studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

remove: Docs (impress) and People (desk) from La Suite

Browse Source 
Collabora stays (Drive needs it for WOPI document editing).
Removed: Helm charts, values, nginx configs, patches, OIDC clients,
Vault secrets, S3 buckets, Pingora routes, Kratos return URLs,
overlay image overrides and resource patches, local-up.sh restarts.
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-25 17:53:43 +00:00
parent b13555607a
commit 0a322c8a7c
15 changed files with 20 additions and 695 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
base/lasuite/docs-frontend-nginx-configmap.yaml
View File

@@ -1,35 +0,0 @@
# nginx config for docs-frontend.
apiVersion: v1
kind: ConfigMap
metadata:
name: docs-frontend-nginx-conf
namespace: lasuite
data:
default.conf: |
server {
listen 8080;
listen 3000;
server_name localhost;
root /app;
gzip off;
sub_filter_once off;
sub_filter_types text/html application/javascript;
sub_filter '</head>' '<link rel="stylesheet" href="https://integration.DOMAIN_SUFFIX/api/v2/theme.css"></head>';
location / {
try_files $uri index.html $uri/index.html =404;
add_header X-Frame-Options DENY always;
}
location ~ "^/docs/[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}/?$" {
try_files $uri /docs/[id]/index.html;
add_header X-Frame-Options DENY always;
}
error_page 404 /404.html;
location = /404.html {
internal;
}
}

