refactor

.github/copilot-instructions.md

@@ -12,11 +12,12 @@ Multi-tenant SCIM 2.0 Service Provider (RFC 7643/7644) with five Maven modules:
 | `scim-validator` | Groovy/Spock SCIM compliance suite (REST Assured) | - |
 | `scim-validator-mgmt` | Validator run/inspection management service | 8082 |
 
-Multi-tenancy is workspace-based. SCIM routes are scoped to `/ws/{workspaceId}/scim/v2/**`.
+Multi-tenancy is workspace-based. SCIM routes are scoped to `/ws/{workspaceId}/scim/v2/**`,
+and the current implementation expects `workspaceId` to be a UUID.
 
-- `BearerTokenAuthFilter` resolves workspace by UUID or name from the path.
+- `BearerTokenAuthFilter` extracts the workspace UUID from the path and validates that the token belongs to that workspace.
 - Bearer tokens are validated via SHA-256 hash lookup (`WorkspaceTokenRepository.findByTokenHashAndNotRevoked`).
-- `WorkspaceContext` (ThreadLocal) carries workspace/token for downstream services.
+- There is no `WorkspaceContext` ThreadLocal anymore; controllers resolve the workspace UUID from the route and pass it explicitly into services.
 - All core SCIM entities are workspace-scoped with `workspace_id` foreign keys.
 
 Compatibility mode is route-based and extensible:
@@ -34,6 +35,8 @@ Management security is profile-based:
 - Default profile is `azure`, using interactive Azure OIDC login.
 - `cloudflare` profile switches the management apps to JWT resource-server mode.
 - Cloudflare mode reads the token from `Cf-Access-Jwt-Assertion` by default and maps roles from a configurable claim.
+- Management user persistence is email-based in both management modules; resolved emails are normalized and stored as the primary key.
+- Management access now expects a usable email claim from OIDC/JWT principals.
 - Shared helpers live in `scim-server-common` (`AzureOidcSecuritySupport`, `CloudflareJwtSecuritySupport`, `MgmtSecuritySupport`).
 
 Kubernetes support is split into two trees:
@@ -55,8 +58,8 @@ The root `.sops.yaml` defines the active age recipient.
 # Full reactor build
 mvn clean install
 
-# Build without SCIM validator module
-mvn clean install -pl '!scim-validator'
+# Full reactor build without running validator specs
+mvn clean install -Dskip.validator.tests=true
 
 # API local mode (requires datasource env vars and ACTUATOR_API_KEY)
 cd scim-server-api && mvn spring-boot:run
@@ -87,13 +90,15 @@ Docker default ports:
 - API `:8080`
 - Mgmt `:8081`
 - Validator Mgmt `:8082`
-- PostgreSQL `:5432`
+- Playground PostgreSQL `:5432`
+- Validator PostgreSQL `:5433`
 
 Operational notes:
 
 - `docker-compose.yml` loads `docker/env/cloudflare.env` into the management apps.
 - Kubernetes manifests set `SPRING_PROFILES_ACTIVE=cloudflare` for the management apps.
 - Application services in Kubernetes are `ClusterIP`; Cloudflare tunnel is the external-access path in this branch.
+- No repository-specific `DOCKER_HOST` or `TESTCONTAINERS_DOCKER_SOCKET_OVERRIDE` overrides are required for local Testcontainers runs; use the default local Docker Desktop / Docker Engine setup.
 
 ## Validator Execution
 
@@ -107,11 +112,15 @@ cd scim-validator && mvn test
 Notes from `ScimBaseSpec`:
 
 - By default, the validator can bootstrap PostgreSQL plus `edipal/scim-server-api:latest` when explicit `SCIM_*` settings are not provided.
+- Bootstrap selection is based on whether a usable target is configured, not on the presence of the default `SCIM_API_URL` placeholder value.
 - Disable automatic bootstrap with `SCIM_TESTCONTAINERS_ENABLED=false` or `-Dscim.testcontainers.enabled=false` when targeting an existing environment.
 - You can alternatively set `SCIM_BASE_URL` (full path, including `/ws/{workspaceId}/scim/v2`).
 - You can also provide `SCIM_API_URL` together with `SCIM_WORKSPACE_ID`.
 - `SCIM_AUTH_TOKEN` is required for validator runs.
 - `SCIM_WORKSPACE_ID` is required unless `SCIM_BASE_URL` is provided.
+- Validator config is loaded from `validator-application.yml` in test resources to avoid `application.yml` collisions when the validator test JAR is consumed by `scim-validator-mgmt`.
+- `ValidatorConfiguration` accepts both `SCIM_*` placeholders and dotted JVM properties such as `scim.baseUrl`, `scim.authToken`, `scim.apiUrl`, and `scim.workspaceId`, because `scim-validator-mgmt` sets dotted properties before loading validator specs.
+- The validator `tests` classifier JAR is packaged after test resources are copied (`test-compile`) so downstream consumers receive `validator-application.yml`.
 
