Legacy embedded SSO configuration ownership

The public ops config sso command is supplied by the task repository. The embedded ops -config sso form remains temporarily available for compatibility with already published scripts and installations. It manages the following configuration. Resource names can be changed with --configmap, --secret, --statefulset, and --container.

Kubernetes resources

The command creates and owns a dedicated ConfigMap. Its default name is openserverless-sso-config, and it contains exactly these keys:

  • OIDC_ISSUER_URL
  • OIDC_JWKS_URL
  • OIDC_AUDIENCE
  • OIDC_CLIENT_ID
  • OIDC_REQUIRED_GROUP
  • OIDC_USERNAME_CLAIM
  • OIDC_GROUPS_CLAIM
  • SSO_AUTOPROVISION_ON_LOGIN
  • SSO_AUTOPROVISION_TIMEOUT_SECONDS
  • SSO_AUTOPROVISION_POLL_SECONDS
  • SSO_AUTOPROVISION_DEFAULT_SERVICES
  • SSO_NAMESPACE_PRESERVE_VALID
  • SSO_NAMESPACE_HASH_LENGTH
  • SSO_NAMESPACE_MAX_LENGTH

When --client-secret is supplied, the command also creates and owns a dedicated Secret. Its default name is openserverless-sso-secret, and its only managed key is OIDC_CLIENT_SECRET.

The command adds exact, prefix-free envFrom references for the managed ConfigMap and, when applicable, the managed Secret to the selected admin-api container. It does not create direct env entries, volumes, volume mounts, or annotations.

Disable behavior

ops config sso disable removes only the exact envFrom references described above and deletes the two dedicated resources with Kubernetes --ignore-not-found. Other envFrom entries, all direct env entries, volumes, volume mounts, and existing annotations remain unchanged.

The command is idempotent. If neither managed reference is present, no patch or rollout command is issued for the StatefulSet. Missing ConfigMaps and Secrets are not errors. Removing an envFrom entry changes the pod template, so Kubernetes starts the necessary rollout itself. By default the command waits for that rollout; --no-rollout skips the wait and does not issue an additional restart.

The local ~/.ops/config.json cleanup is also limited to the keys written by the SSO command. Unrecognized SSO_* keys are preserved.