studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
103 Commits 1 Branch 0 Tags
efe574f48eadd86344c2ea24c637b233ca85ca09
Commit Graph

4 Commits

Author SHA1 Message Date
Sienna Meridian Satterwhite
fcb80f1f37 feat(devtools): deploy Penpot + MCP server, wildcard TLS via DNS-01 
Penpot (designer.sunbeam.pt):
- Frontend/backend/exporter deployments with OIDC-only auth via Hydra
- VSO-managed DB, S3, and app secrets from OpenBao
- PostgreSQL user/db in CNPG postInitSQL
- Hydra Maester enabledNamespaces extended to devtools

Penpot MCP server (mcp-designer.sunbeam.pt):
- Pre-built Node.js image pushed to Gitea registry
- Auth-gated via Pingora auth_request → Hydra /userinfo
- WebSocket path for browser plugin connection

Wildcard TLS:
- Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook
- Certificate collapsed to *.sunbeam.pt + sunbeam.pt
- Added scaleway-certmanager-webhook Helm chart
- VSO secret for Scaleway DNS API credentials in cert-manager namespace
- Added cert-manager to OpenBao VSO auth role
 2026-04-04 12:53:27 +01:00
Sienna Meridian Satterwhite
ccfe8b877a feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates 
- Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS
  proxy, worker, DKIM config, and theme customization
- Add Collabora deployment for document collaboration
- Add Drive frontend nginx config and values
- Add buildkitd namespace for in-cluster container builds
- Add SeaweedFS remote sync and additional S3 buckets
- Update vault secrets across namespaces (devtools, lasuite, media,
  monitoring, ory, storage) with expanded credential management
- Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus
  remote write and additional scrape configs
- Update local/production overlays with resource patches
- Remove stale login-ui resource patch from production overlay
 2026-03-10 19:00:57 +00:00
Sienna Meridian Satterwhite
7ffddcafcd fix(ory,lasuite): harden session security and fix logout + WebSocket routing 
- Fix Hydra postLogoutRedirectUris for docs and people to match the
  actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/)
  instead of the root URL, resolving 599 logout errors.

- Fix docs y-provider WebSocket backend port: use Service port 443
  (not pod port 4444 which has no DNAT rule) in Pingora config.

- Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true
  and reduce refreshAfter from 1h to 5m across all static-creds paths
  (kratos, hydra, gitea, hive, people, docs) so credential rotation is
  reflected within 5 minutes instead of up to 1 hour.

- Set Hydra token TTLs: access_token and id_token to 5m; refresh_token
  to 720h (30 days). Kratos session carries silent re-auth so the short
  access token TTL does not require users to log in manually.

- Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After
  1h, apps silently re-auth via the active Kratos session. Disabled
  identities (sunbeam user disable) cannot re-auth on next expiry.
 2026-03-03 18:07:08 +00:00
Sienna Meridian Satterwhite
8cb705fecc feat(devtools): migrate Gitea to OpenBao DB static role; sync admin creds via VSO 
- gitea-db-credentials is now a VaultDynamicSecret reading from
  database/static-creds/gitea (OpenBao static role, 24h password rotation).
  Replaces the previous KV-based Secret that used a hardcoded localdev password.
- gitea-admin-credentials and gitea-s3-credentials remain VaultStaticSecrets
  synced from secret/gitea and secret/seaweedfs respectively.
- gitea-values.yaml adds gitea.admin.existingSecret so the chart reads the
  admin username/password from the VSO-managed Secret instead of values.
 2026-03-02 18:33:16 +00:00