From 9a58fd2af65d96c129159cb4da1f0f106948eac9 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Wed, 3 Jun 2026 23:38:48 -0500
Subject: [PATCH] oidc: flip enforcement ON for knowledge + distribution (no-live-proof, fix-forward)
Operator 2026-06-04: nothing is production yet, flip OIDC + fix-forward (no browser-proof gate). knowledge: Auth__Enabled false->true (OIDC env already wired). distribution: add OIDC env block (Authority/Audience/ClientId=distribution, ClientSecret from distribution-oidc-client) + Enabled=true; public read/entitlement + Method() allowlist stay open (OIDC gates admin only). Clients already provisioned (secrets present). ArgoCD deploys both.
Co-Authored-By: Claude Opus 4.8
---
 apps/fc-distribution/fc-distribution.yaml | 18 ++++++++++++++++++
 apps/knowledge/knowledge.yaml | 2 +-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/apps/fc-distribution/fc-distribution.yaml b/apps/fc-distribution/fc-distribution.yaml
index d331bd8..88e0618 100644
--- a/apps/fc-distribution/fc-distribution.yaml
+++ b/apps/fc-distribution/fc-distribution.yaml 
@@ -130,6 +130,24 @@ spec:
 value: "Production"
 - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
 value: "false"
+ # Authentik/OIDC enforcement (flipped ON 2026-06-04, no-live-proof per operator;
+ # public read/entitlement + Method() allowlist stay open — OIDC gates admin only).
+ - name: FlowerCore__Auth__Enabled
+ value: "true"
+ - name: FlowerCore__Auth__Oidc__Enabled
+ value: "true"
+ - name: FlowerCore__Auth__Oidc__Authority
+ value: "https://id.iamworkin.lan/application/o/distribution/"
+ - name: FlowerCore__Auth__Oidc__Audience
+ value: "distribution"
+ - name: FlowerCore__Auth__Oidc__ClientId
+ value: "distribution"
+ - name: FlowerCore__Auth__Oidc__ClientSecret
+ valueFrom:
+ secretKeyRef:
+ name: distribution-oidc-client
+ key: client_secret
+ optional: true
 # SQLite connection (catalog + data-protection keys via FlowerCoreDbContext).
 # Read by Data/DatabaseProviderExtensions.cs in precedence order; Sqlite key wins.
 - name: FlowerCore__Database__Provider
diff --git a/apps/knowledge/knowledge.yaml b/apps/knowledge/knowledge.yaml
index 442dfcc..b5fa027 100644
--- a/apps/knowledge/knowledge.yaml
+++ b/apps/knowledge/knowledge.yaml
@@ -127,7 +127,7 @@ spec:
 # knowledge-oidc-client Secret is provisioned and
 # FlowerCore__Auth__Enabled is flipped to true.
 - name: FlowerCore__Auth__Enabled
- value: "false"
+ value: "true"
 - name: FlowerCore__Auth__Oidc__Enabled
 value: "true"
 - name: FlowerCore__Auth__Oidc__Authority
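Review bot: `optional: true` on the `secretKeyRef` for `FlowerCore__Auth__Oidc__ClientSecret` means a pod with `FlowerCore__Auth__Enabled: "true"` still starts when the `distribution-oidc-client` Secret or its `client_secret` key is missing, so a misprovisioned environment degrades at request time instead of failing at scheduling. The commit message states the client secrets are already present, so the flag no longer covers a pre-provisioning window; dropping the `optional: true` line makes a missing secret block the container at startup, which is the safer failure mode once enforcement is on. Whether the application treats an empty ClientSecret as fatal cannot be confirmed from the manifest alone. The knowledge.yaml env block touched by the second hunk may carry the same `optional: true` outside that hunk; if so the same change applies there.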
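Review bot: The context comment directly above the flipped line, `# knowledge-oidc-client Secret is provisioned and` / `# FlowerCore__Auth__Enabled is flipped to true.`, is phrased as a precondition for a future flip that this commit now performs, so it goes stale on merge. Replace it with a statement of the current state, e.g. `# OIDC enforcement ON since 2026-06-04 (knowledge-oidc-client Secret provisioned).`; the beginning of that comment is outside the hunk, so its full wording cannot be checked here.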