2026-03-21 14:34:23 +00:00
#[macro_use]
pub mod error;
feat: ServiceClient trait, HttpTransport, and SunbeamClient factory
Foundation layer for unified service client wrappers:
- AuthMethod enum (None, Bearer, Header, Token)
- ServiceClient trait with service_name(), base_url(), from_parts()
- HttpTransport with json(), json_opt(), send(), bytes() helpers
- SunbeamClient lazy factory with OnceLock-cached per-service clients
- Feature flags for all service modules (identity, gitea, matrix, etc.)
Bump: sunbeam-sdk v0.2.0
2026-03-21 20:11:22 +00:00
pub mod client;
2026-03-21 14:34:23 +00:00
pub mod auth;
pub mod checks;
pub mod cluster;
pub mod config;
pub mod constants;
pub mod gitea;
pub mod images;
pub mod kube;
pub mod manifests;
pub mod openbao;
pub mod output;
pub mod pm;
feat(sdk): dynamic service registry from K8s labels
Adds `sunbeam_sdk::registry`, the discovery layer that the new
service-oriented CLI commands use to resolve names like "hydra",
"auth", or "ory" into the right Kubernetes resources.
Instead of duplicating service definitions in Rust code, the registry
queries Deployments, StatefulSets, DaemonSets, and ConfigMaps that
carry the `sunbeam.pt/service` label and reads everything else from
labels and annotations:
- sunbeam.pt/service / sunbeam.pt/category — required, the primary keys
- sunbeam.pt/display-name — human-readable label for status output
- sunbeam.pt/kv-path — OpenBao KV v2 path (for `sunbeam secrets <svc>`)
- sunbeam.pt/db-user / sunbeam.pt/db-name — CNPG postgres credentials
- sunbeam.pt/build-target — buildkit target for `sunbeam build`
- sunbeam.pt/depends-on — comma-separated dependency names
- sunbeam.pt/health-check — pod-ready / cnpg / seal-status / HTTP path
- sunbeam.pt/virtual=true — for ConfigMap-only "external" services
`ServiceRegistry::resolve(input)` does name → category → namespace
matching in that order, so `sunbeam logs hydra`, `sunbeam restart auth`,
and `sunbeam status ory` all work uniformly.
Multi-deployment services (e.g. messages-{backend,mta-in,mta-out})
share a service label and the registry merges them into a single
ServiceDefinition with multiple `deployments`.
Includes 14 unit tests covering name/category/namespace resolution,
case-insensitivity, virtual services, and the empty registry case.
2026-04-07 17:52:26 +01:00
pub mod registry;
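The resolution order and multi-deployment merge described in the registry commit message, as an added example that is not the SDK's own code. `ServiceDef`, `Workload`, `build`, `resolve` and the sample categories and namespaces are hypothetical stand-ins, and skipping a workload that lacks a required label is an assumption.

```rust
use std::collections::BTreeMap;

const SVC: &str = "sunbeam.pt/service";
const CAT: &str = "sunbeam.pt/category";
// Hypothetical stand-ins; the SDK's own ServiceDefinition is not shown on this page.
struct ServiceDef { name: String, category: String, namespace: String, deployments: Vec<String> }
struct Workload<'a> { resource: &'a str, namespace: &'a str, labels: &'a [(&'a str, &'a str)] }
fn label<'a>(w: &Workload<'a>, key: &str) -> Option<&'a str> {
    w.labels.iter().find(|(k, _)| *k == key).map(|(_, v)| *v)
}

// Merge workloads that share a service label; assumption: one missing a required label is skipped.
fn build(workloads: &[Workload]) -> Vec<ServiceDef> {
    let mut by_name: BTreeMap<String, ServiceDef> = BTreeMap::new();
    for w in workloads {
        let (Some(svc), Some(cat)) = (label(w, SVC), label(w, CAT)) else { continue };
        let def = by_name.entry(svc.to_lowercase()).or_insert_with(|| ServiceDef {
            name: svc.to_lowercase(), category: cat.to_lowercase(),
            namespace: w.namespace.to_lowercase(), deployments: Vec::new(),
        });
        def.deployments.push(w.resource.to_string());
    }
    by_name.into_values().collect()
}

// Tiers are tried in order: name, then category, then namespace; the first with a match wins.
fn resolve<'a>(services: &'a [ServiceDef], input: &str) -> Vec<&'a ServiceDef> {
    let q = input.trim().to_lowercase();
    for tier in 0..3 {
        let hits: Vec<&ServiceDef> = services.iter()
            .filter(|s| [&s.name, &s.category, &s.namespace][tier] == &q).collect();
        if !hits.is_empty() { return hits; }
    }
    Vec::new()
}

// Constructed sample; categories and namespaces are illustrative, not read from a cluster.
fn sample() -> Vec<ServiceDef> {
    build(&[
        Workload { resource: "hydra", namespace: "ory", labels: &[(SVC, "hydra"), (CAT, "auth")] },
        Workload { resource: "kratos", namespace: "ory", labels: &[(SVC, "Kratos"), (CAT, "auth")] },
        Workload { resource: "messages-backend", namespace: "lasuite", labels: &[(SVC, "messages"), (CAT, "mail")] },
        Workload { resource: "messages-mta-in", namespace: "lasuite", labels: &[(SVC, "messages"), (CAT, "mail")] },
        Workload { resource: "unlabelled", namespace: "ory", labels: &[(SVC, "orphan")] },
    ])
}

fn main() {
    for s in resolve(&sample(), "auth") { println!("{} {:?}", s.name, s.deployments); }
}
```

Because the first matching tier wins, a service whose name equals an existing category or namespace shadows it; a registry built from labels inherits whatever naming collisions the labels contain.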
2026-03-21 14:34:23 +00:00
pub mod secrets;
pub mod services;
pub mod update;
pub mod users;
feat: encrypted vault keystore, JWT auth, Drive upload
Vault keystore (vault_keystore.rs):
- AES-256-GCM encrypted local storage for root tokens + unseal keys
- Argon2id KDF with machine-specific salt, 0600 permissions
- save/load/verify/export API with 26 unit tests
- Integrated into seed flow: save after init, load as fallback,
backfill from cluster, restore K8s Secret if wiped
Vault CLI:
- vault reinit: wipe and re-initialize vault with confirmation
- vault keys: show local keystore status
- vault export-keys: plaintext export for machine migration
- vault status: now shows keystore status + uses JWT auth
- Fixed seal_status() bypassing request() (missing auth headers)
Vault OIDC auth:
- JWT auth method enabled on OpenBao via seed script
- cli-admin role: full access for users with admin:true JWT claim
- cli-reader role: read-only for non-admin SSO users
- BaoClient.with_proxy_auth(): sends both Bearer (proxy) and
X-Vault-Token (vault) headers
- SunbeamClient.bao() authenticates via JWT login, falls back
to local keystore root token
Drive:
- SDK client uses /items/ endpoint (was /files/ and /folders/)
- Added create_child, upload_ended, upload_to_s3 methods
- Added recursive drive upload command (--path, --folder-id)
- Switched all La Suite clients to /external_api/v1.0/
Infrastructure:
- Removed openbao-keys-placeholder.yaml from kustomization
- Added sunbeam.dev/managed-by label to programmatic secrets
- kv_patch→kv_put fallback for fresh vault initialization
- Hydra/Kratos secrets combined (new,old) for key rotation
2026-03-24 12:09:01 +00:00
pub mod vault_keystore;
feat: ServiceClient trait, HttpTransport, and SunbeamClient factory
Foundation layer for unified service client wrappers:
- AuthMethod enum (None, Bearer, Header, Token)
- ServiceClient trait with service_name(), base_url(), from_parts()
- HttpTransport with json(), json_opt(), send(), bytes() helpers
- SunbeamClient lazy factory with OnceLock-cached per-service clients
- Feature flags for all service modules (identity, gitea, matrix, etc.)
Bump: sunbeam-sdk v0.2.0
2026-03-21 20:11:22 +00:00
// Feature-gated service client modules
#[cfg(feature = "identity")]
pub mod identity;
#[cfg(feature = "matrix")]
pub mod matrix;
#[cfg(feature = "opensearch")]
pub mod search;
#[cfg(feature = "s3")]
pub mod storage;
#[cfg(feature = "livekit")]
pub mod media;
#[cfg(feature = "monitoring")]
pub mod monitoring;
#[cfg(feature = "build")]
pub mod build;