191
base/lasuite/docs-values.yaml
View File

@@ -1,191 +0,0 @@
# La Suite Numérique — Docs (impress chart).
# Env vars use the chart's dict-based envVars schema:
# string value → rendered as env.value
# map value → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
# DOMAIN_SUFFIX is substituted by sed at deploy time.
#
# Required secrets (created by seed script):
# oidc-docs — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
# docs-db-credentials — password (VaultDynamicSecret, DB engine)
# docs-django-secret — DJANGO_SECRET_KEY (VaultStaticSecret)
# seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
fullnameOverride: docs
backend:
createsuperuser:
# No superuser — users authenticate via OIDC.
# The chart always renders this Job; override command so it exits 0.
command: ["true"]
envVars: &backendEnvVars
# ── Database ──────────────────────────────────────────────────────────────
DB_NAME: docs_db
DB_USER: docs
DB_HOST:
configMapKeyRef:
name: lasuite-postgres
key: DB_HOST
DB_PORT:
configMapKeyRef:
name: lasuite-postgres
key: DB_PORT
DB_ENGINE:
configMapKeyRef:
name: lasuite-postgres
key: DB_ENGINE
DB_PASSWORD:
secretKeyRef:
name: docs-db-credentials
key: password
# ── Redis / Celery ────────────────────────────────────────────────────────
REDIS_URL:
configMapKeyRef:
name: lasuite-valkey
key: REDIS_URL
CELERY_BROKER_URL:
configMapKeyRef:
name: lasuite-valkey
key: CELERY_BROKER_URL
# ── S3 ────────────────────────────────────────────────────────────────────
AWS_STORAGE_BUCKET_NAME: sunbeam-docs
AWS_S3_ENDPOINT_URL:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_ENDPOINT_URL
AWS_S3_REGION_NAME:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_REGION_NAME
AWS_DEFAULT_ACL:
configMapKeyRef:
name: lasuite-s3
key: AWS_DEFAULT_ACL
AWS_ACCESS_KEY_ID:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_ACCESS_KEY
AWS_SECRET_ACCESS_KEY:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_SECRET_KEY
# ── OIDC (Hydra) ──────────────────────────────────────────────────────────
OIDC_RP_CLIENT_ID:
secretKeyRef:
name: oidc-docs
key: CLIENT_ID
OIDC_RP_CLIENT_SECRET:
secretKeyRef:
name: oidc-docs
key: CLIENT_SECRET
OIDC_RP_SIGN_ALGO:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SIGN_ALGO
OIDC_RP_SCOPES:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SCOPES
OIDC_OP_JWKS_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_JWKS_ENDPOINT
OIDC_OP_AUTHORIZATION_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_AUTHORIZATION_ENDPOINT
OIDC_OP_TOKEN_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_TOKEN_ENDPOINT
OIDC_OP_USER_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_USER_ENDPOINT
OIDC_OP_LOGOUT_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_LOGOUT_ENDPOINT
OIDC_VERIFY_SSL:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_VERIFY_SSL
# ── Django ────────────────────────────────────────────────────────────────
DJANGO_SECRET_KEY:
secretKeyRef:
name: docs-django-secret
key: DJANGO_SECRET_KEY
DJANGO_CONFIGURATION: Production
FRONTEND_THEME: estudio
ALLOWED_HOSTS: docs.DOMAIN_SUFFIX
DJANGO_ALLOWED_HOSTS: docs.DOMAIN_SUFFIX
DJANGO_CSRF_TRUSTED_ORIGINS: https://docs.DOMAIN_SUFFIX
LOGIN_REDIRECT_URL: /
LOGOUT_REDIRECT_URL: /
FRONTEND_HOMEPAGE_FEATURE_ENABLED: "false"
# Low cache timeout so theme changes propagate without pod restarts.
THEME_CUSTOMIZATION_CACHE_TIMEOUT: "30"
# 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
# Lockout window: disabled identity cannot re-auth within 1h of expiry.
SESSION_COOKIE_AGE: "3600"
# ── Y-Provider ────────────────────────────────────────────────────────────
# Shared secret for backend ↔ y-provider auth.
COLLABORATION_SERVER_SECRET:
secretKeyRef:
name: docs-collaboration-secret
key: secret
COLLABORATION_SERVER_URL: http://docs-y-provider.lasuite.svc.cluster.local:4444
themeCustomization:
enabled: true
# La Gaufre v2: point at our self-hosted integration service.
# DOMAIN_SUFFIX is substituted by kustomize_build at deploy time.
file_content:
header:
logo: {}
icon:
src: "https://integration.DOMAIN_SUFFIX/logos/docs.svg?v=2"
style:
width: "32px"
height: "auto"
alt: ""
withTitle: true
css_url: "https://integration.DOMAIN_SUFFIX/api/v2/theme.css"
waffle:
apiUrl: "https://integration.DOMAIN_SUFFIX/api/v2/services.json"
widgetPath: "https://integration.DOMAIN_SUFFIX/api/v2/lagaufre.js"
label: "O Estúdio"
closeLabel: "Fechar"
newWindowLabelSuffix: " · nova janela"
frontend:
envVars:
NEXT_PUBLIC_API_URL: https://docs.DOMAIN_SUFFIX
NEXT_PUBLIC_COLLABORATION_WS_URL: wss://docs.DOMAIN_SUFFIX/collaboration/ws/
yProvider:
envVars:
# Shared secret so y-provider can verify requests from the backend.
COLLABORATION_SERVER_SECRET:
secretKeyRef:
name: docs-collaboration-secret
key: secret
# Impress backend URL for document access verification.
APP_URL: http://docs-backend.lasuite.svc.cluster.local:80
ingress:
enabled: false
ingressCollaborationWS:
enabled: false
ingressAdmin:
enabled: false
ingressMedia:
enabled: false

4
base/lasuite/integration-deployment.yaml
View File

@@ -1,7 +1,7 @@
# La Gaufre integration service — O Estúdio app launcher (La Gaufre v2).
# Serves the lagaufre.js v2 widget, SVG logos, and the v2 services API.
# Apps load gaufre.js (via people-frontend sub_filter) which in turn initialises
# the v2 widget with the button already rendered by @gouvfr-lasuite/ui-kit.
# Apps load gaufre.js which in turn initialises the v2 widget with the
# button already rendered by @gouvfr-lasuite/ui-kit.
#
# Image: src.DOMAIN_SUFFIX/studio/integration:latest
# Built from sunbeam/integration-service/ (context: sunbeam/ root)

