studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(lasuite): add People service (desk chart); migrate La Suite secrets to VSO

Browse Source 
People (desk chart v0.0.7):
- Add people-values.yaml with all env vars wired to ConfigMaps and Secrets.
  DB password, S3 credentials, OIDC client, and Django secret key all come
  from VSO-managed K8s Secrets via secretKeyRef — nothing hardcoded.
- Add Helm chart entry to kustomization.yaml (repo: suitenumerique/people).

La Suite VSO secrets (vault-secrets.yaml):
- seaweedfs-s3-credentials VSS (shared S3 creds → S3_ACCESS_KEY / S3_SECRET_KEY)
- hive-db-url VDS (database/static-creds/hive → postgresql:// DSN, 24h rotation)
- hive-oidc VSS (secret/hive → client-id / client-secret)
- people-db-credentials VDS (database/static-creds/people → password, 24h rotation)
- people-django-secret VSS (secret/people → DJANGO_SECRET_KEY)
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-02 18:33:28 +00:00
parent 8cb705fecc
commit 302b7ba56b
3 changed files with 277 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
base/lasuite/kustomization.yaml
View File

@@ -12,4 +12,17 @@ resources:
- seaweedfs-buckets.yaml
- shared-config.yaml
- oidc-clients.yaml
- vault-secrets.yaml
# La Suite Numérique Helm charts.
# Charts with a published Helm repo use helmCharts below.
# find has no published repo yet — deploy manually when OpenSearch is ready.
helmCharts:
# helm repo add people https://suitenumerique.github.io/people/
- name: desk
repo: https://suitenumerique.github.io/people/
version: "0.0.7"
releaseName: people
namespace: lasuite
valuesFile: people-values.yaml

133
base/lasuite/people-values.yaml Normal file
View File

@@ -0,0 +1,133 @@
# La Suite Numérique — People (desk chart).
# Env vars use the chart's dict-based envVars schema:
# string value → rendered as env.value
# map value → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
# DOMAIN_SUFFIX is substituted by sed at deploy time.
#
# Required secrets (created by seed script):
# oidc-people — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
# people-db-credentials — password
# people-django-secret — DJANGO_SECRET_KEY
# seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
fullnameOverride: people
backend:
createsuperuser:
# Superuser creation disabled — users authenticate via OIDC.
enabled: false
envVars: &commonEnvVars
# ── Database ─────────────────────────────────────────────────────────────
DB_NAME: people_db
DB_USER: people
DB_HOST:
configMapKeyRef:
name: lasuite-postgres
key: DB_HOST
DB_PORT:
configMapKeyRef:
name: lasuite-postgres
key: DB_PORT
DB_ENGINE:
configMapKeyRef:
name: lasuite-postgres
key: DB_ENGINE
DB_PASSWORD:
secretKeyRef:
name: people-db-credentials
key: password
# ── Redis / Celery ────────────────────────────────────────────────────────
REDIS_URL:
configMapKeyRef:
name: lasuite-valkey
key: REDIS_URL
CELERY_BROKER_URL:
configMapKeyRef:
name: lasuite-valkey
key: CELERY_BROKER_URL
# ── S3 (profile media) ────────────────────────────────────────────────────
AWS_STORAGE_BUCKET_NAME: sunbeam-people
AWS_S3_ENDPOINT_URL:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_ENDPOINT_URL
AWS_S3_REGION_NAME:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_REGION_NAME
AWS_DEFAULT_ACL:
configMapKeyRef:
name: lasuite-s3
key: AWS_DEFAULT_ACL
AWS_ACCESS_KEY_ID:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_ACCESS_KEY
AWS_SECRET_ACCESS_KEY:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_SECRET_KEY
# ── OIDC (Hydra) ──────────────────────────────────────────────────────────
OIDC_RP_CLIENT_ID:
secretKeyRef:
name: oidc-people
key: CLIENT_ID
OIDC_RP_CLIENT_SECRET:
secretKeyRef:
name: oidc-people
key: CLIENT_SECRET
OIDC_RP_SIGN_ALGO:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SIGN_ALGO
OIDC_RP_SCOPES:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SCOPES
OIDC_OP_JWKS_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_JWKS_ENDPOINT
OIDC_OP_AUTHORIZATION_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_AUTHORIZATION_ENDPOINT
OIDC_OP_TOKEN_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_TOKEN_ENDPOINT
OIDC_OP_USER_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_USER_ENDPOINT
OIDC_OP_LOGOUT_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_LOGOUT_ENDPOINT
OIDC_VERIFY_SSL:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_VERIFY_SSL
# ── Django ────────────────────────────────────────────────────────────────
DJANGO_SECRET_KEY:
secretKeyRef:
name: people-django-secret
key: DJANGO_SECRET_KEY
DJANGO_ALLOWED_HOSTS: people.DOMAIN_SUFFIX
DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
# celeryWorker and celeryBeat intentionally have no envVars here.
# The desk chart template automatically injects backend.envVars into all
# celery containers (see celery_beat_deployment.yaml: $backendEnvVars).
# Adding envVars here would duplicate every env var.
ingress:
enabled: false
ingressAdmin:
enabled: false

131
base/lasuite/vault-secrets.yaml Normal file
View File

@@ -0,0 +1,131 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vso-auth
namespace: lasuite
spec:
method: kubernetes
mount: kubernetes
kubernetes:
role: vso
serviceAccount: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: seaweedfs-s3-credentials
namespace: lasuite
spec:
vaultAuthRef: vso-auth
mount: secret
type: kv-v2
path: seaweedfs
refreshAfter: 30s
destination:
name: seaweedfs-s3-credentials
create: true
overwrite: true
transformation:
excludeRaw: true
templates:
S3_ACCESS_KEY:
text: "{{ index .Secrets \"access-key\" }}"
S3_SECRET_KEY:
text: "{{ index .Secrets \"secret-key\" }}"
---
# Hive DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
name: hive-db-url
namespace: lasuite
spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/hive
refreshAfter: 1h
rolloutRestartTargets:
- kind: Deployment
name: hive
destination:
name: hive-db-url
create: true
overwrite: true
transformation:
excludeRaw: true
templates:
url:
text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/hive_db"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: hive-oidc
namespace: lasuite
spec:
vaultAuthRef: vso-auth
mount: secret
type: kv-v2
path: hive
refreshAfter: 30s
destination:
name: hive-oidc
create: true
overwrite: true
transformation:
excludeRaw: true
templates:
"client-id":
text: "{{ index .Secrets \"oidc-client-id\" }}"
"client-secret":
text: "{{ index .Secrets \"oidc-client-secret\" }}"
---
# People DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
name: people-db-credentials
namespace: lasuite
spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/people
refreshAfter: 1h
rolloutRestartTargets:
- kind: Deployment
name: people-backend
- kind: Deployment
name: people-celery-worker
- kind: Deployment
name: people-celery-beat
destination:
name: people-db-credentials
create: true
overwrite: true
transformation:
excludeRaw: true
templates:
password:
text: "{{ index .Secrets \"password\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: people-django-secret
namespace: lasuite
spec:
vaultAuthRef: vso-auth
mount: secret
type: kv-v2
path: people
refreshAfter: 30s
destination:
name: people-django-secret
create: true
overwrite: true
transformation:
excludeRaw: true
templates:
DJANGO_SECRET_KEY:
text: "{{ index .Secrets \"django-secret-key\" }}"