From 56f73d68b9e176502cf60795ce8ce9669c220587 Mon Sep 17 00:00:00 2001 From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com> Date: Fri, 19 Jun 2026 20:54:21 -0500 Subject: [PATCH] Deploy IRC admin public auth route --- apps-gx10/irc/irc.yaml | 89 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 82 insertions(+), 7 deletions(-) diff --git a/apps-gx10/irc/irc.yaml b/apps-gx10/irc/irc.yaml index 9492476..5417e66 100644 --- a/apps-gx10/irc/irc.yaml +++ b/apps-gx10/irc/irc.yaml @@ -55,6 +55,20 @@ spec: dnsNames: - webirc.iamworkin.lan --- +# TLS Certificate for FlowerCore IRC Admin +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: irc-admin-tls + namespace: irc +spec: + secretName: irc-admin-tls + issuerRef: + name: step-ca-acme + kind: ClusterIssuer + dnsNames: + - irc-admin.iamworkin.lan +--- # The Lounge configuration apiVersion: v1 kind: ConfigMap @@ -684,6 +698,25 @@ data: rpc-class flowercore-readonly; } + rpc-class flowercore-admin { + permissions { + rpc { info; set_issuer; } + server { list; get; } + channel { list; get; set_topic; kick; } + user { list; get; } + stats { get; } + server_ban { list; get; add; del; } + name_ban { list; get; add; del; } + log { subscribe; unsubscribe; } + } + } + + rpc-user flowercoreadmin { + match { ip 10.*; } + password "__RPC_ADMIN_PASSWORD_HASH__"; + rpc-class flowercore-admin; + } + drpass { restart "__OPER_PASSWORD__"; die "__OPER_PASSWORD__"; @@ -1033,7 +1066,7 @@ spec: labels: app: unrealircd annotations: - flowercore.io/config-revision: "irc-r1-rpc-custom-readonly-20260619" + flowercore.io/config-revision: "irc-admin-rpc-auth-20260620" spec: initContainers: - name: inject-credentials 
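Review bot: The new `rpc-user flowercoreadmin` accepts any source matching `ip 10.*`, while the `flowercore-admin` class it is bound to can add and delete `server_ban`/`name_ban` entries, kick users and set topics; a write-capable credential deserves a tighter match than a whole /8, whatever the readonly user above it uses. Narrowing the mask to the addresses the irc-web pods actually connect from (e.g. `match { ip <POD_CIDR_PLACEHOLDER>; }`) or pairing it with a NetworkPolicy on the RPC port limits who can even attempt the password hash. A short comment naming the consumer would also help future readers, e.g. `/* Used by the FlowerCore irc-web Deployment (RpcUsername=flowercoreadmin); write-capable, keep the match narrow. */` above the `rpc-user` block. The enclosing ConfigMap `data` block scalar starts and ends outside this hunk.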
@@ -1043,12 +1076,14 @@ spec: - | OPER_PW=$(cat /secrets/password) RPC_PW_HASH=$(cat /rpc-secrets/passwordHash) + RPC_ADMIN_PW_HASH=$(cat /rpc-secrets/adminPasswordHash) LINK_PW=$(cat /secrets/Link-Password) CLOAK_KEY_1=$(cat /cloak-secrets/cloak-key-1) CLOAK_KEY_2=$(cat /cloak-secrets/cloak-key-2) CLOAK_KEY_3=$(cat /cloak-secrets/cloak-key-3) sed -e "s|__OPER_PASSWORD__|${OPER_PW}|g" \ -e "s|__RPC_PASSWORD_HASH__|${RPC_PW_HASH}|g" \ + -e "s|__RPC_ADMIN_PASSWORD_HASH__|${RPC_ADMIN_PW_HASH}|g" \ -e "s|__LINK_PASSWORD__|${LINK_PW}|g" \ -e "s|__CLOAK_KEY_1__|${CLOAK_KEY_1}|g" \ -e "s|__CLOAK_KEY_2__|${CLOAK_KEY_2}|g" \ @@ -1395,8 +1430,6 @@ spec: storage: 1Gi --- # FlowerCore IRC management web app. -# External irc-admin.iamworkin.lan route is intentionally held until the -# FlowerCore.DNS default tenant onboarding gate allows a 10.0.57.202 A record. apiVersion: apps/v1 kind: Deployment metadata: @@ -1435,7 +1468,7 @@ spec: fsGroupChangePolicy: OnRootMismatch containers: - name: web - image: localhost/fc-irc-web:v20260619-irc-logsub-259ca85 + image: localhost/fc-irc-web:v20260620-irc-admin-54a3f5a imagePullPolicy: Never ports: - containerPort: 5080 @@ -1470,12 +1503,12 @@ spec: - name: FlowerCore__IRC__ServerManagement__RpcPath value: "/api" - name: FlowerCore__IRC__ServerManagement__RpcUsername - value: "flowercorereadonly" + value: "flowercoreadmin" - name: FlowerCore__IRC__ServerManagement__RpcPassword valueFrom: secretKeyRef: name: unrealircd-rpc-credentials - key: password + key: adminPassword - name: FlowerCore__IRC__ServerManagement__RpcAllowInvalidServerCertificate value: "true" - name: FlowerCore__IRC__ServerManagement__PreferRpcReadModel 
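Review bot: `RPC_ADMIN_PW_HASH=$(cat /rpc-secrets/adminPasswordHash)` follows the existing pattern, so unless the script enables `set -e` above the hunk a missing `adminPasswordHash` key is not fatal and the new `sed -e "s|__RPC_ADMIN_PASSWORD_HASH__|${RPC_ADMIN_PW_HASH}|g"` rewrites the placeholder as an empty string, leaving the write-capable rpc-user with an empty `password` field; what unrealircd does with that at load time is not visible here. Failing fast is a one-line guard after the assignment: `: "${RPC_ADMIN_PW_HASH:?adminPasswordHash missing from /rpc-secrets}"`. The diff references two new secret keys, `adminPasswordHash` here and `adminPassword` in the Deployment env, but creates neither, so they are presumably provisioned out of band and worth confirming before rollout. The shell block scalar starts and ends outside this hunk.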
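Review bot: Switching `RpcUsername` to `"flowercoreadmin"` and the password key to `adminPassword` moves every RPC call the web app makes, including the read model selected by `PreferRpcReadModel`, onto a credential that can ban and kick, so the impact of any defect in the web app or its MCP endpoint grows with it. If the app only needs write access for a few operations, consider keeping the readonly credential for reads; at minimum, document the decision next to the entry, e.g. `# Admin RPC identity: needed for ban/kick/topic; relies on the app's OIDC auth for access control` above `- name: FlowerCore__IRC__ServerManagement__RpcUsername`. The container env list continues outside this hunk.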
@@ -1485,7 +1518,31 @@ spec: - name: FlowerCore__Mcp__RoutePath value: "/mcp" - name: FlowerCore__Mcp__RequireAuthorization - value: "false" + value: "true" + - name: FlowerCore__Auth__Enabled + value: "true" + - name: FlowerCore__Auth__Oidc__Enabled + value: "true" + - name: FlowerCore__Auth__Oidc__Audience + value: "irc" + - name: FlowerCore__Auth__Oidc__Authority + valueFrom: + secretKeyRef: + name: irc-oidc-client + key: issuer_url + optional: true + - name: FlowerCore__Auth__Oidc__ClientId + valueFrom: + secretKeyRef: + name: irc-oidc-client + key: client_id + optional: true + - name: FlowerCore__Auth__Oidc__ClientSecret + valueFrom: + secretKeyRef: + name: irc-oidc-client + key: client_secret + optional: true resources: requests: cpu: 50m @@ -1572,3 +1629,21 @@ spec: port: 9000 tls: secretName: webirc-tls +--- +# Traefik IngressRoute - FlowerCore IRC Admin (irc-admin.iamworkin.lan) +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: irc-admin + namespace: irc +spec: + entryPoints: + - websecure + routes: + - match: Host(`irc-admin.iamworkin.lan`) + kind: Rule + services: + - name: irc-web + port: 80 + tls: + secretName: irc-admin-tls
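Review bot: All three OIDC values (`Authority`, `ClientId`, `ClientSecret`) come from `irc-oidc-client` with `optional: true`, so if that secret is absent the pod still starts with `FlowerCore__Auth__Enabled` and `FlowerCore__Auth__Oidc__Enabled` at `"true"` but no issuer or client; whether the app then fails closed or serves unauthenticated is not visible here, and this is the same change that exposes the admin route and moves the app to a write-capable RPC user. Removing the three `optional: true` lines makes a missing secret block pod creation instead, which is the safer failure mode for an auth dependency. If the optionality is deliberate for a staged rollout, a comment saying so and stating what the app does without an authority belongs on the `FlowerCore__Auth__Oidc__Authority` entry. The container env list starts outside this hunk.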
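Review bot: The new IngressRoute forwards the `irc-admin.iamworkin.lan` host rule straight to `irc-web` port 80 with no `middlewares` entry, so the only access control on the now-public admin surface is the application-level OIDC configured earlier in this commit. That may be intended, but the trust boundary should be stated in the manifest, e.g. `# No edge middleware: access control is the app's OIDC (FlowerCore__Auth__*); keep that secret mandatory` above `routes:`. The comment removed earlier in this diff said the route was held until a DNS A record for 10.0.57.202 could be created; the commit message does not say whether that gate was cleared, so it is worth confirming. The `irc-web` Service and its port 80 are not in this diff and are presumably pre-existing.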