studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
265a68d85f2a76a4e750bf4eb799fcd07e33984e
sbbb/base/matrix/hydra-oauth2client.yaml

23 lines
652 B
YAML
Raw Normal View History

feat(matrix): add tuwunel Matrix homeserver deployment manifests Kubernetes manifests for tuwunel — a Rust Matrix homeserver using RocksDB for storage. Includes deployment, service, PVC, ConfigMap (tuwunel.toml), Hydra OAuth2Client for SSO, and Vault secrets for credentials injection. Key design decisions: - enableServiceLinks: false to prevent K8s TUWUNEL_* env var conflicts - strategy: Recreate for RocksDB exclusive lock (no rolling updates) - Identity provider configured entirely via env vars (client_id/secret from hydra-maester Secret, not hardcoded) - OpenSearch model_id injected via ConfigMap from CLI post-apply hook - SSO-only auth (login_with_password=false, single_sso=true) - OpenSearch hybrid neural+BM25 search (768-dim, all-mpnet-base-v2)
2026-03-10 18:52:21 +00:00
# Tuwunel OIDC client — registered with Hydra via hydra-maester.
# Hydra Maester creates K8s Secret "oidc-tuwunel" in the matrix namespace
# with CLIENT_ID and CLIENT_SECRET keys.
# redirectUri is patched post-apply by sunbeam CLI (requires client_id
# from the hydra-maester-generated secret).
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: tuwunel
namespace: matrix
spec:
clientName: Matrix
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
scope: openid email profile
redirectUris: []
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-tuwunel
skipConsent: true
Reference in New Issue Copy Permalink