From a5af7bc7f91b9c4a48c5f6618f3d4098026460a5 Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Date: Tue, 19 May 2026 18:34:26 +0200
Subject: [PATCH] chibisafe

---
 docs/REFERENCE.md                             | 50 +++++++++++++++++++
 .../upc-dev/chibisafe/auth-oidc-secret.yaml   |  8 +++
 .../overlays/upc-dev/chibisafe/chibisafe.yaml | 43 ++++++++++++++++
 .../upc-dev/chibisafe/ingressroute.yaml       | 36 +++++++++++++
 .../chibisafe/keycloak-client-config.yaml     | 21 ++++++++
 .../upc-dev/chibisafe/kustomization.yaml      |  7 +++
 infra/overlays/upc-dev/kustomization.yaml     |  1 +
 infra/values/base/chibisafe-values.yaml       | 45 +++++++++++++++++
 infra/values/upc-dev/chibisafe-values.yaml    | 11 ++++
 9 files changed, 222 insertions(+)
 create mode 100644 infra/overlays/upc-dev/chibisafe/auth-oidc-secret.yaml
 create mode 100644 infra/overlays/upc-dev/chibisafe/chibisafe.yaml
 create mode 100644 infra/overlays/upc-dev/chibisafe/ingressroute.yaml
 create mode 100644 infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml
 create mode 100644 infra/overlays/upc-dev/chibisafe/kustomization.yaml
 create mode 100644 infra/values/base/chibisafe-values.yaml
 create mode 100644 infra/values/upc-dev/chibisafe-values.yaml

diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md
index 04b3d23..c34bb73 100644
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -1109,6 +1109,56 @@ storage:
 - `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
 - `vaultwarden-tls` — auto-managed by cert-manager
 
+### Chibisafe
+
+**Chart**: `l4gdev/chibisafe`
+**Version**: 0.1.1 (app latest)
+**Namespace**: `chibisafe`
+
+**Purpose**: Self-hosted file upload and sharing service.
+
+**Configuration**:
+```yaml
+# infra/overlays/upc-dev/chibisafe/ + infra/values/
+ingress:
+  enabled: true
+  className: "traefik"
+  hosts:
+  - host: chibisafe.forteapps.net
+    paths:
+    - path: /
+      pathType: Prefix
+  tls:
+  - secretName: chibisafe-tls
+    hosts:
+    - chibisafe.forteapps.net
+
+persistence:
+  database:
+    enabled: true   # SQLite, 1Gi
+  uploads:
+    enabled: true   # User files, 10Gi
+```
+
+**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80). Auth sidecar injected via Kyverno policy (OIDC mode, port 9001).
+
+**Ingress**: IngressRoute (not chart's built-in Ingress) targeting sidecar port 9001 directly. Chart's `ingress.enabled: false`. Separate cert-manager Certificate resource for TLS.
+
+**Why IngressRoute**: Chart hardcodes Service `targetPort: http` → Caddy port 80. Cannot override via values. IngressRoute bypasses Service, routes directly to sidecar pod port.
+
+**TLS**: cert-manager Certificate resource with `letsencrypt-prod` ClusterIssuer.
+
+**Storage**: SQLite database (1Gi PVC) + uploads (10Gi PVC), both ReadWriteOnce — single replica only.
+
+**SSO**: Keycloak OIDC via `forte` realm (client ID: `chibisafe`). Self-service client config Secret (`keycloak-client-chibisafe`) triggers registrar to create KC client and sync credentials to `chibisafe-oidc-credentials`.
+
+**Endpoints**:
+- Web UI: `https://chibisafe.forteapps.net`
+
+**Secrets**:
+- `chibisafe-tls` — auto-managed by cert-manager
+- `chibisafe-oidc-credentials` (registrar-managed) — OIDC client ID + secret
+
 ### AI Code Review (ai-review)
 