 ## Code Conventions
 
@@ -136,17 +145,23 @@ Notes from `ScimBaseSpec`:
 - Workspace-scoped uniqueness:
 	- `scim_users`: `(workspace_id, user_name)`
 	- `scim_groups`: `(workspace_id, display_name)`
+- Management ownership data is email-keyed:
+	- `mgmt_users.email` is the primary key
+	- `validator_mgmt_users.email` is the primary key
+	- `validation_run.created_by_email` is a foreign key to `validator_mgmt_users(email)`
+- `workspaces.created_by_username` is sized for email-style owner values (`VARCHAR(500)`).
 - `ScimUser` flattens `name.*` and enterprise extension sub-attributes into columns.
-- Multi-valued user attributes are dedicated child entities with `@OneToMany(cascade = ALL, orphanRemoval = true)`:
+
+- Multi-valued user attributes on `ScimUser` are JSON-backed lists, not `@OneToMany` child entities:
 	- `emails`, `phoneNumbers`, `addresses`, `entitlements`, `roles`, `ims`, `photos`, `x509Certificates`
 
 ## Key SCIM Components
 
-- `ScimFilterParser` (`~378` lines): recursive-descent filter parser to JPA `Specification<T>`.
+- `ScimFilterParser`: recursive-descent filter parser to JPA `Specification<T>`.
 	- operators: `eq ne co sw ew pr gt ge lt le`
 	- logic: `and or not`, grouping with parentheses
 	- supports `name.*`, `meta.*`, and enterprise extension attribute paths
-- `ScimPatchEngine` (`~850` lines): RFC 7644 PATCH processing with path parsing and filtered multi-valued operations.
+- `ScimPatchEngine`: RFC 7644 PATCH processing with path parsing and filtered multi-valued operations.
 - `ScimSchemaDefinitions`: source of truth for discovery/schema responses.
 
 When adding or changing attributes, keep parser, mapper, patch, and schema definitions aligned.
@@ -179,7 +194,7 @@ If you modify management authentication or deployment behavior, also review:
 
 ## Adding A New SCIM Attribute
 
-1. Extend `ScimUser`/`ScimGroup` (or add child entity in `scim-server-common` when multi-valued).
+1. Extend `ScimUser`/`ScimGroup` (or add a JSON-backed value object and list field in `scim-server-common` when the attribute is multi-valued).
 2. Update mapper read/write paths in `scim-server-api`.
 3. Add PATCH support in `ScimPatchEngine` when applicable.
 4. Add schema metadata in `ScimSchemaDefinitions`.

README.md

@@ -32,8 +32,9 @@ combines:
   SOPS-encrypted secrets, and Cloudflare Tunnel integration
 
 The design centers on workspace isolation. Every SCIM request is scoped to a
-workspace via `/ws/{workspaceId}/scim/v2/**`, and every core SCIM entity is
-stored with a `workspace_id` foreign key.
+workspace via `/ws/{workspaceId}/scim/v2/**`; the current implementation
+requires `workspaceId` to be a UUID, and every core SCIM entity is stored with
+a `workspace_id` foreign key.
 
 ## What It Implements
 
@@ -68,23 +69,24 @@ playground service provider:
 
 ### Request model
 
-1. A client calls a SCIM endpoint under `/ws/{workspaceId}/scim/v2/**`.
-2. `BearerTokenAuthFilter` extracts the workspace identifier from the path.
-3. The filter accepts either a workspace UUID or a workspace name.
+1. A client calls a SCIM endpoint under `/ws/{workspaceId}/scim/v2/**` using a
+  workspace UUID.
+2. `BearerTokenAuthFilter` extracts the workspace UUID from the path.
+3. Non-UUID workspace identifiers are rejected with a SCIM `404` response.
 4. The bearer token is hashed with SHA-256 and looked up through
    `WorkspaceTokenRepository.findByTokenHashAndNotRevoked(...)`.
 5. If the token belongs to the resolved workspace and is not expired or
-   revoked, `WorkspaceContext` is populated for downstream services.
-6. After authentication, the SCIM controllers and services operate only inside
-   that workspace boundary.
+  revoked, the request is allowed through the filter chain.
+6. The SCIM controllers resolve the workspace UUID from the route and pass it
+  explicitly into services; there is no workspace ThreadLocal context.
 7. `RequestResponseLoggingFilter` captures the request and response payloads for
    later inspection in the management UI.
 
