sbbb/overlays/production/cert-manager.yaml
Sienna Meridian Satterwhite f3faf31d4b Fix meet: ALLOWED_HOSTS, OIDC callback, and LiveKit connectivity
- meet-config: rename ALLOWED_HOSTS → DJANGO_ALLOWED_HOSTS (django-configurations
  ListValue uses DJANGO_ prefix by default; without it the list was empty and
  every browser request got 400 DisallowedHost)
- meet-config: set LIVEKIT_API_URL to public https://livekit.DOMAIN_SUFFIX so
  the meet frontend can reach LiveKit for WebSocket signaling
- pingora-config: add livekit.DOMAIN_SUFFIX → livekit-server:80 WebSocket route
- cert-manager: add livekit.DOMAIN_SUFFIX to TLS cert dnsNames
- oidc-clients: fix meet redirect URI /oidc/callback/ → /api/v1.0/callback/
  (meet embeds mozilla-django-oidc inside the api/v1.0/ prefix); add
  postLogoutRedirectUri for clean logout
- livekit-values: replace hardcoded devkey:secret-placeholder with key_file
  loaded from a VSO-managed K8s Secret (secret/livekit in OpenBao)
- media/vault-secrets: add VaultAuth + VaultStaticSecret for media namespace
  to sync livekit API credentials from OpenBao
2026-03-06 13:56:29 +00:00
# cert-manager issuers and certificate for production TLS.
#
# WORKFLOW: start with letsencrypt-staging to verify the HTTP-01 challenge
# flow works without burning production rate limits. Once the staging cert
# is issued successfully, flip the Certificate issuerRef to letsencrypt-production
# and delete the old Secret so cert-manager re-issues with a trusted cert.
#
# ACME_EMAIL is substituted by sunbeam apply.
---
# Let's Encrypt staging — untrusted cert but no rate limits. Use for initial setup.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ACME_EMAIL
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      - http01:
          ingress:
            serviceType: ClusterIP
---
# Let's Encrypt production — trusted cert, strict rate limits.
# Switch to this once staging confirms challenges resolve correctly.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ACME_EMAIL
    privateKeySecretRef:
      name: letsencrypt-production-account-key
    solvers:
      - http01:
          ingress:
            serviceType: ClusterIP
---
# Certificate covering all proxy subdomains.
# Start with letsencrypt-staging. Once verified, change issuerRef.name to
# letsencrypt-production and delete the pingora-tls Secret to force re-issue.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pingora-tls
  namespace: ingress
spec:
  secretName: pingora-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  dnsNames:
    - docs.DOMAIN_SUFFIX
    - meet.DOMAIN_SUFFIX
    - drive.DOMAIN_SUFFIX
    - mail.DOMAIN_SUFFIX
    - chat.DOMAIN_SUFFIX
    - people.DOMAIN_SUFFIX
    - src.DOMAIN_SUFFIX
    - auth.DOMAIN_SUFFIX
    - s3.DOMAIN_SUFFIX
    - grafana.DOMAIN_SUFFIX
    - admin.DOMAIN_SUFFIX
    - integration.DOMAIN_SUFFIX
    - livekit.DOMAIN_SUFFIX
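A post-issuance check for the Certificate above, added here as an example and not part of the sbbb repository: it reads the DNS subjectAltName entries out of an issued PEM and reports any host from the manifest's dnsNames that the certificate does not cover, which is exactly the gap this commit closes for livekit.DOMAIN_SUFFIX. It assumes openssl on PATH; DOMAIN_SUFFIX defaults to the constructed value example.test, the script name check-san.sh is hypothetical, and make_sample_cert builds a self-signed throwaway certificate solely so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the sbbb repository: verify that an issued
# certificate's DNS SANs cover every host listed in the pingora-tls
# Certificate's spec.dnsNames. Assumes openssl on PATH.
set -eu

# DOMAIN_SUFFIX is the manifest placeholder; example.test is a constructed default.
DOMAIN_SUFFIX="${DOMAIN_SUFFIX:-example.test}"

# Expected hostnames, mirroring spec.dnsNames in cert-manager.yaml.
expected_hosts() {
  for sub in docs meet drive mail chat people src auth s3 grafana admin integration livekit; do
    printf '%s.%s\n' "$sub" "$DOMAIN_SUFFIX"
  done
}

# Print the DNS entries of a PEM certificate's subjectAltName, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Print every expected host that the certificate does not cover.
missing_hosts() {
  have=$(cert_sans "$1")
  for h in $(expected_hosts); do
    printf '%s\n' "$have" | grep -qxF "$h" || printf '%s\n' "$h"
  done
}

# Exit 0 when the certificate covers all expected hosts, 1 otherwise.
check_cert() {
  m=$(missing_hosts "$1")
  if [ -n "$m" ]; then
    printf 'not covered by %s:\n%s\n' "$1" "$m"
    return 1
  fi
  printf 'ok: %s covers all %s expected hosts\n' "$1" "$(expected_hosts | wc -l | tr -d ' ')"
}

# Build a constructed, self-signed throwaway certificate with the given
# comma-separated DNS names, only to exercise the check offline.
make_sample_cert() {
  sans=""
  for h in $(printf '%s' "$2" | tr ',' ' '); do
    sans="${sans:+$sans,}DNS:$h"
  done
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample" \
    -addext "subjectAltName=$sans" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage: sh check-san.sh /path/to/tls.crt
if [ -n "${1:-}" ]; then
  check_cert "$1"
fi
```

Once the production issuer has re-issued, dump the live leaf certificate from the Secret with `kubectl -n ingress get secret pingora-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > pingora.pem` and run the script against it; a listed host means either the Secret still holds the pre-change certificate (the deletion step in the comment has not happened yet) or a dnsName was left out of the manifest.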