auth

2026-05-19 17:59:27 +02:00
parent 612b5ffb28
commit df663c8193
5 changed files with 78 additions and 21 deletions
--- a/infra/overlays/upc-dev/chibisafe/ingressroute.yaml
+++ b/infra/overlays/upc-dev/chibisafe/ingressroute.yaml
@@ -0,0 +1,36 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: chibisafe-tls
+  namespace: chibisafe
+spec:
+  secretName: chibisafe-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+  - chibisafe.forteapps.net
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: chibisafe
+  namespace: chibisafe
+  annotations:
+    gethomepage.dev/enabled: "false"
+    gethomepage.dev/name: "Chibisafe"
+    gethomepage.dev/description: "File upload & sharing"
+    gethomepage.dev/group: "Storage"
+    gethomepage.dev/icon: "chibisafe"
+    gethomepage.dev/href: "https://chibisafe.forteapps.net"
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - match: Host(`chibisafe.forteapps.net`)
+    kind: Rule
+    services:
+    - name: chibisafe
+      port: 9001
+  tls:
+    secretName: chibisafe-tls
--- a/infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml
+++ b/infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-chibisafe
+  namespace: chibisafe
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "chibisafe",
+      "name": "Chibisafe",
+      "redirectUris": ["https://chibisafe.forteapps.net/*"],
+      "webOrigins": ["https://chibisafe.forteapps.net"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "chibisafe",
+        "name": "chibisafe-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }
--- a/infra/overlays/upc-dev/chibisafe/kustomization.yaml
+++ b/infra/overlays/upc-dev/chibisafe/kustomization.yaml
@@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - chibisafe.yaml
+- keycloak-client-config.yaml
+- ingressroute.yaml
--- a/infra/values/upc-dev/chibisafe-values.yaml
+++ b/infra/values/upc-dev/chibisafe-values.yaml
@@ -1,20 +1,11 @@
+podAnnotations:
+  policies.forteapps.io/auth: "true"
+  policies.forteapps.io/auth-type: "oidc"
+  policies.forteapps.io/auth-oidc-authority: "https://id.forteapps.net/realms/forte"
+  policies.forteapps.io/auth-oidc-client-id: "chibisafe"
+  policies.forteapps.io/auth-oidc-callback-path: "https://chibisafe.forteapps.net/auth/callback"
+  policies.forteapps.io/auth-oidc-credentials-secret: "chibisafe-oidc-credentials"
+
+# Ingress disabled — using IngressRoute to target sidecar port directly
 ingress:
-  enabled: true
-  className: "traefik"
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "Chibisafe"
-    gethomepage.dev/description: "File upload & sharing"
-    gethomepage.dev/group: "Storage"
-    gethomepage.dev/icon: "chibisafe"
-    gethomepage.dev/href: "https://chibisafe.forteapps.net"
-  hosts:
-  - host: chibisafe.forteapps.net
-    paths:
-    - path: /
-      pathType: Prefix
-  tls:
-  - secretName: chibisafe-tls
-    hosts:
-    - chibisafe.forteapps.net
+  enabled: false