refactor: remove La Suite services (except Meet + Collabora), delete local overlay

La Suite Messages, Calendars, Drive, Projects, Hive, Integration, and
Postfix are replaced by Stalwart (mail) and Tuwunel (messaging). Meet
and Collabora remain for video conferencing and document editing.

Local overlay was POC only — all deployments target production now.

Deleted: 37 La Suite manifests, Drive Helm chart, 7 local overlay files,
stale MTA-in hostPort patch. Cleaned up production image overrides and
resource patches for removed services.
2026-04-06 18:03:55 +01:00
parent 8662c79212
commit 6acf598f92
49 changed files with 0 additions and 2577 deletions


@@ -1,85 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Local dev overlay — targets Lima VM running k3s on macOS
# Deploy with: kubectl apply -k overlays/local/
#
# NOTE: base/mesh (Linkerd) is excluded here. Linkerd is bootstrapped
# separately by scripts/local-up.sh via the Linkerd CLI, which avoids
# the identity cert bootstrapping problem at kustomize render time.
#
# DOMAIN_SUFFIX substitution: local-up.sh pipes `kustomize build | sed` to
# replace DOMAIN_SUFFIX with <LIMA_IP>.sslip.io before kubectl apply.
resources:
- ../../base/build
- ../../base/ingress
- ../../base/ory
- ../../base/data
- ../../base/storage
- ../../base/lasuite
- ../../base/media
- ../../base/devtools
- ../../base/stalwart
- ../../base/vso
images:
# La Gaufre v2 integration service — lagaufre.js widget + SVG logos + nginx
- name: integration
newName: src.DOMAIN_SUFFIX/studio/integration
newTag: latest
# amd64-only La Suite images — mirrored to our Gitea registry with a patched
# OCI index that adds an arm64 alias so Rosetta can run them on the Lima VM.
# DOMAIN_SUFFIX is substituted by local-up.py at deploy time (sed replacement).
# Meet — built from source and pushed to Gitea registry.
- name: meet-backend
newName: src.DOMAIN_SUFFIX/studio/meet-backend
newTag: latest
- name: meet-frontend
newName: src.DOMAIN_SUFFIX/studio/meet-frontend
newTag: latest
# Projects (Kanban) — built and pushed by `sunbeam build projects`
- name: projects
newName: src.DOMAIN_SUFFIX/studio/projects
newTag: latest
# Calendars — built from source and pushed to Gitea registry.
- name: calendars-backend
newName: src.DOMAIN_SUFFIX/studio/calendars-backend
newTag: latest
- name: calendars-caldav
newName: src.DOMAIN_SUFFIX/studio/calendars-caldav
newTag: latest
- name: calendars-frontend
newName: src.DOMAIN_SUFFIX/studio/calendars-frontend
newTag: latest
patches:
# Disable SSL verification for OIDC server-side calls — mkcert CA not trusted in pods
- path: patch-oidc-verify-ssl.yaml
target:
kind: ConfigMap
name: lasuite-oidc-provider
# Add hostPort for TURN relay range + bind :80/:443 on Lima VM
- path: values-pingora.yaml
target:
kind: Deployment
name: pingora
# Downgrade LiveKit TURN service from LoadBalancer → ClusterIP (klipper would take hostPort 443)
- path: values-livekit.yaml
target:
kind: Service
name: livekit-server-turn
# Set SSL_CERT_FILE so Gitea's Go TLS trusts the mkcert wildcard CA for OIDC calls
- path: patch-gitea-mkcert-ca.yaml
target:
kind: Deployment
name: gitea
# Apply §10.7 memory limits to all Deployments
- path: values-resources.yaml


@@ -1,13 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea
namespace: devtools
spec:
template:
spec:
containers:
- name: gitea
env:
- name: SSL_CERT_FILE
value: /run/ca/ca.crt


@@ -1,7 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: lasuite-oidc-provider
namespace: lasuite
data:
OIDC_VERIFY_SSL: "false"


@@ -1,21 +0,0 @@
# Patch: replace DOMAIN_SUFFIX placeholder with <LIMA_IP>.sslip.io
# in the Pingora ConfigMap's routing table.
#
# How to apply: the local-up.sh script calls:
# LIMA_IP=$(limactl shell sunbeam hostname -I | awk '{print $1}')
# sed "s/DOMAIN_SUFFIX/${LIMA_IP}.sslip.io/g" overlays/local/values-domain.yaml | kubectl apply -f -
#
# Or use kustomize's replacements feature if the IP is known at kustomize time.
#
# This is a strategic merge patch on the pingora-config ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
name: pingora-config
namespace: ingress
data:
# DOMAIN_SUFFIX is substituted at deploy time by local-up.sh.
# The local overlay domain is: <LIMA_IP>.sslip.io
# Example: 192.168.5.2.sslip.io
domain-suffix: "LIMA_IP.sslip.io"


@@ -1,10 +0,0 @@
# Local override: change LiveKit TURN service type from LoadBalancer to ClusterIP.
# k3s klipper-lb would otherwise bind hostPort 443, conflicting with Pingora.
# External TURN on port 443 is not needed in local dev (no NAT traversal required).
apiVersion: v1
kind: Service
metadata:
name: livekit-server-turn
namespace: media
spec:
type: ClusterIP


@@ -1,37 +0,0 @@
# Patch: local Pingora overrides
# - ACME disabled (mkcert wildcard cert from pingora-tls Secret)
# - hostPort for TURN relay range on the Lima VM
apiVersion: apps/v1
kind: Deployment
metadata:
name: pingora
namespace: ingress
spec:
template:
spec:
containers:
- name: pingora
imagePullPolicy: IfNotPresent
ports:
# Bind HTTP/HTTPS directly to the Lima VM's host network
- name: http
containerPort: 80
hostPort: 80
protocol: TCP
- name: https
containerPort: 443
hostPort: 443
protocol: TCP
# Expose full TURN relay range as hostPort so the Lima VM forwards UDP
- name: turn-start
containerPort: 49152
hostPort: 49152
protocol: UDP
- name: turn-end
containerPort: 49252
hostPort: 49252
protocol: UDP
# acme.enabled = false is the default in pingora-config.yaml.
# The mkcert cert Secret (pingora-tls) is created by scripts/local-certs.sh
# before kustomize runs, so it is always present on first apply.


