diff --git a/base/lasuite/kustomization.yaml b/base/lasuite/kustomization.yaml index 6eb9883..e0580e6 100644 --- a/base/lasuite/kustomization.yaml +++ b/base/lasuite/kustomization.yaml @@ -12,4 +12,17 @@ resources: - seaweedfs-buckets.yaml - shared-config.yaml - oidc-clients.yaml + - vault-secrets.yaml + +# La Suite Numérique Helm charts. +# Charts with a published Helm repo use helmCharts below. +# find has no published repo yet — deploy manually when OpenSearch is ready. +helmCharts: + # helm repo add people https://suitenumerique.github.io/people/ + - name: desk + repo: https://suitenumerique.github.io/people/ + version: "0.0.7" + releaseName: people + namespace: lasuite + valuesFile: people-values.yaml diff --git a/base/lasuite/people-values.yaml b/base/lasuite/people-values.yaml new file mode 100644 index 0000000..4369dd2 --- /dev/null +++ b/base/lasuite/people-values.yaml 
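Review bot: The new `helmCharts` entry fetches the `desk` chart tarball from `https://suitenumerique.github.io/people/` on every `kustomize build --enable-helm`, and kustomize has no field to pin a chart digest, so the only integrity guarantee is TLS to GitHub Pages plus the `version: "0.0.7"` tag, which is a mutable name on the publisher's side rather than content-addressed. Consider vendoring the chart (a committed `charts/` directory or pre-fetched tarball next to this kustomization) or, at minimum, recording the expected sha256 of `desk-0.0.7.tgz` in the comment above `helmCharts:` so a CI step can verify the download before rendering. Minor: the comment `# find has no published repo yet — deploy manually when OpenSearch is ready.` documents a step this base will not reproduce; a pointer to where that manual deployment is tracked would help the next operator. The `helmCharts` list appears to end inside this hunk.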
@@ -0,0 +1,133 @@ +# La Suite Numérique — People (desk chart). +# Env vars use the chart's dict-based envVars schema: +# string value → rendered as env.value +# map value → rendered as env.valueFrom (configMapKeyRef / secretKeyRef) +# DOMAIN_SUFFIX is substituted by sed at deploy time. +# +# Required secrets (created by seed script): +# oidc-people — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester) +# people-db-credentials — password +# people-django-secret — DJANGO_SECRET_KEY +# seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared) + +fullnameOverride: people + +backend: + createsuperuser: + # Superuser creation disabled — users authenticate via OIDC. + enabled: false + + envVars: &commonEnvVars + # ── Database ───────────────────────────────────────────────────────────── + DB_NAME: people_db + DB_USER: people + DB_HOST: + configMapKeyRef: + name: lasuite-postgres + key: DB_HOST + DB_PORT: + configMapKeyRef: + name: lasuite-postgres + key: DB_PORT + DB_ENGINE: + configMapKeyRef: + name: lasuite-postgres + key: DB_ENGINE + DB_PASSWORD: + secretKeyRef: + name: people-db-credentials + key: password + + # ── Redis / Celery ──────────────────────────────────────────────────────── + REDIS_URL: + configMapKeyRef: + name: lasuite-valkey + key: REDIS_URL + CELERY_BROKER_URL: + configMapKeyRef: + name: lasuite-valkey + key: CELERY_BROKER_URL + + # ── S3 (profile media) ──────────────────────────────────────────────────── + AWS_STORAGE_BUCKET_NAME: sunbeam-people + AWS_S3_ENDPOINT_URL: + configMapKeyRef: + name: lasuite-s3 + key: AWS_S3_ENDPOINT_URL + AWS_S3_REGION_NAME: + configMapKeyRef: + name: lasuite-s3 + key: AWS_S3_REGION_NAME + AWS_DEFAULT_ACL: + configMapKeyRef: + name: lasuite-s3 + key: AWS_DEFAULT_ACL + AWS_ACCESS_KEY_ID: + secretKeyRef: + name: seaweedfs-s3-credentials + key: S3_ACCESS_KEY + AWS_SECRET_ACCESS_KEY: + secretKeyRef: + name: seaweedfs-s3-credentials + key: S3_SECRET_KEY + + # ── OIDC (Hydra) 
────────────────────────────────────────────────────────── + OIDC_RP_CLIENT_ID: + secretKeyRef: + name: oidc-people + key: CLIENT_ID + OIDC_RP_CLIENT_SECRET: + secretKeyRef: + name: oidc-people + key: CLIENT_SECRET + OIDC_RP_SIGN_ALGO: + configMapKeyRef: + name: lasuite-oidc-provider + key: OIDC_RP_SIGN_ALGO + OIDC_RP_SCOPES: + configMapKeyRef: + name: lasuite-oidc-provider + key: OIDC_RP_SCOPES + OIDC_OP_JWKS_ENDPOINT: + configMapKeyRef: + name: lasuite-oidc-provider + key: OIDC_OP_JWKS_ENDPOINT + OIDC_OP_AUTHORIZATION_ENDPOINT: + configMapKeyRef: + name: lasuite-oidc-provider + key: OIDC_OP_AUTHORIZATION_ENDPOINT + OIDC_OP_TOKEN_ENDPOINT: + configMapKeyRef: + name: lasuite-oidc-provider + key: OIDC_OP_TOKEN_ENDPOINT + OIDC_OP_USER_ENDPOINT: + configMapKeyRef: + name: lasuite-oidc-provider + key: OIDC_OP_USER_ENDPOINT + OIDC_OP_LOGOUT_ENDPOINT: + configMapKeyRef: + name: lasuite-oidc-provider + key: OIDC_OP_LOGOUT_ENDPOINT + OIDC_VERIFY_SSL: + configMapKeyRef: + name: lasuite-oidc-provider + key: OIDC_VERIFY_SSL + + # ── Django ──────────────────────────────────────────────────────────────── + DJANGO_SECRET_KEY: + secretKeyRef: + name: people-django-secret + key: DJANGO_SECRET_KEY + DJANGO_ALLOWED_HOSTS: people.DOMAIN_SUFFIX + DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX + +# celeryWorker and celeryBeat intentionally have no envVars here. +# The desk chart template automatically injects backend.envVars into all +# celery containers (see celery_beat_deployment.yaml: $backendEnvVars). +# Adding envVars here would duplicate every env var. + +ingress: + enabled: false + +ingressAdmin: + enabled: false diff --git a/base/lasuite/vault-secrets.yaml b/base/lasuite/vault-secrets.yaml new file mode 100644 index 0000000..1a07850 --- /dev/null +++ b/base/lasuite/vault-secrets.yaml 
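Review bot: The header comment says the required secrets are "created by seed script", but in this same change `people-db-credentials`, `people-django-secret` and `seaweedfs-s3-credentials` are materialised by VaultDynamicSecret/VaultStaticSecret objects in `vault-secrets.yaml`, so only `oidc-people` (Hydra Maester) is still produced outside this base; I would rewrite it as `# Required secrets: oidc-people (Hydra Maester); people-db-credentials, people-django-secret, seaweedfs-s3-credentials (Vault Secrets Operator, see vault-secrets.yaml)` so nobody goes looking for a seed script that no longer owns them. The `&commonEnvVars` anchor on `envVars:` is never aliased anywhere in the file (the trailing comment explains the chart injects `backend.envVars` into the celery containers itself), so it is dead syntax that some YAML tooling mangles or rejects — drop it and write plain `envVars:`. Finally, `DB_PASSWORD` comes from a rotating static role and env vars are fixed at container start, so freshness depends entirely on the `rolloutRestartTargets` in the VSO object naming the Deployments this chart actually renders under `fullnameOverride: people`; that mapping is not visible here and is worth confirming against the chart templates.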
@@ -0,0 +1,131 @@ +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vso-auth + namespace: lasuite +spec: + method: kubernetes + mount: kubernetes + kubernetes: + role: vso + serviceAccount: default +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: seaweedfs-s3-credentials + namespace: lasuite +spec: + vaultAuthRef: vso-auth + mount: secret + type: kv-v2 + path: seaweedfs + refreshAfter: 30s + destination: + name: seaweedfs-s3-credentials + create: true + overwrite: true + transformation: + excludeRaw: true + templates: + S3_ACCESS_KEY: + text: "{{ index .Secrets \"access-key\" }}" + S3_SECRET_KEY: + text: "{{ index .Secrets \"secret-key\" }}" +--- +# Hive DB credentials from OpenBao database secrets engine (static role, 24h rotation). +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultDynamicSecret +metadata: + name: hive-db-url + namespace: lasuite +spec: + vaultAuthRef: vso-auth + mount: database + path: static-creds/hive + refreshAfter: 1h + rolloutRestartTargets: + - kind: Deployment + name: hive + destination: + name: hive-db-url + create: true + overwrite: true + transformation: + excludeRaw: true + templates: + url: + text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/hive_db" +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: hive-oidc + namespace: lasuite +spec: + vaultAuthRef: vso-auth + mount: secret + type: kv-v2 + path: hive + refreshAfter: 30s + destination: + name: hive-oidc + create: true + overwrite: true + transformation: + excludeRaw: true + templates: + "client-id": + text: "{{ index .Secrets \"oidc-client-id\" }}" + "client-secret": + text: "{{ index .Secrets \"oidc-client-secret\" }}" +--- +# People DB credentials from OpenBao database secrets engine (static role, 24h rotation). 
+apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultDynamicSecret +metadata: + name: people-db-credentials + namespace: lasuite +spec: + vaultAuthRef: vso-auth + mount: database + path: static-creds/people + refreshAfter: 1h + rolloutRestartTargets: + - kind: Deployment + name: people-backend + - kind: Deployment + name: people-celery-worker + - kind: Deployment + name: people-celery-beat + destination: + name: people-db-credentials + create: true + overwrite: true + transformation: + excludeRaw: true + templates: + password: + text: "{{ index .Secrets \"password\" }}" +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: people-django-secret + namespace: lasuite +spec: + vaultAuthRef: vso-auth + mount: secret + type: kv-v2 + path: people + refreshAfter: 30s + destination: + name: people-django-secret + create: true + overwrite: true + transformation: + excludeRaw: true + templates: + DJANGO_SECRET_KEY: + text: "{{ index .Secrets \"django-secret-key\" }}"
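Review bot: `VaultAuth/vso-auth` logs in to Vault as the namespace's `default` service account, which is also the account every pod in `lasuite` falls back to when it does not set `serviceAccountName`; once the Vault role `vso` is bound to it, any such pod (and anyone able to create one) can present its mounted token and read every path these objects cover — the SeaweedFS S3 keys, both DB credentials, the Hive OIDC client secret and the Django secret key. Use a dedicated service account that no workload runs as and that does not auto-mount a token (VSO obtains its token via the TokenRequest API, so `automountServiceAccountToken: false` does not get in its way), and bind the Vault role's `bound_service_account_names` to that account only; the Vault-side role change is outside this diff. Secondary: the `hive-db-url` template interpolates the raw password into a `postgresql://` DSN, so a password containing `@`, `/`, `:` or `%` would yield a broken URL — `{{ index .Secrets "password" | urlquery }}` guards against that if a password policy is ever attached to the role (Vault's default generator avoids URL-reserved characters as far as I know, so this is latent rather than live). The `rolloutRestartTargets` names (`hive`, `people-backend`, `people-celery-worker`, `people-celery-beat`) are not defined in this diff and should be checked against the rendered Deployment names, since a mismatch silently leaves pods running with a revoked password after rotation.
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vso-auth
  namespace: lasuite
automountServiceAccountToken: false
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: lasuite
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: vso-auth
# … unchanged: VaultStaticSecret / VaultDynamicSecret objects …
```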