feat(lasuite): add Projects (Planka Kanban) service

Deploy Planka-based project management at projects.DOMAIN_SUFFIX: - ConfigMap with OIDC, S3, SMTP, La Gaufre widget config - Deployment + Service (init container for DB migrations, Sails on 1337) - OAuth2Client (client_secret_basic, redirect to /oidc-callback) - VaultDynamicSecret for DATABASE_URL, VaultStaticSecret for SECRET_KEY - Pingora route with websocket support (Socket.io) - Image overrides in both local and production overlays - TLS cert dnsNames updated for projects subdomain - Integration service.json updated with Projects entry - seaweedfs-s3-credentials rolloutRestartTargets includes projects
2026-03-20 13:41:54 +00:00
parent b9d9ad72fe
commit bfe0280732
10 changed files with 300 additions and 8 deletions
--- a/base/lasuite/vault-secrets.yaml
+++ b/base/lasuite/vault-secrets.yaml
@@ -49,6 +49,8 @@ spec:
      name: messages-backend
    - kind: Deployment
      name: messages-worker
+    - kind: Deployment
+      name: projects
  destination:
    name: seaweedfs-s3-credentials
    create: true
@@ -637,3 +639,79 @@ spec:
          text: "{{ index .Secrets \"caldav-outbound-api-key\" }}"
        CALDAV_INTERNAL_API_KEY:
          text: "{{ index .Secrets \"caldav-internal-api-key\" }}"
+---
+# Projects DB credentials from OpenBao database secrets engine (static role, 24h rotation).
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: projects-db-url
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: database
+  path: static-creds/projects
+  allowStaticCreds: true
+  refreshAfter: 5m
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: projects
+  destination:
+    name: projects-db-url
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        url:
+          text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/projects_db"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: projects-app-secrets
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: projects
+  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: projects
+  destination:
+    name: projects-app-secrets
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        SECRET_KEY:
+          text: "{{ index .Secrets \"secret-key\" }}"
+---
+# Postfix DKIM signing key from OpenBao KV.
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: postfix-dkim
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: postfix-dkim
+  refreshAfter: 1h
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: postfix
+  destination:
+    name: postfix-dkim
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        private.key:
+          text: "{{ index .Secrets \"private-key\" }}"
+        selector:
+          text: "{{ index .Secrets \"selector\" }}"