diff --git a/apps/base/forte-drop-mcp/forte-drop-mcp.yaml b/apps/base/forte-drop-mcp/forte-drop-mcp.yaml
new file mode 100644
index 0000000..0465bdb
--- /dev/null
+++ b/apps/base/forte-drop-mcp/forte-drop-mcp.yaml
@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forte-drop-mcp
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+  labels:
+    app.kubernetes.io/name: forte-drop-mcp
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  sources:
+    - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+      path: forteapp
+      targetRevision: HEAD
+      helm:
+        valueFiles:
+          - $values/forte-drop-mcp/values.yaml
+    - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+      targetRevision: HEAD
+      ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: forte-drop
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml b/apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml
new file mode 100644
index 0000000..228062a
--- /dev/null
+++ b/apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml
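Review bot: `spec.project: default` places this Application in Argo CD's built-in project, which permits any source repository, destination cluster and namespace, so the Application's reach is bounded only by what it happens to list; a dedicated AppProject with `sourceRepos` limited to the two forteapps.net repositories and `destinations` limited to the `forte-drop` namespace would give least privilege, and the same applies to `apps/base/forte-drop/forte-drop.yaml` in the later hunk. Both sources also track `targetRevision: HEAD` under `automated` sync with `prune` and `selfHeal`, so any push to either repository's default branch is applied to the cluster with no review gate; if that is intended for this environment a comment saying so would help, otherwise pin a branch or tag. The three `notifications.argoproj.io/subscribe.*.slack` annotations carry an empty channel value — presumably the cluster-wide notifications config supplies a default, but it is worth confirming they route anywhere.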
@@ -0,0 +1,27 @@
+# MCP audience client. RFC 7591 dynamic-registration capable MCP clients (e.g.,
+# Claude Desktop) discover this via /.well-known/oauth-protected-resource and
+# request tokens with aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-forte-drop-mcp
+  namespace: forte-drop
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "forte-drop-mcp",
+      "name": "Forte Drop (MCP)",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "clientAuthenticatorType": "client-secret",
+      "standardFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "defaultClientScopes": ["openid","profile","email"],
+      "attributes": {
+        "access.token.lifespan": "3600"
+      }
+    }
diff --git a/apps/base/forte-drop-mcp/kustomization.yaml b/apps/base/forte-drop-mcp/kustomization.yaml
new file mode 100644
index 0000000..9d5338b
--- /dev/null
+++ b/apps/base/forte-drop-mcp/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- forte-drop-mcp.yaml
+- keycloak-client-forte-drop-mcp.yaml
+# - auth-oidc-sealed.yaml # added in follow-up commit
diff --git a/apps/base/forte-drop/forte-drop.yaml b/apps/base/forte-drop/forte-drop.yaml
new file mode 100644
index 0000000..08610ba
--- /dev/null
+++ b/apps/base/forte-drop/forte-drop.yaml
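Review bot: The header comment states that tokens for this client carry `aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp`, but nothing in `client.json` establishes how that audience value is produced — there is no `protocolMappers` entry and the clientId is `forte-drop-mcp`, so as far as I can tell Keycloak would only emit audience entries derived from clients and mappers, not from this URL. Either add an audience mapper for that value to `client.json` or change the comment to name where the audience is actually configured, so the resource server's `aud` check can be verified from this file. The client disables every flow (`standardFlowEnabled`, `directAccessGrantsEnabled` and `serviceAccountsEnabled` are all false) yet is confidential with `clientAuthenticatorType: client-secret`, which makes the registrar mint a secret that nothing uses; `"bearerOnly": true` would express the audience-only intent directly. Minor: `defaultClientScopes` is `["openid","profile","email"]` here and `["openid","email","profile"]` in `keycloak-client-forte-drop.yaml`; using one order in both files makes them easier to diff.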
@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forte-drop
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+  labels:
+    app.kubernetes.io/name: forte-drop
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  sources:
+    - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+      path: forteapp
+      targetRevision: HEAD
+      helm:
+        valueFiles:
+          - $values/forte-drop/values.yaml
+    - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+      targetRevision: HEAD
+      ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: forte-drop
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/apps/base/forte-drop/keycloak-client-forte-drop.yaml b/apps/base/forte-drop/keycloak-client-forte-drop.yaml
new file mode 100644
index 0000000..b7d6e85
--- /dev/null
+++ b/apps/base/forte-drop/keycloak-client-forte-drop.yaml
@@ -0,0 +1,28 @@
+# Labeled config Secret read by the Keycloak Client Registrar. The registrar will
+# create the OIDC client in the forte realm and write the resulting credentials
+# back into forte-drop-oidc-credentials Secret in this namespace within ~2 min.
+# That client-secret then gets manually copied into the auth-oidc SealedSecret
+# (one-time per cluster; see PR description).
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-forte-drop
+  namespace: forte-drop
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "forte-drop",
+      "name": "Forte Drop (web)",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "clientAuthenticatorType": "client-secret",
+      "standardFlowEnabled": true,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
+      "webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],
+      "defaultClientScopes": ["openid","email","profile"]
+    }
diff --git a/apps/base/forte-drop/kustomization.yaml b/apps/base/forte-drop/kustomization.yaml
new file mode 100644
index 0000000..feda2e9
--- /dev/null
+++ b/apps/base/forte-drop/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- forte-drop.yaml
+- keycloak-client-forte-drop.yaml
+# - forte-drop-secrets-sealed.yaml # added in follow-up commit
+# - auth-oidc-sealed.yaml # added in follow-up commit (after Keycloak registrar creates client_secret)
diff --git a/apps/base/kustomization.yaml b/apps/base/kustomization.yaml
index a501fbf..b494209 100644
--- a/apps/base/kustomization.yaml
+++ b/apps/base/kustomization.yaml
@@ -6,3 +6,5 @@ resources:
 - musicman
 - ts-mcp
 - argo-mcp
+- forte-drop
+- forte-drop-mcp
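Review bot: The header comment describes copying the registrar-generated client-secret by hand from `forte-drop-oidc-credentials` into the `auth-oidc` SealedSecret, which routes a credential through a manual step and leaves two copies that can drift, for example when the registrar rotates or re-creates the client. If the chart can reference an existing Secret, pointing the workload at `forte-drop-oidc-credentials` in the same namespace would remove the manual copy entirely; if it cannot, the comment should say how rotation is handled. The web client enables the authorization-code flow with an exact `redirectUris` entry and no wildcard, which is good; consider also pinning PKCE on it with `"attributes": { "pkce.code.challenge.method": "S256" }`, since the MCP client file already uses `attributes` and this one has none.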