# Hydra OAuth2Client CRDs for La Suite Numérique apps.
# Hydra Maester watches these and creates K8s Secrets (named by .spec.secretName)
# in the lasuite namespace with CLIENT_ID and CLIENT_SECRET keys.
# App pods reference those secrets for OIDC_RP_CLIENT_ID/SECRET env vars.
# redirectUris contain DOMAIN_SUFFIX which is replaced by sed at deploy time.
#
# Review notes (whole file):
# - Hydra matches redirectUris by exact string comparison, so the trailing
#   slash (present on every app callback below, absent on the Gitea one) must
#   match what the app actually sends.
# - Every user-facing client sets skipConsent: true, i.e. Hydra never shows a
#   consent screen for it. That is only appropriate for first-party apps;
#   any third-party client added to this file should leave it unset.
# - Docs, Drive, Meet, People, Find and Gitea list the refresh_token grant but
#   their scope omits offline_access, whereas Messages includes it.
#   NOTE(review): Hydra only issues refresh tokens when an offline scope is
#   granted, so confirm whether those clients really expect refresh tokens.
# - A client's secret is the only credential for client_credentials clients
#   (Hive); treat the oidc-* Secrets as sensitive and restrict who can read
#   them in the lasuite namespace.

# ── Docs ─────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: docs
  namespace: lasuite
spec:
  clientName: Docs
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  scope: openid email profile
  redirectUris:
    - https://docs.DOMAIN_SUFFIX/api/v1.0/callback/
  postLogoutRedirectUris:
    - https://docs.DOMAIN_SUFFIX/api/v1.0/logout-callback/
  # client authenticates with the secret in the POST body
  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-docs
  # consent screen skipped — first-party app
  skipConsent: true
---
# ── Drive ─────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: drive
  namespace: lasuite
spec:
  clientName: Drive
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  scope: openid email profile
  redirectUris:
    - https://drive.DOMAIN_SUFFIX/api/v1.0/callback/
  postLogoutRedirectUris:
    - https://drive.DOMAIN_SUFFIX/api/v1.0/logout-callback/
  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-drive
  # consent screen skipped — first-party app
  skipConsent: true
---
# ── Meet ─────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: meet
  namespace: lasuite
spec:
  clientName: Meet
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  scope: openid email profile
  redirectUris:
    - https://meet.DOMAIN_SUFFIX/api/v1.0/callback/
  postLogoutRedirectUris:
    - https://meet.DOMAIN_SUFFIX/api/v1.0/logout-callback/
  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-meet
  # consent screen skipped — first-party app
  skipConsent: true
---
# ── Conversations (chat) — replaced by Tuwunel in matrix namespace ───────────
# OAuth2Client for tuwunel is in base/matrix/hydra-oauth2client.yaml
# NOTE(review): the two separators around this comment leave an empty YAML
# document here; kubectl/kustomize skip it, but some validators warn on it.
---
# ── Messages (mail) ───────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: messages
  namespace: lasuite
spec:
  clientName: Mail
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  # offline_access lets this client obtain refresh tokens — the only app
  # client in this file that requests it
  scope: openid email profile offline_access
  redirectUris:
    - https://mail.DOMAIN_SUFFIX/api/v1.0/callback/
  postLogoutRedirectUris:
    - https://mail.DOMAIN_SUFFIX/api/v1.0/logout-callback/
  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-messages
  # consent screen skipped — first-party app
  skipConsent: true
---
# ── People ────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: people
  namespace: lasuite
spec:
  clientName: People
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  scope: openid email profile
  redirectUris:
    - https://people.DOMAIN_SUFFIX/api/v1.0/callback/
  postLogoutRedirectUris:
    - https://people.DOMAIN_SUFFIX/api/v1.0/logout-callback/
  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-people
  # consent screen skipped — first-party app
  skipConsent: true
---
# ── Find ──────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: find
  namespace: lasuite
spec:
  clientName: Find
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  scope: openid email profile
  # callback path differs from the other apps (/oidc/callback/, not /api/v1.0/)
  redirectUris:
    - https://find.DOMAIN_SUFFIX/oidc/callback/
  # NOTE(review): no postLogoutRedirectUris, unlike the other app clients —
  # confirm Find does not use RP-initiated logout
  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-find
  # consent screen skipped — first-party app
  skipConsent: true
---
# ── Gitea (src) ───────────────────────────────────────────────────────────────
# Gitea reads OIDC credentials from its config, not K8s env vars.
# The secret (oidc-gitea) is created here for reference; manually configure
# Gitea admin with CLIENT_ID/CLIENT_SECRET from this secret.
# Provider name "hydra" must match the name configured in Gitea's OAuth2 settings.
# NOTE(review): Gitea's callback path is /user/oauth2/<provider name>/callback,
# and the redirectUri below uses "Sunbeam" as that segment while this comment
# says "hydra" — one of the two is stale; confirm against the Gitea admin UI.
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: gitea
  namespace: lasuite
spec:
  clientName: Gitea
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  scope: openid email profile
  redirectUris:
    # no trailing slash here, unlike the app callbacks above (exact match)
    - https://src.DOMAIN_SUFFIX/user/oauth2/Sunbeam/callback
  # Gitea sends the client secret via HTTP Basic auth, not the POST body
  tokenEndpointAuthMethod: client_secret_basic
  secretName: oidc-gitea
  skipConsent: true
---
# ── Hive (service account) ────────────────────────────────────────────────────
# Hive uses client_credentials to call Drive API on behalf of the sync service.
# No user consent or redirect required.
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: hive
  namespace: lasuite
spec:
  clientName: Hive
  # machine-to-machine: no authorization_code grant, so no redirectUris and
  # no skipConsent are set; the client secret alone yields tokens
  grantTypes:
    - client_credentials
  responseTypes:
    - token
  scope: openid
  tokenEndpointAuthMethod: client_secret_basic
  secretName: oidc-hive