diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index c21a986..c34bb73 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md @@ -1140,17 +1140,24 @@ persistence: enabled: true # User files, 10Gi ``` -**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80). +**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80). Auth sidecar injected via Kyverno policy (OIDC mode, port 9001). -**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer. +**Ingress**: IngressRoute (not chart's built-in Ingress) targeting sidecar port 9001 directly. Chart's `ingress.enabled: false`. Separate cert-manager Certificate resource for TLS. + +**Why IngressRoute**: Chart hardcodes Service `targetPort: http` → Caddy port 80. Cannot override via values. IngressRoute bypasses Service, routes directly to sidecar pod port. + +**TLS**: cert-manager Certificate resource with `letsencrypt-prod` ClusterIssuer. **Storage**: SQLite database (1Gi PVC) + uploads (10Gi PVC), both ReadWriteOnce — single replica only. +**SSO**: Keycloak OIDC via `forte` realm (client ID: `chibisafe`). Self-service client config Secret (`keycloak-client-chibisafe`) triggers registrar to create KC client and sync credentials to `chibisafe-oidc-credentials`. + **Endpoints**: - Web UI: `https://chibisafe.forteapps.net` **Secrets**: - `chibisafe-tls` — auto-managed by cert-manager +- `chibisafe-oidc-credentials` (registrar-managed) — OIDC client ID + secret ### AI Code Review (ai-review) diff --git a/infra/overlays/upc-dev/chibisafe/ingressroute.yaml b/infra/overlays/upc-dev/chibisafe/ingressroute.yaml new file mode 100644 index 0000000..4d3d6e6 --- /dev/null +++ b/infra/overlays/upc-dev/chibisafe/ingressroute.yaml @@ -0,0 +1,36 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: chibisafe-tls + namespace: chibisafe +spec: + secretName: chibisafe-tls + issuerRef: + name: letsencrypt-prod + kind: ClusterIssuer + dnsNames: + - chibisafe.forteapps.net +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chibisafe + namespace: chibisafe + annotations: + gethomepage.dev/enabled: "false" + gethomepage.dev/name: "Chibisafe" + gethomepage.dev/description: "File upload & sharing" + gethomepage.dev/group: "Storage" + gethomepage.dev/icon: "chibisafe" + gethomepage.dev/href: "https://chibisafe.forteapps.net" +spec: + entryPoints: + - websecure + routes: + - match: Host(`chibisafe.forteapps.net`) + kind: Rule + services: + - name: chibisafe + port: 9001 + tls: + secretName: chibisafe-tls diff --git a/infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml b/infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml new file mode 100644 index 0000000..3b00d57 --- /dev/null +++ b/infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-client-chibisafe + namespace: chibisafe + labels: + keycloak.forteapps.net/client-config: "true" +stringData: + client.json: | + { + "clientId": "chibisafe", + "name": "Chibisafe", + "redirectUris": ["https://chibisafe.forteapps.net/*"], + "webOrigins": ["https://chibisafe.forteapps.net"], + "protocolMappers": [], + "secret": { + "namespace": "chibisafe", + "name": "chibisafe-oidc-credentials", + "keys": { "clientId": "client-id", "clientSecret": "client-secret" } + } + } diff --git a/infra/overlays/upc-dev/chibisafe/kustomization.yaml b/infra/overlays/upc-dev/chibisafe/kustomization.yaml index d664466..5ec465b 100644 --- a/infra/overlays/upc-dev/chibisafe/kustomization.yaml +++ b/infra/overlays/upc-dev/chibisafe/kustomization.yaml @@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - chibisafe.yaml +- keycloak-client-config.yaml +- ingressroute.yaml diff --git a/infra/values/upc-dev/chibisafe-values.yaml b/infra/values/upc-dev/chibisafe-values.yaml index 894b233..0efd379 100644 --- a/infra/values/upc-dev/chibisafe-values.yaml +++ b/infra/values/upc-dev/chibisafe-values.yaml @@ -1,20 +1,11 @@ +podAnnotations: + policies.forteapps.io/auth: "true" + policies.forteapps.io/auth-type: "oidc" + policies.forteapps.io/auth-oidc-authority: "https://id.forteapps.net/realms/forte" + policies.forteapps.io/auth-oidc-client-id: "chibisafe" + policies.forteapps.io/auth-oidc-callback-path: "https://chibisafe.forteapps.net/auth/callback" + policies.forteapps.io/auth-oidc-credentials-secret: "chibisafe-oidc-credentials" + +# Ingress disabled — using IngressRoute to target sidecar port directly ingress: - enabled: true - className: "traefik" - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - gethomepage.dev/enabled: "true" - gethomepage.dev/name: "Chibisafe" - gethomepage.dev/description: "File upload & sharing" - gethomepage.dev/group: "Storage" - gethomepage.dev/icon: "chibisafe" - gethomepage.dev/href: "https://chibisafe.forteapps.net" - hosts: - - host: chibisafe.forteapps.net - paths: - - path: / - pathType: Prefix - tls: - - secretName: chibisafe-tls - hosts: - - chibisafe.forteapps.net + enabled: false