 **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
diff --git a/infra/overlays/upc-dev/chibisafe/auth-oidc-secret.yaml b/infra/overlays/upc-dev/chibisafe/auth-oidc-secret.yaml
new file mode 100644
index 0000000..615951c
--- /dev/null
+++ b/infra/overlays/upc-dev/chibisafe/auth-oidc-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: auth-oidc
+  namespace: chibisafe
+type: Opaque
+stringData:
+  cookie-secret: "gtwkoUMSp1wJa2o5Fo5CNByR8+kTocJOOuywuLexRO4="
diff --git a/infra/overlays/upc-dev/chibisafe/chibisafe.yaml b/infra/overlays/upc-dev/chibisafe/chibisafe.yaml
new file mode 100644
index 0000000..0e74f2e
--- /dev/null
+++ b/infra/overlays/upc-dev/chibisafe/chibisafe.yaml
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: chibisafe
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: chibisafe
+    app.kubernetes.io/part-of: storage
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://l4gdev.github.io/helm-charts
+    chart: chibisafe
+    targetRevision: "0.1.1"
+    helm:
+      releaseName: chibisafe
+      valueFiles:
+      - $values/infra/values/base/chibisafe-values.yaml
+      - $values/infra/values/upc-dev/chibisafe-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: chibisafe
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
diff --git a/infra/overlays/upc-dev/chibisafe/ingressroute.yaml b/infra/overlays/upc-dev/chibisafe/ingressroute.yaml
new file mode 100644
index 0000000..4d3d6e6
--- /dev/null
+++ b/infra/overlays/upc-dev/chibisafe/ingressroute.yaml
@@ -0,0 +1,36 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: chibisafe-tls
+  namespace: chibisafe
+spec:
+  secretName: chibisafe-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+  - chibisafe.forteapps.net
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: chibisafe
+  namespace: chibisafe
+  annotations:
+    gethomepage.dev/enabled: "false"
+    gethomepage.dev/name: "Chibisafe"
+    gethomepage.dev/description: "File upload & sharing"
+    gethomepage.dev/group: "Storage"
+    gethomepage.dev/icon: "chibisafe"
+    gethomepage.dev/href: "https://chibisafe.forteapps.net"
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - match: Host(`chibisafe.forteapps.net`)
+    kind: Rule
+    services:
+    - name: chibisafe
+      port: 9001
+  tls:
+    secretName: chibisafe-tls
diff --git a/infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml b/infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml
new file mode 100644
index 0000000..3b00d57
--- /dev/null
+++ b/infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-chibisafe
+  namespace: chibisafe
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "chibisafe",
+      "name": "Chibisafe",
+      "redirectUris": ["https://chibisafe.forteapps.net/*"],
+      "webOrigins": ["https://chibisafe.forteapps.net"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "chibisafe",
+        "name": "chibisafe-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }
diff --git a/infra/overlays/upc-dev/chibisafe/kustomization.yaml b/infra/overlays/upc-dev/chibisafe/kustomization.yaml
new file mode 100644
index 0000000..815b8fb
--- /dev/null
+++ b/infra/overlays/upc-dev/chibisafe/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- chibisafe.yaml
+- keycloak-client-config.yaml
+- ingressroute.yaml
+- auth-oidc-secret.yaml
diff --git a/infra/overlays/upc-dev/kustomization.yaml b/infra/overlays/upc-dev/kustomization.yaml
index fac7510..9580dff 100644
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+- chibisafe
 - vaultwarden-postgresql
 - vaultwarden
 
diff --git a/infra/values/base/chibisafe-values.yaml b/infra/values/base/chibisafe-values.yaml
new file mode 100644
index 0000000..b22a71a
--- /dev/null
+++ b/infra/values/base/chibisafe-values.yaml
@@ -0,0 +1,45 @@
+replicaCount: 1
+
+frontend:
+  image:
+    repository: chibisafe/chibisafe
+    tag: "latest"
+    pullPolicy: IfNotPresent
+
+backend:
+  image:
+    repository: chibisafe/chibisafe-server
+    tag: "latest"
+    pullPolicy: IfNotPresent
+
+caddy:
+  image:
+    repository: caddy
+    tag: "2-alpine"
+    pullPolicy: IfNotPresent
+
+persistence:
+  database:
+    enabled: true
+    size: 1Gi
+    accessModes:
+    - ReadWriteOnce
+
+  uploads:
+    enabled: true
+    size: 10Gi
+    accessModes:
+    - ReadWriteOnce
+
+  logs:
+    enabled: false
+
+service:
+  type: ClusterIP
+  port: 80
+
+networkPolicy:
+  enabled: false
+
+podDisruptionBudget:
+  enabled: false
diff --git a/infra/values/upc-dev/chibisafe-values.yaml b/infra/values/upc-dev/chibisafe-values.yaml
new file mode 100644
index 0000000..0efd379
--- /dev/null
+++ b/infra/values/upc-dev/chibisafe-values.yaml
@@ -0,0 +1,11 @@
+podAnnotations:
+  policies.forteapps.io/auth: "true"
+  policies.forteapps.io/auth-type: "oidc"
+  policies.forteapps.io/auth-oidc-authority: "https://id.forteapps.net/realms/forte"
+  policies.forteapps.io/auth-oidc-client-id: "chibisafe"
+  policies.forteapps.io/auth-oidc-callback-path: "https://chibisafe.forteapps.net/auth/callback"
+  policies.forteapps.io/auth-oidc-credentials-secret: "chibisafe-oidc-credentials"
+
+# Ingress disabled — using IngressRoute to target sidecar port directly
+ingress:
+  enabled: false