studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9f15f5099edabf7682dd7fbc3529d57277ce6bcd
sbbb/base/lasuite/shared-config.yaml
Sienna Meridian Satterwhite 9f15f5099e fix: meet external-api route, drive media proxy, alertbot, misc tweaks 
- Meet: add external-api backend path, CSRF trusted origins
- Drive: fix media proxy regex for preview URLs and S3 key signing
- OpenBao: enable Prometheus telemetry
- Postgres alerts: fix metric name (cnpg_backends_total)
- Gitea: bump memory limits for mirror workloads
- Alertbot: expanded deployment config
- Kratos: add find/cal/projects to allowed return URLs, settings path
- Pingora: meet external-api route fix
- Sol: config update
2026-03-25 18:01:15 +00:00

80 lines
3.4 KiB
YAML
Raw Blame History

# Shared ConfigMaps for La Suite Numérique application pods.
# App Helm values reference these via configMapKeyRef so no value is duplicated.
# DOMAIN_SUFFIX is substituted by sed at deploy time.
# ── PostgreSQL connection (non-secret values) ────────────────────────────────
apiVersion: v1
kind: ConfigMap
metadata:
name: lasuite-postgres
namespace: lasuite
data:
DB_HOST: postgres-rw.data.svc.cluster.local
DB_PORT: "5432"
DB_ENGINE: django.db.backends.postgresql_psycopg2
---
# ── Valkey (Redis-compatible) ────────────────────────────────────────────────
apiVersion: v1
kind: ConfigMap
metadata:
name: lasuite-valkey
namespace: lasuite
data:
REDIS_URL: redis://valkey.data.svc.cluster.local:6379/1
CELERY_BROKER_URL: redis://valkey.data.svc.cluster.local:6379/0
---
# ── SeaweedFS S3 API (non-secret values) ────────────────────────────────────
apiVersion: v1
kind: ConfigMap
metadata:
name: lasuite-s3
namespace: lasuite
data:
AWS_S3_ENDPOINT_URL: http://seaweedfs-filer.storage.svc.cluster.local:8333
AWS_S3_REGION_NAME: us-east-1
AWS_DEFAULT_ACL: private
---
# ── Hydra OIDC provider endpoints ───────────────────────────────────────────
# All La Suite apps use mozilla-django-oidc.
#
# Browser-facing endpoints (authorization, logout) use the public DOMAIN_SUFFIX
# URL so the browser can navigate to the Hydra login page.
#
# Backend-to-backend endpoints (token, userinfo, jwks) use the internal cluster
# service URL so Django never makes TLS connections to the proxy — it bypasses
# the sslip.io certificate entirely. No OIDC_VERIFY_SSL workaround required.
#
# DOMAIN_SUFFIX is substituted at deploy time (browser URLs only).
apiVersion: v1
kind: ConfigMap
metadata:
name: lasuite-oidc-provider
namespace: lasuite
data:
# Browser navigates to these — must be public HTTPS URLs.
OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/auth
OIDC_OP_LOGOUT_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/sessions/logout
# Django calls these server-side — use internal cluster URL (no TLS required).
OIDC_OP_TOKEN_ENDPOINT: http://hydra-public.ory.svc.cluster.local:4444/oauth2/token
OIDC_OP_USER_ENDPOINT: http://hydra-public.ory.svc.cluster.local:4444/userinfo
OIDC_OP_JWKS_ENDPOINT: http://hydra-public.ory.svc.cluster.local:4444/.well-known/jwks.json
OIDC_RP_SIGN_ALGO: RS256
OIDC_RP_SCOPES: openid email profile
OIDC_VERIFY_SSL: "true"
---
# Resource server config — shared by all La Suite services.
# Enables bearer token auth via Hydra token introspection for the external_api.
apiVersion: v1
kind: ConfigMap
metadata:
name: lasuite-resource-server
namespace: lasuite
data:
OIDC_RESOURCE_SERVER_ENABLED: "True"
OIDC_OP_URL: https://auth.DOMAIN_SUFFIX/
OIDC_OP_INTROSPECTION_ENDPOINT: http://hydra-admin.ory.svc.cluster.local:4445/admin/oauth2/introspect
# Audience claim value for the sunbeam CLI. All La Suite services should
# include this in OIDC_RS_ALLOWED_AUDIENCES so the CLI can access their
# external APIs with an SSO bearer token.
OIDC_RS_CLI_AUDIENCE: sunbeam-cli
Reference in New Issue View Git Blame Copy Permalink