Replace the inline gaufre.js/nginx.conf ConfigMap approach with a
purpose-built custom image (sunbeam/integration-service) that builds
the lagaufre.js v2 widget from the suitenumerique/integration source
and serves it via nginx.
Changes:
- Rewrite integration-deployment.yaml: custom image, v2 services.json
format, only actually-deployed services (docs, meet, people)
- Add people-frontend nginx sub_filter overlay to rewrite the hardcoded
production integration URL baked into the Next.js bundle at build time
- Register integration image in local overlay kustomization
Django backends call the OIDC token, userinfo, and JWKS endpoints
server-side. Pointing these at the public auth.DOMAIN_SUFFIX URL caused
an SSLError in pods because mkcert CA certificates are not trusted inside
containers.
Split the configmap entries:
- OIDC_OP_AUTHORIZATION_ENDPOINT and OIDC_OP_LOGOUT_ENDPOINT remain as
public HTTPS URLs -- the browser navigates to these.
- OIDC_OP_TOKEN_ENDPOINT, OIDC_OP_USER_ENDPOINT, OIDC_OP_JWKS_ENDPOINT
now point to http://hydra-public.ory.svc.cluster.local:4444 -- Django
calls these directly, bypassing the proxy and its TLS certificate.
Affects all La Suite apps (docs, people) that use lasuite-oidc-provider.
Deploys the suitenumerique/lasuite-integration app that serves the La
Gaufre app launcher (gaufre.js) and acts as the federation hub for the
La Suite Numérique app switching menu.
The service runs at integration.DOMAIN_SUFFIX and exposes
/api/v1/gaufre.js — referenced by docs, people, and other La Suite
apps via GAUFREJS_URL to render the unified app switcher.
- Switch all user-facing app OAuth2 clients to client_secret_post
(mozilla-django-oidc sends credentials in POST body by default)
- Set LOGIN_REDIRECT_URL=/ so Django redirects to frontend after login
- Add local overlay patch to disable OIDC SSL verification
(mkcert CA not trusted inside pods; production uses real certs)
- oidc-clients.yaml: change people redirect URI from /oidc/callback/ to
/api/v1.0/callback/ (the actual path the Django app registers)
- people-values.yaml: set DJANGO_CONFIGURATION=Production so Django trusts
X-Forwarded-Proto from Pingora and generates https:// URLs; add
ALLOWED_HOSTS and DJANGO_CSRF_TRUSTED_ORIGINS for the people subdomain
- Add find user and find_db to postgres-cluster.yaml (11th database)
- Add sunbeam-messages-imports and sunbeam-people buckets to SeaweedFS
- Configure Hydra Maester with enabledNamespaces: [lasuite] so it can
create and update OAuth2Client secrets in the lasuite namespace
- Add find to Kratos allowed_return_urls
- Add shared ConfigMaps: lasuite-postgres, lasuite-valkey, lasuite-s3,
lasuite-oidc-provider — single source of truth for all app env vars
- Add HydraOAuth2Client CRDs for all nine La Suite apps (docs, drive,
meet, conversations, messages, people, find, gitea, hive); Maester
will create oidc-<app> secrets with CLIENT_ID and CLIENT_SECRET
