Deploy IRC admin public auth route

2026-06-19 20:54:21 -05:00
parent 4899ba9267
commit 56f73d68b9
1 changed files with 82 additions and 7 deletions
--- a/apps-gx10/irc/irc.yaml
+++ b/apps-gx10/irc/irc.yaml
@@ -55,6 +55,20 @@ spec:
  dnsNames:
    - webirc.iamworkin.lan
 ---
+# TLS Certificate for FlowerCore IRC Admin
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: irc-admin-tls
+  namespace: irc
+spec:
+  secretName: irc-admin-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - irc-admin.iamworkin.lan
+---
 # The Lounge configuration
 apiVersion: v1
 kind: ConfigMap
@@ -684,6 +698,25 @@ data:
      rpc-class flowercore-readonly;
    }

+    rpc-class flowercore-admin {
+      permissions {
+        rpc { info; set_issuer; }
+        server { list; get; }
+        channel { list; get; set_topic; kick; }
+        user { list; get; }
+        stats { get; }
+        server_ban { list; get; add; del; }
+        name_ban { list; get; add; del; }
+        log { subscribe; unsubscribe; }
+      }
+    }
+
+    rpc-user flowercoreadmin {
+      match { ip 10.*; }
+      password "__RPC_ADMIN_PASSWORD_HASH__";
+      rpc-class flowercore-admin;
+    }
+
    drpass {
      restart "__OPER_PASSWORD__";
      die "__OPER_PASSWORD__";
@@ -1033,7 +1066,7 @@ spec:
      labels:
        app: unrealircd
      annotations:
-        flowercore.io/config-revision: "irc-r1-rpc-custom-readonly-20260619"
+        flowercore.io/config-revision: "irc-admin-rpc-auth-20260620"
    spec:
      initContainers:
        - name: inject-credentials
@@ -1043,12 +1076,14 @@ spec:
            - |
              OPER_PW=$(cat /secrets/password)
              RPC_PW_HASH=$(cat /rpc-secrets/passwordHash)
+              RPC_ADMIN_PW_HASH=$(cat /rpc-secrets/adminPasswordHash)
              LINK_PW=$(cat /secrets/Link-Password)
              CLOAK_KEY_1=$(cat /cloak-secrets/cloak-key-1)
              CLOAK_KEY_2=$(cat /cloak-secrets/cloak-key-2)
              CLOAK_KEY_3=$(cat /cloak-secrets/cloak-key-3)
              sed -e "s|__OPER_PASSWORD__|${OPER_PW}|g" \
                   -e "s|__RPC_PASSWORD_HASH__|${RPC_PW_HASH}|g" \
+                   -e "s|__RPC_ADMIN_PASSWORD_HASH__|${RPC_ADMIN_PW_HASH}|g" \
                   -e "s|__LINK_PASSWORD__|${LINK_PW}|g" \
                   -e "s|__CLOAK_KEY_1__|${CLOAK_KEY_1}|g" \
                   -e "s|__CLOAK_KEY_2__|${CLOAK_KEY_2}|g" \
@@ -1395,8 +1430,6 @@ spec:
      storage: 1Gi
 ---
 # FlowerCore IRC management web app.
-# External irc-admin.iamworkin.lan route is intentionally held until the
-# FlowerCore.DNS default tenant onboarding gate allows a 10.0.57.202 A record.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -1435,7 +1468,7 @@ spec:
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: web
-          image: localhost/fc-irc-web:v20260619-irc-logsub-259ca85
+          image: localhost/fc-irc-web:v20260620-irc-admin-54a3f5a
          imagePullPolicy: Never
          ports:
            - containerPort: 5080
@@ -1470,12 +1503,12 @@ spec:
            - name: FlowerCore__IRC__ServerManagement__RpcPath
              value: "/api"
            - name: FlowerCore__IRC__ServerManagement__RpcUsername
-              value: "flowercorereadonly"
+              value: "flowercoreadmin"
            - name: FlowerCore__IRC__ServerManagement__RpcPassword
              valueFrom:
                secretKeyRef:
                  name: unrealircd-rpc-credentials
-                  key: password
+                  key: adminPassword
            - name: FlowerCore__IRC__ServerManagement__RpcAllowInvalidServerCertificate
              value: "true"
            - name: FlowerCore__IRC__ServerManagement__PreferRpcReadModel
@@ -1485,7 +1518,31 @@ spec:
            - name: FlowerCore__Mcp__RoutePath
              value: "/mcp"
            - name: FlowerCore__Mcp__RequireAuthorization
-              value: "false"
+              value: "true"
+            - name: FlowerCore__Auth__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Audience
+              value: "irc"
+            - name: FlowerCore__Auth__Oidc__Authority
+              valueFrom:
+                secretKeyRef:
+                  name: irc-oidc-client
+                  key: issuer_url
+                  optional: true
+            - name: FlowerCore__Auth__Oidc__ClientId
+              valueFrom:
+                secretKeyRef:
+                  name: irc-oidc-client
+                  key: client_id
+                  optional: true
+            - name: FlowerCore__Auth__Oidc__ClientSecret
+              valueFrom:
+                secretKeyRef:
+                  name: irc-oidc-client
+                  key: client_secret
+                  optional: true
          resources:
            requests:
              cpu: 50m
@@ -1572,3 +1629,21 @@ spec:
          port: 9000
  tls:
    secretName: webirc-tls
+---
+# Traefik IngressRoute - FlowerCore IRC Admin (irc-admin.iamworkin.lan)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: irc-admin
+  namespace: irc
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`irc-admin.iamworkin.lan`)
+      kind: Rule
+      services:
+        - name: irc-web
+          port: 80
+  tls:
+    secretName: irc-admin-tls