From d3db19b0cad5669867f2089e9f3ad1c7349887c4 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <andrew@flowercore.io>
Date: Thu, 23 Apr 2026 11:27:30 -0500
Subject: [PATCH] guacamole: enable json auth for remotedesktop sso

---
 apps/guacamole/guacamole.yaml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/apps/guacamole/guacamole.yaml b/apps/guacamole/guacamole.yaml
index ed8b278..755d981 100644
--- a/apps/guacamole/guacamole.yaml
+++ b/apps/guacamole/guacamole.yaml
@@ -307,6 +307,13 @@ spec:
             # Recordings are written by guacd and read by guacamole web (history UI).
             - name: RECORDING_SEARCH_PATH
               value: /var/lib/guacamole/recordings
+            - name: JSON_ENABLED
+              value: "true"
+            - name: JSON_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-json-auth-key
+                  key: password
             # Map well-formed env vars to guacamole.properties at container start.
             # Lets the 1Password vault extension read its config (op-connect-url,
             # op-connect-token, op-vault-id) without templating the ConfigMap.
@@ -447,6 +454,14 @@ metadata:
 spec:
   itemPath: vaults/IAmWorkin/items/Guacamole
 ---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: guacamole-json-auth-key
+  namespace: guacamole
+spec:
+  itemPath: vaults/IAmWorkin/items/Guacamole JSON Auth
+---
 # Blue Jay Branding Extension (CSS + translations)
 apiVersion: v1
 kind: ConfigMap
@@ -468,7 +483,7 @@ data:
     # MySQL/guacd settings provided via env vars — do NOT duplicate here
 
     # Extension Priority
-    extension-priority: mysql, ban, bluejay, onepassword-vault, *
+    extension-priority: mysql, ban, bluejay, onepassword-vault, json, *
 
     # Ban (brute force)
     ban-max-invalid-attempts: 5