diff --git a/Keycloak-installation.md b/Keycloak-installation.md
index 4f8b508..7a44509 100644
--- a/Keycloak-installation.md
+++ b/Keycloak-installation.md
@@ -174,3 +174,34 @@ User redirected to original URL
 | `Claims verification failed` | User has no email set in Keycloak | Set email address and tick Email Verified on the Keycloak user |
 | `NoReverseMatch` for `OIDC_EXEMPT_URLS` | Regex pattern used instead of URL name | Use the Django URL name (`'search_api'`), not a regex |
 | Login loops without showing Keycloak | Existing Keycloak session auto-authenticates | Expected behaviour — Keycloak reuses its session. Log out of Keycloak admin console to test a clean login |
+
+---
+
+## Kubernetes Deployment
+
+Split the configuration across a ConfigMap and a Secret. The client secret must not go in a ConfigMap as the contents are visible in plain text to anyone with cluster access.
+
+**ConfigMap**
+```yaml
+data:
+ OIDC_OP_BASE_URL: https://keycloak.example.com/realms/your-realm
+ OIDC_RP_CLIENT_ID: labhelper
+ CSRF_TRUSTED_ORIGINS: https://labhelper.adebaumann.com
+ ALLOWED_HOSTS: labhelper.adebaumann.com
+```
+
+**Secret**
+```yaml
+stringData:
+ OIDC_RP_CLIENT_SECRET:
+ DJANGO_SECRET_KEY:
+```
+
+Reference both in the deployment:
+```yaml
+envFrom:
+ - configMapRef:
+ name: labhelper-config
+ - secretRef:
+ name: labhelper-secret
+```
diff --git a/labhelper/settings.py b/labhelper/settings.py
index 3ccd0ff..4e4c46c 100644
--- a/labhelper/settings.py
+++ b/labhelper/settings.py
@@ -160,11 +160,11 @@ AUTHENTICATION_BACKENDS = [
 # All individual endpoints are derived from OIDC_OP_BASE_URL automatically.
 # You can override any individual endpoint with its own env var.
 # ---------------------------------------------------------------------------
-_oidc_base = "http://127.0.0.1:8080/realms/master"
+_oidc_base = os.environ.get('OIDC_OP_BASE_URL', '').rstrip('/')
 _oidc_connect = f'{_oidc_base}/protocol/openid-connect' if _oidc_base else ''
-OIDC_RP_CLIENT_ID = "labhelper"
-OIDC_RP_CLIENT_SECRET = "NnDDaJfbQlBSHV1z1H2cCiaubLyuQcgY"
+OIDC_RP_CLIENT_ID = os.environ.get('OIDC_RP_CLIENT_ID', '')
+OIDC_RP_CLIENT_SECRET = os.environ.get('OIDC_RP_CLIENT_SECRET', '')
 OIDC_RP_SIGN_ALGO = 'RS256'
 OIDC_RP_SCOPES = 'openid email profile'
 OIDC_USE_PKCE = True
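Review bot: The new `os.environ.get(..., '')` fallbacks mean a deployment with a missing or misspelled variable still starts, with an empty client secret and an `_oidc_connect` of `''`, and only fails later with an opaque error from the OIDC library instead of at boot. I would fail fast right after the `OIDC_RP_CLIENT_SECRET` line: `if not (_oidc_base and OIDC_RP_CLIENT_ID and OIDC_RP_CLIENT_SECRET):` / `    raise ImproperlyConfigured('OIDC_OP_BASE_URL, OIDC_RP_CLIENT_ID and OIDC_RP_CLIENT_SECRET must all be set')` (with `from django.core.exceptions import ImproperlyConfigured` at the top of the file); if running without Keycloak locally is intended, gate the check on `_oidc_base` being non-empty instead. Separately, the removed literal `NnDDaJfbQlBSHV1z1H2cCiaubLyuQcgY` remains in git history, so moving it to an environment variable does not protect it — regenerate the `labhelper` client secret in Keycloak and treat the old value as compromised. This assumes `os` is already imported earlier in settings.py, which the hunk does not show.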