studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e0f1803e33ea4622e1ab4b753cd82d74d7e2f85d
sbbb/base/lasuite/people-values.yaml
Sienna Meridian Satterwhite 302b7ba56b feat(lasuite): add People service (desk chart); migrate La Suite secrets to VSO 
People (desk chart v0.0.7):
- Add people-values.yaml with all env vars wired to ConfigMaps and Secrets.
  DB password, S3 credentials, OIDC client, and Django secret key all come
  from VSO-managed K8s Secrets via secretKeyRef — nothing hardcoded.
- Add Helm chart entry to kustomization.yaml (repo: suitenumerique/people).

La Suite VSO secrets (vault-secrets.yaml):
- seaweedfs-s3-credentials VSS (shared S3 creds → S3_ACCESS_KEY / S3_SECRET_KEY)
- hive-db-url VDS (database/static-creds/hive → postgresql:// DSN, 24h rotation)
- hive-oidc VSS (secret/hive → client-id / client-secret)
- people-db-credentials VDS (database/static-creds/people → password, 24h rotation)
- people-django-secret VSS (secret/people → DJANGO_SECRET_KEY)
2026-03-02 18:33:28 +00:00

134 lines
4.5 KiB
YAML
Raw Blame History

# La Suite Numérique — People (desk chart).
# Env vars use the chart's dict-based envVars schema:
# string value → rendered as env.value
# map value → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
# DOMAIN_SUFFIX is substituted by sed at deploy time.
#
# Required secrets (created by seed script):
# oidc-people — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
# people-db-credentials — password
# people-django-secret — DJANGO_SECRET_KEY
# seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
fullnameOverride: people
backend:
createsuperuser:
# Superuser creation disabled — users authenticate via OIDC.
enabled: false
envVars: &commonEnvVars
# ── Database ─────────────────────────────────────────────────────────────
DB_NAME: people_db
DB_USER: people
DB_HOST:
configMapKeyRef:
name: lasuite-postgres
key: DB_HOST
DB_PORT:
configMapKeyRef:
name: lasuite-postgres
key: DB_PORT
DB_ENGINE:
configMapKeyRef:
name: lasuite-postgres
key: DB_ENGINE
DB_PASSWORD:
secretKeyRef:
name: people-db-credentials
key: password
# ── Redis / Celery ────────────────────────────────────────────────────────
REDIS_URL:
configMapKeyRef:
name: lasuite-valkey
key: REDIS_URL
CELERY_BROKER_URL:
configMapKeyRef:
name: lasuite-valkey
key: CELERY_BROKER_URL
# ── S3 (profile media) ────────────────────────────────────────────────────
AWS_STORAGE_BUCKET_NAME: sunbeam-people
AWS_S3_ENDPOINT_URL:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_ENDPOINT_URL
AWS_S3_REGION_NAME:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_REGION_NAME
AWS_DEFAULT_ACL:
configMapKeyRef:
name: lasuite-s3
key: AWS_DEFAULT_ACL
AWS_ACCESS_KEY_ID:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_ACCESS_KEY
AWS_SECRET_ACCESS_KEY:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_SECRET_KEY
# ── OIDC (Hydra) ──────────────────────────────────────────────────────────
OIDC_RP_CLIENT_ID:
secretKeyRef:
name: oidc-people
key: CLIENT_ID
OIDC_RP_CLIENT_SECRET:
secretKeyRef:
name: oidc-people
key: CLIENT_SECRET
OIDC_RP_SIGN_ALGO:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SIGN_ALGO
OIDC_RP_SCOPES:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SCOPES
OIDC_OP_JWKS_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_JWKS_ENDPOINT
OIDC_OP_AUTHORIZATION_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_AUTHORIZATION_ENDPOINT
OIDC_OP_TOKEN_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_TOKEN_ENDPOINT
OIDC_OP_USER_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_USER_ENDPOINT
OIDC_OP_LOGOUT_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_LOGOUT_ENDPOINT
OIDC_VERIFY_SSL:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_VERIFY_SSL
# ── Django ────────────────────────────────────────────────────────────────
DJANGO_SECRET_KEY:
secretKeyRef:
name: people-django-secret
key: DJANGO_SECRET_KEY
DJANGO_ALLOWED_HOSTS: people.DOMAIN_SUFFIX
DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
# celeryWorker and celeryBeat intentionally have no envVars here.
# The desk chart template automatically injects backend.envVars into all
# celery containers (see celery_beat_deployment.yaml: $backendEnvVars).
# Adding envVars here would duplicate every env var.
ingress:
enabled: false
ingressAdmin:
enabled: false
Reference in New Issue View Git Blame Copy Permalink