guildhall/k8s/50-guildhall-secrets-template.yaml
Tyler J King c0959a5376 feat(guildhall): minimum viable guildhall — OIDC, guilds, schematics, members
Implements the full founding-guild onboarding stack across four phases:

Phase A — Keycloak OIDC auth pipeline (oidcc) + guild registration with
ceremony-engine approval (SingleApproval, hub operator approves via gRPC).
Phase B — Founding schematic templates (MSP/ISV/NSP TOML), gRPC clients
for ceremony-service and ffc-schematic-server, schematic fork/bind/realize
LiveView with DB audit trail in guild_schematics.
Phase C — RealizationPoller GenServer polling realization status every 5s,
PubSub broadcast, live realization dashboard showing 7 reconciler sections.
Phase D — Self-service member onboarding (join request → guild master
approval via ceremony), member management LiveView, auto-create guild
master on guild approval via Ecto.Multi transaction.

Includes K8s manifests for ceremony-service (port 50053) and
ffc-schematic-server (port 9091) as ClusterIP services, plus updated
guildhall deployment with OIDC and gRPC service URL env vars.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Tyler J King <tking@guildhouse.dev>
2026-05-15 15:03:50 -04:00

77 lines
2.8 KiB
YAML

# Application + database secrets — TEMPLATES.
#
# Do NOT apply this file directly. Secret values are created
# imperatively so passwords and session keys never land in git.
# Four Secrets are created at deploy time:
#
# ---------- guildhall-db-credentials ----------
# Consumed by the guildhall-postgres Deployment (for its own env). The
# same password is also embedded in guildhall-app-secrets to build
# DATABASE_URL, so the two Secrets must be created (and rotated) together.
#
# DB_PASSWORD="$(openssl rand -base64 32 | tr -d '/+=' | head -c 32)"
#
# ('/', '+' and '=' are stripped because the password is spliced
# unencoded into DATABASE_URL below; those characters are reserved in
# URLs, and '/' in particular would end the user:password section.)
#
# kubectl create secret generic guildhall-db-credentials \
#   --from-literal=POSTGRES_DB=guildhall \
#   --from-literal=POSTGRES_USER=guildhall \
#   --from-literal=POSTGRES_PASSWORD="$DB_PASSWORD" \
#   --namespace=guildhall
#
# Shape:
#
#   apiVersion: v1
#   kind: Secret
#   metadata:
#     name: guildhall-db-credentials
#     namespace: guildhall
#   type: Opaque
#   data:
#     POSTGRES_DB: <b64 "guildhall">
#     POSTGRES_USER: <b64 "guildhall">
#     POSTGRES_PASSWORD: <b64 "<generated-strong-password>">
#
# ---------- guildhall-app-secrets ----------
# Consumed by the guildhall Deployment and the migration Job. Holds the
# Phoenix SECRET_KEY_BASE (session signing key), the DATABASE_URL that
# Ecto reads at runtime, and the Keycloak client secret used by the OIDC
# flow.
#
# SECRET_KEY_BASE="$(cd /home/tking/projects/substrate-project/guildhall && mix phx.gen.secret)"
#
# OIDC_CLIENT_SECRET="<from Keycloak guildhall-web client credentials>"
#
# kubectl create secret generic guildhall-app-secrets \
#   --from-literal=SECRET_KEY_BASE="$SECRET_KEY_BASE" \
#   --from-literal=DATABASE_URL="ecto://guildhall:$DB_PASSWORD@guildhall-postgres:5432/guildhall" \
#   --from-literal=OIDC_CLIENT_SECRET="$OIDC_CLIENT_SECRET" \
#   --namespace=guildhall
#
# Note: `ecto://` scheme, not `postgres://` — `config/runtime.exs`
# invokes Ecto.Repo's built-in URL parser which accepts either, but
# `ecto://` is the canonical form in Phoenix-generated config.
#
# Shape:
#
#   apiVersion: v1
#   kind: Secret
#   metadata:
#     name: guildhall-app-secrets
#     namespace: guildhall
#   type: Opaque
#   data:
#     SECRET_KEY_BASE: <b64 "<64-byte-base64-session-key>">
#     DATABASE_URL: <b64 "ecto://guildhall:<pw>@guildhall-postgres:5432/guildhall">
#     OIDC_CLIENT_SECRET: <b64 "<keycloak-client-secret>">
#
# ---------- ceremony-service-secrets ----------
# Consumed by the ceremony-service Deployment. Nothing in this template
# creates the `ceremony` role or database; provision them on
# guildhall-postgres with the same password before the service starts.
#
# CEREMONY_DB_PW="$(openssl rand -base64 32 | tr -d '/+=' | head -c 32)"
#
# kubectl create secret generic ceremony-service-secrets \
#   --from-literal=DATABASE_URL="postgres://ceremony:$CEREMONY_DB_PW@guildhall-postgres:5432/ceremony" \
#   --namespace=guildhall
#
# ---------- schematic-server-secrets ----------
# Consumed by the ffc-schematic-server Deployment. As above, the
# `schematic` role and database must already exist on guildhall-postgres.
#
# SCHEMATIC_DB_PW="$(openssl rand -base64 32 | tr -d '/+=' | head -c 32)"
#
# kubectl create secret generic schematic-server-secrets \
#   --from-literal=DATABASE_URL="postgres://schematic:$SCHEMATIC_DB_PW@guildhall-postgres:5432/schematic" \
#   --namespace=guildhall
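The four `kubectl create secret` invocations above, carried out as one script. This is an added example, not code from the guildhall repository: it renders the Secret manifests with a small shell helper and streams them to `kubectl apply -f -` on stdin, so a re-run updates the values instead of failing the way `kubectl create` does, and no secret value is ever passed as a command-line argument (with `--from-literal` the value sits in the kubectl process's argument list for as long as it runs). Namespace, Secret names, keys, the `guildhall-postgres:5432` host and the `ecto://` versus `postgres://` schemes are taken from this template; the alphanumeric password generator, the URL-safety check, the reuse-or-rotate convention for `DB_PASSWORD`/`CEREMONY_DB_PW`/`SCHEMATIC_DB_PW` and the `--render`/`--apply` flags are this example's own choices.

```shell
#!/bin/sh
# deploy-secrets.sh (added example, not part of the guildhall repo): renders the
# four Secrets described in this template and streams them to kubectl on stdin.
# No secret value appears on a command line or on disk. Assumed from the template:
# namespace, Secret names/keys and the guildhall-postgres:5432 Service; the helper
# functions and the --render/--apply flags are this example's own.
set -eu

NAMESPACE=guildhall
PG_HOST=guildhall-postgres   # ClusterIP Service name used in the template
PG_PORT=5432

# 32 alphanumeric characters (~190 bits). Alphanumerics are URL-unreserved, so
# the value can be spliced into DATABASE_URL without percent-encoding.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# True when $1 is non-empty and contains only RFC 3986 unreserved characters
# (A-Z a-z 0-9 - . _ ~); anything else could be mis-parsed inside a URL.
is_url_safe() {
  case "$1" in
    '')                 return 1 ;;
    *[!A-Za-z0-9._~-]*) return 1 ;;
    *)                  return 0 ;;
  esac
}

# db_url SCHEME USER PASSWORD HOST PORT DB  ->  SCHEME://USER:PASSWORD@HOST:PORT/DB
# Refuses a password that would corrupt the user:password component.
db_url() {
  is_url_safe "$3" || { echo "db_url: password is not URL-safe" >&2; return 1; }
  printf '%s://%s:%s@%s:%s/%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# secret_yaml NAME NAMESPACE KEY=VALUE...  ->  v1/Secret manifest, values base64.
# The body runs in a subshell so the loop variables do not leak.
secret_yaml() (
  name=$1 ns=$2
  shift 2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for kv in "$@"; do
    # split on the first '=' only: a value such as DATABASE_URL may itself contain '='
    printf '  %s: %s\n' "${kv%%=*}" "$(printf '%s' "${kv#*=}" | base64 | tr -d '\n')"
  done
)

# Render all four Secrets. DB passwords come from the environment when set
# (a re-run keeps them) and are generated otherwise (a re-run rotates them).
# SECRET_KEY_BASE (mix phx.gen.secret) and OIDC_CLIENT_SECRET (Keycloak) are required.
render_secrets() (
  : "${SECRET_KEY_BASE:?export the output of mix phx.gen.secret}"
  : "${OIDC_CLIENT_SECRET:?export the Keycloak guildhall-web client secret}"
  db_pw=${DB_PASSWORD:-$(gen_password)}
  ceremony_pw=${CEREMONY_DB_PW:-$(gen_password)}
  schematic_pw=${SCHEMATIC_DB_PW:-$(gen_password)}
  # ecto:// for the Phoenix app, postgres:// for the two services, as in the template
  app_url=$(db_url ecto guildhall "$db_pw" "$PG_HOST" "$PG_PORT" guildhall) || exit 1
  ceremony_url=$(db_url postgres ceremony "$ceremony_pw" "$PG_HOST" "$PG_PORT" ceremony) || exit 1
  schematic_url=$(db_url postgres schematic "$schematic_pw" "$PG_HOST" "$PG_PORT" schematic) || exit 1

  secret_yaml guildhall-db-credentials "$NAMESPACE" \
    POSTGRES_DB=guildhall POSTGRES_USER=guildhall "POSTGRES_PASSWORD=$db_pw"
  printf '%s\n' ---
  # the same db_pw is embedded here, so the two Secrets cannot drift apart
  secret_yaml guildhall-app-secrets "$NAMESPACE" \
    "SECRET_KEY_BASE=$SECRET_KEY_BASE" "DATABASE_URL=$app_url" "OIDC_CLIENT_SECRET=$OIDC_CLIENT_SECRET"
  printf '%s\n' ---
  secret_yaml ceremony-service-secrets "$NAMESPACE" "DATABASE_URL=$ceremony_url"
  printf '%s\n' ---
  secret_yaml schematic-server-secrets "$NAMESPACE" "DATABASE_URL=$schematic_url"
)

# ./deploy-secrets.sh --apply   stream to the cluster (idempotent: apply, not create)
# ./deploy-secrets.sh --render  print the manifests (they contain live secrets)
case "${1:-}" in
  --apply)  render_secrets | kubectl apply -f - ;;
  --render) render_secrets ;;
  *)        : ;;   # no argument: only define the functions (file can be sourced)
esac
```

Re-running with `--apply` rotates any DB password not supplied in the environment, which changes only the Secret: the matching role password inside Postgres has to be changed too (if guildhall-postgres runs the stock postgres image, POSTGRES_PASSWORD is read only when the data directory is first initialised), and pods that receive these values as environment variables pick up the new ones only after a restart.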