Deploy IRC admin public auth route

This commit is contained in:
Andrew Stoltz
2026-06-19 20:54:21 -05:00
parent 4899ba9267
commit 56f73d68b9


@@ -55,6 +55,20 @@ spec:
dnsNames: dnsNames:
- webirc.iamworkin.lan - webirc.iamworkin.lan
--- ---
# TLS Certificate for FlowerCore IRC Admin
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: irc-admin-tls
namespace: irc
spec:
secretName: irc-admin-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- irc-admin.iamworkin.lan
---
# The Lounge configuration # The Lounge configuration
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@@ -684,6 +698,25 @@ data:
rpc-class flowercore-readonly; rpc-class flowercore-readonly;
} }
rpc-class flowercore-admin {
permissions {
rpc { info; set_issuer; }
server { list; get; }
channel { list; get; set_topic; kick; }
user { list; get; }
stats { get; }
server_ban { list; get; add; del; }
name_ban { list; get; add; del; }
log { subscribe; unsubscribe; }
}
}
rpc-user flowercoreadmin {
match { ip 10.*; }
password "__RPC_ADMIN_PASSWORD_HASH__";
rpc-class flowercore-admin;
}
drpass { drpass {
restart "__OPER_PASSWORD__"; restart "__OPER_PASSWORD__";
die "__OPER_PASSWORD__"; die "__OPER_PASSWORD__";
@@ -1033,7 +1066,7 @@ spec:
labels: labels:
app: unrealircd app: unrealircd
annotations: annotations:
flowercore.io/config-revision: "irc-r1-rpc-custom-readonly-20260619" flowercore.io/config-revision: "irc-admin-rpc-auth-20260620"
spec: spec:
initContainers: initContainers:
- name: inject-credentials - name: inject-credentials
@@ -1043,12 +1076,14 @@ spec:
- | - |
OPER_PW=$(cat /secrets/password) OPER_PW=$(cat /secrets/password)
RPC_PW_HASH=$(cat /rpc-secrets/passwordHash) RPC_PW_HASH=$(cat /rpc-secrets/passwordHash)
RPC_ADMIN_PW_HASH=$(cat /rpc-secrets/adminPasswordHash)
LINK_PW=$(cat /secrets/Link-Password) LINK_PW=$(cat /secrets/Link-Password)
CLOAK_KEY_1=$(cat /cloak-secrets/cloak-key-1) CLOAK_KEY_1=$(cat /cloak-secrets/cloak-key-1)
CLOAK_KEY_2=$(cat /cloak-secrets/cloak-key-2) CLOAK_KEY_2=$(cat /cloak-secrets/cloak-key-2)
CLOAK_KEY_3=$(cat /cloak-secrets/cloak-key-3) CLOAK_KEY_3=$(cat /cloak-secrets/cloak-key-3)
sed -e "s|__OPER_PASSWORD__|${OPER_PW}|g" \ sed -e "s|__OPER_PASSWORD__|${OPER_PW}|g" \
-e "s|__RPC_PASSWORD_HASH__|${RPC_PW_HASH}|g" \ -e "s|__RPC_PASSWORD_HASH__|${RPC_PW_HASH}|g" \
-e "s|__RPC_ADMIN_PASSWORD_HASH__|${RPC_ADMIN_PW_HASH}|g" \
-e "s|__LINK_PASSWORD__|${LINK_PW}|g" \ -e "s|__LINK_PASSWORD__|${LINK_PW}|g" \
-e "s|__CLOAK_KEY_1__|${CLOAK_KEY_1}|g" \ -e "s|__CLOAK_KEY_1__|${CLOAK_KEY_1}|g" \
-e "s|__CLOAK_KEY_2__|${CLOAK_KEY_2}|g" \ -e "s|__CLOAK_KEY_2__|${CLOAK_KEY_2}|g" \
@@ -1395,8 +1430,6 @@ spec:
storage: 1Gi storage: 1Gi
--- ---
# FlowerCore IRC management web app. # FlowerCore IRC management web app.
# External irc-admin.iamworkin.lan route is intentionally held until the
# FlowerCore.DNS default tenant onboarding gate allows a 10.0.57.202 A record.
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
@@ -1435,7 +1468,7 @@ spec:
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
containers: containers:
- name: web - name: web
image: localhost/fc-irc-web:v20260619-irc-logsub-259ca85 image: localhost/fc-irc-web:v20260620-irc-admin-54a3f5a
imagePullPolicy: Never imagePullPolicy: Never
ports: ports:
- containerPort: 5080 - containerPort: 5080
@@ -1470,12 +1503,12 @@ spec:
- name: FlowerCore__IRC__ServerManagement__RpcPath - name: FlowerCore__IRC__ServerManagement__RpcPath
value: "/api" value: "/api"
- name: FlowerCore__IRC__ServerManagement__RpcUsername - name: FlowerCore__IRC__ServerManagement__RpcUsername
value: "flowercorereadonly" value: "flowercoreadmin"
- name: FlowerCore__IRC__ServerManagement__RpcPassword - name: FlowerCore__IRC__ServerManagement__RpcPassword
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: unrealircd-rpc-credentials name: unrealircd-rpc-credentials
key: password key: adminPassword
- name: FlowerCore__IRC__ServerManagement__RpcAllowInvalidServerCertificate - name: FlowerCore__IRC__ServerManagement__RpcAllowInvalidServerCertificate
value: "true" value: "true"
- name: FlowerCore__IRC__ServerManagement__PreferRpcReadModel - name: FlowerCore__IRC__ServerManagement__PreferRpcReadModel
@@ -1485,7 +1518,31 @@ spec:
- name: FlowerCore__Mcp__RoutePath - name: FlowerCore__Mcp__RoutePath
value: "/mcp" value: "/mcp"
- name: FlowerCore__Mcp__RequireAuthorization - name: FlowerCore__Mcp__RequireAuthorization
value: "false" value: "true"
- name: FlowerCore__Auth__Enabled
value: "true"
- name: FlowerCore__Auth__Oidc__Enabled
value: "true"
- name: FlowerCore__Auth__Oidc__Audience
value: "irc"
- name: FlowerCore__Auth__Oidc__Authority
valueFrom:
secretKeyRef:
name: irc-oidc-client
key: issuer_url
optional: true
- name: FlowerCore__Auth__Oidc__ClientId
valueFrom:
secretKeyRef:
name: irc-oidc-client
key: client_id
optional: true
- name: FlowerCore__Auth__Oidc__ClientSecret
valueFrom:
secretKeyRef:
name: irc-oidc-client
key: client_secret
optional: true
resources: resources:
requests: requests:
cpu: 50m cpu: 50m
@@ -1572,3 +1629,21 @@ spec:
port: 9000 port: 9000
tls: tls:
secretName: webirc-tls secretName: webirc-tls
---
# Traefik IngressRoute - FlowerCore IRC Admin (irc-admin.iamworkin.lan)
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: irc-admin
namespace: irc
spec:
entryPoints:
- websecure
routes:
- match: Host(`irc-admin.iamworkin.lan`)
kind: Rule
services:
- name: irc-web
port: 80
tls:
secretName: irc-admin-tls
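Review bot: The three `optional: true` entries on the `irc-oidc-client` secretKeyRefs in hunk `@@ -1485,7 +1518,31 @@` let the pod start with `FlowerCore__Auth__Enabled` and `FlowerCore__Auth__Oidc__Enabled` both `"true"` but with no Authority, ClientId or ClientSecret in the environment, while the last hunk publishes the same pod on `irc-admin.iamworkin.lan` and hunk `@@ -1470,12 +1503,12 @@` switches its RPC identity to the `flowercoreadmin` user. Whether the app then rejects every request or runs with a half-configured OIDC setup cannot be told from this file, so the safer shape is to make the refs required by dropping the three `optional: true` lines: a missing secret then surfaces as a container start failure rather than as a publicly routed admin endpoint with uncertain auth. Two context lines deserve a look in the same light now that the admin credential is in play: `RpcAllowInvalidServerCertificate: "true"` disables server verification for the admin RPC session, and `rpc-user flowercoreadmin { match { ip 10.*; } }` accepts the admin password from the whole 10/8 range, which is presumably wider than the pod or service network the web app connects from.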