base/ory/kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# namespace: ory removed — all non-Helm resources already set namespace: ory
# explicitly, and the Helm charts use namespace: ory in their helmCharts spec.
# The kustomization-level transformer was incorrectly moving hydra-maester's
# enabledNamespaces Role (meant for lasuite) into the ory namespace, causing
# a duplicate-name conflict.

resources:
  - namespace.yaml
  - kratos-admin-deployment.yaml
  # Hydra chart CRDs are not rendered by helm template; apply manually.
  - hydra-oauth2client-crd.yaml
  - vault-secrets.yaml
  - ory-alertrules.yaml
  - hydra-servicemonitor.yaml
  - kratos-servicemonitor.yaml

patches:
  # Set Kratos selfservice UI URLs (DOMAIN_SUFFIX substituted at apply time).
  - path: kratos-selfservice-urls.yaml

  # The hydra-maester sub-chart does not set .Release.Namespace in its Deployment template.
  - patch: |
      - op: add
        path: /metadata/namespace
        value: ory
    target:
      kind: Deployment
      name: hydra-hydra-maester

helmCharts:
  # helm repo add ory https://k8s.ory.sh/helm/charts
  - name: kratos
    repo: https://k8s.ory.sh/helm/charts
    version: "0.60.1"
    releaseName: kratos
    namespace: ory
    valuesFile: kratos-values.yaml

  - name: hydra
    repo: https://k8s.ory.sh/helm/charts
    version: "0.60.1"
    releaseName: hydra
    namespace: ory
    valuesFile: hydra-values.yaml
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets 2026-02-28 13:42:27 +00:00			`apiVersion: kustomize.config.k8s.io/v1beta1`
			`kind: Kustomization`

fix: correct Pingora upstream ports and kustomize namespace conflict pingora-config.yaml: kratos-public and people-backend K8s Services expose port 80, not 4433/8000. The wrong ports caused Pingora to return timeouts for /kratos/* and all people.* routes. ory/kustomization.yaml: remove kustomization-level namespace: ory transformer. All non-Helm resources already declare namespace: ory explicitly. The transformer was incorrectly moving hydra-maester's enabledNamespaces Role (generated for the lasuite namespace) into ory, producing a duplicate-name conflict during kustomize build. 2026-03-03 00:57:58 +00:00			`# namespace: ory removed — all non-Helm resources already set namespace: ory`
			`# explicitly, and the Helm charts use namespace: ory in their helmCharts spec.`
			`# The kustomization-level transformer was incorrectly moving hydra-maester's`
			`# enabledNamespaces Role (meant for lasuite) into the ory namespace, causing`
			`# a duplicate-name conflict.`
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets 2026-02-28 13:42:27 +00:00
			`resources:`
			`- namespace.yaml`
feat(ory): add kratos-admin-ui service Deploy the custom Kratos admin UI (Deno/Hono + Cunningham React): - K8s Deployment + Service in ory namespace - VSO VaultStaticSecret for cookie/csrf/admin-identity-ids secrets - Pingora route for admin.DOMAIN_SUFFIX 2026-03-03 11:30:52 +00:00			`- kratos-admin-deployment.yaml`
feat: bring up local dev stack — all services running - Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations, OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars - SeaweedFS: added s3.json credentials file via -s3.config CLI flag - OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret - OpenSearch: increased memory to 1.5Gi / JVM 1g heap - Gitea: SSL_MODE disable, S3 bucket creation fixed - Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk) - LiveKit: API keys in values, hostPort conflict resolved - Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs - All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node Full stack running: postgres, valkey, openbao, opensearch, seaweedfs, kratos, hydra, gitea, livekit, hive (placeholder), login-ui 2026-02-28 22:08:38 +00:00			`# Hydra chart CRDs are not rendered by helm template; apply manually.`
			`- hydra-oauth2client-crd.yaml`
feat(ory): replace hardcoded DSN + secrets with OpenBao DB engine + VSO All Ory service credentials now flow from OpenBao through VSO instead of being hardcoded in Helm values or Deployment env vars. Kratos: - Remove config.dsn; flip secret.enabled=false with nameOverride pointing at kratos-app-secrets (a VSO-managed Secret with secretsDefault, secretsCookie, smtpConnectionURI). - Inject DSN at runtime via deployment.extraEnv from kratos-db-creds (VaultDynamicSecret backed by OpenBao database static role, 24h rotation). Hydra: - Remove config.dsn; inject DSN via deployment.extraEnv from hydra-db-creds (VaultDynamicSecret, same rotation scheme). Login UI: - Replace hardcoded COOKIE_SECRET/CSRF_COOKIE_SECRET env var values with secretKeyRef reads from login-ui-secrets (VaultStaticSecret → secret/login-ui). vault-secrets.yaml adds: VaultAuth, Hydra VSS, kratos-app-secrets VSS, login-ui-secrets VSS, kratos-db-creds VDS, hydra-db-creds VDS. 2026-03-02 18:32:33 +00:00			`- vault-secrets.yaml`
feat: add PrometheusRule alerts for all services 28 alert rules across 9 PrometheusRule files covering infrastructure (Longhorn, cert-manager), data (PostgreSQL, OpenBao, OpenSearch), storage (SeaweedFS), devtools (Gitea), identity (Hydra, Kratos), media (LiveKit), and mesh (Linkerd golden signals for all services). Severity routing: critical alerts fire to Matrix + email, warnings to Matrix only (AlertManager config updated in separate commit). 2026-03-24 12:20:55 +00:00			`- ory-alertrules.yaml`
			`- hydra-servicemonitor.yaml`
			`- kratos-servicemonitor.yaml`
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets 2026-02-28 13:42:27 +00:00
fix(ory): re-enable hydra-maester, fix namespace, add memory limit 2026-02-28 14:02:47 +00:00			`patches:`
feat(infra): data, storage, devtools, and ory layer updates - data: CNPG cluster tuning, OpenBao values, OpenSearch deployment fixes, OpenSearch PVC, barman vault secret for S3 backup credentials - storage: SeaweedFS filer updates (s3.json via secret subPath), PVC for filer persistent storage - devtools: Gitea values (SSH service, custom theme), gitea-theme-cm ConfigMap - ory: add kratos-selfservice-urls.yaml for self-service flow URLs - media: LiveKit values updated (TURN config, STUN, resource limits) - vso: kustomization cleanup 2026-03-06 12:07:28 +00:00			`# Set Kratos selfservice UI URLs (DOMAIN_SUFFIX substituted at apply time).`
			`- path: kratos-selfservice-urls.yaml`

			`# The hydra-maester sub-chart does not set .Release.Namespace in its Deployment template.`
fix(ory): re-enable hydra-maester, fix namespace, add memory limit 2026-02-28 14:02:47 +00:00			`- patch: \|`
			`- op: add`
			`path: /metadata/namespace`
			`value: ory`
			`target:`
			`kind: Deployment`
			`name: hydra-hydra-maester`

chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets 2026-02-28 13:42:27 +00:00			`helmCharts:`
			`# helm repo add ory https://k8s.ory.sh/helm/charts`
			`- name: kratos`
			`repo: https://k8s.ory.sh/helm/charts`
			`version: "0.60.1"`
			`releaseName: kratos`
			`namespace: ory`
			`valuesFile: kratos-values.yaml`

			`- name: hydra`
			`repo: https://k8s.ory.sh/helm/charts`
			`version: "0.60.1"`
			`releaseName: hydra`
			`namespace: ory`
			`valuesFile: hydra-values.yaml`