auth
This commit is contained in:
@@ -1140,17 +1140,24 @@ persistence:
|
||||
enabled: true # User files, 10Gi
|
||||
```
|
||||
|
||||
**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80).
|
||||
**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80). Auth sidecar injected via Kyverno policy (OIDC mode, port 9001).
|
||||
|
||||
**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer.
|
||||
**Ingress**: IngressRoute (not chart's built-in Ingress) targeting sidecar port 9001 directly. Chart's `ingress.enabled: false`. Separate cert-manager Certificate resource for TLS.
|
||||
|
||||
**Why IngressRoute**: Chart hardcodes Service `targetPort: http` → Caddy port 80. Cannot override via values. IngressRoute bypasses Service, routes directly to sidecar pod port.
|
||||
|
||||
**TLS**: cert-manager Certificate resource with `letsencrypt-prod` ClusterIssuer.
|
||||
|
||||
**Storage**: SQLite database (1Gi PVC) + uploads (10Gi PVC), both ReadWriteOnce — single replica only.
|
||||
|
||||
**SSO**: Keycloak OIDC via `forte` realm (client ID: `chibisafe`). Self-service client config Secret (`keycloak-client-chibisafe`) triggers registrar to create KC client and sync credentials to `chibisafe-oidc-credentials`.
|
||||
|
||||
**Endpoints**:
|
||||
- Web UI: `https://chibisafe.forteapps.net`
|
||||
|
||||
**Secrets**:
|
||||
- `chibisafe-tls` — auto-managed by cert-manager
|
||||
- `chibisafe-oidc-credentials` (registrar-managed) — OIDC client ID + secret
|
||||
|
||||
### AI Code Review (ai-review)
|
||||
|
||||
|
||||
36
infra/overlays/upc-dev/chibisafe/ingressroute.yaml
Normal file
36
infra/overlays/upc-dev/chibisafe/ingressroute.yaml
Normal file
@@ -0,0 +1,36 @@
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: chibisafe-tls
|
||||
namespace: chibisafe
|
||||
spec:
|
||||
secretName: chibisafe-tls
|
||||
issuerRef:
|
||||
name: letsencrypt-prod
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- chibisafe.forteapps.net
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: chibisafe
|
||||
namespace: chibisafe
|
||||
annotations:
|
||||
gethomepage.dev/enabled: "false"
|
||||
gethomepage.dev/name: "Chibisafe"
|
||||
gethomepage.dev/description: "File upload & sharing"
|
||||
gethomepage.dev/group: "Storage"
|
||||
gethomepage.dev/icon: "chibisafe"
|
||||
gethomepage.dev/href: "https://chibisafe.forteapps.net"
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`chibisafe.forteapps.net`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: chibisafe
|
||||
port: 9001
|
||||
tls:
|
||||
secretName: chibisafe-tls
|
||||
21
infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml
Normal file
21
infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: keycloak-client-chibisafe
|
||||
namespace: chibisafe
|
||||
labels:
|
||||
keycloak.forteapps.net/client-config: "true"
|
||||
stringData:
|
||||
client.json: |
|
||||
{
|
||||
"clientId": "chibisafe",
|
||||
"name": "Chibisafe",
|
||||
"redirectUris": ["https://chibisafe.forteapps.net/*"],
|
||||
"webOrigins": ["https://chibisafe.forteapps.net"],
|
||||
"protocolMappers": [],
|
||||
"secret": {
|
||||
"namespace": "chibisafe",
|
||||
"name": "chibisafe-oidc-credentials",
|
||||
"keys": { "clientId": "client-id", "clientSecret": "client-secret" }
|
||||
}
|
||||
}
|
||||
@@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- chibisafe.yaml
|
||||
- keycloak-client-config.yaml
|
||||
- ingressroute.yaml
|
||||
|
||||
@@ -1,20 +1,11 @@
|
||||
podAnnotations:
|
||||
policies.forteapps.io/auth: "true"
|
||||
policies.forteapps.io/auth-type: "oidc"
|
||||
policies.forteapps.io/auth-oidc-authority: "https://id.forteapps.net/realms/forte"
|
||||
policies.forteapps.io/auth-oidc-client-id: "chibisafe"
|
||||
policies.forteapps.io/auth-oidc-callback-path: "https://chibisafe.forteapps.net/auth/callback"
|
||||
policies.forteapps.io/auth-oidc-credentials-secret: "chibisafe-oidc-credentials"
|
||||
|
||||
# Ingress disabled — using IngressRoute to target sidecar port directly
|
||||
ingress:
|
||||
enabled: true
|
||||
className: "traefik"
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "Chibisafe"
|
||||
gethomepage.dev/description: "File upload & sharing"
|
||||
gethomepage.dev/group: "Storage"
|
||||
gethomepage.dev/icon: "chibisafe"
|
||||
gethomepage.dev/href: "https://chibisafe.forteapps.net"
|
||||
hosts:
|
||||
- host: chibisafe.forteapps.net
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: chibisafe-tls
|
||||
hosts:
|
||||
- chibisafe.forteapps.net
|
||||
enabled: false
|
||||
|
||||
Reference in New Issue
Block a user