@@ -1,188 +0,0 @@
# Patch: apply §10.7 memory limits to all Deployments in the local overlay.
# These are intentionally tight to stay within the 12 GB Lima VM budget.
#
# Applied as a strategic merge patch. Each stanza targets one Deployment by name.
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cloudnative-pg
namespace: data
spec:
template:
spec:
containers:
- name: manager
resources:
limits:
memory: 256Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: livekit-server
namespace: media
spec:
template:
spec:
containers:
- name: livekit-server
resources:
limits:
memory: 128Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pingora
namespace: ingress
spec:
template:
spec:
containers:
- name: pingora
resources:
limits:
memory: 128Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: valkey
namespace: data
spec:
template:
spec:
containers:
- name: valkey
resources:
limits:
memory: 64Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: opensearch
namespace: data
spec:
template:
spec:
containers:
- name: opensearch
env:
# Reduce JVM heap so it fits within the 512Mi container limit.
# Base sets -Xms512m -Xmx1g which immediately OOMs the container.
- name: OPENSEARCH_JAVA_OPTS
value: "-Xms192m -Xmx256m"
resources:
limits:
memory: 512Mi
requests:
memory: 256Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: seaweedfs-filer
namespace: storage
spec:
template:
spec:
containers:
- name: filer
resources:
limits:
memory: 512Mi
requests:
memory: 128Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: hydra-hydra-maester
namespace: ory
spec:
template:
spec:
containers:
- name: hydra-maester
resources:
limits:
memory: 64Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: login-ui
namespace: ory
spec:
template:
spec:
containers:
- name: login-ui
resources:
limits:
memory: 192Mi
requests:
memory: 64Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: hive
namespace: lasuite
spec:
template:
spec:
containers:
- name: hive
resources:
limits:
memory: 64Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: collabora
namespace: lasuite
spec:
template:
spec:
containers:
- name: collabora
resources:
limits:
memory: 512Mi
cpu: 500m
requests:
memory: 256Mi
cpu: 50m
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: buildkitd
namespace: build
spec:
template:
spec:
containers:
- name: buildkitd
resources:
requests:
cpu: "250m"
memory: "256Mi"
limits:
cpu: "2"
memory: "2Gi"


@@ -27,11 +27,6 @@ resources:
- postgres-scheduled-backup.yaml
images:
# La Gaufre integration service — built and pushed by `sunbeam build integration`
- name: integration
newName: src.DOMAIN_SUFFIX/studio/integration
newTag: latest
# Meet — built from source and pushed to Gitea registry.
- name: meet-backend
newName: src.DOMAIN_SUFFIX/studio/meet-backend
@@ -40,42 +35,6 @@ images:
newName: src.DOMAIN_SUFFIX/studio/meet-frontend
newTag: latest
# Messages — built from source and pushed to Gitea registry.
- name: messages-backend
newName: src.DOMAIN_SUFFIX/studio/messages-backend
newTag: latest
- name: messages-frontend
newName: src.DOMAIN_SUFFIX/studio/messages-frontend
newTag: latest
- name: messages-mta-in
newName: src.DOMAIN_SUFFIX/studio/messages-mta-in
newTag: latest
- name: messages-mta-out
newName: src.DOMAIN_SUFFIX/studio/messages-mta-out
newTag: latest
- name: messages-mpa
newName: src.DOMAIN_SUFFIX/studio/messages-mpa
newTag: latest
- name: messages-socks-proxy
newName: src.DOMAIN_SUFFIX/studio/messages-socks-proxy
newTag: latest
# Calendars — built from source and pushed to Gitea registry.
- name: calendars-backend
newName: src.DOMAIN_SUFFIX/studio/calendars-backend
newTag: latest
- name: calendars-caldav
newName: src.DOMAIN_SUFFIX/studio/calendars-caldav
newTag: latest
- name: calendars-frontend
newName: src.DOMAIN_SUFFIX/studio/calendars-frontend
newTag: latest
# Projects (Kanban) — built and pushed by `sunbeam build projects`
- name: projects
newName: src.DOMAIN_SUFFIX/studio/projects
newTag: latest
# Tuwunel Matrix homeserver — built and pushed by `sunbeam build tuwunel`
- name: tuwunel
newName: src.DOMAIN_SUFFIX/studio/tuwunel


@@ -1,15 +0,0 @@
# Bind MTA-in port 25 to the host so inbound email reaches the pod directly.
apiVersion: apps/v1
kind: Deployment
metadata:
name: messages-mta-in
namespace: lasuite
spec:
template:
spec:
containers:
- name: messages-mta-in
ports:
- containerPort: 25
hostPort: 25
protocol: TCP


@@ -149,23 +149,6 @@ spec:
limits:
memory: 128Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: hive
namespace: lasuite
spec:
template:
spec:
containers:
- name: hive
resources:
requests:
memory: 64Mi
limits:
memory: 256Mi
---
apiVersion: apps/v1
kind: Deployment