studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a101ea4b06db155497c50524bd2ff9a3376c3ff1
sbbb/base/lasuite/oidc-clients.yaml
Sienna Meridian Satterwhite f3faf31d4b Fix meet: ALLOWED_HOSTS, OIDC callback, and LiveKit connectivity 
- meet-config: rename ALLOWED_HOSTS → DJANGO_ALLOWED_HOSTS (django-configurations
  ListValue uses DJANGO_ prefix by default; without it the list was empty and
  every browser request got 400 DisallowedHost)
- meet-config: set LIVEKIT_API_URL to public https://livekit.DOMAIN_SUFFIX so
  the meet frontend can reach LiveKit for WebSocket signaling
- pingora-config: add livekit.DOMAIN_SUFFIX → livekit-server:80 WebSocket route
- cert-manager: add livekit.DOMAIN_SUFFIX to TLS cert dnsNames
- oidc-clients: fix meet redirect URI /oidc/callback/ → /api/v1.0/callback/
  (meet embeds mozilla-django-oidc inside the api/v1.0/ prefix); add
  postLogoutRedirectUri for clean logout
- livekit-values: replace hardcoded devkey:secret-placeholder with key_file
  loaded from a VSO-managed K8s Secret (secret/livekit in OpenBao)
- media/vault-secrets: add VaultAuth + VaultStaticSecret for media namespace
  to sync livekit API credentials from OpenBao
2026-03-06 13:56:29 +00:00

194 lines
6.3 KiB
YAML
Raw Blame History

# HydraOAuth2Client CRDs for La Suite Numérique apps.
# Hydra Maester watches these and creates K8s Secrets (named by .spec.secretName)
# in the lasuite namespace with CLIENT_ID and CLIENT_SECRET keys.
# App pods reference those secrets for OIDC_RP_CLIENT_ID/SECRET env vars.
# redirectUris contain DOMAIN_SUFFIX which is replaced by sed at deploy time.
# ── Docs ─────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: docs
namespace: lasuite
spec:
clientName: Docs
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
scope: openid email profile
redirectUris:
- https://docs.DOMAIN_SUFFIX/api/v1.0/callback/
postLogoutRedirectUris:
- https://docs.DOMAIN_SUFFIX/api/v1.0/logout-callback/
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-docs
skipConsent: true
---
# ── Drive ─────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: drive
namespace: lasuite
spec:
clientName: Drive
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
scope: openid email profile
redirectUris:
- https://drive.DOMAIN_SUFFIX/oidc/callback/
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-drive
skipConsent: true
---
# ── Meet ─────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: meet
namespace: lasuite
spec:
clientName: Meet
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
scope: openid email profile
redirectUris:
- https://meet.DOMAIN_SUFFIX/api/v1.0/callback/
postLogoutRedirectUris:
- https://meet.DOMAIN_SUFFIX/api/v1.0/logout-callback/
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-meet
skipConsent: true
---
# ── Conversations (chat) ──────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: conversations
namespace: lasuite
spec:
clientName: Chat
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
scope: openid email profile
redirectUris:
- https://chat.DOMAIN_SUFFIX/oidc/callback/
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-conversations
skipConsent: true
---
# ── Messages (mail) ───────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: messages
namespace: lasuite
spec:
clientName: Mail
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
scope: openid email profile
redirectUris:
- https://mail.DOMAIN_SUFFIX/oidc/callback/
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-messages
skipConsent: true
---
# ── People ────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: people
namespace: lasuite
spec:
clientName: People
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
scope: openid email profile
redirectUris:
- https://people.DOMAIN_SUFFIX/api/v1.0/callback/
postLogoutRedirectUris:
- https://people.DOMAIN_SUFFIX/api/v1.0/logout-callback/
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-people
skipConsent: true
---
# ── Find ──────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: find
namespace: lasuite
spec:
clientName: Find
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
scope: openid email profile
redirectUris:
- https://find.DOMAIN_SUFFIX/oidc/callback/
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-find
skipConsent: true
---
# ── Gitea (src) ───────────────────────────────────────────────────────────────
# Gitea reads OIDC credentials from its config, not K8s env vars.
# The secret (oidc-gitea) is created here for reference; manually configure
# Gitea admin with CLIENT_ID/CLIENT_SECRET from this secret.
# Provider name "hydra" must match the name configured in Gitea's OAuth2 settings.
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: gitea
namespace: lasuite
spec:
clientName: Gitea
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
scope: openid email profile
redirectUris:
- https://src.DOMAIN_SUFFIX/user/oauth2/Sunbeam/callback
tokenEndpointAuthMethod: client_secret_basic
secretName: oidc-gitea
skipConsent: true
---
# ── Hive (service account) ────────────────────────────────────────────────────
# Hive uses client_credentials to call Drive API on behalf of the sync service.
# No user consent or redirect required.
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: hive
namespace: lasuite
spec:
clientName: Hive
grantTypes:
- client_credentials
responseTypes:
- token
scope: openid
tokenEndpointAuthMethod: client_secret_basic
secretName: oidc-hive
Reference in New Issue View Git Blame Copy Permalink