sso vw
This commit is contained in:
@@ -1097,6 +1097,8 @@ storage:
|
|||||||
|
|
||||||
**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc).
|
**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc).
|
||||||
|
|
||||||
|
**SSO**: Keycloak OIDC via `forte` realm (client ID: `vaultwarden`). Self-service client config Secret (`keycloak-client-vaultwarden`) triggers registrar to create KC client and sync credentials to `vaultwarden-oidc-credentials`. PKCE enabled.
|
||||||
|
|
||||||
**Endpoints**:
|
**Endpoints**:
|
||||||
- Web UI: `https://bitwarden.forteapps.net`
|
- Web UI: `https://bitwarden.forteapps.net`
|
||||||
|
|
||||||
@@ -1104,6 +1106,7 @@ storage:
|
|||||||
|
|
||||||
**Secrets**:
|
**Secrets**:
|
||||||
- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
|
- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
|
||||||
|
- `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
|
||||||
- `vaultwarden-tls` — auto-managed by cert-manager
|
- `vaultwarden-tls` — auto-managed by cert-manager
|
||||||
|
|
||||||
### AI Code Review (ai-review)
|
### AI Code Review (ai-review)
|
||||||
|
|||||||
@@ -0,0 +1,22 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: keycloak-client-vaultwarden
|
||||||
|
namespace: vaultwarden
|
||||||
|
labels:
|
||||||
|
keycloak.forteapps.net/client-config: "true"
|
||||||
|
stringData:
|
||||||
|
client.json: |
|
||||||
|
{
|
||||||
|
"clientId": "vaultwarden",
|
||||||
|
"name": "Vaultwarden",
|
||||||
|
"redirectUris": ["https://vaultwarden.forteapps.net/*"],
|
||||||
|
"webOrigins": ["https://vaultwarden.forteapps.net"],
|
||||||
|
"defaultClientScopes": ["openid", "email", "profile"],
|
||||||
|
"protocolMappers": [],
|
||||||
|
"secret": {
|
||||||
|
"namespace": "vaultwarden",
|
||||||
|
"name": "vaultwarden-oidc-credentials",
|
||||||
|
"keys": { "clientId": "client-id", "clientSecret": "client-secret" }
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||||||
kind: Kustomization
|
kind: Kustomization
|
||||||
resources:
|
resources:
|
||||||
- vaultwarden.yaml
|
- vaultwarden.yaml
|
||||||
|
- keycloak-client-config.yaml
|
||||||
|
|||||||
@@ -68,3 +68,15 @@ storage:
|
|||||||
path: /files
|
path: /files
|
||||||
keepPvc: true
|
keepPvc: true
|
||||||
accessMode: "ReadWriteOnce"
|
accessMode: "ReadWriteOnce"
|
||||||
|
|
||||||
|
sso:
|
||||||
|
enabled: true
|
||||||
|
existingSecret: vaultwarden-oidc-credentials
|
||||||
|
authority: "https://id.forteapps.net/realms/forte"
|
||||||
|
scopes: "email profile"
|
||||||
|
pkce: true
|
||||||
|
signupsMatchEmail: true
|
||||||
|
clientId:
|
||||||
|
existingSecretKey: client-id
|
||||||
|
clientSecret:
|
||||||
|
existingSecretKey: client-secret
|
||||||
|
|||||||
Reference in New Issue
Block a user