL=https://console.faros.sh/services/providers/code/oauth/github/callback \
234+ --set githubOAuth.portalOrigin=https://console.faros.sh
235+ ```
236+
237+ Notes:
238+ - ` hub.insecure=true ` + ` hub.tokenSecretRef.name="" ` suit an in-cluster hub with
239+ a self-signed cert and no static heartbeat token. For a real heartbeat token,
240+ create a Secret and set ` hub.tokenSecretRef.name ` /` .key ` instead.
241+ - ` catalogEntry.enabled=false ` means the chart does ** not** manage the
242+ CatalogEntry — the hub uses whatever ` backend.url ` the existing CatalogEntry
243+ declares. ** Make sure that ` backend.url ` points at this deployment's Service**
244+ (` http://code-kedge-code-provider.<namespace>.svc.cluster.local:8083 ` ); a stale
245+ namespace there makes the hub→provider proxy return ** 502** (and the OAuth
246+ button stays hidden). Leaving ` catalogEntry.enabled=true ` lets the init
247+ container keep ` backend.url ` in sync with the release namespace automatically.
248+ - After install, verify the OAuth probe returns ` {"enabled":true} ` :
249+ ``` sh
250+ curl -s https://console.faros.sh/services/providers/code/oauth/github/config
251+ ```
173252
174253` values.yaml ` documents the full surface — image, replicas, hub URL + token
175254Secret, the runtime kubeconfig Secret name, the ` githubOAuth.* ` block, the
@@ -225,7 +304,7 @@ the connection token's `read:packages` scope.
225304| ` KEDGE_DEV_ALLOW_TENANT_QUERY ` | (unset) | ` true ` lets ` ?tenant= ` /` ?token= ` replace identity headers (dev only) |
226305| ` GITHUB_OAUTH_CLIENT_ID ` | (unset → OAuth off) | GitHub OAuth App client ID |
227306| ` GITHUB_OAUTH_CLIENT_SECRET ` | (unset) | GitHub OAuth App client secret |
228- | ` GITHUB_OAUTH_REDIRECT_URL ` | (unset) | Absolute callback URL on the provider's own host |
307+ | ` GITHUB_OAUTH_REDIRECT_URL ` | (unset) | Absolute callback URL (must end in ` /callback ` ); either the hub ` /services/providers/code/oauth/github/callback ` proxy route or the provider's own host. ` /start ` is derived from it |
229308| ` GITHUB_OAUTH_PORTAL_ORIGIN ` | ` * ` | postMessage target origin (set to the hub origin in prod) |
230309| ` GITHUB_OAUTH_SCOPES ` | ` repo,read:org,admin:public_key,read:packages ` | Requested OAuth scopes |
231310
0 commit comments