diff --git a/base/data/barman-vault-secret.yaml b/base/data/barman-vault-secret.yaml
new file mode 100644
index 0000000..9b3ed7c
--- /dev/null
+++ b/base/data/barman-vault-secret.yaml
@@ -0,0 +1,39 @@
+---
+# VaultAuth for VSO to authenticate in the data namespace.
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vso-auth
+ namespace: data
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: vso
+ serviceAccount: default
+---
+# Scaleway S3 credentials for CNPG barman backups.
+# OpenBao KV path: secret/scaleway-s3 (keys: access-key-id, secret-access-key)
+# Seeded by: sunbeam seed (reads from scw CLI config)
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: barman-s3-creds
+ namespace: data
+spec:
+ vaultAuthRef: vso-auth
+ mount: secret
+ type: kv-v2
+ path: scaleway-s3
+ refreshAfter: 30s
+ destination:
+ name: barman-s3-creds
+ create: true
+ overwrite: true
+ transformation:
+ excludeRaw: true
+ templates:
+ ACCESS_KEY_ID:
+ text: "{{ index .Secrets \"access-key-id\" }}"
+ ACCESS_SECRET_KEY:
+ text: "{{ index .Secrets \"secret-access-key\" }}"
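Review bot: `serviceAccount: default` in the VaultAuth spec makes the `vso` login use the namespace's default service account, which is also the identity of every pod in `data` that does not set its own account. If the OpenBao role is bound to that account (the role definition is not part of this diff), any such workload may be able to log in as `vso` and read `secret/scaleway-s3`, subject to the token audience the role accepts. A dedicated account narrows this, for example `serviceAccount: vso-auth` (example name) with a matching ServiceAccount manifest and role binding. Separately, `refreshAfter: 30s` polls OpenBao every 30 seconds for a static credential; a longer interval is probably enough unless fast rotation is required.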
diff --git a/base/data/kustomization.yaml b/base/data/kustomization.yaml
index 4df1e65..16dd8ed 100644
--- a/base/data/kustomization.yaml
+++ b/base/data/kustomization.yaml
@@ -10,7 +10,9 @@ resources:
- valkey-service.yaml
- opensearch-deployment.yaml
- opensearch-service.yaml
+ - opensearch-pvc.yaml
- openbao-keys-placeholder.yaml
+ - barman-vault-secret.yaml
helmCharts:
# helm repo add cnpg https://cloudnative-pg.github.io/charts
diff --git a/base/data/openbao-values.yaml b/base/data/openbao-values.yaml
index 531e3e8..4022d4d 100644
--- a/base/data/openbao-values.yaml
+++ b/base/data/openbao-values.yaml
@@ -17,6 +17,9 @@ server:
registry: quay.io
repository: openbao/openbao
+ # Disable anti-affinity — single-node cluster.
+ affinity: ""
+
standalone:
enabled: true
config: |
diff --git a/base/data/opensearch-deployment.yaml b/base/data/opensearch-deployment.yaml
index 587cbc9..385adf9 100644
--- a/base/data/opensearch-deployment.yaml
+++ b/base/data/opensearch-deployment.yaml
@@ -42,3 +42,10 @@ spec:
requests:
memory: 768Mi
cpu: 100m
+ volumeMounts:
+ - name: data
+ mountPath: /usr/share/opensearch/data
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: opensearch-data
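Review bot: The new `volumeMounts`/`volumes` entries mount the PVC at `/usr/share/opensearch/data` without any visible ownership setting, so a non-root OpenSearch process may be unable to write to a freshly provisioned volume. The same commit adds a `chmod 777` init container to the SeaweedFS filer for what looks like this same problem. A pod-level `securityContext` with `fsGroup: <opensearch-gid>` (placeholder; the image's UID/GID is not shown here) would cover it without widening the mode. The pod spec starts outside this hunk, so this may already be set.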
diff --git a/base/data/opensearch-pvc.yaml b/base/data/opensearch-pvc.yaml
new file mode 100644
index 0000000..afd6738
--- /dev/null
+++ b/base/data/opensearch-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: opensearch-data
+ namespace: data
+spec:
+ accessModes: [ReadWriteOnce]
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/base/data/postgres-cluster.yaml b/base/data/postgres-cluster.yaml
index 6794232..b7133ef 100644
--- a/base/data/postgres-cluster.yaml
+++ b/base/data/postgres-cluster.yaml
@@ -16,8 +16,9 @@ spec:
initdb:
database: postgres
owner: postgres
- secret:
- name: postgres-superuser
+ # No `secret` field — CNPG auto-generates a random superuser password
+ # and stores it in the `postgres-superuser` Secret. sunbeam seed reads
+ # that Secret to configure the OpenBao database secrets engine.
postInitSQL:
# Create all 10 logical databases and their owners.
# Passwords are set by the seed-secrets script via ALTER USER after init.
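Review bot: The new comment states that CNPG will create the `postgres-superuser` Secret, but that depends on settings outside this hunk. To my knowledge, recent CloudNativePG releases generate `<cluster-name>-superuser` only when `enableSuperuserAccess: true` is set on the Cluster, and the name matches only if the cluster is called `postgres`. Please confirm both, since `sunbeam seed` reads that Secret. The comment would also be more useful if it said who is expected to have read access to this long-lived superuser credential. The context line two lines below still refers to a "seed-secrets script", so it is unclear whether both comments mean the same tool.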
diff --git a/base/devtools/gitea-theme-cm.yaml b/base/devtools/gitea-theme-cm.yaml
new file mode 100644
index 0000000..17ede88
--- /dev/null
+++ b/base/devtools/gitea-theme-cm.yaml
@@ -0,0 +1,282 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: gitea-custom-theme
+ namespace: devtools
+data:
+ theme-sunbeam.css: |
+ /* theme-sunbeam.css — O Estúdio theme for Gitea
+ * Dark navy background + amber/honey primary, Ysabeau + Monaspace Neon.
+ * Based on cunningham.ts estudioTheme from people/desk.
+ */
+
+ /* ── Base: inherit all gitea-dark variables, then override ─── */
+ @import url("/assets/css/theme-gitea-dark.css");
+
+ /* ── Font imports ──────────────────────────────────────────── */
+
+ /* Ysabeau Variable (UI font) — from Google Fonts */
+ @import url('https://fonts.googleapis.com/css2?family=Ysabeau:ital,wght@0,1..1000;1,1..1000&display=swap');
+
+ /* Monaspace Neon Variable (code font) — from jsDelivr */
+ @font-face {
+ font-family: 'Monaspace Neon';
+ src: url('https://cdn.jsdelivr.net/npm/@github/monaspace@1.101/dist/fonts/variable/MonaspaceNeonVarVF[wght,slnt].woff2') format('woff2');
+ font-weight: 200 800;
+ font-style: oblique 0deg 10deg;
+ font-display: swap;
+ }
+
+ /* ── Typography ─────────────────────────────────────────────── */
+
+ :root {
+ --fonts-regular: 'Ysabeau', -apple-system, 'Segoe UI', system-ui, sans-serif;
+ --fonts-proportional: 'Ysabeau', -apple-system, 'Segoe UI', system-ui, sans-serif;
+ --fonts-monospace: 'Monaspace Neon', ui-monospace, 'SFMono-Regular', 'SF Mono', Menlo, Consolas, 'Liberation Mono', monospace;
+ }
+
+ html, body {
+ font-size: 15px;
+ font-weight: 450;
+ }
+
+ /* Monaspace OpenType features: texture healing + stylistic sets + ligatures */
+ pre, code, kbd, samp,
+ .diff-code-inner, .markup-block-diff,
+ [class*="cm-"], .CodeMirror {
+ font-feature-settings: "calt" 1, "ss01" 1, "ss02" 1, "ss03" 1, "ss04" 1,
+ "ss05" 1, "ss06" 1, "ss07" 1, "ss08" 1, "liga" 1;
+ }
+
+ /* ── O Estúdio dark navy background ─────────────────────────── */
+ /* Greyscale from cunningham estudioTheme — inverted dark scale */
+ /* Variable names verified against gitea-dark.css source */
+
+ :root {
+ /* Page + nav */
+ --color-body: #0c1a2b; /* greyscale-000 */
+ --color-nav-bg: #182536; /* greyscale-100 */
+ --color-nav-hover-bg: #303c4b; /* greyscale-200 */
+ --color-secondary-nav-bg: #182536; /* greyscale-100 */
+
+ /* Boxes / cards */
+ --color-box-header: #182536; /* greyscale-100 */
+ --color-box-body: #0c1a2b; /* greyscale-000 */
+ --color-box-body-highlight: #303c4b; /* greyscale-200 */
+ --color-card: #182536; /* greyscale-100 */
+ --color-menu: #182536; /* greyscale-100 */
+ --color-button: #182536; /* greyscale-100 */
+ --color-expand-button: #303c4b; /* greyscale-200 */
+
+ /* Inputs / code */
+ --color-input-background: #182536; /* greyscale-100 */
+ --color-input-toggle-background: #303c4b; /* greyscale-200 */
+ --color-code-bg: #0c1a2b; /* greyscale-000 */
+ --color-secondary-bg: #303c4b; /* greyscale-200 */
+
+ /* Console (Actions log, SSH, etc.) */
+ --color-console-bg: #0c1a2b; /* greyscale-000 */
+ --color-console-border: #303c4b; /* greyscale-200 */
+ --color-console-hover-bg: #182536; /* greyscale-100 */
+ --color-console-active-bg: #303c4b; /* greyscale-200 */
+ --color-console-menu-bg: #182536; /* greyscale-100 */
+ --color-console-menu-border: #555f6b; /* greyscale-300 */
+
+ /* UI chrome */
+ --color-hover-opaque: #303c4b; /* greyscale-200 */
+ --color-timeline: #303c4b; /* greyscale-200 */
+ --color-grey: #555f6b; /* greyscale-300 */
+ --color-shadow-opaque: #07111c;
+
+ /* Borders */
+ --color-input-border: #303c4b; /* greyscale-200 */
+ --color-light-border: #182536; /* greyscale-100 */
+
+ /* Secondary scale — full 13-dark / 4-light spectrum */
+ --color-secondary: #182536; /* greyscale-100 */
+ --color-secondary-dark-1: #0c1a2b; /* greyscale-000 */
+ --color-secondary-dark-2: #07111c;
+ --color-secondary-dark-3: #040b12;
+ --color-secondary-dark-4: #020609;
+ --color-secondary-dark-5: #010406;
+ --color-secondary-dark-6: #000203;
+ --color-secondary-dark-7: #000000;
+ --color-secondary-dark-8: #000000;
+ --color-secondary-dark-9: #000000;
+ --color-secondary-dark-10: #000000;
+ --color-secondary-dark-11: #000000;
+ --color-secondary-dark-12: #000000;
+ --color-secondary-dark-13: #000000;
+ --color-secondary-light-1: #303c4b; /* greyscale-200 */
+ --color-secondary-light-2: #555f6b; /* greyscale-300 */
+ --color-secondary-light-3: #79818a; /* greyscale-400 */
+ --color-secondary-light-4: #9ea3aa; /* greyscale-500 */
+
+ /* Text */
+ --color-text: #e7e8ea; /* greyscale-700 */
+ --color-text-dark: #fafafb; /* greyscale-900 */
+ --color-text-light: #c2c6ca; /* greyscale-600 */
+ --color-text-light-1: #9ea3aa; /* greyscale-500 */
+ --color-text-light-2: #79818a; /* greyscale-400 */
+ --color-text-light-3: #555f6b; /* greyscale-300 */
+ }
+
+ /* ── O Estúdio amber/honey primary ──────────────────────────── */
+ /* Amber palette from cunningham estudioTheme */
+
+ :root {
+ --color-primary: #f59e0b; /* primary-500 */
+ --color-primary-dark-1: #d97706; /* primary-600 */
+ --color-primary-dark-2: #b45309; /* primary-700 */
+ --color-primary-dark-3: #92400e; /* primary-800 */
+ --color-primary-dark-4: #78350f; /* primary-900 */
+ --color-primary-dark-5: #5c2808;
+ --color-primary-dark-6: #3e1a04;
+ --color-primary-dark-7: #1c0d00;
+ --color-primary-light-1: #fbbf24; /* primary-400 */
+ --color-primary-light-2: #fcd34d; /* primary-300 */
+ --color-primary-light-3: #fde68a; /* primary-200 */
+ --color-primary-light-4: #fde9a0; /* primary-150 */
+ --color-primary-light-5: #fef3c7; /* primary-100 */
+ --color-primary-light-6: #fffbeb; /* primary-050 */
+ --color-primary-light-7: #fffef5;
+
+ --color-primary-hover: #d97706; /* primary-600 */
+ --color-primary-active: #b45309; /* primary-700 */
+ /* Amber is bright — use warm dark for contrast text */
+ --color-primary-contrast: #1c1917; /* primary-bg */
+
+ /* primary-500 = rgb(245, 158, 11) */
+ --color-primary-alpha-10: rgba(245, 158, 11, 0.10);
+ --color-primary-alpha-20: rgba(245, 158, 11, 0.20);
+ --color-primary-alpha-30: rgba(245, 158, 11, 0.30);
+ --color-primary-alpha-40: rgba(245, 158, 11, 0.40);
+ --color-primary-alpha-50: rgba(245, 158, 11, 0.50);
+ --color-primary-alpha-60: rgba(245, 158, 11, 0.60);
+ --color-primary-alpha-70: rgba(245, 158, 11, 0.70);
+ --color-primary-alpha-80: rgba(245, 158, 11, 0.80);
+ --color-primary-alpha-90: rgba(245, 158, 11, 0.90);
+
+ /* Accent variables used by Gitea for highlights + native browser accent */
+ --color-accent: #fbbf24; /* primary-400 */
+ --color-small-accent: #fef3c7; /* primary-100 */
+ --color-highlight-fg: #87651e;
+ --color-highlight-bg: #352c1c;
+ --color-reaction-hover-bg: rgba(245, 158, 11, 0.20);
+ --color-reaction-active-bg: rgba(245, 158, 11, 0.30);
+ accent-color: #f59e0b;
+ }
+
+ /* ── Explicit amber overrides (belt-and-suspenders) ──────────── */
+ /* Belt-and-suspenders rules for elements that must be amber on */
+ /* every page, in case CSS variable resolution has any gaps. */
+
+ /* Primary buttons */
+ .ui.primary.button,
+ .ui.primary.buttons .button {
+ background: #f59e0b !important;
+ color: #1c1917 !important;
+ }
+ .ui.primary.button:hover,
+ .ui.primary.buttons .button:hover {
+ background: #d97706 !important;
+ }
+ .ui.primary.button:active,
+ .ui.primary.buttons .button:active {
+ background: #b45309 !important;
+ }
+ .ui.basic.primary.button,
+ .ui.basic.primary.buttons .button {
+ color: #f59e0b !important;
+ border-color: #f59e0b !important;
+ background: none !important;
+ }
+
+ /* Links */
+ a { color: #f59e0b; }
+ a:hover { color: #d97706; }
+
+ /* Active nav/tab items and underlines */
+ .ui.secondary.menu .active.item,
+ .ui.tabular.menu .active.item,
+ .menu .active.item {
+ border-color: #f59e0b !important;
+ color: #f59e0b !important;
+ }
+ .repository .file-list .item.selected,
+ .ui.menu .active.item:hover {
+ color: #f59e0b !important;
+ }
+
+ /* Active border on bottom of tabs */
+ .ui.pointing.secondary.menu .active.item,
+ .ui.pointing.secondary.menu .active.item:hover {
+ border-bottom-color: #f59e0b !important;
+ }
+
+ /* Labels and badges using primary */
+ .ui.label.primary, .ui.labels.primary .label {
+ background: #f59e0b !important;
+ color: #1c1917 !important;
+ }
+
+ /* Gitea logo — inline SVG fallback (1.25+ uses
, see logo.svg mount) */
+ .gitea-logo, svg.gitea-logo path { fill: #f59e0b !important; }
+
+ /* ── Dark overrides for Fomantic UI message components ───────── */
+ /* index.css uses hardcoded light-theme hex values for these; */
+ /* they must be overridden explicitly — CSS vars don't reach them. */
+
+ .ui.message {
+ background: var(--color-secondary) !important;
+ color: var(--color-text) !important;
+ box-shadow: none !important;
+ }
+ .ui.warning.message,
+ .ui.yellow.message {
+ background: var(--color-warning-bg) !important;
+ color: var(--color-warning-text) !important;
+ border-color: var(--color-warning-border) !important;
+ }
+ .ui.warning.message .header,
+ .ui.yellow.message .header {
+ color: var(--color-warning-text) !important;
+ }
+ .ui.negative.message,
+ .ui.error.message,
+ .ui.red.message {
+ background: var(--color-error-bg) !important;
+ color: var(--color-error-text) !important;
+ border-color: var(--color-error-border) !important;
+ }
+ .ui.negative.message .header,
+ .ui.error.message .header {
+ color: var(--color-error-text) !important;
+ }
+ .ui.positive.message,
+ .ui.success.message,
+ .ui.green.message {
+ background: var(--color-success-bg) !important;
+ color: var(--color-success-text) !important;
+ border-color: var(--color-success-border) !important;
+ }
+ .ui.info.message,
+ .ui.teal.message,
+ .ui.blue.message {
+ background: var(--color-info-bg) !important;
+ color: var(--color-info-text) !important;
+ border-color: var(--color-info-border) !important;
+ }
+
+ /* Dropdown warning state (also hardcoded in index.css) */
+ .ui.selection.dropdown.warning {
+ background: var(--color-input-background) !important;
+ border-color: var(--color-warning-border) !important;
+ color: var(--color-text) !important;
+ }
+
+ # Amber Gitea logo — replaces the default green logo.svg
+ # Gitea 1.25+ serves the logo as
, so CSS
+ # fill rules don't apply. We mount a custom amber SVG instead.
+ logo.svg: |
+
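Review bot: The theme loads fonts from two third-party origins, `fonts.googleapis.com` in the second `@import` and `cdn.jsdelivr.net` in the `@font-face` `src`. Every browser that opens the forge therefore contacts those hosts and discloses the client IP address and the originating site. It also makes page rendering depend on external availability, and those hosts must be allowed in any Content-Security-Policy. The font files can instead be served from Gitea's own public assets next to the theme, e.g. `src: url('/assets/fonts/<monaspace-file>.woff2') format('woff2');` (placeholder path), with the Google Fonts `@import` replaced by a local `@font-face` for Ysabeau. Separately, the `logo.svg: |` key at the end of the file has an empty body in this view, so the mounted logo would be blank unless the SVG content was lost in rendering.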
diff --git a/base/devtools/gitea-values.yaml b/base/devtools/gitea-values.yaml
index 50ced7c..dc17032 100644
--- a/base/devtools/gitea-values.yaml
+++ b/base/devtools/gitea-values.yaml
@@ -19,11 +19,21 @@ gitea:
email: gitea@local.domain
config:
+ ui:
+ DEFAULT_THEME: sunbeam
+ THEMES: sunbeam
+
server:
DOMAIN: src.DOMAIN_SUFFIX
ROOT_URL: https://src.DOMAIN_SUFFIX/
SSH_DOMAIN: src.DOMAIN_SUFFIX
- LFS_START_SERVER: "true"
+ # Gitea advertises port 22 (users clone with git@src.DOMAIN_SUFFIX:org/repo.git).
+ # The pod listens on 2222; Pingora forwards external port 22 → pod port 2222.
+ SSH_PORT: "22"
+ SSH_LISTEN_PORT: "2222"
+ SSH_EXPOSE_ANONYMOUS: "false"
+ LFS_START_SERVER: "true"
+ LANDING_PAGE: /studio
database:
DB_TYPE: postgres
@@ -46,6 +56,12 @@ gitea:
TYPE: redis
CONN_STR: redis://valkey.data.svc.cluster.local:6379/2?pool_size=100&idle_timeout=180s
+ oauth2_client:
+ # Auto-redirect to Hydra OIDC on login — makes OIDC the primary auth method.
+ OAUTH2_AUTO_REDIRECT_TO_PROVIDER: Sunbeam
+ # Register new OIDC users automatically.
+ ENABLE_AUTO_REGISTRATION: "true"
+
storage:
STORAGE_TYPE: minio
MINIO_ENDPOINT: seaweedfs-filer.storage.svc.cluster.local:8333
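Review bot: `ENABLE_AUTO_REGISTRATION: "true"` gives a Gitea account to any identity that can complete a login at the OIDC provider, so access to the source forge is decided entirely by the provider's registration policy. This same commit configures a Kratos registration flow URL in base/ory/kratos-selfservice-urls.yaml; if self-service sign-up is open there, it is effectively open here as well. A comment stating that assumption would help. Setting `ACCOUNT_LINKING: login` explicitly in this section would also keep an external identity from being attached to an existing local account on a name or e-mail match alone. The auto-redirect does not by itself disable local password sign-in or local registration; whether the `service` section restricts those is not visible in this hunk.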
@@ -70,6 +86,33 @@ gitea:
name: gitea-s3-credentials
key: secret-key
+initPreScript: |
+ mkdir -p /data/gitea/public/assets/css
+ mkdir -p /data/gitea/public/assets/img
+
+extraVolumes:
+ - name: custom-theme
+ configMap:
+ name: gitea-custom-theme
+ - name: mkcert-ca
+ configMap:
+ name: gitea-mkcert-ca
+ optional: true # only exists in local env; production omits it safely
+
+extraContainerVolumeMounts:
+ - name: custom-theme
+ mountPath: /data/gitea/public/assets/css/theme-sunbeam.css
+ subPath: theme-sunbeam.css
+ readOnly: true
+ - name: custom-theme
+ mountPath: /data/gitea/public/assets/img/logo.svg
+ subPath: logo.svg
+ readOnly: true
+ - name: mkcert-ca
+ mountPath: /run/ca/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
resources:
limits:
memory: 256Mi
@@ -77,6 +120,11 @@ resources:
memory: 128Mi
cpu: 100m
+service:
+ ssh:
+ # Pod listens on 2222 (SSH_LISTEN_PORT); Pingora proxies external port 22 → here.
+ port: 2222
+
persistence:
enabled: true
size: 5Gi
diff --git a/base/devtools/kustomization.yaml b/base/devtools/kustomization.yaml
index bd786e1..c3f57ed 100644
--- a/base/devtools/kustomization.yaml
+++ b/base/devtools/kustomization.yaml
@@ -6,6 +6,7 @@ namespace: devtools
resources:
- namespace.yaml
- vault-secrets.yaml
+ - gitea-theme-cm.yaml
helmCharts:
# helm repo add gitea-charts https://dl.gitea.com/charts/
diff --git a/base/media/livekit-values.yaml b/base/media/livekit-values.yaml
index 5180184..8debe65 100644
--- a/base/media/livekit-values.yaml
+++ b/base/media/livekit-values.yaml
@@ -14,11 +14,13 @@ livekit:
use_external_ip: true
turn:
- enabled: true
- domain: meet.DOMAIN_SUFFIX
- tls_port: 5349
- udp_port: 3478
- external_tls: true
+ enabled: true
+ domain: meet.DOMAIN_SUFFIX
+ tls_port: 5349
+ udp_port: 3478
+ external_tls: true
+ relay_range_start: 13333
+ relay_range_end: 23333
redis:
# Valkey is protocol-compatible with Redis; LiveKit sees this as a Redis endpoint
@@ -30,6 +32,10 @@ livekit:
devkey: secret-placeholder
deployment:
+ # hostNetwork gives LiveKit direct access to the host network namespace,
+ # which is the only practical way to expose the 10k-port TURN relay range
+ # (13333-23333) without listing individual hostPorts in the pod spec.
+ hostNetwork: true
resources:
limits:
memory: 128Mi
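Review bot: `hostNetwork: true` puts the LiveKit pod in the node's network namespace, which goes further than exposing the relay range. Every port the process listens on is bound on the node, the pod can reach services on the node's loopback and host interfaces, and NetworkPolicy enforcement generally does not apply to host-network pods. The comment should record these trade-offs and name the host firewall rules that limit inbound traffic to 13333-23333 and the TURN ports. Host-network pods also use the node's resolver unless the pod sets `dnsPolicy: ClusterFirstWithHostNet`, so cluster service names such as the Valkey endpoint may stop resolving. Whether the chart exposes that field under `deployment` is not visible here.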
diff --git a/base/ory/kratos-selfservice-urls.yaml b/base/ory/kratos-selfservice-urls.yaml
new file mode 100644
index 0000000..d2fdd8a
--- /dev/null
+++ b/base/ory/kratos-selfservice-urls.yaml
@@ -0,0 +1,23 @@
+# Kratos selfservice UI URLs — patch over the Helm-rendered kratos-config ConfigMap.
+# DOMAIN_SUFFIX is substituted by sunbeam apply.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kratos-config
+ namespace: ory
+data:
+ selfservice.default_browser_return_url: "https://auth.DOMAIN_SUFFIX/"
+ selfservice.flows.login.ui_url: "https://auth.DOMAIN_SUFFIX/login"
+ selfservice.flows.registration.ui_url: "https://auth.DOMAIN_SUFFIX/registration"
+ selfservice.flows.recovery.ui_url: "https://auth.DOMAIN_SUFFIX/recovery"
+ selfservice.flows.settings.ui_url: "https://auth.DOMAIN_SUFFIX/settings"
+ selfservice.allowed_return_urls: |
+ - https://auth.DOMAIN_SUFFIX/
+ - https://docs.DOMAIN_SUFFIX/
+ - https://meet.DOMAIN_SUFFIX/
+ - https://drive.DOMAIN_SUFFIX/
+ - https://mail.DOMAIN_SUFFIX/
+ - https://chat.DOMAIN_SUFFIX/
+ - https://people.DOMAIN_SUFFIX/
+ - https://src.DOMAIN_SUFFIX/
+ - https://admin.DOMAIN_SUFFIX/
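Review bot: These dotted keys are added as separate `data` entries of `kratos-config`, and nothing in this file shows that Kratos will read them. As far as I know, the Helm chart renders the whole configuration into a single `kratos.yaml` entry of that ConfigMap, so extra entries would be mounted as unused files unless `sunbeam apply` folds them in. That matters most for `selfservice.allowed_return_urls`, the allow-list that stops post-login redirects to arbitrary sites. If the patch has no effect, the list silently stays at the chart's value. Please check the rendered configuration that the running Kratos actually loads, and note in the header comment that the list must be extended whenever a new subdomain is added.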
diff --git a/base/ory/kustomization.yaml b/base/ory/kustomization.yaml
index 0a7f243..72928ad 100644
--- a/base/ory/kustomization.yaml
+++ b/base/ory/kustomization.yaml
@@ -15,8 +15,11 @@ resources:
- hydra-oauth2client-crd.yaml
- vault-secrets.yaml
-# The hydra-maester sub-chart does not set .Release.Namespace in its Deployment template.
patches:
+ # Set Kratos selfservice UI URLs (DOMAIN_SUFFIX substituted at apply time).
+ - path: kratos-selfservice-urls.yaml
+
+ # The hydra-maester sub-chart does not set .Release.Namespace in its Deployment template.
- patch: |
- op: add
path: /metadata/namespace
diff --git a/base/storage/kustomization.yaml b/base/storage/kustomization.yaml
index fa97b3c..7442318 100644
--- a/base/storage/kustomization.yaml
+++ b/base/storage/kustomization.yaml
@@ -9,4 +9,5 @@ resources:
- seaweedfs-master.yaml
- seaweedfs-volume.yaml
- seaweedfs-filer.yaml
+ - seaweedfs-filer-pvc.yaml
- vault-secrets.yaml
diff --git a/base/storage/seaweedfs-filer-pvc.yaml b/base/storage/seaweedfs-filer-pvc.yaml
new file mode 100644
index 0000000..933238a
--- /dev/null
+++ b/base/storage/seaweedfs-filer-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: seaweedfs-filer-data
+ namespace: storage
+spec:
+ accessModes: [ReadWriteOnce]
+ resources:
+ requests:
+ storage: 5Gi
diff --git a/base/storage/seaweedfs-filer.yaml b/base/storage/seaweedfs-filer.yaml
index 51f515e..01b923d 100644
--- a/base/storage/seaweedfs-filer.yaml
+++ b/base/storage/seaweedfs-filer.yaml
@@ -13,6 +13,13 @@ spec:
labels:
app: seaweedfs-filer
spec:
+ initContainers:
+ - name: fix-permissions
+ image: busybox
+ command: ["sh", "-c", "chmod 777 /data/filer"]
+ volumeMounts:
+ - name: filer-data
+ mountPath: /data/filer
containers:
- name: filer
image: chrislusf/seaweedfs:latest
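Review bot: The `fix-permissions` init container makes `/data/filer` world-writable with `chmod 777` and runs from `image: busybox` with no tag or digest. Any process that can reach the volume path can then modify filer metadata, and the untagged image resolves to whatever is current at pull time. Setting ownership rather than mode would usually remove the need for the init container, for example a pod-level `securityContext` with `fsGroup: <filer-gid>` (placeholder; the filer's UID/GID is not shown here). If the container stays, `chown` the directory to the filer user with mode `0750` and pin the image to a fixed tag or digest. The pod spec continues outside this hunk.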
@@ -61,7 +68,8 @@ spec:
secret:
secretName: seaweedfs-s3-json
- name: filer-data
- emptyDir: {}
+ persistentVolumeClaim:
+ claimName: seaweedfs-filer-data
---
apiVersion: v1
kind: Service
diff --git a/base/vso/kustomization.yaml b/base/vso/kustomization.yaml
index 29dd0c5..99ee68d 100644
--- a/base/vso/kustomization.yaml
+++ b/base/vso/kustomization.yaml
@@ -5,7 +5,6 @@ namespace: vault-secrets-operator
resources:
- namespace.yaml
- - test-rbac.yaml
helmCharts:
# helm repo add hashicorp https://helm.releases.hashicorp.com
diff --git a/justfile b/justfile
index 9f8a65a..7d2288e 100644
--- a/justfile
+++ b/justfile
@@ -8,10 +8,6 @@ install:
test:
PYTHONPATH=../cli python3 -m unittest discover -s ../cli/sunbeam/tests -p 'test_*.py' -v
-# Run any sunbeam CLI verb (e.g.: just sunbeam status ory)
-sunbeam *args:
- PYTHONPATH=../cli python3 -m sunbeam {{args}}
-
# Start Lima VM and deploy full stack
up:
bash scripts/local-up.sh