 ### Multi-tenancy
 
 Multi-tenancy is workspace-based rather than host-based:
 
-- workspace identity comes from the route, not from JWT claims
+- workspace identity comes from the route UUID, not from JWT claims
 - the same bearer-token model works across all SCIM resources
 - uniqueness constraints are scoped by workspace
 - request logs and statistics are workspace-scoped
@@ -131,16 +133,16 @@ Key capabilities:
 Main routes:
 
 - UI root: `/`
-- Workspace UI: `/ui/workspaces/{workspaceId}`
-- Management API root: `/api/management/**`
+- Workspace UI: `/workspaces/{workspaceId}`
+- Management API root: `/api/**`
 
 Representative management API endpoints:
 
-- `POST /api/management/workspaces`
-- `GET /api/management/workspaces`
-- `POST /api/management/workspaces/{workspaceId}/tokens`
-- `GET /api/management/workspaces/{workspaceId}/logs`
-- `POST /api/management/workspaces/{workspaceId}/generate/{kind}`
+- `POST /api/workspaces`
+- `GET /api/workspaces`
+- `POST /api/workspaces/{workspaceId}/tokens`
+- `GET /api/workspaces/{workspaceId}/logs`
+- `POST /api/workspaces/{workspaceId}/generate/{kind}`
 
 Supported generator kinds:
 
@@ -196,8 +198,10 @@ Some repository-specific implementation details matter if you extend the code:
 
 - `ScimUser` flattens `name.*` and enterprise extension manager fields into
   columns.
-- multi-valued user attributes are modeled as dedicated child entities with
-  `cascade = ALL` and `orphanRemoval = true`.
+- multi-valued user attributes are stored as JSON columns on `scim_users`,
+  backed by list fields on `ScimUser`; Flyway
+  `V2__migrate_user_collections_to_json.sql` removed the old dedicated child
+  tables.
 - `ScimUser` and `ScimGroup` use optimistic locking through `@Version`, which is
   surfaced as weak SCIM `ETag` values.
 - group membership uses a polymorphic `memberValue` identifier, so delete flows
@@ -207,7 +211,7 @@ Some repository-specific implementation details matter if you extend the code:
 ## Tech Stack
 
 - Java 17
-- Spring Boot 3.5.12
+- Spring Boot 3.5.13
 - Spring MVC, Spring Security, Spring Data JPA, Thymeleaf
 - PostgreSQL for the main playground and validator persistence stores
 - CloudNativePG for Kubernetes PostgreSQL clustering
@@ -343,7 +347,7 @@ Notes:
 - The management deployments set `SPRING_PROFILES_ACTIVE=cloudflare`.
 - The API deployment stays on its regular bearer-token model.
 - The manifests reference published container images such as
-  `edipal/scim-server-api:1.0.6`.
+  `edipal/scim-server-api:1.0.8`.
 
 ### Kubernetes secrets and age rotation
 
@@ -464,18 +468,18 @@ token is only shown once. At rest, only the SHA-256 hash is stored.
 
 ### 5. Call the SCIM API
 
-Use the workspace UUID or workspace name in the route.
+Use the workspace UUID in the route.
 
 Example discovery request:
 
 ```bash
 export SCIM_TOKEN=<workspace-token>
-export WORKSPACE_ID=<workspace-uuid-or-name>
+export WORKSPACE_UUID=<workspace-uuid>
 
 curl \
   -H "Authorization: Bearer ${SCIM_TOKEN}" \
   -H "Accept: application/scim+json" \
-  http://localhost:8080/ws/${WORKSPACE_ID}/scim/v2/ServiceProviderConfig
+  http://localhost:8080/ws/${WORKSPACE_UUID}/scim/v2/ServiceProviderConfig
 ```
 
