feat(infra): production bootstrap — cert-manager, longhorn, monitoring

Add new bases for cert-manager (Let's Encrypt + wildcard cert), Longhorn distributed storage, and monitoring (kube-prometheus-stack + Loki + Tempo + Grafana OIDC). Add cloud-init for Scaleway Elastic Metal provisioning. Production overlay: add patches for postgres sizing, SeaweedFS volume, OpenSearch storage, LiveKit service, Pingora host ports, resource limits, and CNPG daily barman backups. Update cert-manager.yaml with full dnsNames for all *.sunbeam.pt subdomains.
2026-03-06 12:06:27 +00:00
parent f7774558e9
commit 7ff35d3e0c
23 changed files with 855 additions and 35 deletions
--- a/base/monitoring/grafana-oauth2client.yaml
+++ b/base/monitoring/grafana-oauth2client.yaml
@@ -0,0 +1,32 @@
+# Hydra OAuth2Client for Grafana OIDC sign-in.
+#
+# Hydra Maester watches this CRD and:
+#   1. Registers the client with Hydra
+#   2. Creates K8s Secret "grafana-oidc" in monitoring namespace
+#      with CLIENT_ID and CLIENT_SECRET keys.
+#
+# Grafana picks up the secret via envFromSecret and interpolates
+# ${CLIENT_ID} / ${CLIENT_SECRET} in grafana.ini at startup.
+#
+# DOMAIN_SUFFIX is substituted by sunbeam apply.
+---
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: grafana
+  namespace: monitoring
+spec:
+  clientName: Grafana
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  scope: openid email profile
+  redirectUris:
+    - https://grafana.DOMAIN_SUFFIX/login/generic_oauth
+  postLogoutRedirectUris:
+    - https://grafana.DOMAIN_SUFFIX/
+  tokenEndpointAuthMethod: client_secret_post
+  secretName: grafana-oidc
+  skipConsent: true