fix: meet external-api route, drive media proxy, alertbot, misc tweaks

- Meet: add external-api backend path, CSRF trusted origins
- Drive: fix media proxy regex for preview URLs and S3 key signing
- OpenBao: enable Prometheus telemetry
- Postgres alerts: fix metric name (cnpg_backends_total)
- Gitea: bump memory limits for mirror workloads
- Alertbot: expanded deployment config
- Kratos: add find/cal/projects to allowed return URLs, settings path
- Pingora: meet external-api route fix
- Sol: config update

base/lasuite/drive-frontend-nginx-configmap.yaml

@@ -50,9 +50,15 @@ data:
       }
 
       # Protected media: auth via Drive backend, then proxy to S3 with signed headers.
-      # media-auth returns S3 SigV4 Authorization/X-Amz-Date headers; nginx captures
-      # and forwards them so SeaweedFS can verify the request.
-      location /media/ {
+      # media-auth returns SigV4 Authorization/X-Amz-Date/X-Amz-Content-SHA256
+      # headers signed for the S3 key (item/UUID/file). nginx captures them and
+      # forwards to SeaweedFS. The regex strips /media/ and optional /preview/
+      # so the proxy path matches the signed S3 key exactly.
+      location ~ ^/media/(preview/)?(.*) {
+        set $original_uri $request_uri;
+        set $s3_key $2;
+        resolver kube-dns.kube-system.svc.cluster.local valid=30s;
+        set $s3_backend http://seaweedfs-filer.storage.svc.cluster.local:8333;
         auth_request      /internal/media-auth;
         auth_request_set  $auth_header    $upstream_http_authorization;
         auth_request_set  $amz_date       $upstream_http_x_amz_date;
@@ -60,7 +66,7 @@ data:
         proxy_set_header  Authorization         $auth_header;
         proxy_set_header  X-Amz-Date           $amz_date;
         proxy_set_header  X-Amz-Content-Sha256 $amz_content;
-        proxy_pass http://seaweedfs-filer.storage.svc.cluster.local:8333/sunbeam-drive/;
+        proxy_pass $s3_backend/sunbeam-drive/$s3_key;
       }
 
       # Internal subrequest: Django checks session and item access, returns S3 auth headers.
@@ -69,8 +75,9 @@ data:
         proxy_pass         http://drive-backend.lasuite.svc.cluster.local:80/api/v1.0/items/media-auth/;
         proxy_pass_request_body off;
         proxy_set_header   Content-Length   "";
-        proxy_set_header   Host             drive.sunbeam.pt;
-        proxy_set_header   X-Original-URL   $scheme://$host$request_uri;
+        proxy_set_header   Cookie           $http_cookie;
+        proxy_set_header   Host             drive.DOMAIN_SUFFIX;
+        proxy_set_header   X-Original-URL   https://drive.DOMAIN_SUFFIX$original_uri;
       }
 
       error_page 500 502 503 504 @blank_error;

base/lasuite/meet-backend-deployment.yaml

@@ -28,6 +28,8 @@ spec:
                 name: lasuite-s3
             - configMapRef:
                 name: lasuite-oidc-provider
+            - configMapRef:
+                name: lasuite-resource-server
           env:
             - name: DB_PASSWORD
               valueFrom:
@@ -64,6 +66,16 @@ spec:
                 secretKeyRef:
                   name: oidc-meet
                   key: CLIENT_SECRET
+            - name: OIDC_RS_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-meet
+                  key: CLIENT_ID
+            - name: OIDC_RS_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-meet
+                  key: CLIENT_SECRET
             - name: AWS_S3_ACCESS_KEY_ID
               valueFrom:
                 secretKeyRef:
@@ -102,6 +114,8 @@ spec:
                 name: lasuite-s3
             - configMapRef:
                 name: lasuite-oidc-provider
+            - configMapRef:
+                name: lasuite-resource-server
           env:
             - name: DB_PASSWORD
               valueFrom:
@@ -138,6 +152,16 @@ spec:
                 secretKeyRef:
                   name: oidc-meet
                   key: CLIENT_SECRET
+            - name: OIDC_RS_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-meet
+                  key: CLIENT_ID
+            - name: OIDC_RS_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-meet
+                  key: CLIENT_SECRET
             - name: AWS_S3_ACCESS_KEY_ID
               valueFrom:
                 secretKeyRef:

base/lasuite/meet-config.yaml

@@ -12,3 +12,10 @@ data:
   DB_USER: meet
   AWS_STORAGE_BUCKET_NAME: sunbeam-meet
   LIVEKIT_API_URL: https://livekit.DOMAIN_SUFFIX
+  EXTERNAL_API_ENABLED: "True"
+  # Resource server settings for CLI bearer token auth.
+  # Override defaults (ES256 + encrypted) to match Hydra's RS256 + opaque tokens.
+  OIDC_RS_SIGNING_ALGO: RS256
+  OIDC_RS_SCOPES: openid,email,profile,offline_access
+  OIDC_RS_ENCRYPTION_ALGO: ""
+  OIDC_RS_ENCRYPTION_ENCODING: ""

base/lasuite/shared-config.yaml

@@ -61,3 +61,19 @@ data:
   OIDC_RP_SIGN_ALGO:              RS256
   OIDC_RP_SCOPES:                 openid email profile
   OIDC_VERIFY_SSL:                "true"
+---
+# Resource server config — shared by all La Suite services.
+# Enables bearer token auth via Hydra token introspection for the external_api.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: lasuite-resource-server
+  namespace: lasuite
+data:
+  OIDC_RESOURCE_SERVER_ENABLED: "True"
+  OIDC_OP_URL: https://auth.DOMAIN_SUFFIX/
+  OIDC_OP_INTROSPECTION_ENDPOINT: http://hydra-admin.ory.svc.cluster.local:4445/admin/oauth2/introspect
+  # Audience claim value for the sunbeam CLI. All La Suite services should
+  # include this in OIDC_RS_ALLOWED_AUDIENCES so the CLI can access their
+  # external APIs with an SSO bearer token.
+  OIDC_RS_CLI_AUDIENCE: sunbeam-cli