sbbb/base/lasuite/shared-config.yaml

# Shared ConfigMaps for La Suite Numérique application pods.
# App Helm values reference these via configMapKeyRef so no value is duplicated.
# DOMAIN_SUFFIX is substituted by sed at deploy time.

# ── PostgreSQL connection (non-secret values) ────────────────────────────────
apiVersion: v1
kind: ConfigMap
metadata:
  name: lasuite-postgres
  namespace: lasuite
data:
  DB_HOST:   postgres-rw.data.svc.cluster.local
  DB_PORT:   "5432"
  DB_ENGINE: django.db.backends.postgresql_psycopg2
---
# ── Valkey (Redis-compatible) ────────────────────────────────────────────────
apiVersion: v1
kind: ConfigMap
metadata:
  name: lasuite-valkey
  namespace: lasuite
data:
  REDIS_URL:         redis://valkey.data.svc.cluster.local:6379/1
  CELERY_BROKER_URL: redis://valkey.data.svc.cluster.local:6379/0
---
# ── SeaweedFS S3 API (non-secret values) ────────────────────────────────────
apiVersion: v1
kind: ConfigMap
metadata:
  name: lasuite-s3
  namespace: lasuite
data:
  AWS_S3_ENDPOINT_URL: http://seaweedfs-filer.storage.svc.cluster.local:8333
  AWS_S3_REGION_NAME:  us-east-1
  AWS_DEFAULT_ACL:     private
---
# ── Hydra OIDC provider endpoints ───────────────────────────────────────────
# All La Suite apps use mozilla-django-oidc.
#
# Browser-facing endpoints (authorization, logout) use the public DOMAIN_SUFFIX
# URL so the browser can navigate to the Hydra login page.
#
# Backend-to-backend endpoints (token, userinfo, jwks) use the internal cluster
# service URL so Django never makes TLS connections to the proxy — it bypasses
# the sslip.io certificate entirely.  No OIDC_VERIFY_SSL workaround required.
#
# DOMAIN_SUFFIX is substituted at deploy time (browser URLs only).
apiVersion: v1
kind: ConfigMap
metadata:
  name: lasuite-oidc-provider
  namespace: lasuite
data:
  # Browser navigates to these — must be public HTTPS URLs.
  OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/auth
  OIDC_OP_LOGOUT_ENDPOINT:        https://auth.DOMAIN_SUFFIX/oauth2/sessions/logout
  # Django calls these server-side — use internal cluster URL (no TLS required).
  OIDC_OP_TOKEN_ENDPOINT:         http://hydra-public.ory.svc.cluster.local:4444/oauth2/token
  OIDC_OP_USER_ENDPOINT:          http://hydra-public.ory.svc.cluster.local:4444/userinfo
  OIDC_OP_JWKS_ENDPOINT:          http://hydra-public.ory.svc.cluster.local:4444/.well-known/jwks.json
  OIDC_RP_SIGN_ALGO:              RS256
  OIDC_RP_SCOPES:                 openid email profile
  OIDC_VERIFY_SSL:                "true"