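# Logto OIDC Provider for Cameleer
# Provides external identity management with OAuth2/OIDC.
#
# Logto is proxy-aware: ENDPOINT and ADMIN_ENDPOINT (from logto-credentials secret)
# set the public-facing URLs that Logto advertises in OIDC discovery, redirects, etc.
# When behind a reverse proxy (e.g., Traefik), set these to the external URLs.
#
# After deployment:
# 1. Access Logto admin console at the ADMIN_ENDPOINT URL
# 2. Complete initial setup (create admin account)
# 3. Create an Application for Cameleer (see HOWTO.md)
# 4. Create an API Resource with scopes (admin, operator, viewer)
# 5. Create an M2M Application for the SaaS platform
#
# Keys read from the logto-credentials Secret (namespace cameleer) by this file:
#   PG_USER, PG_PASSWORD, ENDPOINT, ADMIN_ENDPOINT
# ENDPOINT/ADMIN_ENDPOINT are URLs, not secrets; they live in the Secret only so
# all deployment-specific values are sourced from one object.

# --- PostgreSQL for Logto ---
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: logto-postgresql
  namespace: cameleer
spec:
  serviceName: logto-postgresql
  replicas: 1
  selector:
    matchLabels:
      app: logto-postgresql
  template:
    metadata:
      labels:
        app: logto-postgresql
    spec:
      # PostgreSQL never calls the Kubernetes API; do not mount a service-account token.
      automountServiceAccountToken: false
      containers:
        - name: postgresql
          # Major-version tag: minor/patch updates float with each pull.
          image: postgres:16-alpine
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: logto
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: logto-credentials
                  key: PG_USER
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: logto-credentials
                  key: PG_PASSWORD
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
              subPath: pgdata
          resources:
            requests:
              memory: "128Mi"
              cpu: "50m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          # Probes run through sh so the secret-sourced POSTGRES_USER is expanded at
          # probe time ($(VAR) substitution in probe commands does not cover valueFrom
          # env entries). Probing as the configured role instead of the container's OS
          # user avoids a "role ... does not exist" log line on every probe.
          livenessProbe:
            exec:
              command: ["sh", "-c", 'pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB"']
            initialDelaySeconds: 15
            periodSeconds: 10
          readinessProbe:
            exec:
              command: ["sh", "-c", 'pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB"']
            initialDelaySeconds: 5
            periodSeconds: 5
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi

---
apiVersion: v1
kind: Service
metadata:
  name: logto-postgresql
  namespace: cameleer
spec:
  # Headless service: only resolvable inside the cluster, used by the Logto DB_URL below.
  clusterIP: None
  selector:
    app: logto-postgresql
  ports:
    - port: 5432
      targetPort: 5432

# --- Logto Server ---
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: logto
  namespace: cameleer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: logto
  template:
    metadata:
      labels:
        app: logto
    spec:
      # Logto never calls the Kubernetes API; do not mount a service-account token.
      automountServiceAccountToken: false
      containers:
        - name: logto
          # `latest` is a floating tag: pin to a release tag or an @sha256 digest so
          # deploys are reproducible and the running version can be audited.
          image: ghcr.io/logto-io/logto:latest
          # Seed the database on start, then launch the server. --swe is the CLI's
          # skip-if-already-seeded switch (verify against the Logto CLI docs if it changes).
          command: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
          ports:
            - containerPort: 3001
              name: api
            - containerPort: 3002
              name: admin
          env:
            # Logto honours X-Forwarded-* headers; only valid when every request reaches
            # the pod through the reverse proxy (see the NodePort note on the Service).
            - name: TRUST_PROXY_HEADER
              value: "1"
            - name: PG_USER
              valueFrom:
                secretKeyRef:
                  name: logto-credentials
                  key: PG_USER
            - name: PG_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: logto-credentials
                  key: PG_PASSWORD
            # $(PG_USER)/$(PG_PASSWORD) are expanded by Kubernetes from the entries
            # above. PG_PASSWORD must be URL-safe (percent-encode @ / : # ?) or the
            # connection string is parsed incorrectly.
            - name: DB_URL
              value: "postgresql://$(PG_USER):$(PG_PASSWORD)@logto-postgresql:5432/logto"
            - name: ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: logto-credentials
                  key: ENDPOINT
            - name: ADMIN_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: logto-credentials
                  key: ADMIN_ENDPOINT
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          # Long initial delay: the seed step runs before the server answers.
          livenessProbe:
            httpGet:
              path: /api/status
              port: 3001
            initialDelaySeconds: 60
            periodSeconds: 15
            timeoutSeconds: 5
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /api/status
              port: 3001
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 3

---
apiVersion: v1
kind: Service
metadata:
  name: logto
  namespace: cameleer
spec:
  # NodePort publishes both ports on every node. Because TRUST_PROXY_HEADER=1 makes
  # Logto trust forwarded headers, traffic should only reach these ports via the
  # reverse proxy: restrict direct node access (NetworkPolicy / host firewall) and
  # keep the admin port (30952) off any public interface.
  type: NodePort
  selector:
    app: logto
  ports:
    - port: 3001
      targetPort: 3001
      nodePort: 30951
      name: api
    - port: 3002
      targetPort: 3002
      nodePort: 30952
      name: admin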