 Example user creation:
@@ -486,7 +490,7 @@ curl \
   -H "Authorization: Bearer ${SCIM_TOKEN}" \
   -H "Content-Type: application/scim+json" \
   -H "Accept: application/scim+json" \
-  http://localhost:8080/ws/${WORKSPACE_ID}/scim/v2/Users \
+  http://localhost:8080/ws/${WORKSPACE_UUID}/scim/v2/Users \
   -d '{
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "userName": "alice@example.com",
@@ -540,7 +544,7 @@ pass the SCIM target via CLI properties:
 cd scim-validator
 mvn test \
   -Dscim.testcontainers.enabled=false \
-  -Dscim.baseUrl=http://localhost:8080/ws/<workspace-id-or-name>/scim/v2 \
+  -Dscim.baseUrl=http://localhost:8080/ws/<workspace-uuid>/scim/v2 \
   -Dscim.authToken=<workspace-token>
 ```
 
@@ -551,14 +555,14 @@ cd scim-validator
 mvn test \
   -Dscim.testcontainers.enabled=false \
   -Dscim.apiUrl=http://localhost:8080 \
-  -Dscim.workspaceId=<workspace-id-or-name> \
+  -Dscim.workspaceId=<workspace-uuid> \
   -Dscim.authToken=<workspace-token>
 ```
 
 Environment variables remain supported as well:
 
 ```bash
-export SCIM_BASE_URL=http://localhost:8080/ws/<workspace-id-or-name>/scim/v2
+export SCIM_BASE_URL=http://localhost:8080/ws/<workspace-uuid>/scim/v2
 export SCIM_AUTH_TOKEN=<workspace-token>
 
 cd scim-validator
@@ -569,15 +573,16 @@ Alternative environment model:
 
 ```bash
 export SCIM_API_URL=http://localhost:8080
-export SCIM_WORKSPACE_ID=<workspace-id-or-name>
+export SCIM_WORKSPACE_ID=<workspace-uuid>
 export SCIM_AUTH_TOKEN=<workspace-token>
 
