Sienna Meridian Satterwhite
d2148335de
Kubernetes manifests for tuwunel — a Rust Matrix homeserver using RocksDB for storage. Includes deployment, service, PVC, ConfigMap (tuwunel.toml), Hydra OAuth2Client for SSO, and Vault secrets for credentials injection. Key design decisions: - enableServiceLinks: false to prevent K8s TUWUNEL_* env var conflicts - strategy: Recreate for RocksDB exclusive lock (no rolling updates) - Identity provider configured entirely via env vars (client_id/secret from hydra-maester Secret, not hardcoded) - OpenSearch model_id injected via ConfigMap from CLI post-apply hook - SSO-only auth (login_with_password=false, single_sso=true) - OpenSearch hybrid neural+BM25 search (768-dim, all-mpnet-base-v2)
23 lines
652 B
YAML
23 lines
652 B
YAML
# Tuwunel OIDC client — registered with Hydra via hydra-maester.
|
|
# Hydra Maester creates K8s Secret "oidc-tuwunel" in the matrix namespace
|
|
# with CLIENT_ID and CLIENT_SECRET keys.
|
|
# redirectUri is patched post-apply by sunbeam CLI (requires client_id
|
|
# from the hydra-maester-generated secret).
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: tuwunel
|
|
namespace: matrix
|
|
spec:
|
|
clientName: Matrix
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris: []
|
|
tokenEndpointAuthMethod: client_secret_post
|
|
secretName: oidc-tuwunel
|
|
skipConsent: true
|