deploy(dns): enable production auth profile

This commit is contained in:
Andrew Stoltz
2026-06-15 15:08:03 -05:00
parent 40fd35ba44
commit 6febe1fdb3
2 changed files with 94 additions and 7 deletions


@@ -26,6 +26,17 @@ metadata:
spec: spec:
itemPath: "vaults/IAmWorkin/items/dns-oidc-client" itemPath: "vaults/IAmWorkin/items/dns-oidc-client"
--- ---
# Service X-Api-Key for the cert-manager ACME webhook -> dns-web call path.
# The 1Password operator resolves this item into Secret/dns-api-keys; field
# `api_key` becomes Secret key `api_key`.
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
name: dns-api-keys
namespace: fc-dns
spec:
itemPath: "vaults/IAmWorkin/items/FlowerCore DNS API Keys"
---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
@@ -48,7 +59,7 @@ data:
{ {
"FlowerCore": { "FlowerCore": {
"Auth": { "Auth": {
"Enabled": false, "Enabled": true,
"Oidc": { "Oidc": {
"Enabled": true, "Enabled": true,
"Audience": "dns", "Audience": "dns",
@@ -63,7 +74,7 @@ data:
}, },
"Tenant": { "Tenant": {
"DefaultTenantId": "default", "DefaultTenantId": "default",
"JwtClaimsEnabled": false, "JwtClaimsEnabled": true,
"DefaultTenantHosts": [ "DefaultTenantHosts": [
"dns.iamworkin.lan" "dns.iamworkin.lan"
] ]
@@ -111,7 +122,7 @@ spec:
fsGroup: 1654 fsGroup: 1654
containers: containers:
- name: dns-web - name: dns-web
image: localhost/fc-dns-web:v20260614-wave5-isolation-6124856 image: localhost/fc-dns-web:v20260615-phase0-hybrid-f77fb94
imagePullPolicy: Never imagePullPolicy: Never
securityContext: securityContext:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
@@ -148,8 +159,14 @@ spec:
name: dns-oidc-client name: dns-oidc-client
key: client_secret key: client_secret
optional: true optional: true
- name: FlowerCore__Auth__ApiKey
valueFrom:
secretKeyRef:
name: dns-api-keys
key: api_key
optional: true
- name: FlowerCore__Auth__Enabled - name: FlowerCore__Auth__Enabled
value: "false" value: "true"
- name: FlowerCore__Auth__Oidc__Enabled - name: FlowerCore__Auth__Oidc__Enabled
value: "true" value: "true"
- name: FlowerCore__Auth__Oidc__Audience - name: FlowerCore__Auth__Oidc__Audience
@@ -209,6 +226,42 @@ spec:
targetPort: 5320 targetPort: 5320
type: ClusterIP type: ClusterIP
--- ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: dns-web-ingress-isolation
namespace: fc-dns
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: dns-web
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: traefik-system
podSelector:
matchLabels:
app.kubernetes.io/name: traefik
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: fc-dns
- ipBlock:
cidr: 10.42.0.0/16
- ipBlock:
cidr: 10.0.56.0/24
- ipBlock:
cidr: 10.0.57.0/24
- ipBlock:
cidr: 10.0.58.0/24
- ipBlock:
cidr: 10.0.68.0/27
ports:
- port: 5320
protocol: TCP
---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
@@ -303,7 +356,7 @@ spec:
fsGroup: 1654 fsGroup: 1654
containers: containers:
- name: dns-acme-webhook - name: dns-acme-webhook
image: localhost/fc-dns-acme-webhook:v20260614-wave5-isolation-6124856 image: localhost/fc-dns-acme-webhook:v20260615-phase0-hybrid-f77fb94
imagePullPolicy: Never imagePullPolicy: Never
securityContext: securityContext:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
@@ -322,6 +375,12 @@ spec:
value: /tls/tls.key value: /tls/tls.key
- name: FlowerCore__Dns__AcmeWebhook__ServiceBaseUrl - name: FlowerCore__Dns__AcmeWebhook__ServiceBaseUrl
value: http://dns-web:5320 value: http://dns-web:5320
- name: FlowerCore__Dns__AcmeWebhook__ApiKey
valueFrom:
secretKeyRef:
name: dns-api-keys
key: api_key
optional: true
- name: FlowerCore__Dns__AcmeWebhook__GroupName - name: FlowerCore__Dns__AcmeWebhook__GroupName
value: acme.flowercore.io value: acme.flowercore.io
- name: FlowerCore__Dns__AcmeWebhook__SolverName - name: FlowerCore__Dns__AcmeWebhook__SolverName
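Review bot: Both new secretKeyRef entries for the service API key are declared `optional: true` (the dns-web `FlowerCore__Auth__ApiKey` env in the -148 hunk and the webhook `FlowerCore__Dns__AcmeWebhook__ApiKey` env in the -322 hunk), while the same commit flips `FlowerCore__Auth__Enabled` to `"true"`. If the 1Password operator has not yet materialised Secret/dns-api-keys, both pods will still start with the variable unset, so the webhook → dns-web call would presumably fail only at request time (when a certificate is issued or renewed) rather than at rollout, and nothing in the manifest surfaces that. Since the key now gates an enabled auth path, `optional: false` on both references makes the dependency explicit and turns a missing secret into a visible scheduling failure; if the pods genuinely must tolerate a missing key during bootstrap, the reason belongs in the comment above the OnePasswordItem, e.g. `# optional: the key is tolerated as absent only until the item first syncs; the call path is unauthenticated-and-rejected until then`. The new lint test in the C# file pins the optional value to `"true"` and would need the same change.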


@@ -867,7 +867,7 @@ public sealed class FleetManifestLintTests
{ {
var deployments = new[] var deployments = new[]
{ {
(App: "fc-dns", Name: "dns-web", Slug: "dns", Secret: "dns-oidc-client", AuthEnabled: "false"), (App: "fc-dns", Name: "dns-web", Slug: "dns", Secret: "dns-oidc-client", AuthEnabled: "true"),
(App: "fc-media", Name: "fc-media-web", Slug: "media", Secret: "media-oidc-client", AuthEnabled: "true"), (App: "fc-media", Name: "fc-media-web", Slug: "media", Secret: "media-oidc-client", AuthEnabled: "true"),
(App: "fc-distribution", Name: "fc-distribution", Slug: "distribution", Secret: "distribution-oidc-client", AuthEnabled: "true"), (App: "fc-distribution", Name: "fc-distribution", Slug: "distribution", Secret: "distribution-oidc-client", AuthEnabled: "true"),
}; };
@@ -918,6 +918,34 @@ public sealed class FleetManifestLintTests
} }
} }
[Fact]
public void DnsPhase0_UsesOnePasswordBackedAcmeApiKey()
{
var item = AppDocuments("fc-dns")
.Single(document => document.Kind == "OnePasswordItem" && document.Name == "dns-api-keys");
item.Scalar("spec", "itemPath").Should().Be("vaults/IAmWorkin/items/FlowerCore DNS API Keys");
var dnsWeb = AppDocuments("fc-dns")
.Single(document => document.Kind == "Deployment" && document.Name == "dns-web")
.MainContainerMappings()
.Should()
.ContainSingle()
.Subject;
EnvSecretName(dnsWeb, "FlowerCore__Auth__ApiKey").Should().Be("dns-api-keys");
EnvSecretKey(dnsWeb, "FlowerCore__Auth__ApiKey").Should().Be("api_key");
EnvSecretOptional(dnsWeb, "FlowerCore__Auth__ApiKey").Should().Be("true");
var webhook = AppDocuments("fc-dns")
.Single(document => document.Kind == "Deployment" && document.Name == "dns-acme-webhook")
.MainContainerMappings()
.Should()
.ContainSingle()
.Subject;
EnvSecretName(webhook, "FlowerCore__Dns__AcmeWebhook__ApiKey").Should().Be("dns-api-keys");
EnvSecretKey(webhook, "FlowerCore__Dns__AcmeWebhook__ApiKey").Should().Be("api_key");
EnvSecretOptional(webhook, "FlowerCore__Dns__AcmeWebhook__ApiKey").Should().Be("true");
}
[Fact] [Fact]
public void DnsAndMediaGitOpsAdoption_PreservesLiveStorageAndImageShape() public void DnsAndMediaGitOpsAdoption_PreservesLiveStorageAndImageShape()
{ {
@@ -927,7 +955,7 @@ public sealed class FleetManifestLintTests
var dnsPvc = AppDocuments("fc-dns") var dnsPvc = AppDocuments("fc-dns")
.Single(document => document.Kind == "PersistentVolumeClaim" && document.Name == "dns-web-data"); .Single(document => document.Kind == "PersistentVolumeClaim" && document.Name == "dns-web-data");
ManifestNodeExtensions.Scalar(dnsContainer, "image").Should().Be("localhost/fc-dns-web:v20260613-g5-quota-aa99bd1"); ManifestNodeExtensions.Scalar(dnsContainer, "image").Should().Be("localhost/fc-dns-web:v20260615-phase0-hybrid-f77fb94");
dnsPvc.Scalar("spec", "storageClassName").Should().Be("longhorn"); dnsPvc.Scalar("spec", "storageClassName").Should().Be("longhorn");
dnsPvc.Scalar("spec", "resources", "requests", "storage").Should().Be("1Gi"); dnsPvc.Scalar("spec", "resources", "requests", "storage").Should().Be("1Gi");