- Fix Hydra postLogoutRedirectUris for docs and people to match the
actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/)
instead of the root URL, resolving 599 logout errors.
- Fix docs y-provider WebSocket backend port: use Service port 443
(not pod port 4444 which has no DNAT rule) in Pingora config.
- Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true
and reduce refreshAfter from 1h to 5m across all static-creds paths
(kratos, hydra, gitea, hive, people, docs) so credential rotation is
reflected within 5 minutes instead of up to 1 hour.
- Set Hydra token TTLs: access_token and id_token to 5m; refresh_token
to 720h (30 days). Kratos session carries silent re-auth so the short
access token TTL does not require users to log in manually.
- Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After
1h, apps silently re-auth via the active Kratos session. Disabled
identities (sunbeam user disable) cannot re-auth on next expiry.
Deploy the custom Kratos admin UI (Deno/Hono + Cunningham React):
- K8s Deployment + Service in ory namespace
- VSO VaultStaticSecret for cookie/csrf/admin-identity-ids secrets
- Pingora route for admin.DOMAIN_SUFFIX
people.* now routes / to people-frontend (nginx/React SPA).
Path prefixes /api/, /admin/, and /o/ are forwarded to people-backend
(Django/gunicorn), matching the app's URL structure.
Previously all people.* traffic hit people-backend directly, causing
Django to return 404 "Page not found at /" for the root path.
The [[routes.paths]] mechanism already existed in the proxy (used by
the auth route) — only a config update was needed.
pingora-config.yaml: kratos-public and people-backend K8s Services
expose port 80, not 4433/8000. The wrong ports caused Pingora to
return timeouts for /kratos/* and all people.* routes.
ory/kustomization.yaml: remove kustomization-level namespace: ory
transformer. All non-Helm resources already declare namespace: ory
explicitly. The transformer was incorrectly moving hydra-maester's
enabledNamespaces Role (generated for the lasuite namespace) into ory,
producing a duplicate-name conflict during kustomize build.
The People backend service is named people-backend (not people) in the
desk chart. Add a route for find-backend to front the future OpenSearch
Dashboards service.
