feat(auth): route oidc client secrets for s57 flips

2026-06-03 22:33:19 -05:00
parent 404d884863
commit 308235e4fe
2 changed files with 58 additions and 5 deletions
--- a/apps/knowledge/knowledge.yaml
+++ b/apps/knowledge/knowledge.yaml
@@ -51,6 +51,14 @@ metadata:
 spec:
  itemPath: "vaults/IAmWorkin/items/FlowerCore Knowledge MCP Tokens"
 ---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: knowledge-oidc-client
+  namespace: knowledge
+spec:
+  itemPath: "vaults/IAmWorkin/items/knowledge-oidc-client"
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -124,24 +132,37 @@ spec:
            - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
              value: "false"
            # AuthentiK/OIDC is wired but not enforced until the
-            # knowledge-oidc-client Secret is provisioned and
-            # FlowerCore__Auth__Enabled is flipped to true.
+            # knowledge-oidc-client Secret is provisioned. Service-to-service
+            # RAG keeps the existing MCP token as FlowerCore:Auth:ApiKey.
            - name: FlowerCore__Auth__Enabled
-              value: "false"
+              value: "true"
            - name: FlowerCore__Auth__Oidc__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Authority
-              value: "https://id.iamworkin.lan/application/o/knowledge/"
+              valueFrom:
+                secretKeyRef:
+                  name: knowledge-oidc-client
+                  key: issuer_url
+                  optional: true
            - name: FlowerCore__Auth__Oidc__Audience
              value: "knowledge"
            - name: FlowerCore__Auth__Oidc__ClientId
-              value: "knowledge"
+              valueFrom:
+                secretKeyRef:
+                  name: knowledge-oidc-client
+                  key: client_id
+                  optional: true
            - name: FlowerCore__Auth__Oidc__ClientSecret
              valueFrom:
                secretKeyRef:
                  name: knowledge-oidc-client
                  key: client_secret
                  optional: true
+            - name: FlowerCore__Auth__ApiKey
+              valueFrom:
+                secretKeyRef:
+                  name: knowledge-mcp-tokens
+                  key: password
            # Vector-store directory + embedding model + edition profile dir.
            # Profile JSON is baked into the image at /home/app/editions via the
            # csproj Content-link from FlowerCore.Common/editions/.