diff --git a/apps/fc-distribution/fc-distribution.yaml b/apps/fc-distribution/fc-distribution.yaml
index d331bd8..88e0618 100644
--- a/apps/fc-distribution/fc-distribution.yaml
+++ b/apps/fc-distribution/fc-distribution.yaml
@@ -130,6 +130,24 @@ spec:
 value: "Production"
 - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
 value: "false"
+ # Authentik/OIDC enforcement (flipped ON 2026-06-04, no-live-proof per operator;
+ # public read/entitlement + Method() allowlist stay open — OIDC gates admin only).
+ - name: FlowerCore__Auth__Enabled
+ value: "true"
+ - name: FlowerCore__Auth__Oidc__Enabled
+ value: "true"
+ - name: FlowerCore__Auth__Oidc__Authority
+ value: "https://id.iamworkin.lan/application/o/distribution/"
+ - name: FlowerCore__Auth__Oidc__Audience
+ value: "distribution"
+ - name: FlowerCore__Auth__Oidc__ClientId
+ value: "distribution"
+ - name: FlowerCore__Auth__Oidc__ClientSecret
+ valueFrom:
+ secretKeyRef:
+ name: distribution-oidc-client
+ key: client_secret
+ optional: true
 # SQLite connection (catalog + data-protection keys via FlowerCoreDbContext).
 # Read by Data/DatabaseProviderExtensions.cs in precedence order; Sqlite key wins.
 - name: FlowerCore__Database__Provider
diff --git a/apps/knowledge/knowledge.yaml b/apps/knowledge/knowledge.yaml
index 442dfcc..b5fa027 100644
--- a/apps/knowledge/knowledge.yaml
+++ b/apps/knowledge/knowledge.yaml
@@ -127,7 +127,7 @@ spec:
 # knowledge-oidc-client Secret is provisioned and
 # FlowerCore__Auth__Enabled is flipped to true.
 - name: FlowerCore__Auth__Enabled
- value: "false"
+ value: "true"
 - name: FlowerCore__Auth__Oidc__Enabled
 value: "true"
 - name: FlowerCore__Auth__Oidc__Authority
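Review bot: `optional: true` on the `distribution-oidc-client` secretKeyRef means the pod still starts with `FlowerCore__Auth__Enabled` and `FlowerCore__Auth__Oidc__Enabled` both `"true"` but with no `FlowerCore__Auth__Oidc__ClientSecret` whenever that Secret has not been provisioned, so a missing secret surfaces at first admin login instead of at rollout. Whether the application fails closed on an empty client secret is not visible from this hunk; unless that is known, delete `optional: true` under `secretKeyRef` so the Deployment fails fast, or extend the new comment with why the secret is deliberately optional. The comment also records `no-live-proof per operator`, so a line naming how the admin gate is to be verified once live would help the next reader. The env list continues outside the hunk.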
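Review bot: The context comment directly above the changed line (it starts outside the hunk) still reads `# FlowerCore__Auth__Enabled is flipped to true.` as a pending condition, so after this change it describes the current state as something that has not happened yet. Update it to record the flip, in the style the same commit uses for apps/fc-distribution/fc-distribution.yaml, e.g. `# Authentik/OIDC enforcement flipped ON <DATE> once knowledge-oidc-client was provisioned.` Whether the knowledge-oidc-client Secret reference carries `optional: true` is not visible here; if it does, the same fail-fast concern as in fc-distribution applies, since both `FlowerCore__Auth__Enabled` and `FlowerCore__Auth__Oidc__Enabled` are now `"true"`. The env list continues outside the hunk.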