From 886c4221b2dd8c473cf8dc40bf32a3c276a9ea3d Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Sat, 28 Feb 2026 14:00:31 +0000
Subject: [PATCH] fix(local): kustomize render passes cleanly
- Remove base/mesh from local overlay (Linkerd installed via CLI in local-up.sh)
- Fix LiveKit namespace: chart doesn't set .Release.Namespace, add explicit patches
- Fix release names: livekit-server and cloudnative-pg match chart names (avoid double-prefix)
- Disable hydra-maester (not needed for local dev)
- Add memory limits for cloudnative-pg operator and livekit-server deployments
- Remove non-functional values-ory.yaml patch (DOMAIN_SUFFIX handled by sed in local-up.sh)
- Gitignore **/charts/ (kustomize helm cache, generated artifact)
---
 .gitignore | 2 ++
 base/data/kustomization.yaml | 4 +--
 base/media/kustomization.yaml | 38 ++++++++++++++++++++++++++--
 base/ory/hydra-values.yaml | 5 ++++
 overlays/local/kustomization.yaml | 24 +++++++-----------
 overlays/local/values-resources.yaml | 30 ++++++++++++++++++++++
 6 files changed, 84 insertions(+), 19 deletions(-)
diff --git a/.gitignore b/.gitignore
index 6cca932..7b6cae8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,5 @@ secrets/local/
 *.pem
 *-key.pem
 .DS_Store
+# kustomize helm chart download cache
+**/charts/
diff --git a/base/data/kustomization.yaml b/base/data/kustomization.yaml
index f091c9f..2259759 100644
--- a/base/data/kustomization.yaml
+++ b/base/data/kustomization.yaml
@@ -12,10 +12,10 @@ resources:
 - opensearch-service.yaml
 helmCharts:
- # CloudNativePG operator — chart name: cloudnative-pg
 # helm repo add cnpg https://cloudnative-pg.github.io/charts
+ # releaseName=cloudnative-pg matches chart name → operator Deployment is named `cloudnative-pg`
 - name: cloudnative-pg
 repo: https://cloudnative-pg.github.io/charts
 version: "0.27.1"
- releaseName: cnpg
+ releaseName: cloudnative-pg
 namespace: data
diff --git a/base/media/kustomization.yaml b/base/media/kustomization.yaml
index 145089a..d8bafb6 100644
--- a/base/media/kustomization.yaml
+++ b/base/media/kustomization.yaml
@@ -7,11 +7,45 @@ resources:
 - namespace.yaml
 helmCharts:
- # chart name is `livekit-server`, not `livekit-helm`
 # helm repo add livekit https://helm.livekit.io
+ # releaseName=livekit-server matches chart name → Helm deduplicates the prefix,
+ # so resources are named `livekit-server` instead of `livekit-livekit-server`.
 - name: livekit-server
 repo: https://helm.livekit.io
 version: "1.9.0"
- releaseName: livekit
+ releaseName: livekit-server
 namespace: media
 valuesFile: livekit-values.yaml
+
+# The livekit-server chart does not set .Release.Namespace in its templates,
+# so kustomize's namespace field doesn't inject it automatically.
+# Patch namespace onto each chart-rendered resource explicitly.
+patches:
+ - patch: |
+ - op: add
+ path: /metadata/namespace
+ value: media
+ target:
+ kind: Deployment
+ name: livekit-server
+ - patch: |
+ - op: add
+ path: /metadata/namespace
+ value: media
+ target:
+ kind: Service
+ name: livekit-server
+ - patch: |
+ - op: add
+ path: /metadata/namespace
+ value: media
+ target:
+ kind: Service
+ name: livekit-server-turn
+ - patch: |
+ - op: add
+ path: /metadata/namespace
+ value: media
+ target:
+ kind: ConfigMap
+ name: livekit-server
diff --git a/base/ory/hydra-values.yaml b/base/ory/hydra-values.yaml
index cf10515..d6850e4 100644
--- a/base/ory/hydra-values.yaml
+++ b/base/ory/hydra-values.yaml
@@ -2,6 +2,11 @@
 # DOMAIN_SUFFIX is replaced by overlay patches.
 # DSN and system secrets come from the overlay-specific Secret.
+# Disable the maester controller — it manages OAuth2Client CRDs which we don't use locally.
+# OAuth2 clients are registered directly via the Hydra admin API.
+maester:
+ enabled: false
+
 hydra:
 config:
 dsn: "postgresql://hydra:$(HYDRA_DB_PASSWORD)@postgres-rw.data.svc.cluster.local:5432/hydra_db"
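Review bot: The four JSON patches under the new `patches:` key pin `metadata.namespace` only to the resources named here (one Deployment, two Services, one ConfigMap); any other namespaced object the chart renders now or after the pinned `version: "1.9.0"` changes — a ServiceAccount, say — would silently be applied to whatever namespace kubectl defaults to, and as far as I know kustomize only complains about a patch target that matches nothing, not about a rendered resource that no patch covers. The `namespace: media` inside `helmCharts` is just `helm template --namespace` and so depends on the chart using `.Release.Namespace`, but the Kustomization-level `namespace: media` field is a transformer that stamps every namespaced resource, helm-rendered ones included, and would replace all four patches; the head of this file is outside the hunk, so I am assuming that field is not already set. If the explicit patches are kept on purpose, add above `patches:` a comment such as `# NOTE: this list must be re-checked on every chart version bump — any resource not listed here gets no namespace.`.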
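Review bot: The context line two above the new `maester:` stanza, `# DOMAIN_SUFFIX is replaced by overlay patches.`, is made stale by this same commit: the overlays/local hunk drops the values-ory.yaml ConfigMap patch and its new NOTE says the substitution is now a `sed` over `kustomize build` output in scripts/local-up.sh. Since this hunk already edits the file header, fix the comment here rather than leaving a pointer to a patch that no longer exists, e.g. `# DOMAIN_SUFFIX is replaced at deploy time (local: sed in scripts/local-up.sh), not by a kustomize patch.`. If a non-local overlay still patches it, say so on that line instead so a reader knows which path applies where.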
diff --git a/overlays/local/kustomization.yaml b/overlays/local/kustomization.yaml
index 36d4278..569472a 100644
--- a/overlays/local/kustomization.yaml
+++ b/overlays/local/kustomization.yaml
@@ -3,9 +3,15 @@ kind: Kustomization
 # Local dev overlay — targets Lima VM running k3s on macOS
 # Deploy with: kubectl apply -k overlays/local/
+#
+# NOTE: base/mesh (Linkerd) is excluded here. Linkerd is bootstrapped
+# separately by scripts/local-up.sh via the Linkerd CLI, which avoids
+# the identity cert bootstrapping problem at kustomize render time.
+#
+# DOMAIN_SUFFIX substitution: local-up.sh pipes `kustomize build | sed` to
+# replace DOMAIN_SUFFIX with .sslip.io before kubectl apply.
 resources:
- - ../../base/mesh
 - ../../base/ingress
 - ../../base/ory
 - ../../base/data
@@ -15,23 +21,11 @@ resources:
 - ../../base/devtools
 patches:
- # sslip.io domain suffix derived from Lima VM IP
- - path: values-domain.yaml
- target:
- kind: ConfigMap
- name: pingora-config
-
- # Disable rustls-acme; mount mkcert cert; enable hostPort for Lima
+ # Disable rustls-acme; add hostPort for TURN relay range on Lima VM
 - path: values-pingora.yaml
 target:
 kind: Deployment
 name: pingora
- # Swap redirect URIs to *.sslip.io for Kratos and Hydra
- - path: values-ory.yaml
- target:
- kind: ConfigMap
- labelSelector: "app.kubernetes.io/part-of=ory"
-
- # Apply §10.7 memory limits across all Deployments
+ # Apply §10.7 memory limits to all Deployments
 - path: values-resources.yaml
diff --git a/overlays/local/values-resources.yaml b/overlays/local/values-resources.yaml
index 534502a..5c65989 100644
--- a/overlays/local/values-resources.yaml
+++ b/overlays/local/values-resources.yaml
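Review bot: The context line `# Deploy with: kubectl apply -k overlays/local/` directly above the new NOTE block is now misleading: with `../../base/mesh` removed from `resources:` and the DOMAIN_SUFFIX rewrite moved into a `sed` in scripts/local-up.sh (both stated in the added comment), a plain `kubectl apply -k` would push manifests still containing the literal `DOMAIN_SUFFIX` onto a cluster with no Linkerd, so the documented command no longer yields a working or mesh-protected deployment. Replace it with `# Deploy with: scripts/local-up.sh (installs Linkerd, then kustomize build | sed | kubectl apply)` so the script is the documented entry point. It would also help to state here that the Kratos/Hydra redirect URIs once handled by the values-ory.yaml patch (removed in the second hunk of this file) now rely solely on that sed, since nothing in this overlay makes that dependency visible otherwise.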
@@ -3,6 +3,36 @@
 #
 # Applied as a strategic merge patch. Each stanza targets one Deployment by name.
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cloudnative-pg
+ namespace: data
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ resources:
+ limits:
+ memory: 256Mi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: livekit-server
+ namespace: media
+spec:
+ template:
+ spec:
+ containers:
+ - name: livekit-server
+ resources:
+ limits:
+ memory: 128Mi
+
 ---
 apiVersion: apps/v1
 kind: Deployment
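Review bot: The two new stanzas are strategic merge patches keyed on container `name` (`manager` and `livekit-server`), and if either name differs from what the chart actually renders, the merge appends a second image-less container instead of failing — `kustomize build` still "passes cleanly" and only the later apply breaks. Both names come from chart templates not visible here, so confirm in the rendered output that each Deployment still has exactly one container and record it in the header, e.g. `# container names must match the chart's: cloudnative-pg → manager, livekit-server → livekit-server`. Separately, `limits.memory` with no `requests` makes Kubernetes copy the limit into the request, so 256Mi/128Mi are also the scheduling reservations; if that is intended, a one-line comment saying so will stop the next reader from "fixing" it with a lower request.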