deploy(irc): enable readonly UnrealIRCd RPC on GX10

2026-06-19 17:42:34 -05:00
parent 2dee33f21d
commit 9ea463ba11
1 changed files with 45 additions and 3 deletions
--- a/apps-gx10/irc/irc.yaml
+++ b/apps-gx10/irc/irc.yaml
@@ -4,7 +4,8 @@
 #
 # GX10 adaptations vs OLD bluejay-infra/apps/irc/irc.yaml:
 #   - OnePasswordItem REPLACED by directly-copied Secrets (no OnePassword operator on GX10).
-#     irc-credentials is applied separately; cloak keys are injected from unrealircd-cloak-keys.
+#     irc-credentials and unrealircd-rpc-credentials are applied separately; cloak keys
+#     are injected from unrealircd-cloak-keys.
 #   - unrealircd image -> localhost/fc-unrealircd:6.1.9.1-arm64 (built on GX10 from
 #     DjLegolas/unrealircd-docker, alpine:3.19 base, UnrealIRCd 6.1.9.1 from source;
 #     djlegolas/unrealircd:6.1.9.1 on Docker Hub is amd64-ONLY -> would crashloop on arm64).
@@ -587,6 +588,7 @@ data:
    /* Credentials injected from copied K8s secret at pod startup */

    include "modules.default.conf";
+    include "rpc.modules.default.conf";
    include "help/help.conf";
    include "operclass.default.conf";
    include "snomasks.default.conf";
@@ -636,6 +638,12 @@ data:
      port 6667;
    }

+    listen {
+      ip *;
+      port 8600;
+      options { rpc; }
+    }
+
    listen {
      ip *;
      port 6697;
@@ -658,6 +666,12 @@ data:
      class opers;
    }

+    rpc-user flowercore-readonly {
+      match { ip 10.42.*; }
+      password "__RPC_PASSWORD__";
+      rpc-class readonly;
+    }
+
    drpass {
      restart "__OPER_PASSWORD__";
      die "__OPER_PASSWORD__";
@@ -1014,11 +1028,13 @@ spec:
          args:
            - |
              OPER_PW=$(cat /secrets/password)
+              RPC_PW=$(cat /rpc-secrets/password)
              LINK_PW=$(cat /secrets/Link-Password)
              CLOAK_KEY_1=$(cat /cloak-secrets/cloak-key-1)
              CLOAK_KEY_2=$(cat /cloak-secrets/cloak-key-2)
              CLOAK_KEY_3=$(cat /cloak-secrets/cloak-key-3)
              sed -e "s|__OPER_PASSWORD__|${OPER_PW}|g" \
+                   -e "s|__RPC_PASSWORD__|${RPC_PW}|g" \
                   -e "s|__LINK_PASSWORD__|${LINK_PW}|g" \
                   -e "s|__CLOAK_KEY_1__|${CLOAK_KEY_1}|g" \
                   -e "s|__CLOAK_KEY_2__|${CLOAK_KEY_2}|g" \
@@ -1029,6 +1045,9 @@ spec:
            - name: irc-credentials
              mountPath: /secrets
              readOnly: true
+            - name: unrealircd-rpc-credentials
+              mountPath: /rpc-secrets
+              readOnly: true
            - name: unrealircd-cloak-keys
              mountPath: /cloak-secrets
              readOnly: true
@@ -1067,6 +1086,8 @@ spec:
              name: irc-tls
            - containerPort: 8067
              name: services-link
+            - containerPort: 8600
+              name: rpc
          volumeMounts:
            - name: injected-config
              mountPath: /app/conf/unrealircd.conf
@@ -1090,6 +1111,9 @@ spec:
        - name: irc-credentials
          secret:
            secretName: irc-credentials
+        - name: unrealircd-rpc-credentials
+          secret:
+            secretName: unrealircd-rpc-credentials
        - name: unrealircd-cloak-keys
          secret:
            secretName: unrealircd-cloak-keys
@@ -1263,7 +1287,7 @@ spec:
          configMap:
            name: thelounge-flowercore-theme
 ---
-# UnrealIRCd internal Service (anope uplink 8067 + in-cluster 6667 for thelounge)
+# UnrealIRCd internal Service (anope uplink 8067 + in-cluster 6667 for thelounge + in-cluster JSON-RPC)
 apiVersion: v1
 kind: Service
 metadata:
@@ -1282,6 +1306,9 @@ spec:
    - port: 8067
      targetPort: 8067
      name: services-link
+    - port: 8600
+      targetPort: 8600
+      name: rpc
 ---
 # UnrealIRCd external LoadBalancer — exposes IRC TCP 6667/6697 on the GX10 PROD MetalLB pool.
 # (Replaces OLD's Traefik irc/irctls entryPoints; GX10 Traefik has no such entryPoints.)
@@ -1394,7 +1421,7 @@ spec:
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: web
-          image: localhost/fc-irc-web:v20260619-irc2-trust-010f526
+          image: localhost/fc-irc-web:v20260619-irc-r1-rpc-01f67be
          imagePullPolicy: Never
          ports:
            - containerPort: 5080
@@ -1422,6 +1449,21 @@ spec:
              value: "irc.iamworkin.lan"
            - name: FlowerCore__IRC__ServerManagement__TlsPort
              value: "6697"
+            - name: FlowerCore__IRC__ServerManagement__RpcEnabled
+              value: "true"
+            - name: FlowerCore__IRC__ServerManagement__RpcBaseUrl
+              value: "http://unrealircd.irc.svc.cluster.local:8600"
+            - name: FlowerCore__IRC__ServerManagement__RpcPath
+              value: "/api"
+            - name: FlowerCore__IRC__ServerManagement__RpcUsername
+              value: "flowercore-readonly"
+            - name: FlowerCore__IRC__ServerManagement__RpcPassword
+              valueFrom:
+                secretKeyRef:
+                  name: unrealircd-rpc-credentials
+                  key: password
+            - name: FlowerCore__IRC__ServerManagement__PreferRpcReadModel
+              value: "true"
            - name: FlowerCore__Mcp__ServiceName
              value: "fc-irc"
            - name: FlowerCore__Mcp__RoutePath