Meet: add backend/frontend/celery deployments and services, meet-config
ConfigMap, nginx SPA config, VSO secrets (meet-db-credentials VDS,
meet-django-secret and meet-livekit VSS). Wire oidc-meet OAuth2Client.
La Suite overlay discipline: move people/docs frontend nginx ConfigMaps
and patches from overlays/local to base so both environments share them.
Remove values-ory.yaml (folded into base). Add docs-frontend nginx config
with sub_filter theming. Add local gitea mkcert CA patch.
Pingora: add [ssh] TCP passthrough block (port 22 → Gitea SSH pod) and
split meet route into frontend default + backend paths for /api/, /admin/,
/oidc/, /static/, /__. Remove now-unused values-pingora.yaml from production
overlay (host ports moved to patch-pingora-hostport.yaml).
Update both overlay kustomizations to reference all new resources and
add meet-backend/meet-frontend image entries.
Add new bases for cert-manager (Let's Encrypt + wildcard cert), Longhorn
distributed storage, and monitoring (kube-prometheus-stack + Loki + Tempo
+ Grafana OIDC). Add cloud-init for Scaleway Elastic Metal provisioning.
Production overlay: add patches for postgres sizing, SeaweedFS volume,
OpenSearch storage, LiveKit service, Pingora host ports, resource limits,
and CNPG daily barman backups. Update cert-manager.yaml with full dnsNames
for all *.sunbeam.pt subdomains.
Replace the inline gaufre.js/nginx.conf ConfigMap approach with a
purpose-built custom image (sunbeam/integration-service) that builds
the lagaufre.js v2 widget from the suitenumerique/integration source
and serves it via nginx.
Changes:
- Rewrite integration-deployment.yaml: custom image, v2 services.json
format, only actually-deployed services (docs, meet, people)
- Add people-frontend nginx sub_filter overlay to rewrite the hardcoded
production integration URL baked into the Next.js bundle at build time
- Register integration image in local overlay kustomization
Local Lima VM (12 GB) doesn't need HA replicas. Each extra pod with a
Linkerd sidecar wastes ~64 MB. Scale people-backend, people-celery-worker,
and people-frontend to 1 replica each.
- Switch all user-facing app OAuth2 clients to client_secret_post
(mozilla-django-oidc sends credentials in POST body by default)
- Set LOGIN_REDIRECT_URL=/ so Django redirects to frontend after login
- Add local overlay patch to disable OIDC SSL verification
(mkcert CA not trusted inside pods; production uses real certs)
Remove scripts/sunbeam.py — superseded by the new cli/ package.
Add install/test/sunbeam targets to justfile pointing at ../cli/.
fix(vso): add deletecollection to test-rbac Role — CachingClientFactory
calls deletecollection on secrets during init; the old Role only had
delete, causing vault-secrets-operator-test to CrashLoopBackOff.
fix(ingress): pingora imagePullPolicy IfNotPresent — Always caused
unnecessary pulls on every pod restart in local dev.
Image is now built and pushed by `sunbeam.py --build` rather than imported
directly into k3s containerd. imagePullPolicy changes from Never to Always
so every rollout restart pulls the freshly pushed image.
LiveKit: switch to Recreate deployment strategy. hostPorts (TURN UDP relay
range) block RollingUpdate because the new pod cannot schedule while the
old one still holds the ports.
OpenSearch: set OPENSEARCH_JAVA_OPTS to -Xms192m -Xmx256m. The upstream
default (-Xms512m -Xmx1g) immediately OOMs the container given our 512Mi
memory limit.
login-ui: raise memory limit from 64Mi to 192Mi and add a 64Mi request;
the previous limit was too tight and caused OOMKilled restarts under load.
- Add base/vso/ with Helm chart (v0.9.0 from helm.releases.hashicorp.com),
namespace, and test-rbac.yaml granting the Helm test pod's default SA
permission to create/read/delete Secrets, ConfigMaps, and Leases so the
bundled connectivity test passes.
- Wire ../../base/vso into overlays/local/kustomization.yaml.
- Add image aliases for lasuite/people-backend and lasuite/people-frontend
so kustomize rewrites those pulls to our Gitea registry (amd64-only images
that are patched and mirrored by sunbeam.py).
