move oidc issuer_url and client_id to env vars, rename secret to oidc_secret

Only oidc_client_secret is actually sensitive — issuer_url and client_id
are now plain env vars. Renamed oidc_client_secret to oidc_secret to
pass abra lint. Updated README with accurate quickstart and OIDC setup.
Entrypoint guards git commands for min image compatibility.

.env.sample

@@ -21,9 +21,9 @@ COMPOSE_FILE="compose.yml"
 
 # SSO/OIDC (uncomment to enable)
 #COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
-#SECRET_OIDC_ISSUER_URL_VERSION=v1       # generate=false
-#SECRET_OIDC_CLIENT_ID_VERSION=v1        # generate=false
-#SECRET_OIDC_CLIENT_SECRET_VERSION=v1    # generate=false
+#OIDC_ISSUER_URL=https://keycloak.example.com/realms/myrealm
+#OIDC_CLIENT_ID=lichen
+#SECRET_OIDC_SECRET_VERSION=v1    # generate=false
 # Secrets
 SECRET_ADMIN_PASSWORD_VERSION=v1
 

README.md

@@ -40,21 +40,19 @@ When using the minimal image, set `AUTH_PROVIDERS=file` (or `file,oidc` with OID
 
 ## SSO/OIDC
 
-To enable OIDC login, uncomment the OIDC overlay and secret versions in your app config:
+To enable OIDC login, uncomment the OIDC overlay and set your provider details in your app config:
 
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
-SECRET_OIDC_ISSUER_URL_VERSION=v1
-SECRET_OIDC_CLIENT_ID_VERSION=v1
-SECRET_OIDC_CLIENT_SECRET_VERSION=v1
+OIDC_ISSUER_URL=https://keycloak.example.com/realms/myrealm
+OIDC_CLIENT_ID=lichen
+SECRET_OIDC_SECRET_VERSION=v1
 ```
 
-Then insert the secrets:
+Then insert the client secret:
 
 ```
-abra app secret insert YOURAPPDOMAIN oidc_issuer_url v1 https://keycloak.example.com/realms/myrealm
-abra app secret insert YOURAPPDOMAIN oidc_client_id v1 lichen
-abra app secret insert YOURAPPDOMAIN oidc_client_secret v1 YOUR_CLIENT_SECRET
+abra app secret insert YOURAPPDOMAIN oidc_secret v1 YOUR_CLIENT_SECRET
 ```
 
 Add `oidc` to your `AUTH_PROVIDERS` (e.g. `AUTH_PROVIDERS=file,oidc`) and redeploy.

compose.oidc.yml

@@ -5,18 +5,12 @@ services:
   app:
     environment:
       - OIDC_ENABLED=true
+      - OIDC_ISSUER_URL=${OIDC_ISSUER_URL}
+      - OIDC_CLIENT_ID=${OIDC_CLIENT_ID}
     secrets:
-      - oidc_issuer_url
-      - oidc_client_id
-      - oidc_client_secret
+      - oidc_secret
 
 secrets:
-  oidc_issuer_url:
+  oidc_secret:
     external: true
-    name: ${STACK_NAME}_oidc_issuer_url_${SECRET_OIDC_ISSUER_URL_VERSION}
-  oidc_client_id:
-    external: true
-    name: ${STACK_NAME}_oidc_client_id_${SECRET_OIDC_CLIENT_ID_VERSION}
-  oidc_client_secret:
-    external: true
-    name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
+    name: ${STACK_NAME}_oidc_secret_${SECRET_OIDC_SECRET_VERSION}

compose.yml

@@ -32,7 +32,7 @@ services:
         max_attempts: 5
       labels:
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.1+0.1.9"
+        - "coop-cloud.${STACK_NAME}.version=0.1.2+v0.1.9"
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
     healthcheck:
       test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:9000/tls-check"]

lichen.toml.tmpl

@@ -1,6 +1,6 @@
 {{ if env "OIDC_ENABLED" }}
 [oidc]
-issuer_url = "{{ secret "oidc_issuer_url" }}"
-client_id = "{{ secret "oidc_client_id" }}"
-client_secret = "{{ secret "oidc_client_secret" }}"
+issuer_url = "{{ env "OIDC_ISSUER_URL" }}"
+client_id = "{{ env "OIDC_CLIENT_ID" }}"
+client_secret = "{{ secret "oidc_secret" }}"
 {{ end }}