replicas

ns
vaultwarden
2026-05-16 15:48:13 +02:00 · 2026-05-16 15:44:04 +02:00 · 2026-05-16 15:39:55 +02:00 · 2026-05-15 15:47:25 +02:00 · 2026-05-14 23:47:14 +02:00 · 2026-05-14 23:43:40 +02:00
9 changed files with 208 additions and 0 deletions
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -1141,6 +1141,30 @@ ignore:
 - Check Gitea Actions tab for workflow run status and logs
 - Monitor Anthropic usage dashboard for token consumption

+### Keycloak Browser Flow (IdP Auto-Redirect)
+
+**File**: `infra/values/base/keycloak-values.yaml` (inside `forte-realm.json`)
+
+The realm uses a custom browser authentication flow (`browser-auto-idp`) that skips the Keycloak login page and redirects directly to the Entra ID identity provider.
+
+**Flow executions**:
+
+| Priority | Authenticator | Requirement | Purpose |
+|----------|--------------|-------------|---------|
+| 10 | `auth-cookie` | ALTERNATIVE | Reuse existing session (no redirect) |
+| 20 | `identity-provider-redirector` | ALTERNATIVE | Auto-redirect to `forte-entra` IdP |
+
+**Key fields in realm JSON**:
+- `"browserFlow": "browser-auto-idp"` — overrides the default `browser` flow at realm level
+- `"authenticationFlows"` — defines the custom flow with its executions
+- `"authenticatorConfig"` — sets `defaultProvider: "forte-entra"` on the redirector
+
+**Why custom flow**: The default KC browser flow shows a username/password form with an IdP button. Since all authentication is via Entra ID, the custom flow eliminates this step. The `auth-cookie` execution preserves session reuse so returning users aren't redirected again.
+
+**Important**: The `forte-entra` identity provider must exist in Keycloak (currently configured manually in the KC admin console). If the IdP alias changes, update the `defaultProvider` value in the realm JSON.
+
+---
+
 ### Keycloak Client Registrar

 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+- vaultwarden

 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- vaultwarden.yaml
+- vaultwarden-db-secret-sealed.yaml
--- a/infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: prod-db-creds
+  namespace: vaultwarden
+spec:
+  encryptedData:
+    SMTP_PASSWORD: AgARC3vcVD2SC8GUry5SYylyiS39eKQUFAjqT4dpXQsoJX7QSLfd7Ta68BURg8Q5e2zWdzIl+nrUyBy/4TMXeHjSUhcfsH0RY2logMuTn96kV/V7YKm1Zw394hrJ3uroB7iFkf/TwiXuwFS1QvppxlpXNWVClHs+r0aW3vD2s7ViFxFqcPYGfNKlGvW2aLU6XER/TUXCffoSmHgl0wut5UaZEo+321AAaqcmk90Te/Pv4oU0SfFGn/+14zDR3VT4s6u8rgYQcSB23p2f3X3+8tCLgSLclyzSXAVfclMBYCuCtOzFjgXOQLoYfW3WW48KqsFKsoZsI/dop8L/y2P78xGJ5gYNiVcH6vEMfOr6wOTISyXqQIi3a/KZcNSY4ZZ7kH13aqru3Fpb4XAGjcmEEfWfOQ9IcPBj6Yh9pNOhxlQHPqXR9zrwx//iXdH2bsbEJ2vNHQhU9uc4t3dO1VnLO/icvMr3CFEuaB4mFDThVrPGOEi5s1YKPTHb1j8B92WSy6aNmNro0977cbbJs/linNox3rNa20kzQPfU2pdlC31vIcpMCM7vtUnx16QHyjUNe/whFqIbSG3mE19jbjIvGo0d7jhBWZYQin+m1MRv/Tv8VjzYe6FciIFX33pNTWkwkvFq+s8eQcyruWCe5hLlF361FklqXcSh1tMyqcfOScNRPxUPlWumkGPDmonULJPkmAs7eJmxKlvinrAPs8eiP7c/1SPW6FdMmxT7sq/27TII
