Sienna Meridian Satterwhite
f7774558e9
The impress chart renders this Job unconditionally (no if-enabled guard), then auto-deletes it after 30s (ttlSecondsAfterFinished). Each sunbeam apply recreated it and it failed because no superuser credentials are set (users authenticate via OIDC). Override the command to true so the Job exits 0 immediately and disappears cleanly.
190 lines
6.6 KiB
YAML
190 lines
6.6 KiB
YAML
# La Suite Numérique — Docs (impress chart).
|
|
# Env vars use the chart's dict-based envVars schema:
|
|
# string value → rendered as env.value
|
|
# map value → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
|
|
# DOMAIN_SUFFIX is substituted by sed at deploy time.
|
|
#
|
|
# Required secrets (created by seed script):
|
|
# oidc-docs — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
|
|
# docs-db-credentials — password (VaultDynamicSecret, DB engine)
|
|
# docs-django-secret — DJANGO_SECRET_KEY (VaultStaticSecret)
|
|
# seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
|
|
|
|
fullnameOverride: docs
|
|
|
|
backend:
|
|
createsuperuser:
|
|
# No superuser — users authenticate via OIDC.
|
|
# The chart always renders this Job; override command so it exits 0.
|
|
command: ["true"]
|
|
|
|
envVars: &backendEnvVars
|
|
# ── Database ──────────────────────────────────────────────────────────────
|
|
DB_NAME: docs_db
|
|
DB_USER: docs
|
|
DB_HOST:
|
|
configMapKeyRef:
|
|
name: lasuite-postgres
|
|
key: DB_HOST
|
|
DB_PORT:
|
|
configMapKeyRef:
|
|
name: lasuite-postgres
|
|
key: DB_PORT
|
|
DB_ENGINE:
|
|
configMapKeyRef:
|
|
name: lasuite-postgres
|
|
key: DB_ENGINE
|
|
DB_PASSWORD:
|
|
secretKeyRef:
|
|
name: docs-db-credentials
|
|
key: password
|
|
|
|
# ── Redis / Celery ────────────────────────────────────────────────────────
|
|
REDIS_URL:
|
|
configMapKeyRef:
|
|
name: lasuite-valkey
|
|
key: REDIS_URL
|
|
CELERY_BROKER_URL:
|
|
configMapKeyRef:
|
|
name: lasuite-valkey
|
|
key: CELERY_BROKER_URL
|
|
|
|
# ── S3 ────────────────────────────────────────────────────────────────────
|
|
AWS_STORAGE_BUCKET_NAME: sunbeam-docs
|
|
AWS_S3_ENDPOINT_URL:
|
|
configMapKeyRef:
|
|
name: lasuite-s3
|
|
key: AWS_S3_ENDPOINT_URL
|
|
AWS_S3_REGION_NAME:
|
|
configMapKeyRef:
|
|
name: lasuite-s3
|
|
key: AWS_S3_REGION_NAME
|
|
AWS_DEFAULT_ACL:
|
|
configMapKeyRef:
|
|
name: lasuite-s3
|
|
key: AWS_DEFAULT_ACL
|
|
AWS_ACCESS_KEY_ID:
|
|
secretKeyRef:
|
|
name: seaweedfs-s3-credentials
|
|
key: S3_ACCESS_KEY
|
|
AWS_SECRET_ACCESS_KEY:
|
|
secretKeyRef:
|
|
name: seaweedfs-s3-credentials
|
|
key: S3_SECRET_KEY
|
|
|
|
# ── OIDC (Hydra) ──────────────────────────────────────────────────────────
|
|
OIDC_RP_CLIENT_ID:
|
|
secretKeyRef:
|
|
name: oidc-docs
|
|
key: CLIENT_ID
|
|
OIDC_RP_CLIENT_SECRET:
|
|
secretKeyRef:
|
|
name: oidc-docs
|
|
key: CLIENT_SECRET
|
|
OIDC_RP_SIGN_ALGO:
|
|
configMapKeyRef:
|
|
name: lasuite-oidc-provider
|
|
key: OIDC_RP_SIGN_ALGO
|
|
OIDC_RP_SCOPES:
|
|
configMapKeyRef:
|
|
name: lasuite-oidc-provider
|
|
