studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
897013bcb7e8d938c67eadabf09c3d319252e77d
sbbb/base/lasuite/people-values.yaml
Sienna Meridian Satterwhite f13beed1c4 fix(lasuite): fix OIDC config for People login 
- Switch all user-facing app OAuth2 clients to client_secret_post
  (mozilla-django-oidc sends credentials in POST body by default)
- Set LOGIN_REDIRECT_URL=/ so Django redirects to frontend after login
- Add local overlay patch to disable OIDC SSL verification
  (mkcert CA not trusted inside pods; production uses real certs)
2026-03-03 11:31:28 +00:00

141 lines
4.9 KiB
YAML
Raw Blame History

# La Suite Numérique — People (desk chart).
# Env vars use the chart's dict-based envVars schema:
# string value → rendered as env.value
# map value → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
# DOMAIN_SUFFIX is substituted by sed at deploy time.
#
# Required secrets (created by seed script):
# oidc-people — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
# people-db-credentials — password
# people-django-secret — DJANGO_SECRET_KEY
# seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
fullnameOverride: people
backend:
createsuperuser:
# Superuser creation disabled — users authenticate via OIDC.
enabled: false
envVars: &commonEnvVars
# ── Database ─────────────────────────────────────────────────────────────
DB_NAME: people_db
DB_USER: people
DB_HOST:
configMapKeyRef:
name: lasuite-postgres
key: DB_HOST
DB_PORT:
configMapKeyRef:
name: lasuite-postgres
key: DB_PORT
DB_ENGINE:
configMapKeyRef:
name: lasuite-postgres
key: DB_ENGINE
DB_PASSWORD:
secretKeyRef:
name: people-db-credentials
key: password
# ── Redis / Celery ────────────────────────────────────────────────────────
REDIS_URL:
configMapKeyRef:
name: lasuite-valkey
key: REDIS_URL
CELERY_BROKER_URL:
configMapKeyRef:
name: lasuite-valkey
key: CELERY_BROKER_URL
# ── S3 (profile media) ────────────────────────────────────────────────────
AWS_STORAGE_BUCKET_NAME: sunbeam-people
AWS_S3_ENDPOINT_URL:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_ENDPOINT_URL
AWS_S3_REGION_NAME:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_REGION_NAME
AWS_DEFAULT_ACL:
configMapKeyRef:
name: lasuite-s3
key: AWS_DEFAULT_ACL
AWS_ACCESS_KEY_ID:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_ACCESS_KEY
AWS_SECRET_ACCESS_KEY:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_SECRET_KEY
# ── OIDC (Hydra) ──────────────────────────────────────────────────────────
OIDC_RP_CLIENT_ID:
secretKeyRef:
name: oidc-people
key: CLIENT_ID
OIDC_RP_CLIENT_SECRET:
secretKeyRef:
name: oidc-people
key: CLIENT_SECRET
OIDC_RP_SIGN_ALGO:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SIGN_ALGO
OIDC_RP_SCOPES:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SCOPES
OIDC_OP_JWKS_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_JWKS_ENDPOINT
OIDC_OP_AUTHORIZATION_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_AUTHORIZATION_ENDPOINT
OIDC_OP_TOKEN_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_TOKEN_ENDPOINT
OIDC_OP_USER_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_USER_ENDPOINT
OIDC_OP_LOGOUT_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_LOGOUT_ENDPOINT
OIDC_VERIFY_SSL:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_VERIFY_SSL
# ── Django ────────────────────────────────────────────────────────────────
DJANGO_SECRET_KEY:
secretKeyRef:
name: people-django-secret
key: DJANGO_SECRET_KEY
# Production settings class enables SECURE_PROXY_SSL_HEADER so Django builds
# https:// URLs when Pingora forwards X-Forwarded-Proto: https.
DJANGO_CONFIGURATION: Production
# Production's ALLOWED_HOSTS reads ALLOWED_HOSTS (no DJANGO_ prefix).
ALLOWED_HOSTS: people.DOMAIN_SUFFIX
DJANGO_ALLOWED_HOSTS: people.DOMAIN_SUFFIX
DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
# Redirect to frontend SPA root after successful OIDC login.
LOGIN_REDIRECT_URL: /
# celeryWorker and celeryBeat intentionally have no envVars here.
# The desk chart template automatically injects backend.envVars into all
# celery containers (see celery_beat_deployment.yaml: $backendEnvVars).
# Adding envVars here would duplicate every env var.
ingress:
enabled: false
ingressAdmin:
enabled: false
Reference in New Issue View Git Blame Copy Permalink