base/lasuite/messages-config.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: messages-config
  namespace: lasuite
data:
  DJANGO_CONFIGURATION:          Production
  DJANGO_SETTINGS_MODULE:        messages.settings
  DJANGO_ALLOWED_HOSTS:          mail.DOMAIN_SUFFIX,messages-backend.lasuite.svc.cluster.local
  ALLOWED_HOSTS:                 mail.DOMAIN_SUFFIX,messages-backend.lasuite.svc.cluster.local
  DJANGO_CSRF_TRUSTED_ORIGINS:   https://mail.DOMAIN_SUFFIX
  DB_NAME:                       messages_db
  DB_USER:                       messages
  OPENSEARCH_URL:                http://opensearch.data.svc.cluster.local:9200
  MDA_API_BASE_URL:              http://messages-backend.lasuite.svc.cluster.local:80/api/v1.0/
  MYHOSTNAME:                    mail.DOMAIN_SUFFIX
  # rspamd URL (auth token injected separately from messages-mpa-credentials secret)
  SPAM_RSPAMD_URL:               http://messages-mpa.lasuite.svc.cluster.local:8010/_api
  MESSAGES_FRONTEND_BACKEND_SERVER: messages-backend.lasuite.svc.cluster.local:80
  STORAGE_MESSAGE_IMPORTS_BUCKET_NAME:  sunbeam-messages-imports
  STORAGE_MESSAGE_IMPORTS_ENDPOINT_URL: http://seaweedfs-filer.storage.svc.cluster.local:8333
  AWS_STORAGE_BUCKET_NAME:       sunbeam-messages
  IDENTITY_PROVIDER:             oidc
  FRONTEND_THEME:                default
  DRIVE_BASE_URL:                https://drive.DOMAIN_SUFFIX
  LOGIN_REDIRECT_URL:            https://mail.DOMAIN_SUFFIX
  LOGOUT_REDIRECT_URL:           https://mail.DOMAIN_SUFFIX
  OIDC_REDIRECT_ALLOWED_HOSTS:   '["https://auth.DOMAIN_SUFFIX"]'
  MTA_OUT_MODE:                  direct
  # Create user accounts on first OIDC login (required — no pre-provisioning)
  OIDC_CREATE_USER:              "True"
  # Redirect to home on auth failure (avoids HttpResponseRedirect(None) → /callback/None 404)
  LOGIN_REDIRECT_URL_FAILURE:    https://mail.DOMAIN_SUFFIX
  # Store OIDC tokens in session so the Drive integration can proxy requests on behalf of the user.
  OIDC_STORE_ACCESS_TOKEN:       "True"
  OIDC_STORE_REFRESH_TOKEN:      "True"
  # Session lives 7 days — long enough to survive overnight/weekend without re-auth.
  # Default is 43200 (12h) which forces a login after a browser restart.
  SESSION_COOKIE_AGE:            "604800"
  # Renew the id token 60 s before it expires (access_token TTL = 1h).
  # Without this the default falls back to SESSION_COOKIE_AGE (7 days), which means
  # every request sees the 1h token as "expiring within 7 days" and triggers a
  # prompt=none renewal on every page load — causing repeated auth loops.
  OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS: "60"
  # offline_access scope is set directly in the deployment env (overrides lasuite-oidc-provider envFrom).
feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates - Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS proxy, worker, DKIM config, and theme customization - Add Collabora deployment for document collaboration - Add Drive frontend nginx config and values - Add buildkitd namespace for in-cluster container builds - Add SeaweedFS remote sync and additional S3 buckets - Update vault secrets across namespaces (devtools, lasuite, media, monitoring, ory, storage) with expanded credential management - Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus remote write and additional scrape configs - Update local/production overlays with resource patches - Remove stale login-ui resource patch from production overlay 2026-03-10 19:00:57 +00:00			`apiVersion: v1`
			`kind: ConfigMap`
			`metadata:`
			`name: messages-config`
			`namespace: lasuite`
			`data:`
			`DJANGO_CONFIGURATION: Production`
			`DJANGO_SETTINGS_MODULE: messages.settings`
			`DJANGO_ALLOWED_HOSTS: mail.DOMAIN_SUFFIX,messages-backend.lasuite.svc.cluster.local`
			`ALLOWED_HOSTS: mail.DOMAIN_SUFFIX,messages-backend.lasuite.svc.cluster.local`
			`DJANGO_CSRF_TRUSTED_ORIGINS: https://mail.DOMAIN_SUFFIX`
			`DB_NAME: messages_db`
			`DB_USER: messages`
			`OPENSEARCH_URL: http://opensearch.data.svc.cluster.local:9200`
			`MDA_API_BASE_URL: http://messages-backend.lasuite.svc.cluster.local:80/api/v1.0/`
			`MYHOSTNAME: mail.DOMAIN_SUFFIX`
			`# rspamd URL (auth token injected separately from messages-mpa-credentials secret)`
			`SPAM_RSPAMD_URL: http://messages-mpa.lasuite.svc.cluster.local:8010/_api`
			`MESSAGES_FRONTEND_BACKEND_SERVER: messages-backend.lasuite.svc.cluster.local:80`
			`STORAGE_MESSAGE_IMPORTS_BUCKET_NAME: sunbeam-messages-imports`
			`STORAGE_MESSAGE_IMPORTS_ENDPOINT_URL: http://seaweedfs-filer.storage.svc.cluster.local:8333`
			`AWS_STORAGE_BUCKET_NAME: sunbeam-messages`
			`IDENTITY_PROVIDER: oidc`
			`FRONTEND_THEME: default`
			`DRIVE_BASE_URL: https://drive.DOMAIN_SUFFIX`
			`LOGIN_REDIRECT_URL: https://mail.DOMAIN_SUFFIX`
			`LOGOUT_REDIRECT_URL: https://mail.DOMAIN_SUFFIX`
			`OIDC_REDIRECT_ALLOWED_HOSTS: '["https://auth.DOMAIN_SUFFIX"]'`
			`MTA_OUT_MODE: direct`
			`# Create user accounts on first OIDC login (required — no pre-provisioning)`
			`OIDC_CREATE_USER: "True"`
			`# Redirect to home on auth failure (avoids HttpResponseRedirect(None) → /callback/None 404)`
			`LOGIN_REDIRECT_URL_FAILURE: https://mail.DOMAIN_SUFFIX`
			`# Store OIDC tokens in session so the Drive integration can proxy requests on behalf of the user.`
			`OIDC_STORE_ACCESS_TOKEN: "True"`
			`OIDC_STORE_REFRESH_TOKEN: "True"`
			`# Session lives 7 days — long enough to survive overnight/weekend without re-auth.`
			`# Default is 43200 (12h) which forces a login after a browser restart.`
			`SESSION_COOKIE_AGE: "604800"`
			`# Renew the id token 60 s before it expires (access_token TTL = 1h).`
			`# Without this the default falls back to SESSION_COOKIE_AGE (7 days), which means`
			`# every request sees the 1h token as "expiring within 7 days" and triggers a`
			`# prompt=none renewal on every page load — causing repeated auth loops.`
			`OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS: "60"`
			`# offline_access scope is set directly in the deployment env (overrides lasuite-oidc-provider envFrom).`