studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
632099893af9303659ce13772fe6a8a9711e2e0a
sbbb/base/lasuite/drive-values.yaml
Sienna Meridian Satterwhite 1147b1a5aa fix: WOPI registration on restart + Collabora readiness probes 
- Add readiness/liveness probes to Collabora (GET /hosting/discovery)
- Add init container to Drive backend that waits for Collabora and runs
  trigger_wopi_configuration on every pod start — fixes WOPI silently
  breaking after server restarts (chart Job only ran on sunbeam apply)
- Add OIDC_RESPONSE_MODE=query to Projects config
2026-03-24 12:22:10 +00:00

216 lines
8.5 KiB
YAML
Raw Blame History

# La Suite Numérique — Drive (drive chart).
# Env vars use the chart's dict-based envVars schema:
# string value → rendered as env.value
# map value → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
# DOMAIN_SUFFIX is substituted by sed at deploy time.
#
# Required secrets (created by seed script):
# oidc-drive — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
# drive-db-credentials — password (VaultDynamicSecret, DB engine)
# drive-django-secret — DJANGO_SECRET_KEY (VaultStaticSecret)
# seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
fullnameOverride: drive
backend:
livenessProbe:
initialDelaySeconds: 15
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
initialDelaySeconds: 15
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
createsuperuser:
# No superuser — users authenticate via OIDC.
# The chart always renders this Job; override command so it exits 0.
command: ["true"]
envVars: &backendEnvVars
# ── Database ──────────────────────────────────────────────────────────────
DB_NAME: drive_db
DB_USER: drive
DB_HOST:
configMapKeyRef:
name: lasuite-postgres
key: DB_HOST
DB_PORT:
configMapKeyRef:
name: lasuite-postgres
key: DB_PORT
# Drive uses psycopg3 backend (no _psycopg2 suffix).
DB_ENGINE: django.db.backends.postgresql
DB_PASSWORD:
secretKeyRef:
name: drive-db-credentials
key: password
# ── Redis / Celery ────────────────────────────────────────────────────────
REDIS_URL:
configMapKeyRef:
name: lasuite-valkey
key: REDIS_URL
# Drive uses DJANGO_CELERY_BROKER_URL (not CELERY_BROKER_URL).
DJANGO_CELERY_BROKER_URL:
configMapKeyRef:
name: lasuite-valkey
key: CELERY_BROKER_URL
# ── S3 (file storage) ─────────────────────────────────────────────────────
AWS_STORAGE_BUCKET_NAME: sunbeam-drive
AWS_S3_ENDPOINT_URL:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_ENDPOINT_URL
AWS_S3_REGION_NAME:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_REGION_NAME
AWS_DEFAULT_ACL:
configMapKeyRef:
name: lasuite-s3
key: AWS_DEFAULT_ACL
# Drive uses AWS_S3_ACCESS_KEY_ID / AWS_S3_SECRET_ACCESS_KEY (with _S3_ prefix).
AWS_S3_ACCESS_KEY_ID:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_ACCESS_KEY
AWS_S3_SECRET_ACCESS_KEY:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_SECRET_KEY
# Public S3 endpoint for browser-side presigned upload URLs.
AWS_S3_DOMAIN_REPLACE: https://s3.DOMAIN_SUFFIX
# Base URL for media file references so nginx auth proxy receives full paths.
MEDIA_BASE_URL: https://drive.DOMAIN_SUFFIX
# ── OIDC (Hydra) ──────────────────────────────────────────────────────────
OIDC_RP_CLIENT_ID:
secretKeyRef:
name: oidc-drive
key: CLIENT_ID
OIDC_RP_CLIENT_SECRET:
secretKeyRef:
name: oidc-drive
key: CLIENT_SECRET
OIDC_RP_SIGN_ALGO:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SIGN_ALGO
OIDC_RP_SCOPES:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SCOPES
OIDC_OP_JWKS_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_JWKS_ENDPOINT
OIDC_OP_AUTHORIZATION_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_AUTHORIZATION_ENDPOINT
OIDC_OP_TOKEN_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_TOKEN_ENDPOINT
OIDC_OP_USER_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_USER_ENDPOINT
OIDC_OP_LOGOUT_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_LOGOUT_ENDPOINT
OIDC_VERIFY_SSL:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_VERIFY_SSL
# ── Resource Server (Drive as OAuth2 RS for Messages integration) ─────────
OIDC_RESOURCE_SERVER_ENABLED: "True"