key: OIDC_RP_SCOPES
|
|
OIDC_OP_JWKS_ENDPOINT:
|
|
configMapKeyRef:
|
|
name: lasuite-oidc-provider
|
|
key: OIDC_OP_JWKS_ENDPOINT
|
|
OIDC_OP_AUTHORIZATION_ENDPOINT:
|
|
configMapKeyRef:
|
|
name: lasuite-oidc-provider
|
|
key: OIDC_OP_AUTHORIZATION_ENDPOINT
|
|
OIDC_OP_TOKEN_ENDPOINT:
|
|
configMapKeyRef:
|
|
name: lasuite-oidc-provider
|
|
key: OIDC_OP_TOKEN_ENDPOINT
|
|
OIDC_OP_USER_ENDPOINT:
|
|
configMapKeyRef:
|
|
name: lasuite-oidc-provider
|
|
key: OIDC_OP_USER_ENDPOINT
|
|
OIDC_OP_LOGOUT_ENDPOINT:
|
|
configMapKeyRef:
|
|
name: lasuite-oidc-provider
|
|
key: OIDC_OP_LOGOUT_ENDPOINT
|
|
OIDC_VERIFY_SSL:
|
|
configMapKeyRef:
|
|
name: lasuite-oidc-provider
|
|
key: OIDC_VERIFY_SSL
|
|
|
|
# ── Django ────────────────────────────────────────────────────────────────
|
|
DJANGO_SECRET_KEY:
|
|
secretKeyRef:
|
|
name: docs-django-secret
|
|
key: DJANGO_SECRET_KEY
|
|
DJANGO_CONFIGURATION: Production
|
|
ALLOWED_HOSTS: docs.DOMAIN_SUFFIX
|
|
DJANGO_ALLOWED_HOSTS: docs.DOMAIN_SUFFIX
|
|
DJANGO_CSRF_TRUSTED_ORIGINS: https://docs.DOMAIN_SUFFIX
|
|
LOGIN_REDIRECT_URL: /
|
|
LOGOUT_REDIRECT_URL: /
|
|
FRONTEND_HOMEPAGE_FEATURE_ENABLED: "false"
|
|
# Low cache timeout so theme changes propagate without pod restarts.
|
|
THEME_CUSTOMIZATION_CACHE_TIMEOUT: "30"
|
|
# 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
|
|
# Lockout window: disabled identity cannot re-auth within 1h of expiry.
|
|
SESSION_COOKIE_AGE: "3600"
|
|
|
|
# ── Y-Provider ────────────────────────────────────────────────────────────
|
|
# Shared secret for backend ↔ y-provider auth.
|
|
COLLABORATION_SERVER_SECRET:
|
|
secretKeyRef:
|
|
name: docs-collaboration-secret
|
|
key: secret
|
|
COLLABORATION_SERVER_URL: http://docs-y-provider.lasuite.svc.cluster.local:4444
|
|
|
|
themeCustomization:
|
|
enabled: true
|
|
# La Gaufre v2: point at our self-hosted integration service.
|
|
# DOMAIN_SUFFIX is substituted by kustomize_build at deploy time.
|
|
file_content:
|
|
header:
|
|
logo: {}
|
|
icon:
|
|
src: "/assets/icon-docs.svg"
|
|
style:
|
|
width: "32px"
|
|
height: "auto"
|
|
alt: ""
|
|
withTitle: true
|
|
waffle:
|
|
apiUrl: "https://integration.DOMAIN_SUFFIX/api/v2/services.json"
|
|
widgetPath: "https://integration.DOMAIN_SUFFIX/api/v2/lagaufre.js"
|
|
label: "O Estúdio"
|
|
closeLabel: "Fechar"
|
|
newWindowLabelSuffix: " · nova janela"
|
|
|
|
frontend:
|
|
envVars:
|
|
NEXT_PUBLIC_API_URL: https://docs.DOMAIN_SUFFIX
|
|
NEXT_PUBLIC_COLLABORATION_WS_URL: wss://docs.DOMAIN_SUFFIX/collaboration/ws/
|
|
|
|
yProvider:
|
|
envVars:
|
|
# Shared secret so y-provider can verify requests from the backend.
|
|
COLLABORATION_SERVER_SECRET:
|
|
secretKeyRef:
|
|
name: docs-collaboration-secret
|
|
key: secret
|
|
# Impress backend URL for document access verification.
|
|
APP_URL: http://docs-backend.lasuite.svc.cluster.local:80
|
|
|
|
ingress:
|
|
enabled: false
|
|
|
|
ingressCollaborationWS:
|
|
enabled: false
|
|
|
|
ingressAdmin:
|
|
enabled: false
|
|
|
|
ingressMedia:
|
|
enabled: false
|