From 308235e4fe2d590dc038f35e193be9e0ef367fea Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Wed, 3 Jun 2026 22:33:19 -0500
Subject: [PATCH] feat(auth): route oidc client secrets for s57 flips
---
 apps/fc-distribution/fc-distribution.yaml | 32 +++++++++++++++++++++++
 apps/knowledge/knowledge.yaml | 31 ++++++++++++++++++----
 2 files changed, 58 insertions(+), 5 deletions(-)
diff --git a/apps/fc-distribution/fc-distribution.yaml b/apps/fc-distribution/fc-distribution.yaml
index d331bd8..d53ecd2 100644
--- a/apps/fc-distribution/fc-distribution.yaml
+++ b/apps/fc-distribution/fc-distribution.yaml
@@ -74,6 +74,14 @@ metadata:
 spec:
 itemPath: "vaults/IAmWorkin/items/FlowerCore Edition Signing Key - edition:aistation-field"
 ---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: distribution-oidc-client
+ namespace: fc-distribution
+spec:
+ itemPath: "vaults/IAmWorkin/items/distribution-oidc-client"
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -130,6 +138,30 @@ spec:
 value: "Production"
 - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
 value: "false"
+ - name: FlowerCore__Auth__Enabled
+ value: "true"
+ - name: FlowerCore__Auth__Oidc__Enabled
+ value: "true"
+ - name: FlowerCore__Auth__Oidc__Authority
+ valueFrom:
+ secretKeyRef:
+ name: distribution-oidc-client
+ key: issuer_url
+ optional: true
+ - name: FlowerCore__Auth__Oidc__Audience
+ value: "distribution"
+ - name: FlowerCore__Auth__Oidc__ClientId
+ valueFrom:
+ secretKeyRef:
+ name: distribution-oidc-client
+ key: client_id
+ optional: true
+ - name: FlowerCore__Auth__Oidc__ClientSecret
+ valueFrom:
+ secretKeyRef:
+ name: distribution-oidc-client
+ key: client_secret
+ optional: true
 # SQLite connection (catalog + data-protection keys via FlowerCoreDbContext).
 # Read by Data/DatabaseProviderExtensions.cs in precedence order; Sqlite key wins.
 - name: FlowerCore__Database__Provider
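Review bot: The `optional: true` on all three `distribution-oidc-client` secretKeyRefs (issuer_url, client_id, client_secret) means the pod still starts with `FlowerCore__Auth__Enabled` and `FlowerCore__Auth__Oidc__Enabled` set to "true" when the Secret has not been synced yet or lacks one of those keys, leaving the auth stack enabled with an empty Authority and ClientId; what FlowerCore does with an empty issuer is not visible here, but that is the fail-open case to rule out. Since these are the values enforcement depends on, drop `optional: true` from at least `issuer_url` and `client_id` so a missing or incomplete Secret blocks the rollout instead of producing an enabled-but-unconfigured pod; the knowledge.yaml hunk at `@@ -124,24 +132,37 @@` introduces the same pattern. The key names `issuer_url`, `client_id` and `client_secret` also have to match the fields the OnePasswordItem above exposes, which nothing in the patch pins down. A comment above the new block, like the one knowledge.yaml carries, would help, e.g. `# OIDC issuer/client/secret come from the distribution-oidc-client Secret synced by the OnePasswordItem above.` The env list this hunk edits starts and ends outside the hunk.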
diff --git a/apps/knowledge/knowledge.yaml b/apps/knowledge/knowledge.yaml
index 442dfcc..5736e52 100644
--- a/apps/knowledge/knowledge.yaml
+++ b/apps/knowledge/knowledge.yaml
@@ -51,6 +51,14 @@ metadata:
 spec:
 itemPath: "vaults/IAmWorkin/items/FlowerCore Knowledge MCP Tokens"
 ---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: knowledge-oidc-client
+ namespace: knowledge
+spec:
+ itemPath: "vaults/IAmWorkin/items/knowledge-oidc-client"
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -124,24 +132,37 @@ spec:
 - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
 value: "false"
 # AuthentiK/OIDC is wired but not enforced until the
- # knowledge-oidc-client Secret is provisioned and
- # FlowerCore__Auth__Enabled is flipped to true.
+ # knowledge-oidc-client Secret is provisioned. Service-to-service
+ # RAG keeps the existing MCP token as FlowerCore:Auth:ApiKey.
 - name: FlowerCore__Auth__Enabled
- value: "false"
+ value: "true"
 - name: FlowerCore__Auth__Oidc__Enabled
 value: "true"
 - name: FlowerCore__Auth__Oidc__Authority
- value: "https://id.iamworkin.lan/application/o/knowledge/"
+ valueFrom:
+ secretKeyRef:
+ name: knowledge-oidc-client
+ key: issuer_url
+ optional: true
 - name: FlowerCore__Auth__Oidc__Audience
 value: "knowledge"
 - name: FlowerCore__Auth__Oidc__ClientId
- value: "knowledge"
+ valueFrom:
+ secretKeyRef:
+ name: knowledge-oidc-client
+ key: client_id
+ optional: true
 - name: FlowerCore__Auth__Oidc__ClientSecret
 valueFrom:
 secretKeyRef:
 name: knowledge-oidc-client
 key: client_secret
 optional: true
+ - name: FlowerCore__Auth__ApiKey
+ valueFrom:
+ secretKeyRef:
+ name: knowledge-mcp-tokens
+ key: password
 # Vector-store directory + embedding model + edition profile dir.
 # Profile JSON is baked into the image at /home/app/editions via the
 # csproj Content-link from FlowerCore.Common/editions/.
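Review bot: The rewritten comment still says OIDC is "not enforced until the knowledge-oidc-client Secret is provisioned", but the same hunk flips `FlowerCore__Auth__Enabled` from "false" to "true" unconditionally, so enforcement now starts with this revision and a missing Secret only leaves Authority and ClientId empty (those secretKeyRefs are `optional: true`), which is a different and less predictable state than the comment describes. Reword it to state the actual contract, e.g. `# Auth is enforced from this revision. OIDC issuer/client come from the knowledge-oidc-client Secret; the refs are optional, so a pod starts with an empty Authority if the Secret is missing.`, or better, make the issuer_url and client_id refs non-optional so the pod fails closed. The new `FlowerCore__Auth__ApiKey` ref points at the `password` field of `knowledge-mcp-tokens`, which the comment identifies as the existing MCP token, so one credential now serves both the MCP endpoint and service-to-service RAG and rotating it changes both at once; if those are meant to rotate independently, give the API key its own item field. The env list continues outside the hunk on both sides.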