odoo-tower/admin-platform-v3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6b7743ecaf07e47972b8466265ee14336764fd73
admin-platform-v3/values.yaml
Claude 6b7743ecaf tower 0.61.23 / tower-ui 0.61.23 — SSE auth via ?token= 
NotificationBell + ActivityTab opened EventSource without auth
(native EventSource API can't set Authorization headers). Phase G's
canSeeOp guard correctly dropped every event for the resulting
anonymous viewer, leaving the bell silent except for the one-shot
backfill on mount.

Backend: claimsFromRequest now falls back to ?token= query param
when the Authorization header is absent. HTTPS-only ingress means
the token stays inside the TLS tunnel; the 15-min access-token TTL
bounds any leakage if it ever surfaces in browser history or proxy
logs.

Frontend: streamOperation + streamAllOperations append the access
token via streamURL(). Plus token-expiry-aware reconnect: on
EventSource error, debounce 5s, close, run authFetch('/me') to let
the 0.61.18 refresh path renew the access token, then re-open with
a fresh streamURL. Without this, the native auto-reconnect would
loop forever with the now-stale token after 15 min.
2026-04-30 18:15:11 +03:00

72 lines
2.0 KiB
YAML
Raw Blame History

# admin-platform-v3 — Tower platform default values.
backend:
enabled: true
image:
# Tower images live alongside the Docker Hub mirror on
# gitlab.odoosky.cloud — separate path, same registry. Pulled with
# the docker-mirror-pull deploy token (read-only registry scope),
# so every cluster that runs Tower needs the same imagePullSecret
# provisioned out-of-band (until cluster-platform-v3 owns it).
repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
tag: "0.61.23"
pullPolicy: IfNotPresent
imagePullSecrets:
- name: docker-mirror-pull
replicas: 1
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: "1"
memory: 256Mi
persistence:
enabled: true
size: 1Gi
frontend:
enabled: true
image:
repository: registry.odoosky.cloud/odoosky/docker-mirror/tower-ui
tag: "0.61.23"
pullPolicy: IfNotPresent
imagePullSecrets:
- name: docker-mirror-pull
replicas: 1
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 250m
memory: 64Mi
# Tower needs to talk to:
# - Gitea (create tenant repos, commit values.yaml)
# - ArgoCD (apply Application manifests)
#
# The credentials live in a K8s Secret in the same namespace, populated
# from the ExistingSecret pattern (so they aren't checked into Git).
# In Step 5+ we replace this with External Secrets sourcing from
# OpenBao at vault.odoosky.org.
config:
giteaURL: https://git.odoosky.org
giteaOrg: odoo-tower
chartRepo: instance-template-v3
argoCDURL: https://argocd.odoosky.org
argoCDUsername: admin
argoCDDestination: https://kubernetes.default.svc
argoCDProject: default
argoCDNamespace: argocd
tenantNamespace: tenants
# The Secret name (in the same namespace as Tower) that holds
# GITEA_TOKEN and ARGOCD_PASSWORD keys. Created out-of-band before
# this chart is applied.
existingSecret: tower-credentials
ingress:
domain: tower.odoosky.org
certIssuer: letsencrypt-prod
entryPoint: websecure
Reference in New Issue View Git Blame Copy Permalink