From 117297effc8abc0f5fc9ebcfe1f6d2ac8dbbb73e Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Date: Sat, 16 May 2026 21:47:59 +0200
Subject: [PATCH] sso vw

---
 docs/REFERENCE.md                             |  3 +++
 .../vaultwarden/keycloak-client-config.yaml   | 22 +++++++++++++++++++
 .../upc-dev/vaultwarden/kustomization.yaml    |  1 +
 infra/values/upc-dev/vaultwarden-values.yaml  | 12 ++++++++++
 4 files changed, 38 insertions(+)
 create mode 100644 infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml

diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md
index 52d43e5..04b3d23 100644
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -1097,6 +1097,8 @@ storage:
 
 **TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc).
 
+**SSO**: Keycloak OIDC via `forte` realm (client ID: `vaultwarden`). Self-service client config Secret (`keycloak-client-vaultwarden`) triggers registrar to create KC client and sync credentials to `vaultwarden-oidc-credentials`. PKCE enabled.
+
 **Endpoints**:
 - Web UI: `https://bitwarden.forteapps.net`
 
@@ -1104,6 +1106,7 @@ storage:
 
 **Secrets**:
 - `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
+- `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
 - `vaultwarden-tls` — auto-managed by cert-manager
 
 ### AI Code Review (ai-review)
diff --git a/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml b/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml
new file mode 100644
index 0000000..35ab8a0
--- /dev/null
+++ b/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-vaultwarden
+  namespace: vaultwarden
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "vaultwarden",
+      "name": "Vaultwarden",
+      "redirectUris": ["https://vaultwarden.forteapps.net/*"],
+      "webOrigins": ["https://vaultwarden.forteapps.net"],
+      "defaultClientScopes": ["openid", "email", "profile"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "vaultwarden",
+        "name": "vaultwarden-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }
diff --git a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
index 65b394b..46b4f10 100644
--- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - vaultwarden.yaml
+- keycloak-client-config.yaml
diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml
index e37e8d9..3b110b2 100644
--- a/infra/values/upc-dev/vaultwarden-values.yaml
+++ b/infra/values/upc-dev/vaultwarden-values.yaml
@@ -68,3 +68,15 @@ storage:
     path: /files
     keepPvc: true
     accessMode: "ReadWriteOnce"
+
+sso:
+  enabled: true
+  existingSecret: vaultwarden-oidc-credentials
+  authority: "https://id.forteapps.net/realms/forte"
+  scopes: "email profile"
+  pkce: true
+  signupsMatchEmail: true
+  clientId:
+    existingSecretKey: client-id
+  clientSecret:
+    existingSecretKey: client-secret