Merge pull request #681 from hanzjk/patch-10.3

hanzjk · web-flow · commit 4a160e512cd0 · 2026-04-08T11:45:14.000+05:30
Update OAuth method for workload publisher
diff --git a/deployments/helm-charts/wso2-amp-build-extension/templates/cluster-workflow-templates/generate-workload.yaml b/deployments/helm-charts/wso2-amp-build-extension/templates/cluster-workflow-templates/generate-workload.yaml
@@ -147,16 +147,11 @@ spec:
             CLIENT_SECRET="${OAUTH_CLIENT_SECRET}"
 
             echo "Requesting OAuth token from ${OAUTH_URL}..."
-            # Use client_secret_basic: credentials in Authorization header (Base64 encoded, no newlines)
-            BASIC_AUTH=$(echo -n "${CLIENT_ID}:${CLIENT_SECRET}" | base64 | tr -d '\n')
-            
-
             TOKEN_RESPONSE=$(curl -s --fail-with-body \
               -X POST "${OAUTH_URL}" \
               -H "Host: ${OAUTH_HOST}" \
               -H "Content-Type: application/x-www-form-urlencoded" \
-              -H "Authorization: Basic ${BASIC_AUTH}" \
-              -d "grant_type=client_credentials")
+              -d "grant_type=client_credentials&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}")
 
             ACCESS_TOKEN=$(echo "${TOKEN_RESPONSE}" | jq -r '.access_token')
 
diff --git a/deployments/helm-charts/wso2-amp-thunder-extension/values.yaml b/deployments/helm-charts/wso2-amp-thunder-extension/values.yaml
@@ -134,12 +134,12 @@ thunder:
     # Workload Publisher Client configuration (for CI workflows to create workloads)
     workloadPublisherClient:
       clientId: "openchoreo-workload-publisher-client" # clusterauthzrolebinding is already created with this clientId by openchoreo, so it should not be changed unless the corresponding ClusterAuthzRoleBinding is also updated
-      clientSecret: "openchoreo-workload-publisher-client-secret"
+      clientSecret: "openchoreo-workload-publisher-secret"
       name: "Workload Publisher"
       description: "OpenChoreo Workload Publisher Client for creating workloads from CI workflows"
       grantTypes:
         - "client_credentials"
-      tokenEndpointAuthMethod: "client_secret_basic"
+      tokenEndpointAuthMethod: "client_secret_post"
       pkceRequired: false
       publicClient: false
       accessTokenValidityPeriod: 3600
diff --git a/deployments/single-cluster/values-openbao.yaml b/deployments/single-cluster/values-openbao.yaml
@@ -39,7 +39,7 @@ server:
         policies=openchoreo-secret-writer-policy ttl=20m
 
       # Workflow Plane
-      bao kv put secret/workflow-plane-oauth-client-secret value="openchoreo-workload-publisher-client-secret"
+      bao kv put secret/workflow-plane-oauth-client-secret value="openchoreo-workload-publisher-secret"
       
       # Observer (observability)
       bao kv put secret/observer-oauth-client-secret value="openchoreo-observer-resource-reader-client-secret"