# Hydra issuer URL — must match the `iss` claim in introspection responses.
OIDC_OP_URL: https://auth.DOMAIN_SUFFIX/
# Hydra token introspection endpoint (admin port — no client auth required).
OIDC_OP_INTROSPECTION_ENDPOINT: http://hydra-admin.ory.svc.cluster.local:4445/admin/oauth2/introspect
# Drive authenticates to Hydra introspection using its own OIDC client creds.
OIDC_RS_CLIENT_ID:
secretKeyRef:
name: oidc-drive
key: CLIENT_ID
OIDC_RS_CLIENT_SECRET:
secretKeyRef:
name: oidc-drive
key: CLIENT_SECRET
# Accept bearer tokens from Sunbeam CLI and Messages (server-to-server).
# OIDC_RS_ALLOWED_AUDIENCES is set by the sunbeam seed script which reads
# the messages client ID from the oidc-messages secret and combines it with
# the static sunbeam-cli audience. Stored in vault as secret/drive.
OIDC_RS_ALLOWED_AUDIENCES:
secretKeyRef:
name: drive-rs-audiences
key: OIDC_RS_ALLOWED_AUDIENCES
# ── Django ────────────────────────────────────────────────────────────────
DJANGO_SECRET_KEY:
secretKeyRef:
name: drive-django-secret
key: DJANGO_SECRET_KEY
DJANGO_CONFIGURATION: Production
ALLOWED_HOSTS: drive.DOMAIN_SUFFIX
DJANGO_ALLOWED_HOSTS: drive.DOMAIN_SUFFIX
DJANGO_CSRF_TRUSTED_ORIGINS: https://drive.DOMAIN_SUFFIX
LOGIN_REDIRECT_URL: /
LOGOUT_REDIRECT_URL: /
SESSION_COOKIE_AGE: "604800"
# Session cache TTL must match SESSION_COOKIE_AGE.
CACHES_SESSION_TIMEOUT: "604800"
# Silent login: when the Django session expires, the frontend redirects
# to the OIDC login endpoint which completes instantly (Hydra already
# has a session) and bounces the user back. This keeps users logged in
# seamlessly as long as their Hydra SSO session is valid.
FRONTEND_SILENT_LOGIN_ENABLED: "true"
# Redirect unauthenticated visitors at / straight to OIDC login instead of
# showing the La Suite marketing landing page. returnTo brings them to
# their files after successful auth.
FRONTEND_EXTERNAL_HOME_URL: "https://drive.DOMAIN_SUFFIX/api/v1.0/authenticate/?returnTo=https%3A%2F%2Fdrive.DOMAIN_SUFFIX%2Fexplorer%2Fitems%2Fmy-files"
# Allow Messages to call Drive SDK relay cross-origin.
SDK_CORS_ALLOWED_ORIGINS: "https://mail.DOMAIN_SUFFIX"
CORS_ALLOWED_ORIGINS: "https://mail.DOMAIN_SUFFIX"
# Allow all file types — self-hosted instance, no need to restrict uploads.
RESTRICT_UPLOAD_FILE_TYPE: "False"
# ── WOPI / Collabora ──────────────────────────────────────────────────────
# Comma-separated list of enabled WOPI client names.
# Inject Sunbeam theme CSS from the integration service.
FRONTEND_CSS_URL: "https://integration.DOMAIN_SUFFIX/api/v2/theme.css"
WOPI_CLIENTS: collabora
# Discovery XML endpoint — Collabora registers supported MIME types here.
WOPI_COLLABORA_DISCOVERY_URL: http://collabora.lasuite.svc.cluster.local:9980/hosting/discovery
# Base URL Drive uses when building wopi_src callback URLs for Collabora.
WOPI_SRC_BASE_URL: https://drive.DOMAIN_SUFFIX
themeCustomization:
enabled: true
file_content:
css_url: "https://integration.DOMAIN_SUFFIX/api/v2/theme.css"
waffle:
apiUrl: "https://integration.DOMAIN_SUFFIX/api/v2/services.json"
widgetPath: "https://integration.DOMAIN_SUFFIX/api/v2/lagaufre.js"
label: "O Estúdio"
closeLabel: "Fechar"
newWindowLabelSuffix: " · nova janela"
ingress:
enabled: false
ingressAdmin:
enabled: false
ingressMedia:
enabled: false
Reference in New Issue View Git Blame Copy Permalink