+    SMTP_USERNAME: AgC1Zsv5l5Wbrq7VZC2U55+0/LQvZEbsmlxq2O5Z+Xp/admdqptEBGlLKEdIn7CmyBzvmrmWasmN4NJPJHoeLWn7SgsoULTu1UQ3W9kgcrXUJ52dwOrYLMJUxJuh+OD9HEJejfOMksc2rSM69I4NUc+NXaDSZOo+gzldWzBN7nCa778NcnMgJxVcT4gqjTIRB9EOrCo4f3ldFJzVJW7qNnxurN0UZQ51y+nj+4z2R+LvfOJ1BT5YQC+nmx80HVBMdQWK5WO4QdxCtenXfiFDNcGK3MK/Exd+kubOWse85CMt2dR0GWuIfIOp+t4XQXfb1pxhTibh/fGae9dD0RpSX1c8hobkpXaDJIYeb7ZQF5J6Zf68fgCn0YircY1hB4yF7uX5CQL1yv76M4tM9yuOn5FTJaIG6byWn/RsHZ7KPIUSd1mOce9ZqfTkKzvC/wfX45UMhPEsdXF9o67mAtOpdmBGrmeDD+7GwPwKXz3JgDovlGtzvLvMZ27+x1dpC8LrcAjcKXXGKczbs3L2Pc+tymd9dis36RvlFLEgQG32ffQu5vQXqGcoSEnlZ0l39qoU9EItkA5kp0isGiJI46hJtAdTTNr0roymvrfDyLXpAvXTQYaVMC7/8KVb2r3kIPKtnsDuU2A57ceiqtdWQgUarPn4F0O3SaCnprmTm2thgCgQOkW7BGlN3CCsVboZUIOlFr7CwTswB9ZI6tzOj2WsUOhriTfIuXv3kyrFCspo
+    pgpassword: AgB7F1Nvm2sjBOneDFux2mc/qni32jaq+KccTWkS7UZWWgA37owrE/XvDSOXZ0ZkrpBfhvCnsrh7/mbVnZYNWCd/GgxI2txnkp9MxW5JLpJiaZZmzznI229BgG9I08vg6ciuUS+bvRw9XJFD7SAmgeA3NaDKAHRNIhu3CFEKQJANity+pKHY1zK6gX6ubmllFtjEJg2pijM3EeSNuXdAFXZlsYIJMqFzlvQrb4MV7qeqsvW2qMeJBElMnas60l3JgeUYtsIwh6720m6FFKGXYQLm4cKbByC0M1C0/Nfwnd9j+xgIgyXharQFmgyp1qQBM+MAHxnHoHCE3V9cJqy1nCy33M16YYsZGOuAkHB9ks9I7NxGAKKjAIm5DccW7zbYINzTQKAUYIF/VhVosHv0thAHjfuH7fGzSmo9BHrLTQE3tO5RF40X2GgKFxP/R5lA+dCtR2QBNot0DaL2TEJoPc0czSYPY5y92FDOQ1j9jvcet18tkJN+bzCKwiG+BxtD0eH+tv1EAZTwvyl43xlU3E3RwWgSmOWcusMrn92fhsHwNFs9mMeeM8qeAVq4xUkatbKoijHm6q03tMgp2T6iT3EoVNLzWz+754mLQxt6serkBS8U7Mkxwpfitf64ANLaQyMF8t9Rao0c8Q/ZkIl9TEczbCPX3DvlnsoSPKDMWGB9gTzKbvvH0+Gcxxs+LZFigE7SQ20kYMlQpD8uo15ufWpMSGmFJxvto55fYgA0+wJmqe18ERy1QjxCqQYG7A==
+    pgusername: AgAvYmIjfz5UbstZli9gpc77rc+oAft7NYIHFrSClyV0Ugt6UU+icMMlLbU92roy7J9XUHuWoXoK5vh0y/XeF95ce1VJC0/zvMK2OXmpfERbyNvyCpwzCFtzYJ4LO7yOi8PAPstzuziqnvLt+GLCwk1enU+IWHI7G2A/qIeWEww5+Y5a4WevVrchp0Wh87PdJ88IT5EiF7qBT2ipbcSoB+Gon962nbw8+pnFedmRcUQcdOf0tQBBZOl5TUVJ6mn4WIY8u6/yOwACMlUXQ553rxXYwGKyTRjI0KbTWwpgeCJiqokyrw/RcShD6qJvZGePdq6rNmmkELOHCPo9z/WvXQIDHbuPldvcglyHuN2w4tsBcGukbmjitwS6wxYD0vp3er3FI9+0tRnD9zlkLiUpcaLi9Rrm7NPS/JP1dbGcHz7fJNXgbMZRGRx3DjV73Qnz6YHvOHT4g6BI2+9JytriRKSOJk/FlDCINgrO+6zMrbxKzBTW3+FK1cc41sJ9zClbV603wsMgtkmB1sZL4xcLmq5wOuk19uO9TsK0Xnf+ajuFUkQm42DVxtTZ9HObLnP8eygn1WiMDv3ks6W7HIpJTpc2YJVU/Pg/kTeQgBKS0JRTkzpJFPHV2UrkLTr0U6ToPYOb2SWBnPI+Lp3cTOeUsbKOylBzx4uUJGoZUL5pAorjd5tDHJhMyMm589m5J3mGMXuhXO1cWg80
+  template:
+    metadata:
+      creationTimestamp: null
+      name: prod-db-creds
+      namespace: vaultwarden
--- a/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vaultwarden
