feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates

- Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS proxy, worker, DKIM config, and theme customization - Add Collabora deployment for document collaboration - Add Drive frontend nginx config and values - Add buildkitd namespace for in-cluster container builds - Add SeaweedFS remote sync and additional S3 buckets - Update vault secrets across namespaces (devtools, lasuite, media, monitoring, ory, storage) with expanded credential management - Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus remote write and additional scrape configs - Update local/production overlays with resource patches - Remove stale login-ui resource patch from production overlay
2026-03-10 19:00:57 +00:00
parent e5741c4df6
commit ccfe8b877a
50 changed files with 1885 additions and 236 deletions
--- a/base/ory/vault-secrets.yaml
+++ b/base/ory/vault-secrets.yaml
@@ -23,6 +23,9 @@ spec:
  type: kv-v2
  path: hydra
  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: hydra
  destination:
    name: hydra
    create: true
@@ -49,6 +52,11 @@ spec:
  type: kv-v2
  path: kratos
  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: kratos
+    - kind: StatefulSet
+      name: kratos-courier
  destination:
    name: kratos-app-secrets
    create: true
@@ -90,30 +98,6 @@ spec:
        dsn:
          text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/kratos_db?sslmode=disable"
 ---
-# Login UI session cookie + CSRF protection secrets.
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: login-ui-secrets
-  namespace: ory
-spec:
-  vaultAuthRef: vso-auth
-  mount: secret
-  type: kv-v2
-  path: login-ui
-  refreshAfter: 30s
-  destination:
-    name: login-ui-secrets
-    create: true
-    overwrite: true
-    transformation:
-      excludeRaw: true
-      templates:
-        cookie-secret:
-          text: "{{ index .Secrets \"cookie-secret\" }}"
-        csrf-cookie-secret:
-          text: "{{ index .Secrets \"csrf-cookie-secret\" }}"
---
 # Hydra DB credentials from OpenBao database secrets engine (static role, 24h rotation).
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultDynamicSecret
@@ -151,6 +135,9 @@ spec:
  type: kv-v2
  path: kratos-admin
  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: kratos-admin-ui
  destination:
    name: kratos-admin-ui-secrets
    create: true
@@ -164,3 +151,7 @@ spec:
          text: "{{ index .Secrets \"csrf-cookie-secret\" }}"
        admin-identity-ids:
          text: "{{ index .Secrets \"admin-identity-ids\" }}"
+        s3-access-key:
+          text: "{{ index .Secrets \"s3-access-key\" }}"
+        s3-secret-key:
+          text: "{{ index .Secrets \"s3-secret-key\" }}"