- Add matrix to MANAGED_NS and tuwunel to restart/build targets
- Add post-apply hooks for matrix namespace:
- _patch_tuwunel_oauth2_redirect: reads client_id from hydra-maester
Secret and patches OAuth2Client redirectUris dynamically
- _inject_opensearch_model_id: reads model_id from ingest pipeline
and writes to ConfigMap for tuwunel deployment env var injection
- Add post-apply hook for data namespace:
- _ensure_opensearch_ml: idempotently registers/deploys all-mpnet-base-v2
(768-dim) model, creates ingest + hybrid search pipelines
- Add tuwunel secrets to OpenBao seed (OIDC, TURN, registration token)
- Refactor secret seeding to only write dirty paths (avoid VSO churn)
- Add ACME email fallback from config when not provided via CLI flag
- Add usage: sunbeam config [-h] action ...
positional arguments:
action
set Set configuration values
get Get current configuration
clear Clear configuration
options:
-h, --help show this help message and exit subcommand with set/get/clear actions
- Store configuration in with production_host and infra_directory
- Integrate with production environment detection, prioritizing config over SUNBEAM_SSH_HOST
- Add comprehensive test coverage with 11 new tests
- Update CLI help and error messages for better user experience
sunbeam apply [namespace] builds the full kustomize overlay (preserving
all image substitutions and patches) then filters the output to only
resources in the given namespace before applying. Cleanup and ConfigMap
restart detection are also scoped to the target namespace.
- manifests.py: _filter_by_namespace(), scoped pre_apply_cleanup()
- cli.py: namespace positional arg for apply; meet added to build choices
- tests: 17 new tests covering filter logic and CLI dispatch
- Add cmd_user_disable: disables Kratos identity (state: inactive) and
revokes all sessions. Provides emergency lockout — user cannot log in
again; existing Django app sessions expire within SESSION_COOKIE_AGE (1h).
- Add cmd_user_enable: re-enables a previously disabled identity.
- Wire disable/enable as subcommands of 'sunbeam user'.
- Fix cmd_user_list: table() args were swapped and result was not printed.
Builds the integration-service Docker image from the sunbeam/ root
context (needs both integration/packages/ for the widget source and
integration-service/ for nginx config and logos), pushes to Gitea,
pre-seeds into k3s containerd, and rolls the deployment.
kube.py: kube_exec now accepts an optional container= kwarg so callers
can target a specific container in Linkerd-injected pods (where exec
would otherwise land in the linkerd-proxy sidecar instead of the app).
Used by check_valkey (container="valkey") and check_openbao
(container="openbao").
kube.py + cli.py: new cmd_k8s / sunbeam k8s verb — transparent
kubectl --context=sunbeam passthrough for one-off cluster operations.
Returns kubectl's exit code directly.
