Sienna Meridian Satterwhite
2e89854f86
Adds the impress Helm chart (suitenumerique/docs, v4.5.0) to the lasuite
namespace with full Pingora routing, VSO secrets, and local overlay
resource tuning.
Routing (pingora-config.yaml):
- docs.* frontend -> docs-frontend:80 (nginx, static Next.js export)
- /api/* and /admin/* -> docs-backend:80 (Django/uvicorn)
- /collaboration/ws/* -> docs-y-provider:4444 (Hocuspocus WebSocket)
- integration.* -> integration:80 (La Gaufre hub, same file)
Secrets (vault-secrets.yaml):
- VaultDynamicSecret docs-db-credentials (DB engine, static role)
- VaultStaticSecret docs-django-secret (DJANGO_SECRET_KEY)
- VaultStaticSecret docs-collaboration-secret (y-provider shared secret)
OIDC client (oidc-clients.yaml):
- Fix redirect_uri from /oidc/callback/ to /api/v1.0/callback/ -- impress
mounts all OIDC URLs under api/{API_VERSION}/ via lasuite.oidc_login,
same pattern as people.
Local overlay (values-resources.yaml):
- docs-backend: 512Mi limit, WEB_CONCURRENCY=2 (4 uvicorn workers
exceeded 384Mi at startup on the arm64 Lima VM)
- docs-celery-worker: 384Mi limit, CELERY_WORKER_CONCURRENCY=2
- docs-y-provider: 256Mi limit
- seaweedfs-filer: raised from 256Mi to 512Mi (OOMKilled during 188MB
multipart S3 upload of impress-y-provider image layer)
Local overlay (kustomization.yaml):
- Image mirrors for impress-backend, impress-frontend, impress-y-provider
(amd64-only images retagged to Gitea via cmd_mirror before deploy)
188 lines
6.0 KiB
YAML
188 lines
6.0 KiB
YAML
# HydraOAuth2Client CRDs for La Suite Numérique apps.
|
|
# Hydra Maester watches these and creates K8s Secrets (named by .spec.secretName)
|
|
# in the lasuite namespace with CLIENT_ID and CLIENT_SECRET keys.
|
|
# App pods reference those secrets for OIDC_RP_CLIENT_ID/SECRET env vars.
|
|
# redirectUris contain DOMAIN_SUFFIX which is replaced by sed at deploy time.
|
|
|
|
# ── Docs ─────────────────────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: docs
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Docs
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://docs.DOMAIN_SUFFIX/api/v1.0/callback/
|
|
tokenEndpointAuthMethod: client_secret_post
|
|
secretName: oidc-docs
|
|
skipConsent: true
|
|
---
|
|
# ── Drive ─────────────────────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: drive
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Drive
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://drive.DOMAIN_SUFFIX/oidc/callback/
|
|
tokenEndpointAuthMethod: client_secret_post
|
|
secretName: oidc-drive
|
|
skipConsent: true
|
|
---
|
|
# ── Meet ─────────────────────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: meet
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Meet
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://meet.DOMAIN_SUFFIX/oidc/callback/
|
|
tokenEndpointAuthMethod: client_secret_post
|
|
secretName: oidc-meet
|
|
skipConsent: true
|
|
---
|
|
# ── Conversations (chat) ──────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: conversations
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Chat
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://chat.DOMAIN_SUFFIX/oidc/callback/
|
|
tokenEndpointAuthMethod: client_secret_post
|
|
secretName: oidc-conversations
|
|
skipConsent: true
|
|
---
|
|
# ── Messages (mail) ───────────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: messages
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Mail
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://mail.DOMAIN_SUFFIX/oidc/callback/
|
|
tokenEndpointAuthMethod: client_secret_post
|
|
secretName: oidc-messages
|
|
skipConsent: true
|
|
---
|
|
# ── People ────────────────────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: people
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: People
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://people.DOMAIN_SUFFIX/api/v1.0/callback/
|
|
tokenEndpointAuthMethod: client_secret_post
|
|
secretName: oidc-people
|
|
skipConsent: true
|
|
---
|
|
# ── Find ──────────────────────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: find
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Find
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://find.DOMAIN_SUFFIX/oidc/callback/
|
|
tokenEndpointAuthMethod: client_secret_post
|
|
secretName: oidc-find
|
|
skipConsent: true
|
|
---
|
|
# ── Gitea (src) ───────────────────────────────────────────────────────────────
|
|
# Gitea reads OIDC credentials from its config, not K8s env vars.
|
|
# The secret (oidc-gitea) is created here for reference; manually configure
|
|
# Gitea admin with CLIENT_ID/CLIENT_SECRET from this secret.
|
|
# Provider name "hydra" must match the name configured in Gitea's OAuth2 settings.
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: gitea
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Gitea
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://src.DOMAIN_SUFFIX/user/oauth2/hydra/callback
|
|
tokenEndpointAuthMethod: client_secret_basic
|
|
secretName: oidc-gitea
|
|
skipConsent: true
|
|
---
|
|
# ── Hive (service account) ────────────────────────────────────────────────────
|
|
# Hive uses client_credentials to call Drive API on behalf of the sync service.
|
|
# No user consent or redirect required.
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: hive
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Hive
|
|
grantTypes:
|
|
- client_credentials
|
|
responseTypes:
|
|
- token
|
|
scope: openid
|
|
tokenEndpointAuthMethod: client_secret_basic
|
|
secretName: oidc-hive
|