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vaultwarden
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: vaultwarden
+    app.kubernetes.io/part-of: security
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://guerzon.github.io/vaultwarden
+    chart: vaultwarden
+    targetRevision: "0.36.4"
+    helm:
+      releaseName: vaultwarden
+      valueFiles:
+      - $values/infra/values/base/vaultwarden-values.yaml
+      - $values/infra/values/upc-dev/vaultwarden-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: vaultwarden
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -41,6 +41,7 @@ gitea:
    oauth2:
      ENABLED: true
      ENABLE_AUTO_REGISTRATION: true
+      ACCOUNT_LINKING: auto
      USERNAME: email

    session:
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -58,6 +58,9 @@ keycloakConfigCli:
  enabled: true
  image:
    repository: bitnamilegacy/keycloak-config-cli
+  extraEnvVars:
+  - name: IMPORT_MANAGED_PROTOCOL_MAPPER
+    value: "no-delete"
  configuration:
    forte-realm.json: |
      {
@@ -101,6 +104,18 @@ keycloakConfigCli:
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
+              },
+              {
+                "name": "groups",
+                "protocol": "openid-connect",
+                "protocolMapper": "oidc-group-membership-mapper",
+                "config": {
+                  "claim.name": "groups",
+                  "full.path": "false",
+                  "id.token.claim": "true",
+                  "access.token.claim": "true",
+                  "userinfo.token.claim": "true"
+                }
              }
            ]
          },
@@ -173,7 +188,54 @@ keycloakConfigCli:
            ]
          }
        ],
+        "browserFlow": "browser-auto-idp",
+        "authenticationFlows": [
+          {
+            "alias": "browser-auto-idp",
+            "description": "Browser flow with auto-redirect to Forte Entra IdP",
+            "providerId": "basic-flow",
+            "topLevel": true,
+            "builtIn": false,
+            "authenticationExecutions": [
+              {
+                "authenticator": "auth-cookie",
+                "authenticatorFlow": false,
+                "requirement": "ALTERNATIVE",
+                "priority": 10
+              },
+              {
+                "authenticator": "identity-provider-redirector",
+                "authenticatorFlow": false,
+                "requirement": "ALTERNATIVE",
+                "priority": 20,
+                "authenticatorConfig": "forte-entra-redirector"
+              }
+            ]
+          }
+        ],
+        "authenticatorConfig": [
+          {
+            "alias": "forte-entra-redirector",
