deploy: roll Chat and Knowledge OIDC images

2026-06-03 18:11:56 -05:00
parent e2e93d482c
commit 1e8bf54c6e
2 changed files with 223 additions and 3 deletions
--- a/apps/knowledge/knowledge.yaml
+++ b/apps/knowledge/knowledge.yaml
@@ -102,7 +102,7 @@ spec:
        - name: web
          # Placeholder tag — bump to the image you built + imported to ALL
          # RKE2 nodes via scripts/deploy-knowledge.sh before applying.
-          image: localhost/fc-knowledge-web:v20260429232635
+          image: localhost/fc-knowledge-web:v20260603-oidc-authentik
          imagePullPolicy: Never
          command:
            - /bin/sh
@@ -123,6 +123,25 @@ spec:
              value: "Production"
            - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
              value: "false"
+            # AuthentiK/OIDC is wired but not enforced until the
+            # knowledge-oidc-client Secret is provisioned and
+            # FlowerCore__Auth__Enabled is flipped to true.
+            - name: FlowerCore__Auth__Enabled
+              value: "false"
+            - name: FlowerCore__Auth__Oidc__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Authority
+              value: "https://id.iamworkin.lan/application/o/knowledge/"
+            - name: FlowerCore__Auth__Oidc__Audience
+              value: "knowledge"
+            - name: FlowerCore__Auth__Oidc__ClientId
+              value: "knowledge"
+            - name: FlowerCore__Auth__Oidc__ClientSecret
+              valueFrom:
+                secretKeyRef:
+                  name: knowledge-oidc-client
+                  key: client_secret
+                  optional: true
            # Vector-store directory + embedding model + edition profile dir.
            # Profile JSON is baked into the image at /home/app/editions via the
            # csproj Content-link from FlowerCore.Common/editions/.