Sienna Meridian Satterwhite
9f15f5099e
- Meet: add external-api backend path, CSRF trusted origins - Drive: fix media proxy regex for preview URLs and S3 key signing - OpenBao: enable Prometheus telemetry - Postgres alerts: fix metric name (cnpg_backends_total) - Gitea: bump memory limits for mirror workloads - Alertbot: expanded deployment config - Kratos: add find/cal/projects to allowed return URLs, settings path - Pingora: meet external-api route fix - Sol: config update
80 lines
3.4 KiB
YAML
80 lines
3.4 KiB
YAML
# Shared ConfigMaps for La Suite Numérique application pods.
|
|
# App Helm values reference these via configMapKeyRef so no value is duplicated.
|
|
# DOMAIN_SUFFIX is substituted by sed at deploy time.
|
|
|
|
# ── PostgreSQL connection (non-secret values) ────────────────────────────────
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: lasuite-postgres
|
|
namespace: lasuite
|
|
data:
|
|
DB_HOST: postgres-rw.data.svc.cluster.local
|
|
DB_PORT: "5432"
|
|
DB_ENGINE: django.db.backends.postgresql_psycopg2
|
|
---
|
|
# ── Valkey (Redis-compatible) ────────────────────────────────────────────────
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: lasuite-valkey
|
|
namespace: lasuite
|
|
data:
|
|
REDIS_URL: redis://valkey.data.svc.cluster.local:6379/1
|
|
CELERY_BROKER_URL: redis://valkey.data.svc.cluster.local:6379/0
|
|
---
|
|
# ── SeaweedFS S3 API (non-secret values) ────────────────────────────────────
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: lasuite-s3
|
|
namespace: lasuite
|
|
data:
|
|
AWS_S3_ENDPOINT_URL: http://seaweedfs-filer.storage.svc.cluster.local:8333
|
|
AWS_S3_REGION_NAME: us-east-1
|
|
AWS_DEFAULT_ACL: private
|
|
---
|
|
# ── Hydra OIDC provider endpoints ───────────────────────────────────────────
|
|
# All La Suite apps use mozilla-django-oidc.
|
|
#
|
|
# Browser-facing endpoints (authorization, logout) use the public DOMAIN_SUFFIX
|
|
# URL so the browser can navigate to the Hydra login page.
|
|
#
|
|
# Backend-to-backend endpoints (token, userinfo, jwks) use the internal cluster
|
|
# service URL so Django never makes TLS connections to the proxy — it bypasses
|
|
# the sslip.io certificate entirely. No OIDC_VERIFY_SSL workaround required.
|
|
#
|
|
# DOMAIN_SUFFIX is substituted at deploy time (browser URLs only).
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: lasuite-oidc-provider
|
|
namespace: lasuite
|
|
data:
|
|
# Browser navigates to these — must be public HTTPS URLs.
|
|
OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/auth
|
|
OIDC_OP_LOGOUT_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/sessions/logout
|
|
# Django calls these server-side — use internal cluster URL (no TLS required).
|
|
OIDC_OP_TOKEN_ENDPOINT: http://hydra-public.ory.svc.cluster.local:4444/oauth2/token
|
|
OIDC_OP_USER_ENDPOINT: http://hydra-public.ory.svc.cluster.local:4444/userinfo
|
|
OIDC_OP_JWKS_ENDPOINT: http://hydra-public.ory.svc.cluster.local:4444/.well-known/jwks.json
|
|
OIDC_RP_SIGN_ALGO: RS256
|
|
OIDC_RP_SCOPES: openid email profile
|
|
OIDC_VERIFY_SSL: "true"
|
|
---
|
|
# Resource server config — shared by all La Suite services.
|
|
# Enables bearer token auth via Hydra token introspection for the external_api.
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: lasuite-resource-server
|
|
namespace: lasuite
|
|
data:
|
|
OIDC_RESOURCE_SERVER_ENABLED: "True"
|
|
OIDC_OP_URL: https://auth.DOMAIN_SUFFIX/
|
|
OIDC_OP_INTROSPECTION_ENDPOINT: http://hydra-admin.ory.svc.cluster.local:4445/admin/oauth2/introspect
|
|
# Audience claim value for the sunbeam CLI. All La Suite services should
|
|
# include this in OIDC_RS_ALLOWED_AUDIENCES so the CLI can access their
|
|
# external APIs with an SSO bearer token.
|
|
OIDC_RS_CLI_AUDIENCE: sunbeam-cli
|