How to Configure Client Secret from Secret in Auth Resources

Last updated: April 14, 2025

When using the clientSecretFromSecret feature in Auth resources (available in Auth v2.1.0+), you need to properly configure both your Auth resource and the referenced Kubernetes secret.

Prerequisites

  • Auth module version 2.1.0 or higher

  • A Kubernetes secret containing your client secret

Configuration Steps

1. Create the Kubernetes Secret

Create a secret in the same namespace as your stack with the following requirements:

  • The secret must have a label (not annotation) of formance.com/stack: [organizationID]-[stackID]

Example secret configuration:

apiVersion: v1
kind: Secret
metadata:
  name: auth-delegation-client
  namespace: your-stack-namespace
  labels:
    formance.com/stack: your-org-your-stack
stringData:
  client.secret: "your-secret-value"
type: Opaque

2. Configure the Auth Resource

Reference the secret in your Auth resource using clientSecretFromSecret:

apiVersion: formance.com/v1beta1
kind: Auth
metadata:
  name: your-auth-name
spec:
  delegatedOIDCServer:
    clientID: your_client_id
    clientSecretFromSecret:
      key: client.secret
      name: auth-delegation-client
    issuer: https://your-issuer-url

Verification

After proper configuration, you can verify the setup by checking:

  1. A ResourceReference custom resource should be created with your stack ID and secret name

  2. The ResourceReference status should show "Up to date" and "Ready: true"

  3. The Auth pod should start successfully without secret-related errors

Common Issues:

  • Setting formance.com/stack as an annotation instead of a label prevents the secret from being referenced

  • The secret must be in the same namespace as your stack

  • Ensure you're using Auth v2.1.0 or higher, as this feature is not available in earlier versions
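
The following pre-flight check is an added example, not part of the original page or of the Formance operator. It runs the label, namespace, name and key checks from the list above against the JSON form of the two objects (for instance the output of kubectl get ... -o json). The helper name check_secret_reference and the sample objects are assumptions constructed for illustration.

```python
import json

STACK_LABEL = "formance.com/stack"  # label key required by the page


def check_secret_reference(secret, auth, stack_namespace, stack_label_value):
    """Return a list of problems (empty means consistent). Reads key names only."""
    problems = []
    meta = secret.get("metadata", {})
    ref = (auth.get("spec", {}).get("delegatedOIDCServer", {})
           .get("clientSecretFromSecret"))
    if not ref:
        return ["Auth has no spec.delegatedOIDCServer.clientSecretFromSecret"]

    # The key must appear under labels; the same key under annotations does not count.
    label = (meta.get("labels") or {}).get(STACK_LABEL)
    if label is None:
        if STACK_LABEL in (meta.get("annotations") or {}):
            problems.append(f"{STACK_LABEL} is set as an annotation, not a label")
        else:
            problems.append(f"label {STACK_LABEL} is missing")
    elif label != stack_label_value:
        problems.append(f"label {STACK_LABEL} is {label!r}, expected {stack_label_value!r}")

    if meta.get("namespace") != stack_namespace:
        problems.append("secret is not in the stack namespace")
    if meta.get("name") != ref.get("name"):
        problems.append("secret name does not match clientSecretFromSecret.name")

    # A stored Secret lists its keys under data; a manifest may use stringData.
    keys = set(secret.get("data") or {}) | set(secret.get("stringData") or {})
    if ref.get("key") not in keys:
        problems.append(f"key {ref.get('key')!r} not found in the secret")
    return problems


# Constructed sample input mirroring the manifests above; the Secret carries the
# stack key as an annotation (the first common issue) and a placeholder value.
SAMPLE_AUTH = json.loads("""{"spec": {"delegatedOIDCServer": {"clientID": "your_client_id",
  "clientSecretFromSecret": {"key": "client.secret", "name": "auth-delegation-client"}}}}""")
SAMPLE_SECRET = json.loads("""{"metadata": {"name": "auth-delegation-client",
  "namespace": "your-stack-namespace",
  "annotations": {"formance.com/stack": "your-org-your-stack"}},
  "data": {"client.secret": "cGxhY2Vob2xkZXI="}}""")

if __name__ == "__main__":
    args = (SAMPLE_SECRET, SAMPLE_AUTH, "your-stack-namespace", "your-org-your-stack")
    print(check_secret_reference(*args) or "OK")
```

The check never decodes or prints the secret value, so its output is safe to keep in CI logs.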