cameleer-server/deploy/cameleer-logto.yaml


# Logto OIDC Provider for Cameleer
# Provides external identity management with OAuth2/OIDC.
#
# Logto is proxy-aware: ENDPOINT and ADMIN_ENDPOINT (from cameleer-logto-credentials secret)
# set the public-facing URLs that Logto advertises in OIDC discovery, redirects, etc.
# When behind a reverse proxy (e.g., Traefik), set these to the external URLs.
#
# After deployment:
# 1. Access Logto admin console at the ADMIN_ENDPOINT URL
# 2. Complete initial setup (create admin account)
# 3. Create an Application for Cameleer (see HOWTO.md)
# 4. Create an API Resource with scopes (admin, operator, viewer)
# 5. Create an M2M Application for the SaaS platform
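# --- PostgreSQL for Logto ---
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: cameleer-logto-postgresql
  namespace: cameleer
spec:
  serviceName: cameleer-logto-postgresql
  replicas: 1
  selector:
    matchLabels:
      app: cameleer-logto-postgresql
  template:
    metadata:
      labels:
        app: cameleer-logto-postgresql
    spec:
      containers:
        - name: cameleer-logto-postgresql
          # Floating major tag: a pod restart may pull a newer 16.x build.
          # Pin an exact tag (or an @sha256 digest) once a version is chosen.
          image: postgres:16-alpine
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: logto
            # User and password come from the shared credentials secret; the
            # Logto Deployment reads the same two keys to build its DB_URL.
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: cameleer-logto-credentials
                  key: PG_USER
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: cameleer-logto-credentials
                  key: PG_PASSWORD
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
              # subPath keeps initdb off the volume root (avoids lost+found).
              subPath: pgdata
          resources:
            requests:
              memory: "128Mi"
              cpu: "50m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          # NOTE(review): the official image starts as root and steps down to
          # the postgres user itself; a runAsNonRoot/fsGroup securityContext
          # needs a matching uid — confirm before adding one.
          #
          # pg_isready reports whether the server accepts connections. A bare
          # TCP connect succeeds while PostgreSQL is still starting up or in
          # recovery and is rejecting sessions, so it over-reports readiness.
          # The probe reads the container's own environment at run time instead
          # of relying on $(VAR) expansion, which kubelet only applies to
          # literal env values in probe commands (not secretKeyRef ones).
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - 'pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB"'
            initialDelaySeconds: 15
            periodSeconds: 10
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - 'pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB"'
            initialDelaySeconds: 5
            periodSeconds: 5
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi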
---
# Headless Service (clusterIP: None): publishes the StatefulSet pod under the
# stable cluster-internal name the Logto Deployment's DB_URL connects to.
apiVersion: v1
kind: Service
metadata:
  name: cameleer-logto-postgresql
  namespace: cameleer
spec:
  clusterIP: None
  ports:
    - port: 5432
      targetPort: 5432
  selector:
    app: cameleer-logto-postgresql
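# --- Logto Server ---
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cameleer-logto
  namespace: cameleer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cameleer-logto
  template:
    metadata:
      labels:
        app: cameleer-logto
    spec:
      containers:
        - name: cameleer-logto
          # ":latest" (with the imagePullPolicy Always it implies) means any pod
          # restart may pull a different Logto release, and the seed step below
          # then runs against the existing schema. Pin a release tag (or digest)
          # so upgrades happen deliberately.
          image: ghcr.io/logto-io/logto:latest
          # Seed the database on start (--swe: skip when already present), then serve.
          command: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
          ports:
            - containerPort: 3001
              name: api
            - containerPort: 3002
              name: admin
          env:
            # Honour X-Forwarded-* headers from the reverse proxy. This is only
            # safe when every path to the pod goes through that proxy; see the
            # NodePort Service, which also exposes the pod directly.
            - name: TRUST_PROXY_HEADER
              value: "1"
            - name: PG_USER
              valueFrom:
                secretKeyRef:
                  name: cameleer-logto-credentials
                  key: PG_USER
            - name: PG_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: cameleer-logto-credentials
                  key: PG_PASSWORD
            # $(VAR) references resolve against the env entries defined above.
            # A password containing URL-reserved characters (@ / : # %) would
            # need percent-encoding here — confirm the secret value is URL-safe.
            - name: DB_URL
              value: "postgresql://$(PG_USER):$(PG_PASSWORD)@cameleer-logto-postgresql:5432/logto"
            # Public URLs advertised in OIDC discovery and redirects.
            - name: ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: cameleer-logto-credentials
                  key: ENDPOINT
            - name: ADMIN_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: cameleer-logto-credentials
                  key: ADMIN_ENDPOINT
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          securityContext:
            # Hardening that does not depend on which user the image runs as:
            # no privilege gain across exec, and the runtime's default seccomp
            # filter. The process only binds ports above 1024.
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
            # NOTE(review): add runAsNonRoot/runAsUser once the image's runtime
            # uid is confirmed.
          # Probes hit Logto's status endpoint on the api listener. The long
          # initial delays cover the db seed step that runs before npm start.
          livenessProbe:
            httpGet:
              path: /api/status
              port: 3001
            initialDelaySeconds: 60
            periodSeconds: 15
            timeoutSeconds: 5
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /api/status
              port: 3001
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 3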
---
# NodePort Service: both Logto listeners are reachable on every cluster node.
# api (3001 -> NodePort 30951) is the OIDC endpoint the reverse proxy forwards
# to; admin (3002 -> NodePort 30952) is the management console. Because the
# Deployment sets TRUST_PROXY_HEADER=1, a client that reaches these NodePorts
# directly, bypassing the proxy, can supply its own X-Forwarded-* headers.
# Restrict node-port reachability to the proxy (network policy / host
# firewall), or use a ClusterIP Service when the proxy runs in-cluster.
apiVersion: v1
kind: Service
metadata:
  name: cameleer-logto
  namespace: cameleer
spec:
  type: NodePort
  ports:
    - name: api
      port: 3001
      targetPort: 3001
      nodePort: 30951
    - name: admin
      port: 3002
      targetPort: 3002
      nodePort: 30952
  selector:
    app: cameleer-logto