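---
# La Suite Numérique — People (desk chart).
#
# Env vars use the chart's dict-based envVars schema:
#   string value → rendered as env.value
#   map value    → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
# DOMAIN_SUFFIX is substituted by sed at deploy time.
#
# Required secrets (created by seed script):
#   oidc-people              — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
#   people-db-credentials    — password
#   people-django-secret     — DJANGO_SECRET_KEY
#   seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
#
# Every credential below is pulled in via secretKeyRef; this file holds no
# secret material itself.

# Resources are named "people" regardless of the Helm release name.
fullnameOverride: people

backend:
  createsuperuser:
    # Superuser creation disabled — users authenticate via OIDC.
    enabled: false

  # No YAML anchor on this map on purpose: the desk chart template already
  # injects backend.envVars into every celery container (see
  # celery_beat_deployment.yaml: $backendEnvVars), so celeryWorker and
  # celeryBeat intentionally declare no envVars — repeating them here would
  # duplicate every variable.
  envVars:
    # ── Database ────────────────────────────────────────────────────────
    DB_NAME: people_db
    DB_USER: people
    DB_HOST:
      configMapKeyRef:
        name: lasuite-postgres
        key: DB_HOST
    DB_PORT:
      configMapKeyRef:
        name: lasuite-postgres
        key: DB_PORT
    DB_ENGINE:
      configMapKeyRef:
        name: lasuite-postgres
        key: DB_ENGINE
    DB_PASSWORD:
      secretKeyRef:
        name: people-db-credentials
        key: password

    # ── Redis / Celery ──────────────────────────────────────────────────
    REDIS_URL:
      configMapKeyRef:
        name: lasuite-valkey
        key: REDIS_URL
    CELERY_BROKER_URL:
      configMapKeyRef:
        name: lasuite-valkey
        key: CELERY_BROKER_URL

    # ── S3 (profile media) ──────────────────────────────────────────────
    AWS_STORAGE_BUCKET_NAME: sunbeam-people
    AWS_S3_ENDPOINT_URL:
      configMapKeyRef:
        name: lasuite-s3
        key: AWS_S3_ENDPOINT_URL
    AWS_S3_REGION_NAME:
      configMapKeyRef:
        name: lasuite-s3
        key: AWS_S3_REGION_NAME
    # Default object ACL applied to uploaded profile media. A public-read
    # value would make every upload world-readable — verify what the shared
    # lasuite-s3 configmap sets before relying on it.
    AWS_DEFAULT_ACL:
      configMapKeyRef:
        name: lasuite-s3
        key: AWS_DEFAULT_ACL
    # Shared S3 credentials (see header): the key is not scoped to this
    # bucket by anything in this file — confirm access is restricted on the
    # SeaweedFS side.
    AWS_ACCESS_KEY_ID:
      secretKeyRef:
        name: seaweedfs-s3-credentials
        key: S3_ACCESS_KEY
    AWS_SECRET_ACCESS_KEY:
      secretKeyRef:
        name: seaweedfs-s3-credentials
        key: S3_SECRET_KEY

    # ── OIDC (Hydra) ────────────────────────────────────────────────────
    OIDC_RP_CLIENT_ID:
      secretKeyRef:
        name: oidc-people
        key: CLIENT_ID
    OIDC_RP_CLIENT_SECRET:
      secretKeyRef:
        name: oidc-people
        key: CLIENT_SECRET
    OIDC_RP_SIGN_ALGO:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_RP_SIGN_ALGO
    OIDC_RP_SCOPES:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_RP_SCOPES
    OIDC_OP_JWKS_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_JWKS_ENDPOINT
    OIDC_OP_AUTHORIZATION_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_AUTHORIZATION_ENDPOINT
    OIDC_OP_TOKEN_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_TOKEN_ENDPOINT
    OIDC_OP_USER_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_USER_ENDPOINT
    OIDC_OP_LOGOUT_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_LOGOUT_ENDPOINT
    # TLS verification toward the provider is taken from the shared
    # configmap; it should be true anywhere but local dev — confirm in
    # lasuite-oidc-provider.
    OIDC_VERIFY_SSL:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_VERIFY_SSL

    # ── Django ──────────────────────────────────────────────────────────
    DJANGO_SECRET_KEY:
      secretKeyRef:
        name: people-django-secret
        key: DJANGO_SECRET_KEY
    # Production settings class enables SECURE_PROXY_SSL_HEADER so Django builds
    # https:// URLs when Pingora forwards X-Forwarded-Proto: https.
    # Trusting that header is only safe if Pingora overwrites any
    # client-supplied X-Forwarded-Proto instead of passing it through.
    DJANGO_CONFIGURATION: Production
    # Production's ALLOWED_HOSTS reads ALLOWED_HOSTS (no DJANGO_ prefix).
    # DJANGO_ALLOWED_HOSTS is kept alongside, presumably for the other
    # configuration classes — confirm before dropping either.
    ALLOWED_HOSTS: people.DOMAIN_SUFFIX
    DJANGO_ALLOWED_HOSTS: people.DOMAIN_SUFFIX
    # Scheme-qualified origin, as Django requires for CSRF_TRUSTED_ORIGINS.
    DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
    # Redirect to frontend SPA root after successful OIDC login/logout.
    LOGIN_REDIRECT_URL: /
    LOGOUT_REDIRECT_URL: /
    # 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
    # Quoted so the envVars schema renders it as a string env.value.
    SESSION_COOKIE_AGE: "3600"

# Chart-managed Ingress objects are disabled; the service is presumably
# fronted by Pingora (see the SECURE_PROXY_SSL_HEADER note above) — confirm.
ingress:
  enabled: false
ingressAdmin:
  enabled: false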