diff --git a/base/lasuite/docs-frontend-nginx-configmap.yaml b/base/lasuite/docs-frontend-nginx-configmap.yaml
deleted file mode 100644
index 4db6cbf..0000000
--- a/base/lasuite/docs-frontend-nginx-configmap.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# nginx config for docs-frontend.
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: docs-frontend-nginx-conf
- namespace: lasuite
-data:
- default.conf: |
- server {
- listen 8080;
- listen 3000;
- server_name localhost;
-
- root /app;
-
- gzip off;
- sub_filter_once off;
- sub_filter_types text/html application/javascript;
- sub_filter '' '';
-
- location / {
- try_files $uri index.html $uri/index.html =404;
- add_header X-Frame-Options DENY always;
- }
-
- location ~ "^/docs/[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}/?$" {
- try_files $uri /docs/[id]/index.html;
- add_header X-Frame-Options DENY always;
- }
-
- error_page 404 /404.html;
- location = /404.html {
- internal;
- }
- }
diff --git a/base/lasuite/docs-values.yaml b/base/lasuite/docs-values.yaml
deleted file mode 100644
index bc6e9ee..0000000
--- a/base/lasuite/docs-values.yaml
+++ /dev/null
@@ -1,191 +0,0 @@
-# La Suite Numérique — Docs (impress chart).
-# Env vars use the chart's dict-based envVars schema:
-# string value → rendered as env.value
-# map value → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
-# DOMAIN_SUFFIX is substituted by sed at deploy time.
-#
-# Required secrets (created by seed script):
-# oidc-docs — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
-# docs-db-credentials — password (VaultDynamicSecret, DB engine)
-# docs-django-secret — DJANGO_SECRET_KEY (VaultStaticSecret)
-# seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
-
-fullnameOverride: docs
-
-backend:
- createsuperuser:
- # No superuser — users authenticate via OIDC.
- # The chart always renders this Job; override command so it exits 0.
- command: ["true"]
-
- envVars: &backendEnvVars
- # ── Database ──────────────────────────────────────────────────────────────
- DB_NAME: docs_db
- DB_USER: docs
- DB_HOST:
- configMapKeyRef:
- name: lasuite-postgres
- key: DB_HOST
- DB_PORT:
- configMapKeyRef:
- name: lasuite-postgres
- key: DB_PORT
- DB_ENGINE:
- configMapKeyRef:
- name: lasuite-postgres
- key: DB_ENGINE
- DB_PASSWORD:
- secretKeyRef:
- name: docs-db-credentials
- key: password
-
- # ── Redis / Celery ────────────────────────────────────────────────────────
- REDIS_URL:
- configMapKeyRef:
- name: lasuite-valkey
- key: REDIS_URL
- CELERY_BROKER_URL:
- configMapKeyRef:
- name: lasuite-valkey
- key: CELERY_BROKER_URL
-
- # ── S3 ────────────────────────────────────────────────────────────────────
- AWS_STORAGE_BUCKET_NAME: sunbeam-docs
- AWS_S3_ENDPOINT_URL:
- configMapKeyRef:
- name: lasuite-s3
- key: AWS_S3_ENDPOINT_URL
- AWS_S3_REGION_NAME:
- configMapKeyRef:
- name: lasuite-s3
- key: AWS_S3_REGION_NAME
- AWS_DEFAULT_ACL:
- configMapKeyRef:
- name: lasuite-s3
- key: AWS_DEFAULT_ACL
- AWS_ACCESS_KEY_ID:
- secretKeyRef:
- name: seaweedfs-s3-credentials
- key: S3_ACCESS_KEY
- AWS_SECRET_ACCESS_KEY:
- secretKeyRef:
- name: seaweedfs-s3-credentials
- key: S3_SECRET_KEY
-
- # ── OIDC (Hydra) ──────────────────────────────────────────────────────────
- OIDC_RP_CLIENT_ID:
- secretKeyRef:
- name: oidc-docs
- key: CLIENT_ID
- OIDC_RP_CLIENT_SECRET:
- secretKeyRef:
- name: oidc-docs
- key: CLIENT_SECRET
- OIDC_RP_SIGN_ALGO:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_RP_SIGN_ALGO
- OIDC_RP_SCOPES:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_RP_SCOPES
- OIDC_OP_JWKS_ENDPOINT:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_OP_JWKS_ENDPOINT
- OIDC_OP_AUTHORIZATION_ENDPOINT:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_OP_AUTHORIZATION_ENDPOINT
- OIDC_OP_TOKEN_ENDPOINT:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_OP_TOKEN_ENDPOINT
- OIDC_OP_USER_ENDPOINT:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_OP_USER_ENDPOINT
- OIDC_OP_LOGOUT_ENDPOINT:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_OP_LOGOUT_ENDPOINT
- OIDC_VERIFY_SSL:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_VERIFY_SSL
-
- # ── Django ────────────────────────────────────────────────────────────────
- DJANGO_SECRET_KEY:
- secretKeyRef:
- name: docs-django-secret
- key: DJANGO_SECRET_KEY
- DJANGO_CONFIGURATION: Production
- FRONTEND_THEME: estudio
- ALLOWED_HOSTS: docs.DOMAIN_SUFFIX
- DJANGO_ALLOWED_HOSTS: docs.DOMAIN_SUFFIX
- DJANGO_CSRF_TRUSTED_ORIGINS: https://docs.DOMAIN_SUFFIX
- LOGIN_REDIRECT_URL: /
- LOGOUT_REDIRECT_URL: /
- FRONTEND_HOMEPAGE_FEATURE_ENABLED: "false"
- # Low cache timeout so theme changes propagate without pod restarts.
- THEME_CUSTOMIZATION_CACHE_TIMEOUT: "30"
- # 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
- # Lockout window: disabled identity cannot re-auth within 1h of expiry.
- SESSION_COOKIE_AGE: "3600"
-
- # ── Y-Provider ────────────────────────────────────────────────────────────
- # Shared secret for backend ↔ y-provider auth.
- COLLABORATION_SERVER_SECRET:
- secretKeyRef:
- name: docs-collaboration-secret
- key: secret
- COLLABORATION_SERVER_URL: http://docs-y-provider.lasuite.svc.cluster.local:4444
-
- themeCustomization:
- enabled: true
- # La Gaufre v2: point at our self-hosted integration service.
- # DOMAIN_SUFFIX is substituted by kustomize_build at deploy time.
- file_content:
- header:
- logo: {}
- icon:
- src: "https://integration.DOMAIN_SUFFIX/logos/docs.svg?v=2"
- style:
- width: "32px"
- height: "auto"
- alt: ""
- withTitle: true
- css_url: "https://integration.DOMAIN_SUFFIX/api/v2/theme.css"
- waffle:
- apiUrl: "https://integration.DOMAIN_SUFFIX/api/v2/services.json"
- widgetPath: "https://integration.DOMAIN_SUFFIX/api/v2/lagaufre.js"
- label: "O Estúdio"
- closeLabel: "Fechar"
- newWindowLabelSuffix: " · nova janela"
-
-frontend:
- envVars:
- NEXT_PUBLIC_API_URL: https://docs.DOMAIN_SUFFIX
- NEXT_PUBLIC_COLLABORATION_WS_URL: wss://docs.DOMAIN_SUFFIX/collaboration/ws/
-
-yProvider:
- envVars:
- # Shared secret so y-provider can verify requests from the backend.
- COLLABORATION_SERVER_SECRET:
- secretKeyRef:
- name: docs-collaboration-secret
- key: secret
- # Impress backend URL for document access verification.
- APP_URL: http://docs-backend.lasuite.svc.cluster.local:80
-
-ingress:
- enabled: false
-
-ingressCollaborationWS:
- enabled: false
-
-ingressAdmin:
- enabled: false
-
-ingressMedia:
- enabled: false
diff --git a/base/lasuite/integration-deployment.yaml b/base/lasuite/integration-deployment.yaml
index c86d1ef..80ed247 100644
--- a/base/lasuite/integration-deployment.yaml
+++ b/base/lasuite/integration-deployment.yaml
@@ -1,7 +1,7 @@
# La Gaufre integration service — O Estúdio app launcher (La Gaufre v2).
# Serves the lagaufre.js v2 widget, SVG logos, and the v2 services API.
-# Apps load gaufre.js (via people-frontend sub_filter) which in turn initialises
-# the v2 widget with the button already rendered by @gouvfr-lasuite/ui-kit.
+# Apps load gaufre.js which in turn initialises the v2 widget with the
+# button already rendered by @gouvfr-lasuite/ui-kit.
#
# Image: src.DOMAIN_SUFFIX/studio/integration:latest
# Built from sunbeam/integration-service/ (context: sunbeam/ root)
diff --git a/base/lasuite/kustomization.yaml b/base/lasuite/kustomization.yaml
index 9e595c4..230451a 100644
--- a/base/lasuite/kustomization.yaml
+++ b/base/lasuite/kustomization.yaml
@@ -14,7 +14,6 @@ resources:
- oidc-clients.yaml
- vault-secrets.yaml
- integration-deployment.yaml
- - people-frontend-nginx-configmap.yaml
- collabora-deployment.yaml
- collabora-service.yaml
- meet-config.yaml
@@ -55,8 +54,6 @@ resources:
- projects-deployment.yaml
patches:
- # Rewrite hardcoded production integration URL + inject theme CSS in people-frontend
- - path: patch-people-frontend-nginx.yaml
# Mount media auth proxy nginx config in drive-frontend
- path: patch-drive-frontend-nginx.yaml
# Wait for Collabora + run trigger_wopi_configuration on every Drive pod start
@@ -66,14 +63,6 @@ patches:
# Charts with a published Helm repo use helmCharts below.
# find has no published repo yet — deploy manually when OpenSearch is ready.
helmCharts:
- # helm repo add people https://suitenumerique.github.io/people/
- - name: desk
- repo: https://suitenumerique.github.io/people/
- version: "0.0.7"
- releaseName: people
- namespace: lasuite
- valuesFile: people-values.yaml
-
# helm repo add drive https://suitenumerique.github.io/drive/
- name: drive
repo: https://suitenumerique.github.io/drive/
diff --git a/base/lasuite/patch-docs-frontend-nginx.yaml b/base/lasuite/patch-docs-frontend-nginx.yaml
deleted file mode 100644
index e655de4..0000000
--- a/base/lasuite/patch-docs-frontend-nginx.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Patch: mount custom nginx config into docs-frontend to inject brand theme CSS.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: docs-frontend
- namespace: lasuite
-spec:
- template:
- spec:
- containers:
- - name: docs
- volumeMounts:
- - name: nginx-conf
- mountPath: /etc/nginx/conf.d/default.conf
- subPath: default.conf
- volumes:
- - name: nginx-conf
- configMap:
- name: docs-frontend-nginx-conf
diff --git a/base/lasuite/patch-people-frontend-nginx.yaml b/base/lasuite/patch-people-frontend-nginx.yaml
deleted file mode 100644
index 02737a4..0000000
--- a/base/lasuite/patch-people-frontend-nginx.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Patch: mount the nginx ConfigMap into people-frontend to rewrite the
-# hardcoded production integration URL at serve time.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: people-frontend
- namespace: lasuite
-spec:
- template:
- spec:
- containers:
- - name: desk
- volumeMounts:
- - name: nginx-conf
- mountPath: /etc/nginx/conf.d/default.conf
- subPath: default.conf
- volumes:
- - name: nginx-conf
- configMap:
- name: people-frontend-nginx-conf
diff --git a/base/lasuite/people-frontend-nginx-configmap.yaml b/base/lasuite/people-frontend-nginx-configmap.yaml
deleted file mode 100644
index ef684e2..0000000
--- a/base/lasuite/people-frontend-nginx-configmap.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-# nginx config for people-frontend that rewrites the hardcoded production
-# integration URL baked into the desk static Next.js build.
-#
-# sub_filter rewrites integration.lasuite.numerique.gouv.fr → integration.DOMAIN_SUFFIX
-# so the gaufre.js widget and services.json come from our own integration service.
-# gzip must be off for sub_filter to work on JS responses.
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: people-frontend-nginx-conf
- namespace: lasuite
-data:
- default.conf: |
- server {
- listen 3000;
- listen 8080;
- server_name localhost;
- server_tokens off;
-
- root /usr/share/nginx/html;
-
- gzip off;
- sub_filter 'integration.lasuite.numerique.gouv.fr' 'integration.DOMAIN_SUFFIX';
- sub_filter '' '';
- sub_filter_once off;
- sub_filter_types text/html application/javascript;
-
- location / {
- try_files $uri index.html $uri/ =404;
- }
-
- location /teams/ {
- error_page 404 /teams/[id]/;
- }
-
- location /mail-domains/ {
- error_page 404 /mail-domains/[slug]/;
- }
-
- error_page 404 /404.html;
- location = /404.html {
- internal;
- }
- }
diff --git a/base/lasuite/people-values.yaml b/base/lasuite/people-values.yaml
deleted file mode 100644
index 6590bda..0000000
--- a/base/lasuite/people-values.yaml
+++ /dev/null
@@ -1,143 +0,0 @@
-# La Suite Numérique — People (desk chart).
-# Env vars use the chart's dict-based envVars schema:
-# string value → rendered as env.value
-# map value → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
-# DOMAIN_SUFFIX is substituted by sed at deploy time.
-#
-# Required secrets (created by seed script):
-# oidc-people — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
-# people-db-credentials — password
-# people-django-secret — DJANGO_SECRET_KEY
-# seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
-
-fullnameOverride: people
-
-backend:
- createsuperuser:
- # Superuser creation disabled — users authenticate via OIDC.
- enabled: false
-
- envVars: &commonEnvVars
- # ── Database ─────────────────────────────────────────────────────────────
- DB_NAME: people_db
- DB_USER: people
- DB_HOST:
- configMapKeyRef:
- name: lasuite-postgres
- key: DB_HOST
- DB_PORT:
- configMapKeyRef:
- name: lasuite-postgres
- key: DB_PORT
- DB_ENGINE:
- configMapKeyRef:
- name: lasuite-postgres
- key: DB_ENGINE
- DB_PASSWORD:
- secretKeyRef:
- name: people-db-credentials
- key: password
-
- # ── Redis / Celery ────────────────────────────────────────────────────────
- REDIS_URL:
- configMapKeyRef:
- name: lasuite-valkey
- key: REDIS_URL
- CELERY_BROKER_URL:
- configMapKeyRef:
- name: lasuite-valkey
- key: CELERY_BROKER_URL
-
- # ── S3 (profile media) ────────────────────────────────────────────────────
- AWS_STORAGE_BUCKET_NAME: sunbeam-people
- AWS_S3_ENDPOINT_URL:
- configMapKeyRef:
- name: lasuite-s3
- key: AWS_S3_ENDPOINT_URL
- AWS_S3_REGION_NAME:
- configMapKeyRef:
- name: lasuite-s3
- key: AWS_S3_REGION_NAME
- AWS_DEFAULT_ACL:
- configMapKeyRef:
- name: lasuite-s3
- key: AWS_DEFAULT_ACL
- AWS_ACCESS_KEY_ID:
- secretKeyRef:
- name: seaweedfs-s3-credentials
- key: S3_ACCESS_KEY
- AWS_SECRET_ACCESS_KEY:
- secretKeyRef:
- name: seaweedfs-s3-credentials
- key: S3_SECRET_KEY
-
- # ── OIDC (Hydra) ──────────────────────────────────────────────────────────
- OIDC_RP_CLIENT_ID:
- secretKeyRef:
- name: oidc-people
- key: CLIENT_ID
- OIDC_RP_CLIENT_SECRET:
- secretKeyRef:
- name: oidc-people
- key: CLIENT_SECRET
- OIDC_RP_SIGN_ALGO:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_RP_SIGN_ALGO
- OIDC_RP_SCOPES:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_RP_SCOPES
- OIDC_OP_JWKS_ENDPOINT:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_OP_JWKS_ENDPOINT
- OIDC_OP_AUTHORIZATION_ENDPOINT:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_OP_AUTHORIZATION_ENDPOINT
- OIDC_OP_TOKEN_ENDPOINT:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_OP_TOKEN_ENDPOINT
- OIDC_OP_USER_ENDPOINT:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_OP_USER_ENDPOINT
- OIDC_OP_LOGOUT_ENDPOINT:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_OP_LOGOUT_ENDPOINT
- OIDC_VERIFY_SSL:
- configMapKeyRef:
- name: lasuite-oidc-provider
- key: OIDC_VERIFY_SSL
-
- # ── Django ────────────────────────────────────────────────────────────────
- DJANGO_SECRET_KEY:
- secretKeyRef:
- name: people-django-secret
- key: DJANGO_SECRET_KEY
- # Production settings class enables SECURE_PROXY_SSL_HEADER so Django builds
- # https:// URLs when Pingora forwards X-Forwarded-Proto: https.
- DJANGO_CONFIGURATION: Production
- # Production's ALLOWED_HOSTS reads ALLOWED_HOSTS (no DJANGO_ prefix).
- ALLOWED_HOSTS: people.DOMAIN_SUFFIX
- DJANGO_ALLOWED_HOSTS: people.DOMAIN_SUFFIX
- DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
- # Redirect to frontend SPA root after successful OIDC login/logout.
- LOGIN_REDIRECT_URL: /
- LOGOUT_REDIRECT_URL: /
- # 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
- SESSION_COOKIE_AGE: "3600"
-
-# celeryWorker and celeryBeat intentionally have no envVars here.
-# The desk chart template automatically injects backend.envVars into all
-# celery containers (see celery_beat_deployment.yaml: $backendEnvVars).
-# Adding envVars here would duplicate every env var.
-
-ingress:
- enabled: false
-
-ingressAdmin:
- enabled: false
diff --git a/base/lasuite/seaweedfs-buckets.yaml b/base/lasuite/seaweedfs-buckets.yaml
index da66ffa..29e6f61 100644
--- a/base/lasuite/seaweedfs-buckets.yaml
+++ b/base/lasuite/seaweedfs-buckets.yaml
@@ -22,13 +22,11 @@ spec:
mc alias set weed "$ENDPOINT" "$S3_ACCESS_KEY" "$S3_SECRET_KEY"
for bucket in \
- sunbeam-docs \
sunbeam-meet \
sunbeam-drive \
sunbeam-messages \
sunbeam-messages-imports \
sunbeam-conversations \
- sunbeam-people \
sunbeam-git-lfs \
sunbeam-game-assets \
sunbeam-ml-models; do
diff --git a/base/lasuite/vault-secrets.yaml b/base/lasuite/vault-secrets.yaml
index 87a338f..02f1184 100644
--- a/base/lasuite/vault-secrets.yaml
+++ b/base/lasuite/vault-secrets.yaml
@@ -25,18 +25,6 @@ spec:
rolloutRestartTargets:
- kind: Deployment
name: hive
- - kind: Deployment
- name: people-backend
- - kind: Deployment
- name: people-celery-worker
- - kind: Deployment
- name: people-celery-beat
- - kind: Deployment
- name: docs-backend
- - kind: Deployment
- name: docs-celery-worker
- - kind: Deployment
- name: docs-y-provider
- kind: Deployment
name: drive-backend
- kind: Deployment
@@ -114,146 +102,6 @@ spec:
"client-secret":
text: "{{ index .Secrets \"oidc-client-secret\" }}"
---
-# People DB credentials from OpenBao database secrets engine (static role, 24h rotation).
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultDynamicSecret
-metadata:
- name: people-db-credentials
- namespace: lasuite
-spec:
- vaultAuthRef: vso-auth
- mount: database
- path: static-creds/people
- allowStaticCreds: true
- refreshAfter: 5m
- rolloutRestartTargets:
- - kind: Deployment
- name: people-backend
- - kind: Deployment
- name: people-celery-worker
- - kind: Deployment
- name: people-celery-beat
- destination:
- name: people-db-credentials
- create: true
- overwrite: true
- transformation:
- excludeRaw: true
- templates:
- password:
- text: "{{ index .Secrets \"password\" }}"
----
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
- name: people-django-secret
- namespace: lasuite
-spec:
- vaultAuthRef: vso-auth
- mount: secret
- type: kv-v2
- path: people
- refreshAfter: 30s
- rolloutRestartTargets:
- - kind: Deployment
- name: people-backend
- - kind: Deployment
- name: people-celery-worker
- - kind: Deployment
- name: people-celery-beat
- destination:
- name: people-django-secret
- create: true
- overwrite: true
- transformation:
- excludeRaw: true
- templates:
- DJANGO_SECRET_KEY:
- text: "{{ index .Secrets \"django-secret-key\" }}"
----
-# Docs DB credentials from OpenBao database secrets engine (static role, 24h rotation).
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultDynamicSecret
-metadata:
- name: docs-db-credentials
- namespace: lasuite
-spec:
- vaultAuthRef: vso-auth
- mount: database
- path: static-creds/docs
- allowStaticCreds: true
- refreshAfter: 5m
- rolloutRestartTargets:
- - kind: Deployment
- name: docs-backend
- - kind: Deployment
- name: docs-celery-worker
- - kind: Deployment
- name: docs-y-provider
- destination:
- name: docs-db-credentials
- create: true
- overwrite: true
- transformation:
- excludeRaw: true
- templates:
- password:
- text: "{{ index .Secrets \"password\" }}"
----
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
- name: docs-django-secret
- namespace: lasuite
-spec:
- vaultAuthRef: vso-auth
- mount: secret
- type: kv-v2
- path: docs
- refreshAfter: 30s
- rolloutRestartTargets:
- - kind: Deployment
- name: docs-backend
- - kind: Deployment
- name: docs-celery-worker
- - kind: Deployment
- name: docs-y-provider
- destination:
- name: docs-django-secret
- create: true
- overwrite: true
- transformation:
- excludeRaw: true
- templates:
- DJANGO_SECRET_KEY:
- text: "{{ index .Secrets \"django-secret-key\" }}"
----
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
- name: docs-collaboration-secret
- namespace: lasuite
-spec:
- vaultAuthRef: vso-auth
- mount: secret
- type: kv-v2
- path: docs
- refreshAfter: 30s
- rolloutRestartTargets:
- - kind: Deployment
- name: docs-backend
- - kind: Deployment
- name: docs-y-provider
- destination:
- name: docs-collaboration-secret
- create: true
- overwrite: true
- transformation:
- excludeRaw: true
- templates:
- secret:
- text: "{{ index .Secrets \"collaboration-secret\" }}"
----
# Meet DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
@@ -715,3 +563,21 @@ spec:
text: "{{ index .Secrets \"private-key\" }}"
selector:
text: "{{ index .Secrets \"selector\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: drive-rs-audiences
+ namespace: lasuite
+spec:
+ vaultAuthRef: vso-auth
+ mount: secret
+ type: kv-v2
+ path: drive-rs-audiences
+ refreshAfter: 1h
+ destination:
+ name: drive-rs-audiences
+ create: true
+ rolloutRestartTargets:
+ - kind: Deployment
+ name: drive-backend
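Review bot: The new `drive-rs-audiences` VaultStaticSecret omits the `overwrite: true` and `transformation.excludeRaw: true` settings that the sibling secrets in this file carry (they are visible in the removed people/docs entries of the previous hunk). Without `excludeRaw`, the operator also writes a `_raw` key holding the whole KV response into the Kubernetes Secret, so a consumer that loads the Secret wholesale (`envFrom`, or a full volume mount) receives more than the intended keys. Without `overwrite`, a pre-existing Secret of that name not owned by the operator is not replaced. Suggest adding `overwrite: true` under `destination:` with `transformation:` / `excludeRaw: true` beneath it, plus a one-line comment above the resource saying what the secret holds and which drive-backend setting reads it. Also confirm that `refreshAfter: 1h` is intended: the other static secrets here use `30s`, so a rotated or revoked value could remain in the cluster for up to an hour.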
diff --git a/overlays/local/kustomization.yaml b/overlays/local/kustomization.yaml
index bf002ab..6ba3bdf 100644
--- a/overlays/local/kustomization.yaml
+++ b/overlays/local/kustomization.yaml
@@ -31,20 +31,6 @@ images:
# amd64-only La Suite images — mirrored to our Gitea registry with a patched
# OCI index that adds an arm64 alias so Rosetta can run them on the Lima VM.
# DOMAIN_SUFFIX is substituted by local-up.py at deploy time (sed replacement).
- - name: lasuite/people-backend
- newName: src.DOMAIN_SUFFIX/studio/people-backend
- - name: lasuite/people-frontend
- newName: src.DOMAIN_SUFFIX/studio/people-frontend
- newTag: latest
-
- # amd64-only impress (Docs) images — same mirror pattern.
- - name: lasuite/impress-backend
- newName: src.DOMAIN_SUFFIX/studio/impress-backend
- - name: lasuite/impress-frontend
- newName: src.DOMAIN_SUFFIX/studio/impress-frontend
- - name: lasuite/impress-y-provider
- newName: src.DOMAIN_SUFFIX/studio/impress-y-provider
-
# Meet — built from source and pushed to Gitea registry.
- name: meet-backend
newName: src.DOMAIN_SUFFIX/studio/meet-backend
diff --git a/overlays/local/values-resources.yaml b/overlays/local/values-resources.yaml
index c0585ea..7bc5ba0 100644
--- a/overlays/local/values-resources.yaml
+++ b/overlays/local/values-resources.yaml
@@ -149,33 +149,6 @@ spec:
limits:
memory: 64Mi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: people-backend
- namespace: lasuite
-spec:
- replicas: 1
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: people-celery-worker
- namespace: lasuite
-spec:
- replicas: 1
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: people-frontend
- namespace: lasuite
-spec:
- replicas: 1
-
---
apiVersion: apps/v1
kind: Deployment
diff --git a/overlays/production/kustomization.yaml b/overlays/production/kustomization.yaml
index da3e7ee..67a07f8 100644
--- a/overlays/production/kustomization.yaml
+++ b/overlays/production/kustomization.yaml
@@ -39,11 +39,6 @@ images:
newName: src.DOMAIN_SUFFIX/studio/meet-frontend
newTag: latest
- # people-frontend — built from source with estudio theme baked in.
- - name: lasuite/people-frontend
- newName: src.DOMAIN_SUFFIX/studio/people-frontend
- newTag: latest
-
# Messages — built from source and pushed to Gitea registry.
- name: messages-backend
newName: src.DOMAIN_SUFFIX/studio/messages-backend
diff --git a/overlays/production/values-resources.yaml b/overlays/production/values-resources.yaml
index 482559e..b22b7a8 100644
--- a/overlays/production/values-resources.yaml
+++ b/overlays/production/values-resources.yaml
@@ -166,33 +166,6 @@ spec:
limits:
memory: 256Mi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: people-backend
- namespace: lasuite
-spec:
- replicas: 2
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: people-celery-worker
- namespace: lasuite
-spec:
- replicas: 2
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: people-frontend
- namespace: lasuite
-spec:
- replicas: 2
-
---
apiVersion: apps/v1
kind: Deployment
diff --git a/scripts/local-up.sh b/scripts/local-up.sh
index 4c72191..b2ae2a9 100755
--- a/scripts/local-up.sh
+++ b/scripts/local-up.sh
@@ -167,9 +167,6 @@ for ns_deploy in \
"devtools/gitea" \
"storage/seaweedfs-filer" \
"lasuite/hive" \
- "lasuite/people-backend" \
- "lasuite/people-celery-worker" \
- "lasuite/people-celery-beat" \
"media/livekit-server"; do
ns="${ns_deploy%%/*}"
dep="${ns_deploy##*/}"