From 6febe1fdb38efc11bacd4480154ab1169bc88898 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Mon, 15 Jun 2026 15:08:03 -0500
Subject: [PATCH] deploy(dns): enable production auth profile
---
 apps/fc-dns/fc-dns.yaml | 69 +++++++++++++++++-
 .../FleetManifestLintTests.cs | 32 ++++++++-
 2 files changed, 94 insertions(+), 7 deletions(-)
diff --git a/apps/fc-dns/fc-dns.yaml b/apps/fc-dns/fc-dns.yaml
index c57c0d5..03b795d 100644
--- a/apps/fc-dns/fc-dns.yaml
+++ b/apps/fc-dns/fc-dns.yaml
@@ -26,6 +26,17 @@ metadata:
 spec:
 itemPath: "vaults/IAmWorkin/items/dns-oidc-client"
 ---
+# Service X-Api-Key for the cert-manager ACME webhook -> dns-web call path.
+# The 1Password operator resolves this item into Secret/dns-api-keys; field
+# `api_key` becomes Secret key `api_key`.
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: dns-api-keys
+ namespace: fc-dns
+spec:
+ itemPath: "vaults/IAmWorkin/items/FlowerCore DNS API Keys"
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -48,7 +59,7 @@ data:
 {
 "FlowerCore": {
 "Auth": {
- "Enabled": false,
+ "Enabled": true,
 "Oidc": {
 "Enabled": true,
 "Audience": "dns",
@@ -63,7 +74,7 @@ data:
 },
 "Tenant": {
 "DefaultTenantId": "default",
- "JwtClaimsEnabled": false,
+ "JwtClaimsEnabled": true,
 "DefaultTenantHosts": [
 "dns.iamworkin.lan"
 ]
@@ -111,7 +122,7 @@ spec:
 fsGroup: 1654
 containers:
 - name: dns-web
- image: localhost/fc-dns-web:v20260614-wave5-isolation-6124856
+ image: localhost/fc-dns-web:v20260615-phase0-hybrid-f77fb94
 imagePullPolicy: Never
 securityContext:
 readOnlyRootFilesystem: true
@@ -148,8 +159,14 @@ spec:
 name: dns-oidc-client
 key: client_secret
 optional: true
+ - name: FlowerCore__Auth__ApiKey
+ valueFrom:
+ secretKeyRef:
+ name: dns-api-keys
+ key: api_key
+ optional: true
 - name: FlowerCore__Auth__Enabled
- value: "false"
+ value: "true"
 - name: FlowerCore__Auth__Oidc__Enabled
 value: "true"
 - name: FlowerCore__Auth__Oidc__Audience
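Review bot: The new OnePasswordItem addresses the vault entry by title, `itemPath: "vaults/IAmWorkin/items/FlowerCore DNS API Keys"`, and 1Password titles are mutable and not guaranteed unique within a vault, so a rename or a duplicate title stops the `dns-api-keys` Secret from syncing with no change to this manifest. The operator's itemPath also accepts the item's UUID, which survives renames, and the sibling `dns-oidc-client` entry at least uses a slug-like name that is less likely to be edited by hand. If the title form is kept, record the stable identifier next to it, `# 1Password item id: <ITEM-UUID> (title may change; do not rely on it)`, so the reference can be repaired without searching the vault.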
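Review bot: The `FlowerCore__Auth__ApiKey` reference on dns-web is `optional: true` in the same hunk that flips `FlowerCore__Auth__Enabled` to `"true"`, so if the `dns-api-keys` Secret is absent or lacks the `api_key` field the pod starts with the variable unset instead of failing at scheduling time; whether the application then rejects every key-authenticated call or treats an empty key as auth-off is decided by code not in this diff. The same pattern is repeated for the webhook's `FlowerCore__Dns__AcmeWebhook__ApiKey` in the @@ -322,6 +375,12 @@ hunk, and the new lint test pins both with `EnvSecretOptional(...).Should().Be("true")`, so the choice is now enforced rather than incidental. With auth enforced I would make at least the verifier side required, `optional: false` under the dns-web `secretKeyRef`, and update the test expectation to match; if optional is deliberate for first-sync ordering, say so in place: `# optional: pod may start before the 1Password sync; the app must fail closed on an empty key`.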
@@ -209,6 +226,42 @@ spec:
 targetPort: 5320
 type: ClusterIP
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: dns-web-ingress-isolation
+ namespace: fc-dns
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: dns-web
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: traefik-system
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: fc-dns
+ - ipBlock:
+ cidr: 10.42.0.0/16
+ - ipBlock:
+ cidr: 10.0.56.0/24
+ - ipBlock:
+ cidr: 10.0.57.0/24
+ - ipBlock:
+ cidr: 10.0.58.0/24
+ - ipBlock:
+ cidr: 10.0.68.0/27
+ ports:
+ - port: 5320
+ protocol: TCP
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -303,7 +356,7 @@ spec:
 fsGroup: 1654
 containers:
 - name: dns-acme-webhook
- image: localhost/fc-dns-acme-webhook:v20260614-wave5-isolation-6124856
+ image: localhost/fc-dns-acme-webhook:v20260615-phase0-hybrid-f77fb94
 imagePullPolicy: Never
 securityContext:
 readOnlyRootFilesystem: true
@@ -322,6 +375,12 @@ spec:
 value: /tls/tls.key
 - name: FlowerCore__Dns__AcmeWebhook__ServiceBaseUrl
 value: http://dns-web:5320
+ - name: FlowerCore__Dns__AcmeWebhook__ApiKey
+ valueFrom:
+ secretKeyRef:
+ name: dns-api-keys
+ key: api_key
+ optional: true
 - name: FlowerCore__Dns__AcmeWebhook__GroupName
 value: acme.flowercore.io
 - name: FlowerCore__Dns__AcmeWebhook__SolverName
diff --git a/tests/bluejay-infra-lint/FleetManifestLintTests.cs b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
index b3641f9..460db11 100644
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
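Review bot: The `ipBlock` peer for `10.42.0.0/16` in `dns-web-ingress-isolation` looks like a cluster pod CIDR (it is the k3s default), and if that is what it is, it admits every pod in every namespace to port 5320, which makes the traefik-system/`app.kubernetes.io/name: traefik` peer and the `fc-dns` namespace peer above it redundant and leaves the policy far less isolating than its name suggests. If the goal is to admit only traefik and the ACME webhook, the two selector peers already do that and the pod-CIDR block can be dropped; if a host-network or SNAT'd path genuinely needs it, the reason belongs in a comment, `# 10.42.0.0/16 = <reason>; this peer supersedes the selector peers above`. The four LAN ranges (10.0.56.0/24 through 10.0.58.0/24 and 10.0.68.0/27) likewise reach the pod without passing through traefik and carry no explanation in the manifest.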
@@ -867,7 +867,7 @@ public sealed class FleetManifestLintTests
 {
 var deployments = new[]
 {
- (App: "fc-dns", Name: "dns-web", Slug: "dns", Secret: "dns-oidc-client", AuthEnabled: "false"),
+ (App: "fc-dns", Name: "dns-web", Slug: "dns", Secret: "dns-oidc-client", AuthEnabled: "true"),
 (App: "fc-media", Name: "fc-media-web", Slug: "media", Secret: "media-oidc-client", AuthEnabled: "true"),
 (App: "fc-distribution", Name: "fc-distribution", Slug: "distribution", Secret: "distribution-oidc-client", AuthEnabled: "true"),
 };
@@ -918,6 +918,34 @@ public sealed class FleetManifestLintTests
 }
 }
 
+ [Fact]
+ public void DnsPhase0_UsesOnePasswordBackedAcmeApiKey()
+ {
+ var item = AppDocuments("fc-dns")
+ .Single(document => document.Kind == "OnePasswordItem" && document.Name == "dns-api-keys");
+ item.Scalar("spec", "itemPath").Should().Be("vaults/IAmWorkin/items/FlowerCore DNS API Keys");
+
+ var dnsWeb = AppDocuments("fc-dns")
+ .Single(document => document.Kind == "Deployment" && document.Name == "dns-web")
+ .MainContainerMappings()
+ .Should()
+ .ContainSingle()
+ .Subject;
+ EnvSecretName(dnsWeb, "FlowerCore__Auth__ApiKey").Should().Be("dns-api-keys");
+ EnvSecretKey(dnsWeb, "FlowerCore__Auth__ApiKey").Should().Be("api_key");
+ EnvSecretOptional(dnsWeb, "FlowerCore__Auth__ApiKey").Should().Be("true");
+
+ var webhook = AppDocuments("fc-dns")
+ .Single(document => document.Kind == "Deployment" && document.Name == "dns-acme-webhook")
+ .MainContainerMappings()
+ .Should()
+ .ContainSingle()
+ .Subject;
+ EnvSecretName(webhook, "FlowerCore__Dns__AcmeWebhook__ApiKey").Should().Be("dns-api-keys");
+ EnvSecretKey(webhook, "FlowerCore__Dns__AcmeWebhook__ApiKey").Should().Be("api_key");
+ EnvSecretOptional(webhook, "FlowerCore__Dns__AcmeWebhook__ApiKey").Should().Be("true");
+ }
+
 [Fact]
 public void DnsAndMediaGitOpsAdoption_PreservesLiveStorageAndImageShape()
 {
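Review bot: `AppDocuments("fc-dns")` is evaluated three separate times in `DnsPhase0_UsesOnePasswordBackedAcmeApiKey`, and if it reads and parses the manifest on each call (its definition is outside the diff) the test re-parses the same file for every lookup; assuming it returns an enumerable, a single `var dnsDocuments = AppDocuments("fc-dns").ToList();` reused by the three `.Single(...)` queries would read better and avoid that. The `.MainContainerMappings().Should().ContainSingle().Subject` chain is also repeated verbatim for the two deployments, which a small local function taking the deployment name would remove. Finally, the two `EnvSecretOptional(...).Should().Be("true")` assertions enshrine a deployment choice without saying why; a short comment above them, `// optional is intentional: <reason>; revisit once auth is enforced end-to-end`, would tell a future reader whether `true` is a requirement or merely a snapshot of the current manifest.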
@@ -927,7 +955,7 @@ public sealed class FleetManifestLintTests
 var dnsPvc = AppDocuments("fc-dns")
 .Single(document => document.Kind == "PersistentVolumeClaim" && document.Name == "dns-web-data");
- ManifestNodeExtensions.Scalar(dnsContainer, "image").Should().Be("localhost/fc-dns-web:v20260613-g5-quota-aa99bd1");
+ ManifestNodeExtensions.Scalar(dnsContainer, "image").Should().Be("localhost/fc-dns-web:v20260615-phase0-hybrid-f77fb94");
 dnsPvc.Scalar("spec", "storageClassName").Should().Be("longhorn");
 dnsPvc.Scalar("spec", "resources", "requests", "storage").Should().Be("1Gi");