auth

docs/REFERENCE.md

@@ -1140,17 +1140,24 @@ persistence:
     enabled: true   # User files, 10Gi
 ```
 
-**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80).
+**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80). Auth sidecar injected via Kyverno policy (OIDC mode, port 9001).
 
-**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer.
+**Ingress**: IngressRoute (not chart's built-in Ingress) targeting sidecar port 9001 directly. Chart's `ingress.enabled: false`. Separate cert-manager Certificate resource for TLS.
+
+**Why IngressRoute**: Chart hardcodes Service `targetPort: http` → Caddy port 80. Cannot override via values. IngressRoute bypasses Service, routes directly to sidecar pod port.
+
+**TLS**: cert-manager Certificate resource with `letsencrypt-prod` ClusterIssuer.
 
 **Storage**: SQLite database (1Gi PVC) + uploads (10Gi PVC), both ReadWriteOnce — single replica only.
 
+**SSO**: Keycloak OIDC via `forte` realm (client ID: `chibisafe`). Self-service client config Secret (`keycloak-client-chibisafe`) triggers registrar to create KC client and sync credentials to `chibisafe-oidc-credentials`.
+
 **Endpoints**:
 - Web UI: `https://chibisafe.forteapps.net`
 
 **Secrets**:
 - `chibisafe-tls` — auto-managed by cert-manager
+- `chibisafe-oidc-credentials` (registrar-managed) — OIDC client ID + secret
 
 ### AI Code Review (ai-review)
 

infra/overlays/upc-dev/chibisafe/ingressroute.yaml

@@ -0,0 +1,36 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: chibisafe-tls
+  namespace: chibisafe
+spec:
+  secretName: chibisafe-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+  - chibisafe.forteapps.net
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: chibisafe
+  namespace: chibisafe
+  annotations:
+    gethomepage.dev/enabled: "false"
+    gethomepage.dev/name: "Chibisafe"
+    gethomepage.dev/description: "File upload & sharing"
+    gethomepage.dev/group: "Storage"
+    gethomepage.dev/icon: "chibisafe"
+    gethomepage.dev/href: "https://chibisafe.forteapps.net"
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - match: Host(`chibisafe.forteapps.net`)
+    kind: Rule
+    services:
+    - name: chibisafe
+      port: 9001
+  tls:
+    secretName: chibisafe-tls

infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-chibisafe
+  namespace: chibisafe
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "chibisafe",
+      "name": "Chibisafe",
+      "redirectUris": ["https://chibisafe.forteapps.net/*"],
+      "webOrigins": ["https://chibisafe.forteapps.net"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "chibisafe",
+        "name": "chibisafe-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }

infra/overlays/upc-dev/chibisafe/kustomization.yaml

@@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - chibisafe.yaml
+- keycloak-client-config.yaml
+- ingressroute.yaml

infra/values/upc-dev/chibisafe-values.yaml

@@ -1,20 +1,11 @@
+podAnnotations:
+  policies.forteapps.io/auth: "true"
+  policies.forteapps.io/auth-type: "oidc"
+  policies.forteapps.io/auth-oidc-authority: "https://id.forteapps.net/realms/forte"
+  policies.forteapps.io/auth-oidc-client-id: "chibisafe"
+  policies.forteapps.io/auth-oidc-callback-path: "https://chibisafe.forteapps.net/auth/callback"
+  policies.forteapps.io/auth-oidc-credentials-secret: "chibisafe-oidc-credentials"
+
+# Ingress disabled — using IngressRoute to target sidecar port directly
 ingress:
-  enabled: true
+  enabled: false
-  className: "traefik"
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "Chibisafe"
-    gethomepage.dev/description: "File upload & sharing"
-    gethomepage.dev/group: "Storage"
-    gethomepage.dev/icon: "chibisafe"
-    gethomepage.dev/href: "https://chibisafe.forteapps.net"
-  hosts:
-  - host: chibisafe.forteapps.net
-    paths:
-    - path: /
-      pathType: Prefix
-  tls:
-  - secretName: chibisafe-tls
-    hosts:
-    - chibisafe.forteapps.net