From 578d968120a1d34e458adfc6c2a678347b49cdde Mon Sep 17 00:00:00 2001
From: BryanFRD
Date: Tue, 16 Jun 2026 19:02:15 +0200
Subject: [PATCH] fix: correct FerrVault SAT prefix to fvsat_ and drop dead DefaultAudience const

---
 api/ferrvault/v1alpha1/connectionspec_types.go | 13 ++++++-------
 .../ferrvault_v1alpha1_ferrvaultconnection.yaml | 2 +-
 internal/ferrvault/client.go | 2 +-
 3 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/api/ferrvault/v1alpha1/connectionspec_types.go b/api/ferrvault/v1alpha1/connectionspec_types.go
index e970d71..af068bc 100644
--- a/api/ferrvault/v1alpha1/connectionspec_types.go
+++ b/api/ferrvault/v1alpha1/connectionspec_types.go
@@ -20,7 +20,7 @@ type ConnectionSpec struct {
 	// Auth via `tokenSecretRef` (`ffclust_…` / `fft_…`) or `oidc`.
 	//
 	// - `ferrvault` — new FerrVault SaaS, flat `/v1/operator/secrets/reveal`
-	// surface. Auth via a Service-Account Token (`sat_…`) bound to a
+	// surface. Auth via a Service-Account Token (`fvsat_…`) bound to a
 	// specific vault. `organization` is ignored; the `project` field on
 	// each secret is ignored too — the SAT scopes everything.
 	//
@@ -91,8 +91,11 @@ type OIDCAuth struct {
 	TokenPath string `json:"tokenPath,omitempty"`
 
 	// Audience the projected ServiceAccount token declares in its `aud`
-	// claim. Must match `EXPECTED_AUDIENCE` on the FerrVault side
-	// (`https://ferrflow.com`). Defaults to that value when omitted.
+	// claim. Must match the audience the target API is configured to
+	// expect: for `ferrvault` mode, the FerrVault API's
+	// `FERRVAULT_JWT_AUDIENCE` (unset there = no audience check); for
+	// `cloud` mode, the FerrFlow API's expected audience. Leave empty
+	// when the target performs no audience validation.
 	//
 	// +optional
 	Audience string `json:"audience,omitempty"`
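Review bot: The new `Audience` comment advises "Leave empty when the target performs no audience validation" but does not say what the operator does with an empty value, and the old "Defaults to that value when omitted" sentence is gone without a replacement. If the field is passed straight into a projected ServiceAccount token volume (the projection code is not in this hunk, so this is inferred), an empty audience does not yield an audience-less token — Kubernetes substitutes the API server's own audience — so the configuration only works because the target is not checking `aud` at all, which also means any cluster token minted for any audience would be accepted there. The comment should make that trade-off explicit so the empty setting is not copied into production: `// Empty is only appropriate when the target has deliberately disabled audience validation; set a dedicated audience otherwise so tokens issued for other audiences (e.g. the API server's own) are not accepted.` It should also state whether the operator forwards an empty value unchanged or substitutes something. The `OIDCAuth` struct starts and ends outside this hunk.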
@@ -109,10 +112,6 @@ const (
 // a single source of truth.
 const DefaultTokenPath = "/var/run/secrets/ferrvault/token"
 
-// DefaultAudience matches the FerrVault API's `EXPECTED_AUDIENCE` constant.
-// Changing this is a coordinated breaking change across both repos.
-const DefaultAudience = "https://ferrflow.com"
-
 // ResolvedMode returns the effective Mode for the connection spec, applying
 // the `ferrvault` default for empty values so callers don't have to repeat it.
 func (s ConnectionSpec) ResolvedMode() string {
diff --git a/config/samples/ferrvault_v1alpha1_ferrvaultconnection.yaml b/config/samples/ferrvault_v1alpha1_ferrvaultconnection.yaml
index f70a507..3a5fb01 100644
--- a/config/samples/ferrvault_v1alpha1_ferrvaultconnection.yaml
+++ b/config/samples/ferrvault_v1alpha1_ferrvaultconnection.yaml
@@ -16,4 +16,4 @@ metadata:
   namespace: my-app
 type: Opaque
 stringData:
-  token: sat_REPLACE_ME_WITH_VALUE_FROM_FERRVAULT_UI
+  token: fvsat_REPLACE_ME_WITH_VALUE_FROM_FERRVAULT_UI
diff --git a/internal/ferrvault/client.go b/internal/ferrvault/client.go
index fd113c1..636d852 100644
--- a/internal/ferrvault/client.go
+++ b/internal/ferrvault/client.go
@@ -312,7 +312,7 @@ type vaultRevealResponse struct {
 // RevealFromVault fetches `names` from the named FerrVault vault via the new
 // `POST /v1/operator/secrets/reveal` endpoint. `names` is optional — pass an
 // empty slice to pull every secret the SAT can see. The token is interpreted
-// as a SAT (`sat_…`) and bound server-side to a specific vault; `vault` here
+// as a SAT (`fvsat_…`) and bound server-side to a specific vault; `vault` here
 // must match the SAT's vault scope or the API responds 403.
 //
 // The result is mapped onto `BulkRevealResponse` so the controller can stay
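Review bot: `DefaultAudience` is an exported constant in the `v1alpha1` API package, so deleting it outright is an API break for any out-of-tree importer of these types even if, as the commit title says, nothing in this module references it — an in-module build does not prove external callers are clean. If the API package is consumed by other repositories, the lower-risk path is to keep the symbol for one release with a deprecation marker, e.g. `// Deprecated: no longer used by the operator; set OIDCAuth.Audience explicitly.` above the existing `const DefaultAudience = "https://ferrflow.com"`, and remove it in the next API bump. If the package is internal to this repo only, a sentence in the commit description saying so would settle the question. `ResolvedMode` begins in this hunk but its body is outside it.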