Ronni Baslund
c60937c5cb
ci / build (map[dir:apps/booking name:booking]) (push) Has been cancelled
ci / build (map[dir:apps/operator name:operator]) (push) Has been cancelled
ci / build (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / build (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / deploy (push) Has been cancelled
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
ci / typecheck (map[dir:apps/operator name:operator]) (push) Has been cancelled
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / test (push) Has been cancelled
Push to main = release: after build, a deploy job pins each app image to the commit SHA (kustomize edit set image), kubectl-applies fleet/apps and waits for the rollouts. The runner already runs in-cluster, so it reaches the API server on the in-cluster service IP with a kubeconfig for the new ci-deployer ServiceAccount (namespace-scoped admin, KUBECONFIG_B64 repo secret). The drafted Flux sync/image-automation layer is removed — a GitOps controller plus bot tag-bump commits is more machinery than a single-node cluster needs. Sortable image tags and $imagepolicy markers go with it. Also: per-router ACME-safe HTTP->HTTPS redirects for the app ingresses, platform-api prod config completed (Authentik JWT/JWKS + admin API, Stalwart via the cni0 gateway IP, OCIS/cold-storage placeholders until those tiers exist) and the secrets template/README updated to match.
42 lines
2.0 KiB
YAML
42 lines
2.0 KiB
YAML
# Non-secret runtime config for platform-api. Cluster-internal service
|
|
# addresses and integration toggles. Secrets (Mongo URI, credential key,
|
|
# Stalwart password, webhook secret) live in the platform-api-secrets Secret.
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: platform-api-config
|
|
namespace: dezky-apps
|
|
labels:
|
|
app.kubernetes.io/name: platform-api
|
|
data:
|
|
# Stalwart runs on the HOST (not k3s). Pods reach it via the cni0 gateway IP
|
|
# on the JMAP management port; the firewall lets the pod CIDR through.
|
|
STALWART_API_URL: "http://10.42.0.1:8080"
|
|
STALWART_ADMIN_USER: "admin"
|
|
STALWART_PROVISIONING_ENABLED: "true"
|
|
# JWT validation for portal/operator-issued access tokens. Public Authentik
|
|
# URLs on purpose: the token `iss` claim is the public URL, and the pod can
|
|
# hairpin to it through the node's public IP.
|
|
AUTHENTIK_ISSUER: "https://auth.dezky.eu/application/o/dezky-portal/,https://auth.dezky.eu/application/o/dezky-operator/"
|
|
AUTHENTIK_AUDIENCE: "dezky-portal,dezky-operator"
|
|
AUTHENTIK_JWKS_URI: "https://auth.dezky.eu/application/o/dezky-portal/jwks/"
|
|
AUTHENTIK_API_URL: "https://auth.dezky.eu/api/v3"
|
|
# OCIS is not deployed in production yet. The client is instantiated at boot
|
|
# (so the URL must exist) but only fails when a files feature is actually
|
|
# used. Swap to the real URL when the files tier lands.
|
|
OCIS_API_URL: "https://files.dezky.eu"
|
|
OCIS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
|
|
OCIS_OIDC_CLIENT_ID: "ocis-web"
|
|
OCIS_SVC_USERNAME: "svc-platform-api"
|
|
# Audit cold storage (Hetzner Object Storage) is not provisioned yet —
|
|
# archive stays off; the S3 client boots against the placeholder endpoint.
|
|
AUDIT_COLD_ENDPOINT: "https://fsn1.your-objectstorage.com"
|
|
AUDIT_COLD_REGION: "fsn1"
|
|
AUDIT_COLD_BUCKET: "dezky-audit"
|
|
AUDIT_HOT_RETENTION_DAYS: "90"
|
|
ARCHIVE_ENABLED: "false"
|
|
# Stripe billing dark-launched off in prod until live keys are wired.
|
|
BILLING_STRIPE_ENABLED: "false"
|
|
BOOKING_PUBLIC_URL: "https://booking.dezky.eu"
|
|
MEET_PUBLIC_URL: "https://meet.dezky.eu"
|