feat(auth): route oidc client secrets for s57 flips

apps/fc-distribution/fc-distribution.yaml

@@ -74,6 +74,14 @@ metadata:
 spec:
   itemPath: "vaults/IAmWorkin/items/FlowerCore Edition Signing Key - edition:aistation-field"
 ---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: distribution-oidc-client
+  namespace: fc-distribution
+spec:
+  itemPath: "vaults/IAmWorkin/items/distribution-oidc-client"
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -130,6 +138,30 @@ spec:
               value: "Production"
             - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
               value: "false"
+            - name: FlowerCore__Auth__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Authority
+              valueFrom:
+                secretKeyRef:
+                  name: distribution-oidc-client
+                  key: issuer_url
+                  optional: true
+            - name: FlowerCore__Auth__Oidc__Audience
+              value: "distribution"
+            - name: FlowerCore__Auth__Oidc__ClientId
+              valueFrom:
+                secretKeyRef:
+                  name: distribution-oidc-client
+                  key: client_id
+                  optional: true
+            - name: FlowerCore__Auth__Oidc__ClientSecret
+              valueFrom:
+                secretKeyRef:
+                  name: distribution-oidc-client
+                  key: client_secret
+                  optional: true
             # SQLite connection (catalog + data-protection keys via FlowerCoreDbContext).
             # Read by Data/DatabaseProviderExtensions.cs in precedence order; Sqlite key wins.
             - name: FlowerCore__Database__Provider

apps/knowledge/knowledge.yaml

@@ -51,6 +51,14 @@ metadata:
 spec:
   itemPath: "vaults/IAmWorkin/items/FlowerCore Knowledge MCP Tokens"
 ---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: knowledge-oidc-client
+  namespace: knowledge
+spec:
+  itemPath: "vaults/IAmWorkin/items/knowledge-oidc-client"
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -124,24 +132,37 @@ spec:
             - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
               value: "false"
             # AuthentiK/OIDC is wired but not enforced until the
-            # knowledge-oidc-client Secret is provisioned and
+            # knowledge-oidc-client Secret is provisioned. Service-to-service
-            # FlowerCore__Auth__Enabled is flipped to true.
+            # RAG keeps the existing MCP token as FlowerCore:Auth:ApiKey.
             - name: FlowerCore__Auth__Enabled
-              value: "false"
+              value: "true"
             - name: FlowerCore__Auth__Oidc__Enabled
               value: "true"
             - name: FlowerCore__Auth__Oidc__Authority
-              value: "https://id.iamworkin.lan/application/o/knowledge/"
+              valueFrom:
+                secretKeyRef:
+                  name: knowledge-oidc-client
+                  key: issuer_url
+                  optional: true
             - name: FlowerCore__Auth__Oidc__Audience
               value: "knowledge"
             - name: FlowerCore__Auth__Oidc__ClientId
-              value: "knowledge"
+              valueFrom:
+                secretKeyRef:
+                  name: knowledge-oidc-client
+                  key: client_id
+                  optional: true
             - name: FlowerCore__Auth__Oidc__ClientSecret
               valueFrom:
                 secretKeyRef:
                   name: knowledge-oidc-client
                   key: client_secret
                   optional: true
+            - name: FlowerCore__Auth__ApiKey
+              valueFrom:
+                secretKeyRef:
+                  name: knowledge-mcp-tokens
+                  key: password
             # Vector-store directory + embedding model + edition profile dir.
             # Profile JSON is baked into the image at /home/app/editions via the
             # csproj Content-link from FlowerCore.Common/editions/.