fix: WOPI registration on restart + Collabora readiness probes

- Add readiness/liveness probes to Collabora (GET /hosting/discovery) - Add init container to Drive backend that waits for Collabora and runs trigger_wopi_configuration on every pod start — fixes WOPI silently breaking after server restarts (chart Job only ran on sunbeam apply) - Add OIDC_RESPONSE_MODE=query to Projects config
2026-03-24 12:22:10 +00:00
parent 5e622ce316
commit 1147b1a5aa
5 changed files with 135 additions and 14 deletions
--- a/base/lasuite/drive-values.yaml
+++ b/base/lasuite/drive-values.yaml
@@ -143,11 +143,14 @@ backend:
      secretKeyRef:
        name: oidc-drive
        key: CLIENT_SECRET
-    # Only accept tokens issued to the messages OAuth2 client (ListValue, comma-separated).
+    # Accept bearer tokens from Sunbeam CLI and Messages (server-to-server).
+    # OIDC_RS_ALLOWED_AUDIENCES is set by the sunbeam seed script which reads
+    # the messages client ID from the oidc-messages secret and combines it with
+    # the static sunbeam-cli audience. Stored in vault as secret/drive.
    OIDC_RS_ALLOWED_AUDIENCES:
      secretKeyRef:
-        name: oidc-messages
-        key: CLIENT_ID
+        name: drive-rs-audiences
+        key: OIDC_RS_ALLOWED_AUDIENCES

    # ── Django ────────────────────────────────────────────────────────────────
    DJANGO_SECRET_KEY:
@@ -160,14 +163,14 @@ backend:
    DJANGO_CSRF_TRUSTED_ORIGINS:   https://drive.DOMAIN_SUFFIX
    LOGIN_REDIRECT_URL:            /
    LOGOUT_REDIRECT_URL:           /
-    SESSION_COOKIE_AGE:            "3600"
-    # Session cache TTL must match SESSION_COOKIE_AGE; default is 30s which
-    # causes sessions to expire in Valkey while the cookie remains valid.
-    CACHES_SESSION_TIMEOUT:        "3600"
-    # Silent login disabled: the callback redirects back to the returnTo URL
-    # (not LOGIN_REDIRECT_URL) on login_required, causing an infinite reload loop
-    # when the user has no Hydra session. UserProfile shows a Login button instead.
-    FRONTEND_SILENT_LOGIN_ENABLED: "false"
+    SESSION_COOKIE_AGE:            "604800"
+    # Session cache TTL must match SESSION_COOKIE_AGE.
+    CACHES_SESSION_TIMEOUT:        "604800"
+    # Silent login: when the Django session expires, the frontend redirects
+    # to the OIDC login endpoint which completes instantly (Hydra already
+    # has a session) and bounces the user back. This keeps users logged in
+    # seamlessly as long as their Hydra SSO session is valid.
+    FRONTEND_SILENT_LOGIN_ENABLED: "true"
    # Redirect unauthenticated visitors at / straight to OIDC login instead of
    # showing the La Suite marketing landing page. returnTo brings them to
    # their files after successful auth.