fix: added clientID/secret based access (#160)

* fix: added clientID/secret based access

On-behalf-of: SAP [email protected]

* fixed typo

On-behalf-of: SAP [email protected]

* chore: updated secret reading

On-behalf-of: SAP [email protected]

* chore: removed unused config variable

On-behalf-of: SAP [email protected]

* chore: updated client id in tests

On-behalf-of: SAP [email protected]

Author: OlegErshov

go.mod

@@ -13,6 +13,7 @@ require (
 	github.com/kcp-dev/kcp/sdk v0.28.1-0.20250926104223-cec2e15f24c6
 	github.com/kcp-dev/logicalcluster/v3 v3.0.5
 	github.com/kcp-dev/multicluster-provider v0.2.0
+	github.com/oapi-codegen/runtime v1.1.2
 	github.com/openfga/api/proto v0.0.0-20250909173124-0ac19aac54f2
 	github.com/openfga/language/pkg/go v0.2.0-beta.2.0.20251027165255-0f8f255e5f6c
 	github.com/platform-mesh/account-operator v0.5.14
@@ -37,6 +38,7 @@ require (
 require (
 	github.com/99designs/gqlgen v0.17.81 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
+	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect

go.sum

@@ -2,14 +2,18 @@ cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
 cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 github.com/99designs/gqlgen v0.17.81 h1:kCkN/xVyRb5rEQpuwOHRTYq83i0IuTQg9vdIiwEerTs=
 github.com/99designs/gqlgen v0.17.81/go.mod h1:vgNcZlLwemsUhYim4dC1pvFP5FX0pr2Y+uYUoHFb1ig=
+github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
 github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
+github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
+github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
+github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -108,6 +112,7 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
 github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20250728122101-adbf20db3e51 h1:l38RDS+VUMx9etvyaCgJIZa4nM7FaNevNubWN0kDZY4=
 github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20250728122101-adbf20db3e51/go.mod h1:rF1jfvUfPjFXs+HV/LN1BtPzAz1bfjJOwVa+hAVfroQ=
 github.com/kcp-dev/kcp/sdk v0.28.1-0.20250926104223-cec2e15f24c6 h1:bOR4mdLD24VCJRrHxmtTh21AdbbzkBBKkEh0ngL+XTc=
@@ -143,6 +148,8 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/oapi-codegen/runtime v1.1.2 h1:P2+CubHq8fO4Q6fV1tqDBZHCwpVpvPg7oKiYzQgXIyI=
+github.com/oapi-codegen/runtime v1.1.2/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
 github.com/onsi/ginkgo/v2 v2.22.1 h1:QW7tbJAUDyVDVOM5dFa7qaybo+CRfR7bemlQUN6Z8aM=
 github.com/onsi/ginkgo/v2 v2.22.1/go.mod h1:S6aTpoRsSq2cZOd+pssHAlKW/Q/jZt6cPrPlnj4a1xM=
 github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
@@ -199,6 +206,7 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
+github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

internal/config/config.go

@@ -2,9 +2,8 @@ package config
 
 type InviteConfig struct {
 	KeycloakBaseURL      string `mapstructure:"invite-keycloak-base-url"`
-	KeycloakClientID     string `mapstructure:"invite-keycloak-client-id" default:"admin-cli"`
-	KeycloakUser         string `mapstructure:"invite-keycloak-user" default:"keycloak-admin"`
-	KeycloakPasswordFile string `mapstructure:"invite-keycloak-password-file" default:"/var/run/secrets/keycloak/password"`
+	KeycloakClientID     string `mapstructure:"invite-keycloak-client-id" default:"security-operator"`
+	KeycloakClientSecret string `mapstructure:"invite-keycloak-client-secret"`
 }
 
