From 5e36322a3b609854822fa4378e710e51e52a5d33 Mon Sep 17 00:00:00 2001 From: Sienna Meridian Satterwhite Date: Sun, 1 Mar 2026 18:03:13 +0000 Subject: [PATCH] lasuite: declarative pre-work for La Suite app deployments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add find user and find_db to postgres-cluster.yaml (11th database) - Add sunbeam-messages-imports and sunbeam-people buckets to SeaweedFS - Configure Hydra Maester with enabledNamespaces: [lasuite] so it can create and update OAuth2Client secrets in the lasuite namespace - Add find to Kratos allowed_return_urls - Add shared ConfigMaps: lasuite-postgres, lasuite-valkey, lasuite-s3, lasuite-oidc-provider — single source of truth for all app env vars - Add HydraOAuth2Client CRDs for all nine La Suite apps (docs, drive, meet, conversations, messages, people, find, gitea, hive); Maester will create oidc- secrets with CLIENT_ID and CLIENT_SECRET --- base/data/postgres-cluster.yaml | 2 + base/lasuite/kustomization.yaml | 59 +-------- base/lasuite/oidc-clients.yaml | 187 ++++++++++++++++++++++++++++ base/lasuite/seaweedfs-buckets.yaml | 2 + base/lasuite/shared-config.yaml | 55 ++++++++ base/ory/hydra-values.yaml | 6 + base/ory/kratos-values.yaml | 1 + 7 files changed, 255 insertions(+), 57 deletions(-) create mode 100644 base/lasuite/oidc-clients.yaml create mode 100644 base/lasuite/shared-config.yaml diff --git a/base/data/postgres-cluster.yaml b/base/data/postgres-cluster.yaml index 34e7546..6794232 100644 --- a/base/data/postgres-cluster.yaml +++ b/base/data/postgres-cluster.yaml @@ -41,6 +41,8 @@ spec: - CREATE DATABASE gitea_db OWNER gitea; - CREATE USER hive WITH LOGIN; - CREATE DATABASE hive_db OWNER hive; + - CREATE USER find WITH LOGIN; + - CREATE DATABASE find_db OWNER find; storage: size: 10Gi diff --git a/base/lasuite/kustomization.yaml b/base/lasuite/kustomization.yaml index 5284cd9..6eb9883 100644 --- a/base/lasuite/kustomization.yaml 
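Review bot: `CREATE USER find WITH LOGIN;` creates a login role with no password, like the ten roles above it, so the find app has no credential it can present to Postgres unless one is provisioned outside this hunk (if this is a CloudNativePG cluster, as the `postgres-rw` service name elsewhere in the patch suggests, that would be `spec.managed.roles` with a `passwordSecret`, or an out-of-band `ALTER ROLE`). Whatever the mechanism, the password must never land in this bootstrap SQL, which is committed to the repo; a comment above the list such as `# Roles are created without passwords — each app's credential comes from its own Secret, never from this SQL` would keep the twelfth app from taking that shortcut. The SQL list this hunk extends starts outside the hunk.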
+++ b/base/lasuite/kustomization.yaml 
@@ -10,61 +10,6 @@ resources:
 - hive-deployment.yaml
 - hive-service.yaml
 - seaweedfs-buckets.yaml
+ - shared-config.yaml
+ - oidc-clients.yaml
-# La Suite Numérique Helm charts:
-# Each component's chart lives in-tree inside its own GitHub repo (under helm/ or charts/).
-# There is NO published Helm repo index at a suitenumerique.github.io URL — charts must be
-# pulled from each component's repo individually.
-#
-# Options:
-# a) Use Flux HelmRepository with type=git pointing at each suitenumerique/ repo.
-# b) Package each chart locally (`helm package`) and commit to this repo under charts/.
-# c) Use OCI if/when they start publishing to GHCR (check each repo's CI for ghcr.io pushes).
-#
-# Recommended starting points:
-# - https://github.com/suitenumerique/docs (helm/ directory)
-# - https://github.com/suitenumerique/meet (helm/ directory)
-# - https://github.com/suitenumerique/drive (helm/ directory)
-# - https://github.com/suitenumerique/people (helm/ directory)
-# - https://github.com/suitenumerique/messages (check for helm/ directory)
-# - https://github.com/suitenumerique/conversations (check for helm/ directory)
-#
-# TODO: Once each app's chart path is confirmed, add helmCharts entries here.
-# Placeholder entries (commented out) — verify chart name and repo format first:
-
-# helmCharts:
-# - name: docs
-# repo: oci://ghcr.io/suitenumerique/docs # hypothetical; verify on ghcr.io first
-# version: "1.0.0"
-# releaseName: docs
-# namespace: lasuite
-#
-# - name: meet
-# repo: oci://ghcr.io/suitenumerique/meet
-# version: "1.0.0"
-# releaseName: meet
-# namespace: lasuite
-#
-# - name: drive
-# repo: oci://ghcr.io/suitenumerique/drive
-# version: "1.0.0"
-# releaseName: drive
-# namespace: lasuite
-#
-# - name: messages
-# repo: oci://ghcr.io/suitenumerique/messages
-# version: "1.0.0"
-# releaseName: messages
-# namespace: lasuite
-#
-# - name: conversations
-# repo: oci://ghcr.io/suitenumerique/conversations
-# version: "1.0.0"
-# releaseName: conversations
-# namespace: lasuite
-#
-# - name: people
-# repo: oci://ghcr.io/suitenumerique/people
-# version: "1.0.0"
-# releaseName: people
-# namespace: lasuite
diff --git a/base/lasuite/oidc-clients.yaml b/base/lasuite/oidc-clients.yaml
new file mode 100644
index 0000000..5b07297
--- /dev/null
+++ b/base/lasuite/oidc-clients.yaml
@@ -0,0 +1,187 @@
+# HydraOAuth2Client CRDs for La Suite Numérique apps.
+# Hydra Maester watches these and creates K8s Secrets (named by .spec.secretName)
+# in the lasuite namespace with CLIENT_ID and CLIENT_SECRET keys.
+# App pods reference those secrets for OIDC_RP_CLIENT_ID/SECRET env vars.
+# redirectUris contain DOMAIN_SUFFIX which is replaced by sed at deploy time.
+
+# ── Docs ─────────────────────────────────────────────────────────────────────
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: docs
+ namespace: lasuite
+spec:
+ clientName: Docs
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ responseTypes:
+ - code
+ scope: openid email profile
+ redirectUris:
+ - https://docs.DOMAIN_SUFFIX/oidc/callback/
+ tokenEndpointAuthMethod: client_secret_basic
+ secretName: oidc-docs
+ skipConsent: true
+---
+# ── Drive ─────────────────────────────────────────────────────────────────────
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: drive
+ namespace: lasuite
+spec:
+ clientName: Drive
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ responseTypes:
+ - code
+ scope: openid email profile
+ redirectUris:
+ - https://drive.DOMAIN_SUFFIX/oidc/callback/
+ tokenEndpointAuthMethod: client_secret_basic
+ secretName: oidc-drive
+ skipConsent: true
+---
+# ── Meet ─────────────────────────────────────────────────────────────────────
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: meet
+ namespace: lasuite
+spec:
+ clientName: Meet
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ responseTypes:
+ - code
+ scope: openid email profile
+ redirectUris:
+ - https://meet.DOMAIN_SUFFIX/oidc/callback/
+ tokenEndpointAuthMethod: client_secret_basic
+ secretName: oidc-meet
+ skipConsent: true
+---
+# ── Conversations (chat) ──────────────────────────────────────────────────────
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: conversations
+ namespace: 
lasuite
+spec:
+ clientName: Chat
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ responseTypes:
+ - code
+ scope: openid email profile
+ redirectUris:
+ - https://chat.DOMAIN_SUFFIX/oidc/callback/
+ tokenEndpointAuthMethod: client_secret_basic
+ secretName: oidc-conversations
+ skipConsent: true
+---
+# ── Messages (mail) ───────────────────────────────────────────────────────────
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: messages
+ namespace: lasuite
+spec:
+ clientName: Mail
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ responseTypes:
+ - code
+ scope: openid email profile
+ redirectUris:
+ - https://mail.DOMAIN_SUFFIX/oidc/callback/
+ tokenEndpointAuthMethod: client_secret_basic
+ secretName: oidc-messages
+ skipConsent: true
+---
+# ── People ────────────────────────────────────────────────────────────────────
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: people
+ namespace: lasuite
+spec:
+ clientName: People
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ responseTypes:
+ - code
+ scope: openid email profile
+ redirectUris:
+ - https://people.DOMAIN_SUFFIX/oidc/callback/
+ tokenEndpointAuthMethod: client_secret_basic
+ secretName: oidc-people
+ skipConsent: true
+---
+# ── Find ──────────────────────────────────────────────────────────────────────
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: find
+ namespace: lasuite
+spec:
+ clientName: Find
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ responseTypes:
+ - code
+ scope: openid email profile
+ redirectUris:
+ - https://find.DOMAIN_SUFFIX/oidc/callback/
+ tokenEndpointAuthMethod: client_secret_basic
+ secretName: oidc-find
+ skipConsent: true
+---
+# ── Gitea (src) ───────────────────────────────────────────────────────────────
+# Gitea reads OIDC credentials from its config, not K8s env vars.
+# The secret (oidc-gitea) is created here for reference; manually configure
+# Gitea admin with CLIENT_ID/CLIENT_SECRET from this secret.
+# Provider name "hydra" must match the name configured in Gitea's OAuth2 settings.
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: gitea
+ namespace: lasuite
+spec:
+ clientName: Gitea
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ responseTypes:
+ - code
+ scope: openid email profile
+ redirectUris:
+ - https://src.DOMAIN_SUFFIX/user/oauth2/hydra/callback
+ tokenEndpointAuthMethod: client_secret_basic
+ secretName: oidc-gitea
+ skipConsent: true
+---
+# ── Hive (service account) ────────────────────────────────────────────────────
+# Hive uses client_credentials to call Drive API on behalf of the sync service.
+# No user consent or redirect required.
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: hive
+ namespace: lasuite
+spec:
+ clientName: Hive
+ grantTypes:
+ - client_credentials
+ responseTypes:
+ - token
+ scope: openid
+ tokenEndpointAuthMethod: client_secret_basic
+ secretName: oidc-hive
diff --git a/base/lasuite/seaweedfs-buckets.yaml b/base/lasuite/seaweedfs-buckets.yaml
index 1544e1c..13c98f7 100644
--- a/base/lasuite/seaweedfs-buckets.yaml
+++ b/base/lasuite/seaweedfs-buckets.yaml
@@ -26,7 +26,9 @@ spec:
 sunbeam-meet \
 sunbeam-drive \
 sunbeam-messages \
+ sunbeam-messages-imports \
 sunbeam-conversations \
+ sunbeam-people \
 sunbeam-git-lfs \
 sunbeam-game-assets; do
 mc mb --ignore-existing "weed/$bucket"
diff --git a/base/lasuite/shared-config.yaml b/base/lasuite/shared-config.yaml
new file mode 100644
index 0000000..88dbb4d
--- /dev/null
+++ b/base/lasuite/shared-config.yaml
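Review bot: The Hive client at the end of the hunk is a client_credentials service account yet asks for `scope: openid` and `responseTypes: [token]`; `openid` has no meaning without an end user (Hydra issues no ID token on this grant) and `token` is the implicit-flow response type, so neither expresses what the Drive API should authorize — replace them with the resource scope Drive actually validates (I cannot see that from here) and drop `responseTypes` entirely. Separately, every interactive client lists the `refresh_token` grant but none requests `offline_access`, and Hydra only issues refresh tokens when `offline`/`offline_access` is granted, so either add it to `scope:` (and to `OIDC_RP_SCOPES` in the shared ConfigMap) or remove the grant so each client's declared capabilities match what it can use. The Gitea comment tells an operator to copy `CLIENT_SECRET` by hand into the admin UI; say where that copy is allowed to live, e.g. `# Copy the value only from the Secret (kubectl get secret oidc-gitea), never paste it into tickets or chat`, or better, mount the same Secret into Gitea's config so no manual hop exists.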
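Review bot: The two new buckets are created by `mc mb` with nothing scoping who may read them; the loop uses one `weed` alias for every bucket, so whatever S3 credential the La Suite pods receive (the lasuite-s3 ConfigMap in this patch carries no key, so it must come from a Secret outside the hunk) presumably reaches `sunbeam-messages-imports` — which, from its name, will hold imported mailboxes — as well as every other app's bucket. If the SeaweedFS S3 identity config in use supports per-bucket actions, give `messages` and `people` an identity limited to their own bucket and say so in the script header; if it does not, record that all apps share one key so the blast radius is explicit rather than discovered later. The `for bucket in … do … done` loop this hunk extends starts and ends outside the hunk.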
@@ -0,0 +1,55 @@
+# Shared ConfigMaps for La Suite Numérique application pods.
+# App Helm values reference these via configMapKeyRef so no value is duplicated.
+# DOMAIN_SUFFIX is substituted by sed at deploy time.
+
+# ── PostgreSQL connection (non-secret values) ────────────────────────────────
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: lasuite-postgres
+ namespace: lasuite
+data:
+ DB_HOST: postgres-rw.data.svc.cluster.local
+ DB_PORT: "5432"
+ DB_ENGINE: django.db.backends.postgresql_psycopg2
+---
+# ── Valkey (Redis-compatible) ────────────────────────────────────────────────
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: lasuite-valkey
+ namespace: lasuite
+data:
+ REDIS_URL: redis://valkey.data.svc.cluster.local:6379/1
+ CELERY_BROKER_URL: redis://valkey.data.svc.cluster.local:6379/0
+---
+# ── SeaweedFS S3 API (non-secret values) ────────────────────────────────────
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: lasuite-s3
+ namespace: lasuite
+data:
+ AWS_S3_ENDPOINT_URL: http://seaweedfs-filer.storage.svc.cluster.local:8333
+ AWS_S3_REGION_NAME: us-east-1
+ AWS_DEFAULT_ACL: private
+---
+# ── Hydra OIDC provider endpoints ───────────────────────────────────────────
+# All La Suite apps use mozilla-django-oidc. These vars point to Hydra public
+# endpoints via the proxy, so external DOMAIN_SUFFIX URLs work from inside the
+# cluster without split-DNS.
+# DOMAIN_SUFFIX is substituted by sed at deploy time.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: lasuite-oidc-provider
+ namespace: lasuite
+data:
+ OIDC_OP_JWKS_ENDPOINT: https://auth.DOMAIN_SUFFIX/.well-known/jwks.json
+ OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/auth
+ OIDC_OP_TOKEN_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/token
+ OIDC_OP_USER_ENDPOINT: https://auth.DOMAIN_SUFFIX/userinfo
+ OIDC_OP_LOGOUT_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/sessions/logout
+ OIDC_RP_SIGN_ALGO: RS256
+ OIDC_RP_SCOPES: openid email profile
+ OIDC_VERIFY_SSL: "true"
diff --git a/base/ory/hydra-values.yaml b/base/ory/hydra-values.yaml
index 9ca0b7f..eaf8ccd 100644
--- a/base/ory/hydra-values.yaml
+++ b/base/ory/hydra-values.yaml
@@ -30,6 +30,12 @@ hydra:
 secret:
 enabled: false
+# Allow Maester to create/update OAuth2Client secrets in the lasuite namespace.
+# 'hydra-maester' is the subchart alias — values flow down under this key.
+hydra-maester:
+ enabledNamespaces:
+ - lasuite
+
 deployment:
 resources:
 limits:
diff --git a/base/ory/kratos-values.yaml b/base/ory/kratos-values.yaml
index 217052a..282c108 100644
--- a/base/ory/kratos-values.yaml
+++ b/base/ory/kratos-values.yaml
@@ -20,6 +20,7 @@ kratos:
 - https://chat.DOMAIN_SUFFIX/
 - https://people.DOMAIN_SUFFIX/
 - https://src.DOMAIN_SUFFIX/
+ - https://find.DOMAIN_SUFFIX/
 flows:
 login:
 ui_url: https://auth.DOMAIN_SUFFIX/login
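Review bot: `REDIS_URL` and `CELERY_BROKER_URL` in the lasuite-valkey ConfigMap carry no credential, so as written every La Suite app talks to Valkey unauthenticated; unless Valkey enforces `requirepass` and the apps override these URLs from a Secret (nothing in this patch does), any workload that can reach `valkey.data.svc.cluster.local:6379` can read cached session state and enqueue Celery tasks that the apps' workers will run. Either state in the header that Valkey is unauthenticated and fenced by a NetworkPolicy on the `data` namespace, or move the two URLs into a Secret with a password so this ConfigMap stays truly non-secret as its name promises for the other two. A related nit: all nine apps share db 1 for the cache and db 0 for the broker, so cache keys can collide across apps unless each sets its own `KEY_PREFIX` — worth a comment next to `REDIS_URL`. `AWS_S3_ENDPOINT_URL` is plain `http://` in-cluster, which is acceptable only if the comment above it records that object traffic between the lasuite and storage namespaces is considered trusted.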