Previously s3.json was embedded in the seaweedfs-filer-config ConfigMap
with hardcoded minioadmin credentials, and the config volume was mounted
at /etc/seaweedfs/ (overwriting filer.toml with its own directory mount).

- Remove s3.json from ConfigMap; fix the config volume to mount only
  filer.toml via subPath so both files coexist under /etc/seaweedfs/.
- Add vault-secrets.yaml with VaultStaticSecrets that VSO syncs from
  OpenBao secret/seaweedfs: seaweedfs-s3-credentials (S3_ACCESS_KEY /
  S3_SECRET_KEY) and seaweedfs-s3-json (s3.json as a JSON template).
- Mount seaweedfs-s3-json Secret at /etc/seaweedfs/s3.json via subPath.
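An added example, not part of the commit or the repository: a stdlib-only Python check that flags credentials embedded in ConfigMap data, the situation the change above removes. The identities/credentials layout of s3.json, the function names and the sample manifests (with placeholder values) are assumptions constructed for illustration.

```python
import json

SENSITIVE_KEYS = {"secretkey", "accesskey", "password", "token"}

def _walk(node, path=""):
    """Yield JSON paths whose key is sensitive and whose value is a non-empty string."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS and isinstance(value, str) and value:
                yield here
            else:
                yield from _walk(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")

def configmap_credential_findings(manifest):
    """Return 'ConfigMap/<name>:<data key>:<json path>' for each embedded credential."""
    objects = manifest.get("items", [manifest])  # single object or a kind: List
    findings = []
    for obj in objects:
        if obj.get("kind") != "ConfigMap":
            continue  # Secrets are where credentials are expected to live
        name = obj.get("metadata", {}).get("name", "?")
        for data_key, text in (obj.get("data") or {}).items():
            try:
                doc = json.loads(text)
            except (TypeError, ValueError):
                continue  # not JSON (e.g. filer.toml); outside this check
            findings += [f"ConfigMap/{name}:{data_key}:{p}" for p in _walk(doc)]
    return findings

# Constructed samples shaped like `kubectl get -o json` output; values are placeholders.
S3_JSON = json.dumps({"identities": [{"name": "admin", "credentials": [
    {"accessKey": "EXAMPLE-ACCESS", "secretKey": "EXAMPLE-SECRET"}],
    "actions": ["Admin"]}]})
FILER_TOML = "[leveldb2]\nenabled = true\n"
BEFORE = {"kind": "List", "items": [
    {"kind": "ConfigMap", "metadata": {"name": "seaweedfs-filer-config"},
     "data": {"filer.toml": FILER_TOML, "s3.json": S3_JSON}}]}
AFTER = {"kind": "List", "items": [
    {"kind": "ConfigMap", "metadata": {"name": "seaweedfs-filer-config"},
     "data": {"filer.toml": FILER_TOML}},
    {"kind": "Secret", "metadata": {"name": "seaweedfs-s3-json"},
     "stringData": {"s3.json": S3_JSON}}]}

if __name__ == "__main__":
    print(configmap_credential_findings(BEFORE))
    print(configmap_credential_findings(AFTER))
```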

kubectl apply --server-side was managing the `data: {}` field, which
caused it to wipe the key/root-token entries written by the seed script
on subsequent applies. Removing the field entirely means server-side
apply never touches data, so seed-written keys survive re-applies.

- Add base/vso/ with Helm chart (v0.9.0 from helm.releases.hashicorp.com),
  namespace, and test-rbac.yaml granting the Helm test pod's default SA
  permission to create/read/delete Secrets, ConfigMaps, and Leases so the
  bundled connectivity test passes.
- Wire ../../base/vso into overlays/local/kustomization.yaml.
- Add image aliases for lasuite/people-backend and lasuite/people-frontend
  so kustomize rewrites those pulls to our Gitea registry (amd64-only images
  that are patched and mirrored by sunbeam.py).
- Rename local-up.py → sunbeam.py; update docstring and argparser description
- Add setup_lima_vm_registry(): installs mkcert root CA into Lima VM system trust
  store and writes k3s registries.yaml (Gitea auth); restarts k3s if changed
- Add bootstrap_gitea(): waits for pod Running+Ready, sets admin password via
  gitea CLI, clears must_change_password via Postgres UPDATE (Gitea enforces
  this flag at API level regardless of auth method), creates studio/internal orgs
- Add mirror_amd64_images(): pulls amd64-only images, patches OCI index with an
  arm64 alias pointing at the same manifest (Rosetta runs it transparently),
  imports patched image into k3s containerd, pushes to Gitea container registry
- Add AMD64_ONLY_IMAGES list (currently: lasuite/people-{backend,frontend})
- Add --gitea partial flag: registry trust + Gitea bootstrap + mirror
- Add --status flag: pod health table across all managed namespaces
- Fix create_secret to use --field-manager=sunbeam so kustomize apply (manager
  kubectl) never wipes data fields written by the seed script
- Add people-frontend to SERVICES_TO_RESTART (was missing)

local-up.py is a stdlib-only Python rewrite of local-up.sh +
local-seed-secrets.sh. Key improvements:

- Correctly parses limactl list --json NDJSON output (json.load()
  choked on NDJSON, causing spurious VM creation attempts)
- Handles all Lima VM states: none, Running, Stopped, Broken, etc.
- Inlines seed secrets (no separate local-seed-secrets.sh subprocess)
- Partial runs: --seed, --apply, --restart flags
- Consistent idempotency: every step checks state before acting
- Adds people-backend/celery to restart list; find to PG users list

local-up.sh patched: yq in prereqs, NDJSON-safe VM detection,
--server-side for Linkerd apply, people in restart list, Mail URL.

- Add find user and find_db to postgres-cluster.yaml (11th database)
- Add sunbeam-messages-imports and sunbeam-people buckets to SeaweedFS
- Configure Hydra Maester with enabledNamespaces: [lasuite] so it can
  create and update OAuth2Client secrets in the lasuite namespace
- Add find to Kratos allowed_return_urls
- Add shared ConfigMaps: lasuite-postgres, lasuite-valkey, lasuite-s3,
  lasuite-oidc-provider — single source of truth for all app env vars
- Add HydraOAuth2Client CRDs for all nine La Suite apps (docs, drive,
  meet, conversations, messages, people, find, gitea, hive); Maester
  will create oidc-<app> secrets with CLIENT_ID and CLIENT_SECRET