Penpot (designer.sunbeam.pt): - Frontend/backend/exporter deployments with OIDC-only auth via Hydra - VSO-managed DB, S3, and app secrets from OpenBao - PostgreSQL user/db in CNPG postInitSQL - Hydra Maester enabledNamespaces extended to devtools Penpot MCP server (mcp-designer.sunbeam.pt): - Pre-built Node.js image pushed to Gitea registry - Auth-gated via Pingora auth_request → Hydra /userinfo - WebSocket path for browser plugin connection Wildcard TLS: - Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook - Certificate collapsed to *.sunbeam.pt + sunbeam.pt - Added scaleway-certmanager-webhook Helm chart - VSO secret for Scaleway DNS API credentials in cert-manager namespace - Added cert-manager to OpenBao VSO auth role
# Base Ory Hydra Helm values.
|
|
# DOMAIN_SUFFIX is replaced at apply time via sed.
|
|
# secret.enabled: false — we create the "hydra" K8s Secret via seed script.
|
|
# DSN comes from env var via VaultDynamicSecret hydra-db-creds (database static role).
|
|
|
|
hydra:
|
|
automigration:
|
|
enabled: true
|
|
config:
|
|
urls:
|
|
self:
|
|
issuer: https://auth.DOMAIN_SUFFIX/
|
|
consent: https://auth.DOMAIN_SUFFIX/consent
|
|
login: https://auth.DOMAIN_SUFFIX/login
|
|
logout: https://auth.DOMAIN_SUFFIX/logout
|
|
error: https://auth.DOMAIN_SUFFIX/error
|
|
|
|
ttl:
|
|
# Login session persists 30 days — matches Kratos session lifespan so the
|
|
# Hydra session cookie survives browser restarts and prompt=none keeps working.
|
|
authentication_session: 720h
|
|
# Access/ID tokens renewed via refresh token; 1h keeps the window short.
|
|
access_token: 1h
|
|
id_token: 1h
|
|
# Refresh tokens last 30 days; Kratos session carries silent re-auth.
|
|
# Revoking a Kratos session (sunbeam user disable) prevents refresh.
|
|
refresh_token: 720h
|
|
|
|
oauth2:
|
|
expose_internal_errors: false
|
|
pkce:
|
|
enforced_for_public_clients: true
|
|
|
|
log:
|
|
format: json
|
|
leak_sensitive_values: false
|
|
|
|
clients:
|
|
http:
|
|
disallow_private_ip_ranges: true
|
|
|
|
serve:
|
|
cookies:
|
|
same_site_mode: Lax
|
|
domain: DOMAIN_SUFFIX
|
|
public:
|
|
cors:
|
|
enabled: true
|
|
allowed_origins:
|
|
- https://*.DOMAIN_SUFFIX
|
|
|
|
# Disable chart's secret generation — we create the "hydra" secret via seed script
|
|
# with keys: secretsSystem, secretsCookie, pairwise-salt.
|
|
secret:
|
|
enabled: false
|
|
|
|
# Allow Maester to create/update OAuth2Client secrets in the lasuite namespace.
|
|
# 'hydra-maester' is the subchart alias — values flow down under this key.
|
|
hydra-maester:
|
|
enabledNamespaces:
|
|
- lasuite
|
|
- matrix
|
|
- monitoring
|
|
- devtools
|
|
|
|
# ServiceMonitor created as standalone resource (hydra-servicemonitor.yaml) —
|
|
# chart's built-in ServiceMonitor requires .Capabilities.APIVersions which
|
|
# kustomize helm template doesn't provide.
|
|
|
|
janitor:
|
|
enabled: true
|
|
cleanupGrants: true
|
|
cleanupRequests: true
|
|
cleanupTokens: true
|
|
|
|
cronjob:
|
|
janitor:
|
|
schedule: "0 */6 * * *"
|
|
|
|
deployment:
|
|
extraEnv:
|
|
- name: DSN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: hydra-db-creds
|
|
key: dsn
|
|
resources:
|
|
limits:
|
|
memory: 256Mi
|
|
requests:
|
|
memory: 64Mi
|
|
cpu: 25m
|
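Review bot: `serve.cookies.domain: DOMAIN_SUFFIX` scopes Hydra's own session and CSRF cookies to the apex, so every `*.DOMAIN_SUFFIX` host (Penpot, the MCP server, Matrix, …) receives them, and together with the `allowed_origins` entry `- https://*.DOMAIN_SUFFIX` a script-injection flaw in any one of those apps can reach Hydra's public endpoints from a credentialed browser context. Unless some other host actually needs Hydra's cookies (if the browser login state lives in Kratos's own cookie, none should), consider dropping the `domain:` override so they stay host-only on `auth.DOMAIN_SUFFIX`, and listing the origins that really call the public API instead of the wildcard. Separately, the comment above `hydra-maester:` still reads `# Allow Maester to create/update OAuth2Client secrets in the lasuite namespace.` while the list now also covers matrix, monitoring and devtools; `# Allow Maester to create/update OAuth2Client secrets in the namespaces listed below.` would keep it accurate. The rendered view does not show which lines this commit changed, so the cookie and CORS settings may predate it.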