11
base/lasuite/kustomization.yaml
View File

@@ -14,7 +14,6 @@ resources:
- oidc-clients.yaml
- vault-secrets.yaml
- integration-deployment.yaml
- people-frontend-nginx-configmap.yaml
- collabora-deployment.yaml
- collabora-service.yaml
- meet-config.yaml
@@ -55,8 +54,6 @@ resources:
- projects-deployment.yaml
patches:
# Rewrite hardcoded production integration URL + inject theme CSS in people-frontend
- path: patch-people-frontend-nginx.yaml
# Mount media auth proxy nginx config in drive-frontend
- path: patch-drive-frontend-nginx.yaml
# Wait for Collabora + run trigger_wopi_configuration on every Drive pod start
@@ -66,14 +63,6 @@ patches:
# Charts with a published Helm repo use helmCharts below.
# find has no published repo yet — deploy manually when OpenSearch is ready.
helmCharts:
# helm repo add people https://suitenumerique.github.io/people/
- name: desk
repo: https://suitenumerique.github.io/people/
version: "0.0.7"
releaseName: people
namespace: lasuite
valuesFile: people-values.yaml
# helm repo add drive https://suitenumerique.github.io/drive/
- name: drive
repo: https://suitenumerique.github.io/drive/

19
base/lasuite/patch-docs-frontend-nginx.yaml
View File

@@ -1,19 +0,0 @@
# Patch: mount custom nginx config into docs-frontend to inject brand theme CSS.
apiVersion: apps/v1
kind: Deployment
metadata:
name: docs-frontend
namespace: lasuite
spec:
template:
spec:
containers:
- name: docs
volumeMounts:
- name: nginx-conf
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
volumes:
- name: nginx-conf
configMap:
name: docs-frontend-nginx-conf

20
base/lasuite/patch-people-frontend-nginx.yaml
View File

@@ -1,20 +0,0 @@
# Patch: mount the nginx ConfigMap into people-frontend to rewrite the
# hardcoded production integration URL at serve time.
apiVersion: apps/v1
kind: Deployment
metadata:
name: people-frontend
namespace: lasuite
spec:
template:
spec:
containers:
- name: desk
volumeMounts:
- name: nginx-conf
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
volumes:
- name: nginx-conf
configMap:
name: people-frontend-nginx-conf

44
base/lasuite/people-frontend-nginx-configmap.yaml
View File

@@ -1,44 +0,0 @@
# nginx config for people-frontend that rewrites the hardcoded production
# integration URL baked into the desk static Next.js build.
#
# sub_filter rewrites integration.lasuite.numerique.gouv.fr → integration.DOMAIN_SUFFIX
# so the gaufre.js widget and services.json come from our own integration service.
# gzip must be off for sub_filter to work on JS responses.
apiVersion: v1
kind: ConfigMap
metadata:
name: people-frontend-nginx-conf
namespace: lasuite
data:
default.conf: |
server {
listen 3000;
listen 8080;
server_name localhost;
server_tokens off;
root /usr/share/nginx/html;
gzip off;
sub_filter 'integration.lasuite.numerique.gouv.fr' 'integration.DOMAIN_SUFFIX';
sub_filter '</head>' '<link rel="stylesheet" href="https://integration.DOMAIN_SUFFIX/api/v2/theme.css"></head>';
sub_filter_once off;
sub_filter_types text/html application/javascript;
location / {
try_files $uri index.html $uri/ =404;
}
location /teams/ {
error_page 404 /teams/[id]/;
}
location /mail-domains/ {
error_page 404 /mail-domains/[slug]/;
}
error_page 404 /404.html;
location = /404.html {
internal;
}
}

