Sienna Meridian Satterwhite
9092e2711b
- oidc-clients.yaml: change people redirect URI from /oidc/callback/ to /api/v1.0/callback/ (the actual path the Django app registers) - people-values.yaml: set DJANGO_CONFIGURATION=Production so Django trusts X-Forwarded-Proto from Pingora and generates https:// URLs; add ALLOWED_HOSTS and DJANGO_CSRF_TRUSTED_ORIGINS for the people subdomain
188 lines
6.0 KiB
YAML
188 lines
6.0 KiB
YAML
# HydraOAuth2Client CRDs for La Suite Numérique apps.
|
|
# Hydra Maester watches these and creates K8s Secrets (named by .spec.secretName)
|
|
# in the lasuite namespace with CLIENT_ID and CLIENT_SECRET keys.
|
|
# App pods reference those secrets for OIDC_RP_CLIENT_ID/SECRET env vars.
|
|
# redirectUris contain DOMAIN_SUFFIX which is replaced by sed at deploy time.
|
|
|
|
# ── Docs ─────────────────────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: docs
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Docs
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://docs.DOMAIN_SUFFIX/oidc/callback/
|
|
tokenEndpointAuthMethod: client_secret_basic
|
|
secretName: oidc-docs
|
|
skipConsent: true
|
|
---
|
|
# ── Drive ─────────────────────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: drive
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Drive
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://drive.DOMAIN_SUFFIX/oidc/callback/
|
|
tokenEndpointAuthMethod: client_secret_basic
|
|
secretName: oidc-drive
|
|
skipConsent: true
|
|
---
|
|
# ── Meet ─────────────────────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: meet
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Meet
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://meet.DOMAIN_SUFFIX/oidc/callback/
|
|
tokenEndpointAuthMethod: client_secret_basic
|
|
secretName: oidc-meet
|
|
skipConsent: true
|
|
---
|
|
# ── Conversations (chat) ──────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: conversations
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Chat
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://chat.DOMAIN_SUFFIX/oidc/callback/
|
|
tokenEndpointAuthMethod: client_secret_basic
|
|
secretName: oidc-conversations
|
|
skipConsent: true
|
|
---
|
|
# ── Messages (mail) ───────────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: messages
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Mail
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://mail.DOMAIN_SUFFIX/oidc/callback/
|
|
tokenEndpointAuthMethod: client_secret_basic
|
|
secretName: oidc-messages
|
|
skipConsent: true
|
|
---
|
|
# ── People ────────────────────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: people
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: People
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://people.DOMAIN_SUFFIX/api/v1.0/callback/
|
|
tokenEndpointAuthMethod: client_secret_basic
|
|
secretName: oidc-people
|
|
skipConsent: true
|
|
---
|
|
# ── Find ──────────────────────────────────────────────────────────────────────
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: find
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Find
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://find.DOMAIN_SUFFIX/oidc/callback/
|
|
tokenEndpointAuthMethod: client_secret_basic
|
|
secretName: oidc-find
|
|
skipConsent: true
|
|
---
|
|
# ── Gitea (src) ───────────────────────────────────────────────────────────────
|
|
# Gitea reads OIDC credentials from its config, not K8s env vars.
|
|
# The secret (oidc-gitea) is created here for reference; manually configure
|
|
# Gitea admin with CLIENT_ID/CLIENT_SECRET from this secret.
|
|
# Provider name "hydra" must match the name configured in Gitea's OAuth2 settings.
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: gitea
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Gitea
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://src.DOMAIN_SUFFIX/user/oauth2/hydra/callback
|
|
tokenEndpointAuthMethod: client_secret_basic
|
|
secretName: oidc-gitea
|
|
skipConsent: true
|
|
---
|
|
# ── Hive (service account) ────────────────────────────────────────────────────
|
|
# Hive uses client_credentials to call Drive API on behalf of the sync service.
|
|
# No user consent or redirect required.
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: hive
|
|
namespace: lasuite
|
|
spec:
|
|
clientName: Hive
|
|
grantTypes:
|
|
- client_credentials
|
|
responseTypes:
|
|
- token
|
|
scope: openid
|
|
tokenEndpointAuthMethod: client_secret_basic
|
|
secretName: oidc-hive
|