 cd scim-validator
 mvn test
 ```
 
 The validator will derive the full base path from `SCIM_API_URL` and
-`SCIM_WORKSPACE_ID` if `SCIM_BASE_URL` is not provided.
+`SCIM_WORKSPACE_ID` if `SCIM_BASE_URL` is not provided. `SCIM_WORKSPACE_ID`
+must be the workspace UUID used by the API route.
 
 Mode selection:
 
@@ -586,8 +591,8 @@ Mode selection:
 
 Advanced overrides for the automatic bootstrap:
 
-- `SCIM_VALIDATOR_API_IMAGE` or `-Dscim.validator.apiImage=...`
-- `SCIM_VALIDATOR_POSTGRES_IMAGE` or `-Dscim.validator.postgresImage=...`
+- `SCIM_VALIDATOR_API_IMAGE` or `-Dscim.testcontainers.apiImage=...`
+- `SCIM_VALIDATOR_POSTGRES_IMAGE` or `-Dscim.testcontainers.postgresImage=...`
 
 ## CI/CD and Release Automation
 

k8s/app/database/secrets/scim-postgres-playground.sops.yaml

@@ -2,10 +2,12 @@ apiVersion: v1
 kind: Secret
 metadata:
     name: scim-postgres-playground
+    labels:
+        cnpg.io/reload: "true"
 type: kubernetes.io/basic-auth
 stringData:
     username: ENC[AES256_GCM,data:0kFhe469fgwyY51Zz2lZ,iv:O9KYvo8cjGKfmA4SmAt94RKlCXwIoZxBzUS0z0vFWS0=,tag:7S4cMRtfcNgJkqIGbQYZ8g==,type:str]
-    password: ENC[AES256_GCM,data:9YHNUR5KtwWpVuAi/BM9zrDnTAXCYhrTqHynvrCN3SjyJQ==,iv:I0llr3Yc6/jaFzqN8bzigvQJVFUGSuysyzVdi55F64E=,tag:0v+UVRoZBvGg/ahhAbi9YA==,type:str]
+    password: ENC[AES256_GCM,data:k9aU16ZFcYnzXvZsrbNVtGFcEitPV4hy,iv:PjL1J+yKsmtTsJ+d5o3yHD+xZMSk46jQwRx1+fuZBbM=,tag:Ko/CizQY+p3J+vrvfOg7Pg==,type:str]
 sops:
     age:
         - recipient: age1j0ka5qnc6cpldfavwstqg2u6k536ymxcjeatlceraa09dgvetq9s07jkkh
@@ -17,7 +19,7 @@ sops:
             S3ZYWE5Bd3UrcWE2UjMycmxNWnhDTEkKKuRerZjqbHyXK9uNMcoM/U7nA0MIgf1a
             ayqPpA9uNODmqan5dKHZwCtSTTzepGldi6kPD0QLSIPKw6Ne/ni1IA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-27T18:27:36Z"
-    mac: ENC[AES256_GCM,data:ulROGHRpDEPRXZQa+yKNLiz3AWs0hqIqD6/P2b4aQ6ENKT0pR2BLpFeOd0PNkEaFms9Tqh7gsFA+GL41NjqFAWc53SRPWybjLXbslNhxV1hhPt58886tmfHSkNqnraUXVzIJLsgE/OLxdlbu2FVoWEjCn9IJhmfDrjOVIcEdFZs=,iv:8dhhGTzxU4J0JfXef+3V6HWd5LEOcW5BloIQASY7noQ=,tag:1JNX5GS8BHH60I6DQmUv3w==,type:str]
+    lastmodified: "2026-04-10T14:28:06Z"
+    mac: ENC[AES256_GCM,data:nyCALSeNO82ilx/iBdrowL2Hj+IUGPGL5sAolWoiKFBg8GzBVvPhqMzTaLp4UATu8zehHMvZDqIkfl+NL2QmbOdrJMBdRXrQO+ehZULPnd8m+EuMpWXqx32C3+MqI6yiBk22w0fn6CWzxLt3SGcTlpOlIi6n5NIkfXtyyA2oO3M=,iv:+wBfkkY/dd6WM+0uNxIE6dGmNRG0lsKmeYvGsYjUqEk=,tag:7+ZQOq8+bA+oq41VZsYkdA==,type:str]
     encrypted_regex: ^(data|stringData)$
     version: 3.12.2

k8s/app/database/secrets/scim-postgres-superuser.sops.yaml

@@ -2,10 +2,12 @@ apiVersion: v1
 kind: Secret
 metadata:
     name: scim-postgres-superuser
+    labels:
+        cnpg.io/reload: "true"
 type: kubernetes.io/basic-auth
 stringData:
     username: ENC[AES256_GCM,data:RpP3Q+sju98=,iv:T/g4El6MGOhlVANGPFvMfeZSmSUmm0YTDZARlif1HRA=,tag:2fXRky8P7kODOWldiuttqQ==,type:str]
-    password: ENC[AES256_GCM,data:NfjkDVdQae2Lj1sVzRPA9n9NViONt3YA7BpdLmRdbsyObUv2/D4hFA+T,iv:H/O7uR241oI50gpG9SbdwcuNP3yQDCpVWwKJaiGiMM0=,tag:Lasrek9zvOVgLaQTaZRFSA==,type:str]
+    password: ENC[AES256_GCM,data:SGXVmF/IMZOBFZ/VBNt0gyx160kKfSpi,iv:Z71afVjFpW2Lm29WmeH8L77FyWQ3RtJcFqQbP/d4G5c=,tag:O2a08G8tMobJ6m7fHEWRTg==,type:str]
 sops:
     age:
         - recipient: age1j0ka5qnc6cpldfavwstqg2u6k536ymxcjeatlceraa09dgvetq9s07jkkh
@@ -17,7 +19,7 @@ sops:
             TC9VZ0lrQWVLZEF6UGNURHAwSFdKVDAKEN1fzcFkwE1AEhBQPINVmTC8ZuwcSOAt
             RDjfKMA3Tjnf4I1jjeuPdJGP1kviefiq6hsZlhvXfhi123Itgju3Hw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-27T17:34:28Z"
-    mac: ENC[AES256_GCM,data:akyDoGqWfM2GcCcIsnuN6oo4JwCpIBfqOb+1qcyJTqnELK1uo+H0BpG/O9fe/sd4S0VGRV3mkcCzSNNceIXmDszH7HToibA0/ZJq69VPivs9jivLIuuwEEOMld5T5ps54VUTQqdPMq0mkpVTRB8/hR7+R1pHm8Uy7K1WXvQBhcA=,iv:uLjD7ep3Z/sTFIuXJVro4mv5M73nAGBOJ/UXVJFGte4=,tag:Ub9d8ualxzEiEStrDdHhew==,type:str]
+    lastmodified: "2026-04-10T14:28:34Z"
+    mac: ENC[AES256_GCM,data:ixVk4pKBzQ8QgCMB8QDa7F55gxKo7HFPHvWU27bd2wLsdk12geR7u6tqvqcFQnhrbr+4gbuyTK43/kgr3xvzhi2m5Dn58T2ugR5NoRBApd6O3sAv55reeklVofkh3LMzmCEWs6kydmEW4RSJYOsBglpyLxVWc995/E2Yi8+0+Gc=,iv:ZWjPe5+UR8E52YouNBXEhVqJgpEPxXbecO9CrIGTE2I=,tag:LL4JVeEPw06VG2KMXG/h4Q==,type:str]
     encrypted_regex: ^(data|stringData)$
     version: 3.12.2

k8s/app/database/secrets/scim-postgres-validator.sops.yaml

@@ -2,10 +2,12 @@ apiVersion: v1
 kind: Secret
 metadata:
     name: scim-postgres-validator
+    labels:
+        cnpg.io/reload: "true"
 type: kubernetes.io/basic-auth
 stringData:
     username: ENC[AES256_GCM,data:RRhOPM4AwpJYBYMhUBo=,iv:skmebd/VxWfE5/CF8Q/JtWTHE9do9gh+XaReuXSuOm8=,tag:yn3+t6lMA3+YWjk/tardxA==,type:str]
-    password: ENC[AES256_GCM,data:9NcAKCeTxubh8Njh9nUyCI2EQ9aC0oF+UZAxkGeEb8Ht,iv:i0dK2Fx7DFHsrPatnuqQA4ksXqKj2ZlN4GvNwDrhCeg=,tag:NAjnRO8clbtvwRq8BVgucg==,type:str]
+    password: ENC[AES256_GCM,data:W8FlVgd8QGrc3dJNMhSAA9qSVjOLWt4z,iv:FNGOQMQQk+c6+IKZXpOXB+7iBPz5THb16w8SfY2J1b8=,tag:GMdR4vyNqrQLX0L6aYVe4g==,type:str]
 sops:
     age:
         - recipient: age1j0ka5qnc6cpldfavwstqg2u6k536ymxcjeatlceraa09dgvetq9s07jkkh
@@ -17,7 +19,7 @@ sops:
             ZFcwVHhzUm92Q3psQXR2WjBiWC9oVW8KRPK/RJiFoh76BJCvnJGCdtPS6CKXy1sP
             QiulBwudI0i1xbw58gw2QZ2my0UU/6VQyqvWnZ7YftqtUar1VDfxfg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-27T17:34:28Z"
-    mac: ENC[AES256_GCM,data:022nfA0wzoYDMaEvcod0OvHIN6mFdVyal0TVXWGXZBs98YDfG90RXzmuKcxp9rWydQXz4+nQN/BdwiaotEfHeTsyfHyy37j72RQy1D6nuFF6rzcelg0Y2lk3kqAcjon/MoJwfmfxArCHfKFPnDDi71aBuzEdiPnQnSic4aqkXlQ=,iv:Rt4zeq1gWdAMVrlLd8nRDwvtBmhcGX9tAlYYagV/7f0=,tag:+6E3Lwv0lk+JmpMC/T56NA==,type:str]
+    lastmodified: "2026-04-10T14:28:52Z"
+    mac: ENC[AES256_GCM,data:I/4BXyST/uRbtzbJjqBFww0fzN9/bReKp0Ybb8eUTydVXndpE1OiLsIh2GOK/VRMzR+cL0pbNDEd7MphAbx33J8Kt3xP3itxHKGo0mSKUhUjtJpluPF0ZEte8IDbEliGvH0FQ9eZdtOf4QWcvCCQPSM12OhIyWXy4/38EWcMJH0=,iv:1A/BtIKje3MqjmTnj1B6e/PlYEvO9BAmgGW7PCXClfQ=,tag:CYvRHZ5Hm8dMbgR0ERJ25g==,type:str]
     encrypted_regex: ^(data|stringData)$
     version: 3.12.2

k8s/app/scim-server-api/configmap.yaml

@@ -3,5 +3,4 @@ kind: ConfigMap
 metadata:
   name: scim-server-api-k3s-config
 data:
-  SPRING_DATASOURCE_URL: jdbc:postgresql://scim-postgres-rw:5432/scimplayground
-  SPRING_DATASOURCE_USERNAME: scim_playground
+  SPRING_DATASOURCE_URL: jdbc:postgresql://scim-postgres-rw:5432/scimplayground

k8s/app/scim-server-api/deployment.yaml

@@ -30,6 +30,11 @@ spec:
             - secretRef:
                 name: scim-server-api-k3s-secrets
           env:
+            - name: SPRING_DATASOURCE_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: scim-postgres-playground
+                  key: username
             - name: SPRING_DATASOURCE_PASSWORD
               valueFrom:
                 secretKeyRef: