studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fb91fcd2840880519badc139db58d4a75dff0bef
sbbb/base/lasuite/drive-values.yaml
Sienna Meridian Satterwhite ccfe8b877a feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates 
- Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS
  proxy, worker, DKIM config, and theme customization
- Add Collabora deployment for document collaboration
- Add Drive frontend nginx config and values
- Add buildkitd namespace for in-cluster container builds
- Add SeaweedFS remote sync and additional S3 buckets
- Update vault secrets across namespaces (devtools, lasuite, media,
  monitoring, ory, storage) with expanded credential management
- Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus
  remote write and additional scrape configs
- Update local/production overlays with resource patches
- Remove stale login-ui resource patch from production overlay
2026-03-10 19:00:57 +00:00

201 lines
8.0 KiB
YAML
Raw Blame History

# La Suite Numérique — Drive (drive chart).
# Env vars use the chart's dict-based envVars schema:
# string value → rendered as env.value
# map value → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
# DOMAIN_SUFFIX is substituted by sed at deploy time.
#
# Required secrets (created by seed script):
# oidc-drive — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
# drive-db-credentials — password (VaultDynamicSecret, DB engine)
# drive-django-secret — DJANGO_SECRET_KEY (VaultStaticSecret)
# seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
fullnameOverride: drive
backend:
createsuperuser:
# No superuser — users authenticate via OIDC.
# The chart always renders this Job; override command so it exits 0.
command: ["true"]
envVars: &backendEnvVars
# ── Database ──────────────────────────────────────────────────────────────
DB_NAME: drive_db
DB_USER: drive
DB_HOST:
configMapKeyRef:
name: lasuite-postgres
key: DB_HOST
DB_PORT:
configMapKeyRef:
name: lasuite-postgres
key: DB_PORT
# Drive uses psycopg3 backend (no _psycopg2 suffix).
DB_ENGINE: django.db.backends.postgresql
DB_PASSWORD:
secretKeyRef:
name: drive-db-credentials
key: password
# ── Redis / Celery ────────────────────────────────────────────────────────
REDIS_URL:
configMapKeyRef:
name: lasuite-valkey
key: REDIS_URL
# Drive uses DJANGO_CELERY_BROKER_URL (not CELERY_BROKER_URL).
DJANGO_CELERY_BROKER_URL:
configMapKeyRef:
name: lasuite-valkey
key: CELERY_BROKER_URL
# ── S3 (file storage) ─────────────────────────────────────────────────────
AWS_STORAGE_BUCKET_NAME: sunbeam-drive
AWS_S3_ENDPOINT_URL:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_ENDPOINT_URL
AWS_S3_REGION_NAME:
configMapKeyRef:
name: lasuite-s3
key: AWS_S3_REGION_NAME
AWS_DEFAULT_ACL:
configMapKeyRef:
name: lasuite-s3
key: AWS_DEFAULT_ACL
# Drive uses AWS_S3_ACCESS_KEY_ID / AWS_S3_SECRET_ACCESS_KEY (with _S3_ prefix).
AWS_S3_ACCESS_KEY_ID:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_ACCESS_KEY
AWS_S3_SECRET_ACCESS_KEY:
secretKeyRef:
name: seaweedfs-s3-credentials
key: S3_SECRET_KEY
# Base URL for media file references so nginx auth proxy receives full paths.
MEDIA_BASE_URL: https://drive.DOMAIN_SUFFIX
# ── OIDC (Hydra) ──────────────────────────────────────────────────────────
OIDC_RP_CLIENT_ID:
secretKeyRef:
name: oidc-drive
key: CLIENT_ID
OIDC_RP_CLIENT_SECRET:
secretKeyRef:
name: oidc-drive
key: CLIENT_SECRET
OIDC_RP_SIGN_ALGO:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SIGN_ALGO
OIDC_RP_SCOPES:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_RP_SCOPES
OIDC_OP_JWKS_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_JWKS_ENDPOINT
OIDC_OP_AUTHORIZATION_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_AUTHORIZATION_ENDPOINT
OIDC_OP_TOKEN_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_TOKEN_ENDPOINT
OIDC_OP_USER_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_USER_ENDPOINT
OIDC_OP_LOGOUT_ENDPOINT:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_OP_LOGOUT_ENDPOINT
OIDC_VERIFY_SSL:
configMapKeyRef:
name: lasuite-oidc-provider
key: OIDC_VERIFY_SSL
# ── Resource Server (Drive as OAuth2 RS for Messages integration) ─────────
OIDC_RESOURCE_SERVER_ENABLED: "True"
# Hydra issuer URL — must match the `iss` claim in introspection responses.
OIDC_OP_URL: https://auth.DOMAIN_SUFFIX/
# Hydra token introspection endpoint (admin port — no client auth required).
OIDC_OP_INTROSPECTION_ENDPOINT: http://hydra-admin.ory.svc.cluster.local:4445/admin/oauth2/introspect
# Drive authenticates to Hydra introspection using its own OIDC client creds.
OIDC_RS_CLIENT_ID:
secretKeyRef:
name: oidc-drive
key: CLIENT_ID
OIDC_RS_CLIENT_SECRET:
secretKeyRef:
name: oidc-drive
key: CLIENT_SECRET
# Only accept tokens issued to the messages OAuth2 client (ListValue, comma-separated).
OIDC_RS_ALLOWED_AUDIENCES:
secretKeyRef:
name: oidc-messages
key: CLIENT_ID
# ── Django ────────────────────────────────────────────────────────────────
DJANGO_SECRET_KEY:
secretKeyRef:
name: drive-django-secret
key: DJANGO_SECRET_KEY
DJANGO_CONFIGURATION: Production
ALLOWED_HOSTS: drive.DOMAIN_SUFFIX
DJANGO_ALLOWED_HOSTS: drive.DOMAIN_SUFFIX
DJANGO_CSRF_TRUSTED_ORIGINS: https://drive.DOMAIN_SUFFIX
LOGIN_REDIRECT_URL: /
LOGOUT_REDIRECT_URL: /
SESSION_COOKIE_AGE: "3600"
# Session cache TTL must match SESSION_COOKIE_AGE; default is 30s which
# causes sessions to expire in Valkey while the cookie remains valid.
CACHES_SESSION_TIMEOUT: "3600"
# Silent login disabled: the callback redirects back to the returnTo URL
# (not LOGIN_REDIRECT_URL) on login_required, causing an infinite reload loop
# when the user has no Hydra session. UserProfile shows a Login button instead.
FRONTEND_SILENT_LOGIN_ENABLED: "false"
# Redirect unauthenticated visitors at / straight to OIDC login instead of
# showing the La Suite marketing landing page. returnTo brings them to
# their files after successful auth.
FRONTEND_EXTERNAL_HOME_URL: "https://drive.DOMAIN_SUFFIX/api/v1.0/authenticate/?returnTo=https%3A%2F%2Fdrive.DOMAIN_SUFFIX%2Fexplorer%2Fitems%2Fmy-files"
# Allow Messages to call Drive SDK relay cross-origin.
SDK_CORS_ALLOWED_ORIGINS: "https://mail.DOMAIN_SUFFIX"
CORS_ALLOWED_ORIGINS: "https://mail.DOMAIN_SUFFIX"
# Allow all file types — self-hosted instance, no need to restrict uploads.
RESTRICT_UPLOAD_FILE_TYPE: "False"
# ── WOPI / Collabora ──────────────────────────────────────────────────────
# Comma-separated list of enabled WOPI client names.
# Inject Sunbeam theme CSS from the integration service.
FRONTEND_CSS_URL: "https://integration.DOMAIN_SUFFIX/api/v2/theme.css"
WOPI_CLIENTS: collabora
# Discovery XML endpoint — Collabora registers supported MIME types here.
WOPI_COLLABORA_DISCOVERY_URL: http://collabora.lasuite.svc.cluster.local:9980/hosting/discovery
# Base URL Drive uses when building wopi_src callback URLs for Collabora.
WOPI_SRC_BASE_URL: https://drive.DOMAIN_SUFFIX
themeCustomization:
enabled: true
file_content:
css_url: "https://integration.DOMAIN_SUFFIX/api/v2/theme.css"
waffle:
apiUrl: "https://integration.DOMAIN_SUFFIX/api/v2/services.json"
widgetPath: "https://integration.DOMAIN_SUFFIX/api/v2/lagaufre.js"
label: "O Estúdio"
closeLabel: "Fechar"
newWindowLabelSuffix: " · nova janela"
ingress:
enabled: false
ingressAdmin:
enabled: false
ingressMedia:
enabled: false
Reference in New Issue View Git Blame Copy Permalink