sbbb/base/lasuite/people-values.yaml

# La Suite Numérique — People (desk chart).
# Env vars use the chart's dict-based envVars schema:
#   string value → rendered as env.value
#   map value    → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
# DOMAIN_SUFFIX is substituted by sed at deploy time.
#
# Required secrets (created by seed script):
#   oidc-people          — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
#   people-db-credentials — password
#   people-django-secret  — DJANGO_SECRET_KEY
#   seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)

fullnameOverride: people

backend:
  createsuperuser:
    # Superuser creation disabled — users authenticate via OIDC.
    enabled: false

  envVars: &commonEnvVars
    # ── Database ─────────────────────────────────────────────────────────────
    DB_NAME: people_db
    DB_USER: people
    DB_HOST:
      configMapKeyRef:
        name: lasuite-postgres
        key: DB_HOST
    DB_PORT:
      configMapKeyRef:
        name: lasuite-postgres
        key: DB_PORT
    DB_ENGINE:
      configMapKeyRef:
        name: lasuite-postgres
        key: DB_ENGINE
    DB_PASSWORD:
      secretKeyRef:
        name: people-db-credentials
        key: password

    # ── Redis / Celery ────────────────────────────────────────────────────────
    REDIS_URL:
      configMapKeyRef:
        name: lasuite-valkey
        key: REDIS_URL
    CELERY_BROKER_URL:
      configMapKeyRef:
        name: lasuite-valkey
        key: CELERY_BROKER_URL

    # ── S3 (profile media) ────────────────────────────────────────────────────
    AWS_STORAGE_BUCKET_NAME: sunbeam-people
    AWS_S3_ENDPOINT_URL:
      configMapKeyRef:
        name: lasuite-s3
        key: AWS_S3_ENDPOINT_URL
    AWS_S3_REGION_NAME:
      configMapKeyRef:
        name: lasuite-s3
        key: AWS_S3_REGION_NAME
    AWS_DEFAULT_ACL:
      configMapKeyRef:
        name: lasuite-s3
        key: AWS_DEFAULT_ACL
    AWS_ACCESS_KEY_ID:
      secretKeyRef:
        name: seaweedfs-s3-credentials
        key: S3_ACCESS_KEY
    AWS_SECRET_ACCESS_KEY:
      secretKeyRef:
        name: seaweedfs-s3-credentials
        key: S3_SECRET_KEY

    # ── OIDC (Hydra) ──────────────────────────────────────────────────────────
    OIDC_RP_CLIENT_ID:
      secretKeyRef:
        name: oidc-people
        key: CLIENT_ID
    OIDC_RP_CLIENT_SECRET:
      secretKeyRef:
        name: oidc-people
        key: CLIENT_SECRET
    OIDC_RP_SIGN_ALGO:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_RP_SIGN_ALGO
    OIDC_RP_SCOPES:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_RP_SCOPES
    OIDC_OP_JWKS_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_JWKS_ENDPOINT
    OIDC_OP_AUTHORIZATION_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_AUTHORIZATION_ENDPOINT
    OIDC_OP_TOKEN_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_TOKEN_ENDPOINT
    OIDC_OP_USER_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_USER_ENDPOINT
    OIDC_OP_LOGOUT_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_LOGOUT_ENDPOINT
    OIDC_VERIFY_SSL:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_VERIFY_SSL

    # ── Django ────────────────────────────────────────────────────────────────
    DJANGO_SECRET_KEY:
      secretKeyRef:
        name: people-django-secret
        key: DJANGO_SECRET_KEY
    # Production settings class enables SECURE_PROXY_SSL_HEADER so Django builds
    # https:// URLs when Pingora forwards X-Forwarded-Proto: https.
    DJANGO_CONFIGURATION:      Production
    # Production's ALLOWED_HOSTS reads ALLOWED_HOSTS (no DJANGO_ prefix).
    ALLOWED_HOSTS:             people.DOMAIN_SUFFIX
    DJANGO_ALLOWED_HOSTS:      people.DOMAIN_SUFFIX
    DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
    # Redirect to frontend SPA root after successful OIDC login/logout.
    LOGIN_REDIRECT_URL:        /
    LOGOUT_REDIRECT_URL:       /
    # 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
    SESSION_COOKIE_AGE: "3600"

# celeryWorker and celeryBeat intentionally have no envVars here.
# The desk chart template automatically injects backend.envVars into all
# celery containers (see celery_beat_deployment.yaml: $backendEnvVars).
# Adding envVars here would duplicate every env var.

ingress:
  enabled: false

ingressAdmin:
  enabled: false