 // Config struct to hold the app config

internal/controller/invite_controller.go

@@ -2,7 +2,6 @@ package controller // coverage-ignore
 
 import (
 	"context"
-	"os"
 
 	platformeshconfig "github.com/platform-mesh/golang-commons/config"
 	"github.com/platform-mesh/golang-commons/controller/lifecycle/builder"
@@ -24,12 +23,7 @@ type InviteReconciler struct {
 }
 
 func NewInviteReconciler(ctx context.Context, mgr mcmanager.Manager, cfg *config.Config, log *logger.Logger) *InviteReconciler {
-	pwd, err := os.ReadFile(cfg.Invite.KeycloakPasswordFile)
-	if err != nil {
-		log.Fatal().Err(err).Msg("Failed to read keycloak password file")
-	}
-
-	inviteSubroutine, err := invite.New(ctx, cfg, mgr, string(pwd))
+	inviteSubroutine, err := invite.New(ctx, cfg, mgr)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to create invite subroutine")
 	}

internal/subroutine/invite/subroutine.go

@@ -14,14 +14,14 @@ import (
 	lifecyclesubroutine "github.com/platform-mesh/golang-commons/controller/lifecycle/subroutine"
 	"github.com/platform-mesh/golang-commons/errors"
 	"github.com/platform-mesh/golang-commons/logger"
-	"golang.org/x/oauth2"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	mccontext "sigs.k8s.io/multicluster-runtime/pkg/context"
 	mcmanager "sigs.k8s.io/multicluster-runtime/pkg/manager"
 
 	"github.com/platform-mesh/security-operator/api/v1alpha1"
 	"github.com/platform-mesh/security-operator/internal/config"
+	"golang.org/x/oauth2/clientcredentials"
 )
 
 const (
@@ -48,29 +48,27 @@ type keycloakClient struct {
 	ClientID string `json:"clientId,omitempty"`
 }
 
-func New(ctx context.Context, cfg *config.Config, mgr mcmanager.Manager, pwd string) (*subroutine, error) {
+func New(ctx context.Context, cfg *config.Config, mgr mcmanager.Manager) (*subroutine, error) {
 
 	issuer := fmt.Sprintf("%s/realms/master", cfg.Invite.KeycloakBaseURL)
 	provider, err := oidc.NewProvider(ctx, issuer)
 	if err != nil {
 		return nil, err
 	}
 
-	config := oauth2.Config{
-		ClientID: cfg.Invite.KeycloakClientID,
-		Endpoint: provider.Endpoint(),
+	cCfg := clientcredentials.Config{
+		ClientID:     cfg.Invite.KeycloakClientID,
+		ClientSecret: cfg.Invite.KeycloakClientSecret,
+		TokenURL:     provider.Endpoint().TokenURL,
 	}
 
-	token, err := config.PasswordCredentialsToken(ctx, cfg.Invite.KeycloakUser, pwd)
-	if err != nil {
-		return nil, err
-	}
+	httpClient := cCfg.Client(ctx)
 
 	return &subroutine{
 		keycloakBaseURL: cfg.Invite.KeycloakBaseURL,
 		baseDomain:      cfg.BaseDomain,
 		mgr:             mgr,
-		keycloak:        config.Client(ctx, token),
+		keycloak:        httpClient,
 	}, nil
 }
 

internal/subroutine/invite/subroutine_test.go

@@ -350,10 +350,10 @@ func TestSubroutineProcess(t *testing.T) {
 			s, err := invite.New(ctx, &config.Config{
 				Invite: config.InviteConfig{
 					KeycloakBaseURL:  srv.URL,
-					KeycloakClientID: "admin-cli",
+					KeycloakClientID: "security-operator",
 				},
 				BaseDomain: "portal.dev.local:8443",
-			}, mgr, "password")
+			}, mgr)
 			assert.NoError(t, err)
 
 			l := testlogger.New()
@@ -382,9 +382,9 @@ func TestHelperFunctions(t *testing.T) {
 	s, err := invite.New(ctx, &config.Config{
 		Invite: config.InviteConfig{
 			KeycloakBaseURL:  srv.URL,
-			KeycloakClientID: "admin-cli",
+			KeycloakClientID: "security-operator",
 		},
-	}, nil, "password")
+	}, nil)
 	assert.NoError(t, err)
 
 	assert.Equal(t, "Invite", s.GetName())