deploy(dns): enable production auth profile

2026-06-15 15:08:03 -05:00
parent 40fd35ba44
commit 6febe1fdb3
2 changed files with 94 additions and 7 deletions
--- a/apps/fc-dns/fc-dns.yaml
+++ b/apps/fc-dns/fc-dns.yaml
@@ -26,6 +26,17 @@ metadata:
 spec:
  itemPath: "vaults/IAmWorkin/items/dns-oidc-client"
 ---
+# Service X-Api-Key for the cert-manager ACME webhook -> dns-web call path.
+# The 1Password operator resolves this item into Secret/dns-api-keys; field
+# `api_key` becomes Secret key `api_key`.
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: dns-api-keys
+  namespace: fc-dns
+spec:
+  itemPath: "vaults/IAmWorkin/items/FlowerCore DNS API Keys"
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -48,7 +59,7 @@ data:
    {
        "FlowerCore": {
        "Auth": {
-          "Enabled": false,
+          "Enabled": true,
          "Oidc": {
            "Enabled": true,
            "Audience": "dns",
@@ -63,7 +74,7 @@ data:
        },
        "Tenant": {
          "DefaultTenantId": "default",
-          "JwtClaimsEnabled": false,
+          "JwtClaimsEnabled": true,
          "DefaultTenantHosts": [
            "dns.iamworkin.lan"
          ]
@@ -111,7 +122,7 @@ spec:
        fsGroup: 1654
      containers:
        - name: dns-web
-          image: localhost/fc-dns-web:v20260614-wave5-isolation-6124856
+          image: localhost/fc-dns-web:v20260615-phase0-hybrid-f77fb94
          imagePullPolicy: Never
          securityContext:
            readOnlyRootFilesystem: true
@@ -148,8 +159,14 @@ spec:
                  name: dns-oidc-client
                  key: client_secret
                  optional: true
+            - name: FlowerCore__Auth__ApiKey
+              valueFrom:
+                secretKeyRef:
+                  name: dns-api-keys
+                  key: api_key
+                  optional: true
            - name: FlowerCore__Auth__Enabled
-              value: "false"
+              value: "true"
            - name: FlowerCore__Auth__Oidc__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Audience
@@ -209,6 +226,42 @@ spec:
      targetPort: 5320
  type: ClusterIP
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: dns-web-ingress-isolation
+  namespace: fc-dns
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: dns-web
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik-system
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: fc-dns
+        - ipBlock:
+            cidr: 10.42.0.0/16
+        - ipBlock:
+            cidr: 10.0.56.0/24
+        - ipBlock:
+            cidr: 10.0.57.0/24
+        - ipBlock:
+            cidr: 10.0.58.0/24
+        - ipBlock:
+            cidr: 10.0.68.0/27
+      ports:
+        - port: 5320
+          protocol: TCP
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -303,7 +356,7 @@ spec:
        fsGroup: 1654
      containers:
        - name: dns-acme-webhook
-          image: localhost/fc-dns-acme-webhook:v20260614-wave5-isolation-6124856
+          image: localhost/fc-dns-acme-webhook:v20260615-phase0-hybrid-f77fb94
          imagePullPolicy: Never
          securityContext:
            readOnlyRootFilesystem: true
@@ -322,6 +375,12 @@ spec:
              value: /tls/tls.key
            - name: FlowerCore__Dns__AcmeWebhook__ServiceBaseUrl
              value: http://dns-web:5320
+            - name: FlowerCore__Dns__AcmeWebhook__ApiKey
+              valueFrom:
+                secretKeyRef:
+                  name: dns-api-keys
+                  key: api_key
+                  optional: true
            - name: FlowerCore__Dns__AcmeWebhook__GroupName
              value: acme.flowercore.io
            - name: FlowerCore__Dns__AcmeWebhook__SolverName
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -867,7 +867,7 @@ public sealed class FleetManifestLintTests
    {
        var deployments = new[]
        {
-            (App: "fc-dns", Name: "dns-web", Slug: "dns", Secret: "dns-oidc-client", AuthEnabled: "false"),
+            (App: "fc-dns", Name: "dns-web", Slug: "dns", Secret: "dns-oidc-client", AuthEnabled: "true"),
            (App: "fc-media", Name: "fc-media-web", Slug: "media", Secret: "media-oidc-client", AuthEnabled: "true"),
            (App: "fc-distribution", Name: "fc-distribution", Slug: "distribution", Secret: "distribution-oidc-client", AuthEnabled: "true"),
        };
@@ -918,6 +918,34 @@ public sealed class FleetManifestLintTests
        }
    }

+    [Fact]
+    public void DnsPhase0_UsesOnePasswordBackedAcmeApiKey()
+    {
+        var item = AppDocuments("fc-dns")
+            .Single(document => document.Kind == "OnePasswordItem" && document.Name == "dns-api-keys");
+        item.Scalar("spec", "itemPath").Should().Be("vaults/IAmWorkin/items/FlowerCore DNS API Keys");
+
+        var dnsWeb = AppDocuments("fc-dns")
+            .Single(document => document.Kind == "Deployment" && document.Name == "dns-web")
+            .MainContainerMappings()
+            .Should()
+            .ContainSingle()
+            .Subject;
+        EnvSecretName(dnsWeb, "FlowerCore__Auth__ApiKey").Should().Be("dns-api-keys");
+        EnvSecretKey(dnsWeb, "FlowerCore__Auth__ApiKey").Should().Be("api_key");
+        EnvSecretOptional(dnsWeb, "FlowerCore__Auth__ApiKey").Should().Be("true");
+
+        var webhook = AppDocuments("fc-dns")
+            .Single(document => document.Kind == "Deployment" && document.Name == "dns-acme-webhook")
+            .MainContainerMappings()
+            .Should()
+            .ContainSingle()
+            .Subject;
+        EnvSecretName(webhook, "FlowerCore__Dns__AcmeWebhook__ApiKey").Should().Be("dns-api-keys");
+        EnvSecretKey(webhook, "FlowerCore__Dns__AcmeWebhook__ApiKey").Should().Be("api_key");
+        EnvSecretOptional(webhook, "FlowerCore__Dns__AcmeWebhook__ApiKey").Should().Be("true");
+    }
+
    [Fact]
    public void DnsAndMediaGitOpsAdoption_PreservesLiveStorageAndImageShape()
    {
@@ -927,7 +955,7 @@ public sealed class FleetManifestLintTests
        var dnsPvc = AppDocuments("fc-dns")
            .Single(document => document.Kind == "PersistentVolumeClaim" && document.Name == "dns-web-data");

-        ManifestNodeExtensions.Scalar(dnsContainer, "image").Should().Be("localhost/fc-dns-web:v20260613-g5-quota-aa99bd1");
+        ManifestNodeExtensions.Scalar(dnsContainer, "image").Should().Be("localhost/fc-dns-web:v20260615-phase0-hybrid-f77fb94");
        dnsPvc.Scalar("spec", "storageClassName").Should().Be("longhorn");
        dnsPvc.Scalar("spec", "resources", "requests", "storage").Should().Be("1Gi");