Sienna Meridian Satterwhite
d2148335de
Kubernetes manifests for tuwunel — a Rust Matrix homeserver using RocksDB for storage. Includes deployment, service, PVC, ConfigMap (tuwunel.toml), Hydra OAuth2Client for SSO, and Vault secrets for credentials injection. Key design decisions: - enableServiceLinks: false to prevent K8s TUWUNEL_* env var conflicts - strategy: Recreate for RocksDB exclusive lock (no rolling updates) - Identity provider configured entirely via env vars (client_id/secret from hydra-maester Secret, not hardcoded) - OpenSearch model_id injected via ConfigMap from CLI post-apply hook - SSO-only auth (login_with_password=false, single_sso=true) - OpenSearch hybrid neural+BM25 search (768-dim, all-mpnet-base-v2)
40 lines
941 B
YAML
40 lines
941 B
YAML
---
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: VaultAuth
|
|
metadata:
|
|
name: vso-auth
|
|
namespace: matrix
|
|
spec:
|
|
method: kubernetes
|
|
mount: kubernetes
|
|
kubernetes:
|
|
role: vso
|
|
serviceAccount: default
|
|
---
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: VaultStaticSecret
|
|
metadata:
|
|
name: tuwunel-secrets
|
|
namespace: matrix
|
|
spec:
|
|
vaultAuthRef: vso-auth
|
|
mount: secret
|
|
type: kv-v2
|
|
path: tuwunel
|
|
refreshAfter: 60s
|
|
destination:
|
|
name: tuwunel-secrets
|
|
create: true
|
|
overwrite: true
|
|
transformation:
|
|
excludeRaw: true
|
|
templates:
|
|
TUWUNEL_OIDC_CLIENT_ID:
|
|
text: "{{ index .Secrets \"oidc-client-id\" }}"
|
|
TUWUNEL_OIDC_CLIENT_SECRET:
|
|
text: "{{ index .Secrets \"oidc-client-secret\" }}"
|
|
TUWUNEL_TURN_SECRET:
|
|
text: "{{ index .Secrets \"turn-secret\" }}"
|
|
TUWUNEL_REGISTRATION_TOKEN:
|
|
text: "{{ index .Secrets \"registration-token\" }}"
|