143
base/lasuite/people-values.yaml
View File

@@ -1,143 +0,0 @@
# La Suite Numérique — People (desk chart).
# Env vars use the chart's dict-based envVars schema:
# string value → rendered as env.value
# map value → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
# DOMAIN_SUFFIX is substituted by sed at deploy time.
#
# Required secrets (created by seed script):
# oidc-people — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
# people-db-credentials — password
# people-django-secret — DJANGO_SECRET_KEY
# seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
fullnameOverride: people
backend:
createsuperuser:
# Superuser creation disabled — users authenticate via OIDC.
enabled: false
envVars: &commonEnvVars
# ── Database ─────────────────────────────────────────────────────────────
DB_NAME: people_db
DB_USER: people
DB_HOST:
configMapKeyRef:
name: lasuite-postgres
key: DB_HOST
DB_PORT:
configMapKeyRef:
name: lasuite-postgres
key: DB_PORT
DB_ENGINE:
configMapKeyRef:
name: lasuite-postgres
key: DB_ENGINE
DB_PASSWORD:
secretKeyRef:
name: people-db-credentials
key: password
# ── Redis / Celery ────────────────────────────────────────────────────────
REDIS_URL:
configMapKeyRef:
name: lasuite-valkey
key: REDIS_URL
CELERY_BROKER_URL:
configMapKeyRef:
name: lasuite-valkey
key: CELERY_BROKER_URL
# ── S3 (profile media) ────────────────────────────────────────────────────
AWS_STORAGE_BUCKET_NAME: sunbeam-people
AWS_S3_ENDPOINT_URL:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_ENDPOINT_URL
AWS_S3_REGION_NAME:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_REGION_NAME
AWS_DEFAULT_ACL:
configMapKeyRef:
name: lasuite-s3
key: AWS_DEFAULT_ACL
AWS_ACCESS_KEY_ID:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_ACCESS_KEY
AWS_SECRET_ACCESS_KEY:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_SECRET_KEY
# ── OIDC (Hydra) ──────────────────────────────────────────────────────────
OIDC_RP_CLIENT_ID:
secretKeyRef:
name: oidc-people
key: CLIENT_ID
OIDC_RP_CLIENT_SECRET:
secretKeyRef:
name: oidc-people
key: CLIENT_SECRET
OIDC_RP_SIGN_ALGO:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SIGN_ALGO
OIDC_RP_SCOPES:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SCOPES
OIDC_OP_JWKS_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_JWKS_ENDPOINT
OIDC_OP_AUTHORIZATION_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_AUTHORIZATION_ENDPOINT
OIDC_OP_TOKEN_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_TOKEN_ENDPOINT
OIDC_OP_USER_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_USER_ENDPOINT
OIDC_OP_LOGOUT_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_LOGOUT_ENDPOINT
OIDC_VERIFY_SSL:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_VERIFY_SSL
# ── Django ────────────────────────────────────────────────────────────────
DJANGO_SECRET_KEY:
secretKeyRef:
name: people-django-secret
key: DJANGO_SECRET_KEY
# Production settings class enables SECURE_PROXY_SSL_HEADER so Django builds
# https:// URLs when Pingora forwards X-Forwarded-Proto: https.
DJANGO_CONFIGURATION: Production
# Production's ALLOWED_HOSTS reads ALLOWED_HOSTS (no DJANGO_ prefix).
ALLOWED_HOSTS: people.DOMAIN_SUFFIX
DJANGO_ALLOWED_HOSTS: people.DOMAIN_SUFFIX
DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
# Redirect to frontend SPA root after successful OIDC login/logout.
LOGIN_REDIRECT_URL: /
LOGOUT_REDIRECT_URL: /
# 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
SESSION_COOKIE_AGE: "3600"
# celeryWorker and celeryBeat intentionally have no envVars here.
# The desk chart template automatically injects backend.envVars into all
# celery containers (see celery_beat_deployment.yaml: $backendEnvVars).
# Adding envVars here would duplicate every env var.
ingress:
enabled: false
ingressAdmin:
enabled: false

