studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
49 Commits 1 Branch 0 Tags
ccfe8b877a1db4725dc06d6772dafd71f2127d09
Commit Graph

4 Commits

Author SHA1 Message Date
Sienna Meridian Satterwhite
ccfe8b877a feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates 
- Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS
  proxy, worker, DKIM config, and theme customization
- Add Collabora deployment for document collaboration
- Add Drive frontend nginx config and values
- Add buildkitd namespace for in-cluster container builds
- Add SeaweedFS remote sync and additional S3 buckets
- Update vault secrets across namespaces (devtools, lasuite, media,
  monitoring, ory, storage) with expanded credential management
- Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus
  remote write and additional scrape configs
- Update local/production overlays with resource patches
- Remove stale login-ui resource patch from production overlay
 2026-03-10 19:00:57 +00:00
Sienna Meridian Satterwhite
7ffddcafcd fix(ory,lasuite): harden session security and fix logout + WebSocket routing 
- Fix Hydra postLogoutRedirectUris for docs and people to match the
  actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/)
  instead of the root URL, resolving 599 logout errors.

- Fix docs y-provider WebSocket backend port: use Service port 443
  (not pod port 4444 which has no DNAT rule) in Pingora config.

- Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true
  and reduce refreshAfter from 1h to 5m across all static-creds paths
  (kratos, hydra, gitea, hive, people, docs) so credential rotation is
  reflected within 5 minutes instead of up to 1 hour.

- Set Hydra token TTLs: access_token and id_token to 5m; refresh_token
  to 720h (30 days). Kratos session carries silent re-auth so the short
  access token TTL does not require users to log in manually.

- Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After
  1h, apps silently re-auth via the active Kratos session. Disabled
  identities (sunbeam user disable) cannot re-auth on next expiry.
 2026-03-03 18:07:08 +00:00
Sienna Meridian Satterwhite
6cc60c66ff feat(ory): add kratos-admin-ui service 
Deploy the custom Kratos admin UI (Deno/Hono + Cunningham React):
- K8s Deployment + Service in ory namespace
- VSO VaultStaticSecret for cookie/csrf/admin-identity-ids secrets
- Pingora route for admin.DOMAIN_SUFFIX
 2026-03-03 11:30:52 +00:00
Sienna Meridian Satterwhite
c7b812dde8 feat(ory): replace hardcoded DSN + secrets with OpenBao DB engine + VSO 
All Ory service credentials now flow from OpenBao through VSO instead
of being hardcoded in Helm values or Deployment env vars.

Kratos:
- Remove config.dsn; flip secret.enabled=false with nameOverride pointing
  at kratos-app-secrets (a VSO-managed Secret with secretsDefault,
  secretsCookie, smtpConnectionURI).
- Inject DSN at runtime via deployment.extraEnv from kratos-db-creds
  (VaultDynamicSecret backed by OpenBao database static role, 24h rotation).

Hydra:
- Remove config.dsn; inject DSN via deployment.extraEnv from hydra-db-creds
  (VaultDynamicSecret, same rotation scheme).

Login UI:
- Replace hardcoded COOKIE_SECRET/CSRF_COOKIE_SECRET env var values with
  secretKeyRef reads from login-ui-secrets (VaultStaticSecret → secret/login-ui).

vault-secrets.yaml adds: VaultAuth, Hydra VSS, kratos-app-secrets VSS,
login-ui-secrets VSS, kratos-db-creds VDS, hydra-db-creds VDS.
 2026-03-02 18:32:33 +00:00