

Add Ory Kratos
blootsvoets authored and pvannierop committed Apr 11, 2024
1 parent 3fdd34b commit 39cedd0
Showing 5 changed files with 368 additions and 3 deletions.
16 changes: 14 additions & 2 deletions etc/base.yaml
Expand Up @@ -105,6 +105,18 @@ kafka_manager:
_chart_version: 2.1.6
_extra_timeout: 0

# --------------------------------------------------------- 05-ory.yaml ---------------------------------------------------------

kratos:
_install: false
_chart_version: 2.1.6
_extra_timeout: 0

kratos_ui:
_install: false
_chart_version: 2.1.6
_extra_timeout: 0

# --------------------------------------------------------- 10-base.yaml ---------------------------------------------------------
# Use letsencrypt to retrieve SSL certificates.
cert_manager_letsencrypt:
Expand Down Expand Up @@ -179,7 +191,7 @@ postgresql:

management_portal:
_install: true
_chart_version: 1.1.2
_chart_version: 1.1.3
_extra_timeout: 210
replicaCount: 1 # should be 1
postgres:
Expand Down Expand Up @@ -250,7 +262,7 @@ radar_oura_connector:

radar_rest_sources_authorizer:
_install: false
_chart_version: 1.1.2
_chart_version: 1.1.3
_extra_timeout: 0
replicaCount: 1

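Review bot: The new `kratos` and `kratos_ui` entries both carry `_chart_version: 2.1.6`, the same value as the `kafka_manager` entry directly above them, for two unrelated charts; that reads like a copied placeholder rather than the published versions of the kratos and kratos-ui charts, and a wrong pin would presumably only surface on the first deployment with `_install: true`. Please confirm the intended versions against the chart repository before this lands as the default. The `1.1.2` → `1.1.3` bumps for `management_portal` and `radar_rest_sources_authorizer` in the other two hunks are straightforward.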
23 changes: 22 additions & 1 deletion etc/base.yaml.gotmpl
Expand Up @@ -32,4 +32,25 @@ radar_grafana:
#ksql_server:
# ksql:
# queries: |
# {{/*- readFile "cp-ksql-server/queries.sql" | nindent 8 */}}
# {{/*- readFile "cp-ksql-server/queries.sql" | nindent 8 */}}

# If ory kratos is used, please remove the Go template comments and yaml comments.
# These templates generate the connection strings based on multiple secrets.
#{{/*
#kratos:
# kratos:
# {{- $secrets := exec "sops" (list "-d" "production.yaml") | fromYaml }}
# config:
# {{- $postgres_user := $secrets.management_portal.postgres.user | default "postgres" }}
# {{- $postgres_password := $secrets.management_portal.postgres.password }}
# {{- $postgres_host := $secrets.management_portal.postgres.host | default "postgresql" }}
# {{- $postgres_port := $secrets.management_portal.postgres.port | default "5432" }}
# {{- $postgres_database := "kratos" }}
# dsn: {{ printf "postgres://%s:%s@%s:%d/%s" $postgres_user $postgres_password $postgres_host $postgres_port $postgres_database | quote }}
# courier:
# smtp:
# {{- $smtp_user := $secrets.management_portal.smtp.username }}
# {{- $smtp_password := $secrets.management_portal.smtp.password }}
# {{- $smtp_host := $secrets.management_portal.smtp.host }}
# connection_uri: {{ printf "%s:%s@%s" $smtp_user $smtp_password $smtp_host | quote }}
#*/}}
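Review bot: The `dsn:` line formats `$postgres_port` with `%d`, but the value is a string whenever the default `"5432"` applies (or the secret stores the port as text), and Go's printf then renders `%!d(string=5432)`, which produces an unusable connection string as soon as the comment markers are removed; use `%s` for every field: `# dsn: {{ printf "postgres://%s:%s@%s:%s/%s" $postgres_user $postgres_password $postgres_host $postgres_port $postgres_database | quote }}`. The database password and the SMTP credentials are also interpolated verbatim, so any `@`, `:`, `/` or `#` in a secret corrupts the URL; escaping them (e.g. with `urlquery`) or stating that restriction in the explanatory comment at the top of the block would avoid a hard-to-diagnose failure. The `{{/* … */}}` wrapper keeps all of this from being evaluated until a deployer opts in, so neither problem is caught by rendering the template as committed.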
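--- a/etc/kratos/values.yaml
+++ b/etc/kratos/values.yaml
@@ -0,0 +1,275 @@
+ingress:
+admin:
+enabled: true
+className: "nginx"
+annotations:
+cert-manager.io/cluster-issuer: letsencrypt-prod
+hosts:
+- host: radar-k3s-test.thehyve.net
+paths:
+- path: "/admin/kratos/?(.*)"
+pathType: ImplementationSpecific
+tls:
+- secretName: kratos-admin-tls
+host:
+- radar-k3s-test.thehyve.net
+public:
+enabled: true
+className: "nginx"
+annotations:
+nginx.ingress.kubernetes.io/rewrite-target: /$1
+cert-manager.io/cluster-issuer: letsencrypt-prod
+hosts:
+- host: radar-k3s-test.thehyve.net
+paths:
+- path: "/kratos/?(.*)"
+pathType: ImplementationSpecific
+tls:
+- secretName: kratos-public-tls
+hosts:
+- radar-k3s-test.thehyve.net
+
+kratos:
+development: false
+
+# -- Enables database migration
+automigration:
+enabled: true
+# -- Configure the way to execute database migration. Possible values: job, initContainer
+# When set to job, the migration will be executed as a job on release or upgrade.
+# When set to initContainer, the migration will be executed when Kratos pod is created
+# Defaults to job
+type: job
+# -- Ability to override the entrypoint of the automigration container
+# (e.g. to source dynamic secrets or export environment dynamic variables)
+customCommand: [ ]
+# -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
+# eg:
+# - sleep 5;
+# - kratos
+customArgs: [ ]
+# -- resource requests and limits for the automigration initcontainer
+resources: { }
+
+# -- You can add multiple identity schemas here. You can pass JSON schema using `--set-file` Helm CLI argument.
+identitySchemas:
+"identity.user.schema.json": |
+{
+"$schema": "http://json-schema.org/draft-07/schema#",
+"$id": "user",
+"title": "user",
+"type": "object",
+"properties": {
+"traits": {
+"type": "object",
+"properties": {
+"email": {
+"type": "string",
+"format": "email",
+"title": "E-Mail",
+"minLength": 5,
+"ory.sh/kratos": {
+"credentials": {
+"password": {
+"identifier": true
+},
+"totp": {
+"account_name": true
+}
+},
+"verification": {
+"via": "email"
+},
+"recovery": {
+"via": "email"
+}
+}
+}
+},
+"required": [ "email" ]
+}
+},
+"additionalProperties": false
+}
+"identity.default.schema.json": |
+{
+"$schema": "http://json-schema.org/draft-07/schema#",
+"$id": "default",
+"title": "user",
+"type": "object",
+"properties": {
+"traits": {
+"type": "object",
+"properties": {
+"email": {
+"type": "string",
+"format": "email",
+"title": "E-Mail",
+"minLength": 5,
+"ory.sh/kratos": {
+"credentials": {
+"password": {
+"identifier": true
+},
+"totp": {
+"account_name": true
+}
+},
+"verification": {
+"via": "email"
+},
+"recovery": {
+"via": "email"
+}
+}
+}
+},
+"required": [ "email" ]
+}
+},
+"additionalProperties": false
+}
+# -- You can customize the emails Kratos is sending (also uncomment config.courier.template_override_path below)
+emailTemplates: { }
+# emailTemplates:
+# recovery:
+# valid:
+# subject: Recover access to your account
+# body: |-
+# Hi, please recover access to your account by clicking the following link:
+# <a href="{{ .RecoveryURL }}">{{ .RecoveryURL }}</a>
+# plainBody: |-
+# Hi, please recover access to your account by clicking the following link: {{ .RecoveryURL }}
+# invalid:
+# subject: Account access attempted
+# body: |-
+# Hi, you (or someone else) entered this email address when trying to recover access to an account.
+# However, this email address is not on our database of registered users and therefore the attempt has failed. If this was you, check if you signed up using a different address. If this was not you, please ignore this email.
+# plainBody: |-
+# Hi, you (or someone else) entered this email address when trying to recover access to an account.
+# verification:
+# valid:
+# subject: Please verify your email address
+# body: |-
+# Hi, please verify your account by clicking the following link:
+# <a href="{{ .VerificationURL }}">{{ .VerificationURL }}</a>
+# plainBody: |-
+# Hi, please verify your account by clicking the following link: {{ .VerificationURL }}
+# invalid:
+# subject:
+# body:
+# plainBody:
+
+config:
+
+session:
+# Defines how long a session is active. Once that lifespan has been reached, the user needs to sign in again.
+lifespan: 24h
+
+cookie:
+##-- If false, cookie is removed when the browser is closed --##
+persistent: false
+
+courier:
+smtp:
+from_address: radar@thehyve.nl
+
+serve:
+public:
+base_url: https://radar-k3s-test.thehyve.net/kratos/
+cors:
+enabled: true
+allowed_origins:
+- https://radar-k3s-test.thehyve.net/kratos-ui/
+allowed_methods:
+- POST
+- GET
+- PUT
+- PATCH
+- DELETE
+allowed_headers:
+- Authorization
+- Cookie
+- Content-Type
+- Accept
+exposed_headers:
+- Content-Type
+- Set-Cookie
+- Accept
+allow_credentials: true
+admin:
+base_url: https://radar-k3s-test.thehyve.net/admin/kratos/
+
+selfservice:
+default_browser_return_url: https://radar-k3s-test.thehyve.net/managementportal
+allowed_return_urls:
+- "https://radar-k3s-test.thehyve.net/"
+- "http://radar-k3s-test.thehyve.net/"
+
+methods:
+password:
+config:
+haveibeenpwned_enabled: true
+max_breaches: 0
+ignore_network_errors: false
+min_password_length: 12
+identifier_similarity_check_enabled: true
+enabled: true
+totp:
+config:
+issuer: Radar
+enabled: true
+link:
+enabled: true
+
+flows:
+error:
+ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/error
+
+settings:
+ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/settings
+required_aal: highest_available
+
+recovery:
+enabled: true
+ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/recovery
+use: link
+
+verification:
+# our current flow necessitates that users reset their password after they activate an account in managementportal,
+# this works as verification
+ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/verification
+enabled: false
+use: link
+after:
+default_browser_return_url: https://radar-k3s-test.thehyve.net/kratos-ui
+
+logout:
+after:
+default_browser_return_url: https://radar-k3s-test.thehyve.net/kratos-ui/login
+
+login:
+ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/login
+
+registration:
+ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/registration
+after:
+password:
+hooks:
+- hook: session
+oidc:
+hooks:
+- hook: session
+
+identity:
+default_schema_id: user
+schemas:
+# identitySchemas:
+- id: user
+url: file:///etc/config/identity.user.schema.json
+
+log:
+level: debug
+format: text
+leak_sensitive_values: true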
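Review bot: `ingress.admin.enabled: true` publishes the Kratos admin API on the public hostname under `/admin/kratos/`; that API carries no authentication of its own, so anything that can reach the ingress can read and modify identities, and since the UI addresses it in-cluster (`kratosAdminUrl: "kratos-admin"` in etc/kratos_ui/values.yaml) the safe default is `enabled: false` unless the endpoint is placed behind an authenticating proxy and network-restricted. The admin `tls` entry also uses `host:` where the public entry uses `hosts:`, which looks like a typo the chart's ingress template would presumably not pick up. `log.leak_sensitive_values: true` combined with `level: debug` makes Kratos log sensitive values such as session tokens and should not be the committed default; `leak_sensitive_values: false` and `level: info` are the values to ship. `allowed_return_urls` admits `http://radar-k3s-test.thehyve.net/`, letting flows end on an unencrypted URL for a host that is otherwise TLS-only, and `cors.allowed_origins` carries a path (`/kratos-ui/`) that, as far as I can tell, no browser `Origin` header will ever match; `https://radar-k3s-test.thehyve.net` is the origin form, and with the UI on the same host CORS may not be needed at all.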
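--- a/etc/kratos_ui/values.yaml
+++ b/etc/kratos_ui/values.yaml
@@ -0,0 +1,34 @@
+config:
+csrfCookieName: "radar_csrf"
+
+ingress:
+enabled: true
+className: "nginx"
+annotations:
+nginx.ingress.kubernetes.io/rewrite-target: /$1
+cert-manager.io/cluster-issuer: letsencrypt-prod
+hosts:
+- host: radar-k3s-test.thehyve.net
+paths:
+- path: "/kratos-ui/?(.*)"
+pathType: ImplementationSpecific
+tls:
+- secretName: radar-kratos-tls
+hosts:
+- radar-k3s-test.thehyve.net
+# -- Set this to ORY Kratos's Admin URL
+kratosAdminUrl: "kratos-admin"
+
+# -- Set this to ORY Kratos's public URL
+kratosPublicUrl: "https://radar-k3s-test.thehyve.net/kratos"
+
+# -- Set this to ORY Kratos's public URL accessible from the outside world.
+kratosBrowserUrl: "https://radar-k3s-test.thehyve.net/kratos"
+
+# -- The basePath
+basePath: ""
+
+# -- The jwksUrl
+jwksUrl: ""
+
+projectName: "SecureApp"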
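Review bot: `kratosAdminUrl: "kratos-admin"` is a bare service name with no scheme or port, whereas the neighbouring `kratosPublicUrl` and `kratosBrowserUrl` are full URLs and the chart comment asks for a URL; unless the chart prepends a scheme itself, the UI's admin client cannot build requests from it, so something like `kratosAdminUrl: "http://kratos-admin:80"` (with whatever port the kratos admin service actually exposes) is the likely intent — please confirm against the chart. `basePath: ""` together with the `rewrite-target: /$1` ingress means the UI is reached under `/kratos-ui/` but sees itself at `/`, so links it generates would presumably drop the prefix; `basePath: "/kratos-ui"` (or serving without the rewrite) is worth checking once the login and recovery flows are exercised end to end. `projectName: "SecureApp"` appears to be the chart's sample value and is shown to users on the self-service pages, so it probably wants the RADAR project name.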
