chibisafe

infra/overlays/upc-dev/chibisafe/auth-oidc-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: auth-oidc
+  namespace: chibisafe
+type: Opaque
+stringData:
+  cookie-secret: "gtwkoUMSp1wJa2o5Fo5CNByR8+kTocJOOuywuLexRO4="

infra/overlays/upc-dev/chibisafe/chibisafe.yaml

@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: chibisafe
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: chibisafe
+    app.kubernetes.io/part-of: storage
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://l4gdev.github.io/helm-charts
+    chart: chibisafe
+    targetRevision: "0.1.1"
+    helm:
+      releaseName: chibisafe
+      valueFiles:
+      - $values/infra/values/base/chibisafe-values.yaml
+      - $values/infra/values/upc-dev/chibisafe-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: chibisafe
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true

infra/overlays/upc-dev/chibisafe/ingressroute.yaml

@@ -0,0 +1,36 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: chibisafe-tls
+  namespace: chibisafe
+spec:
+  secretName: chibisafe-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+  - chibisafe.forteapps.net
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: chibisafe
+  namespace: chibisafe
+  annotations:
+    gethomepage.dev/enabled: "false"
+    gethomepage.dev/name: "Chibisafe"
+    gethomepage.dev/description: "File upload & sharing"
+    gethomepage.dev/group: "Storage"
+    gethomepage.dev/icon: "chibisafe"
+    gethomepage.dev/href: "https://chibisafe.forteapps.net"
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - match: Host(`chibisafe.forteapps.net`)
+    kind: Rule
+    services:
+    - name: chibisafe
+      port: 9001
+  tls:
+    secretName: chibisafe-tls

infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-chibisafe
+  namespace: chibisafe
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "chibisafe",
+      "name": "Chibisafe",
+      "redirectUris": ["https://chibisafe.forteapps.net/*"],
+      "webOrigins": ["https://chibisafe.forteapps.net"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "chibisafe",
+        "name": "chibisafe-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }

infra/overlays/upc-dev/chibisafe/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- chibisafe.yaml
+- keycloak-client-config.yaml
+- ingressroute.yaml
+- auth-oidc-secret.yaml

infra/overlays/upc-dev/kustomization.yaml

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+- chibisafe
 - vaultwarden-postgresql
 - vaultwarden
 

infra/values/base/chibisafe-values.yaml

@@ -0,0 +1,45 @@
+replicaCount: 1
+
+frontend:
+  image:
+    repository: chibisafe/chibisafe
+    tag: "latest"
+    pullPolicy: IfNotPresent
+
+backend:
+  image:
+    repository: chibisafe/chibisafe-server
+    tag: "latest"
+    pullPolicy: IfNotPresent
+
+caddy:
+  image:
+    repository: caddy
+    tag: "2-alpine"
+    pullPolicy: IfNotPresent
+
+persistence:
+  database:
+    enabled: true
+    size: 1Gi
+    accessModes:
+    - ReadWriteOnce
+
+  uploads:
+    enabled: true
+    size: 10Gi
+    accessModes:
+    - ReadWriteOnce
+
+  logs:
+    enabled: false
+
+service:
+  type: ClusterIP
+  port: 80
+
+networkPolicy:
+  enabled: false
+
+podDisruptionBudget:
+  enabled: false

infra/values/upc-dev/chibisafe-values.yaml

@@ -0,0 +1,11 @@
+podAnnotations:
+  policies.forteapps.io/auth: "true"
+  policies.forteapps.io/auth-type: "oidc"
+  policies.forteapps.io/auth-oidc-authority: "https://id.forteapps.net/realms/forte"
+  policies.forteapps.io/auth-oidc-client-id: "chibisafe"
+  policies.forteapps.io/auth-oidc-callback-path: "https://chibisafe.forteapps.net/auth/callback"
+  policies.forteapps.io/auth-oidc-credentials-secret: "chibisafe-oidc-credentials"
+
+# Ingress disabled — using IngressRoute to target sidecar port directly
+ingress:
+  enabled: false