2
base/lasuite/seaweedfs-buckets.yaml
View File

@@ -22,13 +22,11 @@ spec:
mc alias set weed "$ENDPOINT" "$S3_ACCESS_KEY" "$S3_SECRET_KEY"
for bucket in \
sunbeam-docs \
sunbeam-meet \
sunbeam-drive \
sunbeam-messages \
sunbeam-messages-imports \
sunbeam-conversations \
sunbeam-people \
sunbeam-git-lfs \
sunbeam-game-assets \
sunbeam-ml-models; do

170
base/lasuite/vault-secrets.yaml
View File

@@ -25,18 +25,6 @@ spec:
rolloutRestartTargets:
- kind: Deployment
name: hive
- kind: Deployment
name: people-backend
- kind: Deployment
name: people-celery-worker
- kind: Deployment
name: people-celery-beat
- kind: Deployment
name: docs-backend
- kind: Deployment
name: docs-celery-worker
- kind: Deployment
name: docs-y-provider
- kind: Deployment
name: drive-backend
- kind: Deployment
@@ -114,146 +102,6 @@ spec:
"client-secret":
text: "{{ index .Secrets \"oidc-client-secret\" }}"
---
# People DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
name: people-db-credentials
namespace: lasuite
spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/people
allowStaticCreds: true
refreshAfter: 5m
rolloutRestartTargets:
- kind: Deployment
name: people-backend
- kind: Deployment
name: people-celery-worker
- kind: Deployment
name: people-celery-beat
destination:
name: people-db-credentials
create: true
overwrite: true
transformation:
excludeRaw: true
templates:
password:
text: "{{ index .Secrets \"password\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: people-django-secret
namespace: lasuite
spec:
vaultAuthRef: vso-auth
mount: secret
type: kv-v2
path: people
refreshAfter: 30s
rolloutRestartTargets:
- kind: Deployment
name: people-backend
- kind: Deployment
name: people-celery-worker
- kind: Deployment
name: people-celery-beat
destination:
name: people-django-secret
create: true
overwrite: true
transformation:
excludeRaw: true
templates:
DJANGO_SECRET_KEY:
text: "{{ index .Secrets \"django-secret-key\" }}"
---
# Docs DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
name: docs-db-credentials
namespace: lasuite
spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/docs
allowStaticCreds: true
refreshAfter: 5m
rolloutRestartTargets:
- kind: Deployment
name: docs-backend
- kind: Deployment
name: docs-celery-worker
- kind: Deployment
name: docs-y-provider
destination:
name: docs-db-credentials
create: true
overwrite: true
transformation:
excludeRaw: true
templates:
password:
text: "{{ index .Secrets \"password\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: docs-django-secret
namespace: lasuite
spec:
vaultAuthRef: vso-auth
mount: secret
type: kv-v2
path: docs
refreshAfter: 30s
rolloutRestartTargets:
- kind: Deployment
name: docs-backend
- kind: Deployment
name: docs-celery-worker
- kind: Deployment
name: docs-y-provider
destination:
name: docs-django-secret
create: true
overwrite: true
transformation:
excludeRaw: true
templates:
DJANGO_SECRET_KEY:
text: "{{ index .Secrets \"django-secret-key\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: docs-collaboration-secret
namespace: lasuite
spec:
vaultAuthRef: vso-auth
mount: secret
type: kv-v2
path: docs
refreshAfter: 30s
rolloutRestartTargets:
- kind: Deployment
name: docs-backend
- kind: Deployment
name: docs-y-provider
destination:
name: docs-collaboration-secret
create: true
overwrite: true
transformation:
excludeRaw: true
templates:
secret:
text: "{{ index .Secrets \"collaboration-secret\" }}"
---
# Meet DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
@@ -715,3 +563,21 @@ spec:
text: "{{ index .Secrets \"private-key\" }}"
selector:
text: "{{ index .Secrets \"selector\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: drive-rs-audiences
namespace: lasuite
spec:
vaultAuthRef: vso-auth
mount: secret
type: kv-v2
path: drive-rs-audiences
refreshAfter: 1h
destination:
name: drive-rs-audiences
create: true
rolloutRestartTargets:
- kind: Deployment
name: drive-backend