feat(infra): Meet integration, La Suite theming, Pingora SSH + meet routes

Meet: add backend/frontend/celery deployments and services, meet-config ConfigMap, nginx SPA config, VSO secrets (meet-db-credentials VDS, meet-django-secret and meet-livekit VSS). Wire oidc-meet OAuth2Client. La Suite overlay discipline: move people/docs frontend nginx ConfigMaps and patches from overlays/local to base so both environments share them. Remove values-ory.yaml (folded into base). Add docs-frontend nginx config with sub_filter theming. Add local gitea mkcert CA patch. Pingora: add [ssh] TCP passthrough block (port 22 → Gitea SSH pod) and split meet route into frontend default + backend paths for /api/, /admin/, /oidc/, /static/, /__. Remove now-unused values-pingora.yaml from production overlay (host ports moved to patch-pingora-hostport.yaml). Update both overlay kustomizations to reference all new resources and add meet-backend/meet-frontend image entries.
2026-03-06 12:08:21 +00:00
parent d32d1435f9
commit 424db43ccf
22 changed files with 569 additions and 49 deletions
--- a/base/lasuite/vault-secrets.yaml
+++ b/base/lasuite/vault-secrets.yaml
@@ -202,3 +202,76 @@ spec:
      templates:
        secret:
          text: "{{ index .Secrets \"collaboration-secret\" }}"
+---
+# Meet DB credentials from OpenBao database secrets engine (static role, 24h rotation).
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: meet-db-credentials
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: database
+  path: static-creds/meet
+  allowStaticCreds: true
+  refreshAfter: 5m
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: meet-backend
+    - kind: Deployment
+      name: meet-celery-worker
+  destination:
+    name: meet-db-credentials
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        password:
+          text: "{{ index .Secrets \"password\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: meet-django-secret
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: meet
+  refreshAfter: 30s
+  destination:
+    name: meet-django-secret
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        DJANGO_SECRET_KEY:
+          text: "{{ index .Secrets \"django-secret-key\" }}"
+        APPLICATION_JWT_SECRET_KEY:
+          text: "{{ index .Secrets \"application-jwt-secret-key\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: meet-livekit
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: livekit
+  refreshAfter: 30s
+  destination:
+    name: meet-livekit
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        LIVEKIT_API_KEY:
+          text: "{{ index .Secrets \"api-key\" }}"
+        LIVEKIT_API_SECRET:
+          text: "{{ index .Secrets \"api-secret\" }}"