+            "config": {
+              "defaultProvider": "forte-entra"
+            }
+          }
+        ],
        "groups": [
+          {
+            "name": "k8s",
+            "path": "/k8s",
+            "clientRoles": {
+              "grafana": ["Editor"]
+            }
+          },
+          {
+            "name": "dev",
+            "path": "/dev",
+            "clientRoles": {
+              "grafana": ["Viewer"]
+            }
+          },
          {
            "name": "ArgoCD Admins",
            "path": "/ArgoCD Admins"
--- a/infra/values/base/vaultwarden-values.yaml
+++ b/infra/values/base/vaultwarden-values.yaml
@@ -0,0 +1,3 @@
+image:
+  tag: "1.36.0-alpine"
+domain: "https://vaultwarden.forteapps.net"
--- a/infra/values/upc-dev/vaultwarden-values.yaml
+++ b/infra/values/upc-dev/vaultwarden-values.yaml
@@ -0,0 +1,45 @@
+database:
+  type: postgresql
+  existingSecret: prod-db-creds
+  existingSecretUserKey: pgusername
+  existingSecretPasswordKey: pgpassword
+ingress:
+  enabled: true
+  class: "traefik"
+  tlsSecret: vw-forteapps-net-crt
+  hostname: bitwarden.forteapps.net
+
+replicas: 1
+
+service:
+  sessionAffinity: ClientIP
+  sessionAffinityConfig:
+    clientIP:
+      timeoutSeconds: 10800
+
+smtp:
+  host: smtp.office365.com
+  from: no-reply@forteapps.net
+  fromName: "Forte Bitwarden Administrator"
+  existingSecret: prod-db-creds
+  username:
+    existingSecretKey: SMTP_USERNAME
+  password:
+    existingSecretKey: SMTP_PASSWORD
+
+storage:
+  data:
+    name: "vaultwarden-data"
+    size: "5Gi"
+    class: ""
+    path: "/data"
+    keepPvc: true
+    accessMode: "ReadWriteOnce"
+
+  attachments:
+    name: "vaultwarden-files"
+    size: "5Gi"
+    class: ""
+    path: /files
+    keepPvc: true
+    accessMode: "ReadWriteOnce"
Author	SHA1	Message	Date
Danijel Simeunovic	66de9b8a0a	replicas	2026-05-16 15:48:13 +02:00
Danijel Simeunovic	716c552be9	ns	2026-05-16 15:44:04 +02:00
Danijel Simeunovic	f048b47a0f	vaultwarden	2026-05-16 15:39:55 +02:00
Danijel Simeunovic	66f40427ee	mappings	2026-05-15 15:47:25 +02:00
Danijel Simeunovic	332881cbd0	fix	2026-05-14 23:47:14 +02:00
Danijel Simeunovic	f363afa087	browser flow override	2026-05-14 23:43:40 +02:00
Danijel Simeunovic	bc42347cb6	gitea+ACCOUNT_LINKING	2026-05-14 21:30:53 +02:00
Danijel Simeunovic	80d7bff4bc	groups	2026-05-14 21:18:17 +02:00
Danijel Simeunovic	3644a3ec87	mappers	2026-05-14 21:14:57 +02:00
Danijel Simeunovic	bd478478f1	fix attemt	2026-05-14 20:40:44 +02:00
Danijel Simeunovic	67b1d95509	account linking	2026-05-14 19:39:38 +02:00
Danijel Simeunovic	fff95d98a5	remove protocol mappers	2026-05-13 23:15:28 +02:00
Danijel Simeunovic	8b743efa43	KC fix	2026-05-13 23:13:09 +02:00