diff --git a/etc/base.yaml b/etc/base.yaml
index 7b780fc4..c0c00dfe 100644
--- a/etc/base.yaml
+++ b/etc/base.yaml
@@ -105,6 +105,18 @@ kafka_manager:
_chart_version: 2.1.6
_extra_timeout: 0
+# --------------------------------------------------------- 05-ory.yaml ---------------------------------------------------------
+
+kratos:
+ _install: false
+ _chart_version: 2.1.6
+ _extra_timeout: 0
+
+kratos_ui:
+ _install: false
+ _chart_version: 2.1.6
+ _extra_timeout: 0
+
# --------------------------------------------------------- 10-base.yaml ---------------------------------------------------------
# Use letsencrypt to retrieve SSL certificates.
cert_manager_letsencrypt:
@@ -179,7 +191,7 @@ postgresql:
management_portal:
_install: true
- _chart_version: 1.1.2
+ _chart_version: 1.1.3
_extra_timeout: 210
replicaCount: 1 # should be 1
postgres:
@@ -250,7 +262,7 @@ radar_oura_connector:
radar_rest_sources_authorizer:
_install: false
- _chart_version: 1.1.2
+ _chart_version: 1.1.3
_extra_timeout: 0
replicaCount: 1
diff --git a/etc/base.yaml.gotmpl b/etc/base.yaml.gotmpl
index ec1d6aa5..0bee5a73 100644
--- a/etc/base.yaml.gotmpl
+++ b/etc/base.yaml.gotmpl
@@ -32,4 +32,25 @@ radar_grafana:
#ksql_server:
# ksql:
# queries: |
-# {{/*- readFile "cp-ksql-server/queries.sql" | nindent 8 */}}
\ No newline at end of file
+# {{/*- readFile "cp-ksql-server/queries.sql" | nindent 8 */}}
+
+# If ory kratos is used, please remove the Go template comments and yaml comments.
+# These templates generate the connection strings based on multiple secrets.
+#{{/*
+#kratos:
+# kratos:
+# {{- $secrets := exec "sops" (list "-d" "production.yaml") | fromYaml }}
+# config:
+# {{- $postgres_user := $secrets.management_portal.postgres.user | default "postgres" }}
+# {{- $postgres_password := $secrets.management_portal.postgres.password }}
+# {{- $postgres_host := $secrets.management_portal.postgres.host | default "postgresql" }}
+# {{- $postgres_port := $secrets.management_portal.postgres.port | default "5432" }}
+# {{- $postgres_database := "kratos" }}
+# dsn: {{ printf "postgres://%s:%s@%s:%d/%s" $postgres_user $postgres_password $postgres_host $postgres_port $postgres_database | quote }}
+# courier:
+# smtp:
+# {{- $smtp_user := $secrets.management_portal.smtp.username }}
+# {{- $smtp_password := $secrets.management_portal.smtp.password }}
+# {{- $smtp_host := $secrets.management_portal.smtp.host }}
+# connection_uri: {{ printf "%s:%s@%s" $smtp_user $smtp_password $smtp_host | quote }}
+#*/}}
\ No newline at end of file
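Review bot: The `dsn` line at L62 formats `$postgres_port` with `%d`, but the value is a string whenever the `default "5432"` literal applies, so Go's printf renders `%!d(string=5432)` once the block is uncommented; use `%s`. The password is also interpolated raw, so any `@`, `/`, `:` or `#` in it breaks the URL — escape it: `dsn: {{ printf "postgres://%s:%s@%s:%s/%s" $postgres_user (urlquery $postgres_password) $postgres_host $postgres_port $postgres_database | quote }}`. The SMTP `connection_uri` at L68 has no scheme; Kratos's courier expects an `smtp://`/`smtps://` URL there, so `printf "smtps://%s:%s@%s"` with the same `urlquery` treatment is probably what is intended — verify against the courier docs for the pinned chart. Since this renders decrypted sops secrets into the values passed to Helm, `helmfile template`/`diff` output will contain the DSN in plaintext, which deserves a comment next to the `exec "sops"` line.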
diff --git a/etc/kratos/values.yaml b/etc/kratos/values.yaml
new file mode 100644
index 00000000..a83235ad
--- /dev/null
+++ b/etc/kratos/values.yaml
@@ -0,0 +1,275 @@
+ingress:
+ admin:
+ enabled: true
+ className: "nginx"
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ hosts:
+ - host: radar-k3s-test.thehyve.net
+ paths:
+ - path: "/admin/kratos/?(.*)"
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: kratos-admin-tls
+ host:
+ - radar-k3s-test.thehyve.net
+ public:
+ enabled: true
+ className: "nginx"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /$1
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ hosts:
+ - host: radar-k3s-test.thehyve.net
+ paths:
+ - path: "/kratos/?(.*)"
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: kratos-public-tls
+ hosts:
+ - radar-k3s-test.thehyve.net
+
+kratos:
+ development: false
+
+ # -- Enables database migration
+ automigration:
+ enabled: true
+ # -- Configure the way to execute database migration. Possible values: job, initContainer
+ # When set to job, the migration will be executed as a job on release or upgrade.
+ # When set to initContainer, the migration will be executed when Kratos pod is created
+ # Defaults to job
+ type: job
+ # -- Ability to override the entrypoint of the automigration container
+ # (e.g. to source dynamic secrets or export environment dynamic variables)
+ customCommand: [ ]
+ # -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
+ # eg:
+ # - sleep 5;
+ # - kratos
+ customArgs: [ ]
+ # -- resource requests and limits for the automigration initcontainer
+ resources: { }
+
+ # -- You can add multiple identity schemas here. You can pass JSON schema using `--set-file` Helm CLI argument.
+ identitySchemas:
+ "identity.user.schema.json": |
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "user",
+ "title": "user",
+ "type": "object",
+ "properties": {
+ "traits": {
+ "type": "object",
+ "properties": {
+ "email": {
+ "type": "string",
+ "format": "email",
+ "title": "E-Mail",
+ "minLength": 5,
+ "ory.sh/kratos": {
+ "credentials": {
+ "password": {
+ "identifier": true
+ },
+ "totp": {
+ "account_name": true
+ }
+ },
+ "verification": {
+ "via": "email"
+ },
+ "recovery": {
+ "via": "email"
+ }
+ }
+ }
+ },
+ "required": [ "email" ]
+ }
+ },
+ "additionalProperties": false
+ }
+ "identity.default.schema.json": |
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "default",
+ "title": "user",
+ "type": "object",
+ "properties": {
+ "traits": {
+ "type": "object",
+ "properties": {
+ "email": {
+ "type": "string",
+ "format": "email",
+ "title": "E-Mail",
+ "minLength": 5,
+ "ory.sh/kratos": {
+ "credentials": {
+ "password": {
+ "identifier": true
+ },
+ "totp": {
+ "account_name": true
+ }
+ },
+ "verification": {
+ "via": "email"
+ },
+ "recovery": {
+ "via": "email"
+ }
+ }
+ }
+ },
+ "required": [ "email" ]
+ }
+ },
+ "additionalProperties": false
+ }
+
+ # -- You can customize the emails Kratos is sending (also uncomment config.courier.template_override_path below)
+ emailTemplates: { }
+ # emailTemplates:
+ # recovery:
+ # valid:
+ # subject: Recover access to your account
+ # body: |-
+ # Hi, please recover access to your account by clicking the following link:
+ # {{ .RecoveryURL }}
+ # plainBody: |-
+ # Hi, please recover access to your account by clicking the following link: {{ .RecoveryURL }}
+ # invalid:
+ # subject: Account access attempted
+ # body: |-
+ # Hi, you (or someone else) entered this email address when trying to recover access to an account.
+ # However, this email address is not on our database of registered users and therefore the attempt has failed. If this was you, check if you signed up using a different address. If this was not you, please ignore this email.
+ # plainBody: |-
+ # Hi, you (or someone else) entered this email address when trying to recover access to an account.
+ # verification:
+ # valid:
+ # subject: Please verify your email address
+ # body: |-
+ # Hi, please verify your account by clicking the following link:
+ # {{ .VerificationURL }}
+ # plainBody: |-
+ # Hi, please verify your account by clicking the following link: {{ .VerificationURL }}
+ # invalid:
+ # subject:
+ # body:
+ # plainBody:
+
+ config:
+
+ session:
+ # Defines how long a session is active. Once that lifespan has been reached, the user needs to sign in again.
+ lifespan: 24h
+
+ cookie:
+ ##-- If false, cookie is removed when the browser is closed --##
+ persistent: false
+
+ courier:
+ smtp:
+ from_address: radar@thehyve.nl
+
+ serve:
+ public:
+ base_url: https://radar-k3s-test.thehyve.net/kratos/
+ cors:
+ enabled: true
+ allowed_origins:
+ - https://radar-k3s-test.thehyve.net/kratos-ui/
+ allowed_methods:
+ - POST
+ - GET
+ - PUT
+ - PATCH
+ - DELETE
+ allowed_headers:
+ - Authorization
+ - Cookie
+ - Content-Type
+ - Accept
+ exposed_headers:
+ - Content-Type
+ - Set-Cookie
+ - Accept
+ allow_credentials: true
+ admin:
+ base_url: https://radar-k3s-test.thehyve.net/admin/kratos/
+
+ selfservice:
+ default_browser_return_url: https://radar-k3s-test.thehyve.net/managementportal
+ allowed_return_urls:
+ - "https://radar-k3s-test.thehyve.net/"
+ - "http://radar-k3s-test.thehyve.net/"
+
+ methods:
+ password:
+ config:
+ haveibeenpwned_enabled: true
+ max_breaches: 0
+ ignore_network_errors: false
+ min_password_length: 12
+ identifier_similarity_check_enabled: true
+ enabled: true
+ totp:
+ config:
+ issuer: Radar
+ enabled: true
+ link:
+ enabled: true
+
+ flows:
+ error:
+ ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/error
+
+ settings:
+ ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/settings
+ required_aal: highest_available
+
+ recovery:
+ enabled: true
+ ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/recovery
+ use: link
+
+ verification:
+ # our current flow necessitates that users reset their password after they activate an account in managementportal,
+ # this works as verification
+ ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/verification
+ enabled: false
+ use: link
+ after:
+ default_browser_return_url: https://radar-k3s-test.thehyve.net/kratos-ui
+
+ logout:
+ after:
+ default_browser_return_url: https://radar-k3s-test.thehyve.net/kratos-ui/login
+
+ login:
+ ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/login
+
+ registration:
+ ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/registration
+ after:
+ password:
+ hooks:
+ - hook: session
+ oidc:
+ hooks:
+ - hook: session
+
+ identity:
+ default_schema_id: user
+ schemas:
+ # identitySchemas:
+ - id: user
+ url: file:///etc/config/identity.user.schema.json
+
+ log:
+ level: debug
+ format: text
+ leak_sensitive_values: true
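Review bot: The admin ingress at L78–L91 publishes Kratos's admin API — which Ory documents as having no built-in authentication — on the public host under `/admin/kratos/`, so anyone reaching that path can list, create or delete identities and sessions; the UI values already reach the admin API through the in-cluster `kratos-admin` service, so set `ingress.admin.enabled: false` (or front it with an authenticated ingress / IP allowlist). Its `tls` entry also uses `host:` where the public ingress uses `hosts:`, which looks like a typo that would leave that ingress without TLS. Separately, `leak_sensitive_values: true` with `level: debug` at the end of the file writes session tokens, credentials and PII to pod logs; use `leak_sensitive_values: false` and `level: info` outside local debugging. The `http://radar-k3s-test.thehyve.net/` entry in `allowed_return_urls` permits post-login redirects to a plaintext URL and should be dropped.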
diff --git a/etc/kratos_ui/values.yaml b/etc/kratos_ui/values.yaml
new file mode 100644
index 00000000..35b4fc3c
--- /dev/null
+++ b/etc/kratos_ui/values.yaml
@@ -0,0 +1,34 @@
+config:
+ csrfCookieName: "radar_csrf"
+
+ingress:
+ enabled: true
+ className: "nginx"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /$1
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ hosts:
+ - host: radar-k3s-test.thehyve.net
+ paths:
+ - path: "/kratos-ui/?(.*)"
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: radar-kratos-tls
+ hosts:
+ - radar-k3s-test.thehyve.net
+ # -- Set this to ORY Kratos's Admin URL
+kratosAdminUrl: "kratos-admin"
+
+# -- Set this to ORY Kratos's public URL
+kratosPublicUrl: "https://radar-k3s-test.thehyve.net/kratos"
+
+# -- Set this to ORY Kratos's public URL accessible from the outside world.
+kratosBrowserUrl: "https://radar-k3s-test.thehyve.net/kratos"
+
+# -- The basePath
+basePath: ""
+
+# -- The jwksUrl
+jwksUrl: ""
+
+projectName: "SecureApp"
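Review bot: `basePath` is left empty at L386 while the UI is served under `/kratos-ui/` with a `rewrite-target: /$1` ingress, so the self-service UI sees requests at `/` and will presumably emit its own links (login, settings, assets) at the root rather than under `/kratos-ui/`, which is where the Kratos `ui_url`s point; set `basePath: "/kratos-ui"` and confirm the rendered links against a browser session. Leaving `projectName: "SecureApp"` as the chart default is harmless but will show up in the UI pages — a project-specific value like `"RADAR-base"` is probably wanted.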
diff --git a/helmfile.d/05-ory.yaml b/helmfile.d/05-ory.yaml
new file mode 100644
index 00000000..cc490634
--- /dev/null
+++ b/helmfile.d/05-ory.yaml
@@ -0,0 +1,23 @@
+bases:
+- ../environments.yaml
+
+---
+
+releases:
+ - name: kratos
+ chart: ory/kratos
+ version: {{ .Values.kratos._chart_version }}
+ installed: {{ .Values.kratos._install }}
+ timeout: {{ add .Values.base_timeout .Values.kratos._extra_timeout }}
+ values:
+ - "../etc/kratos/values.yaml"
+ - {{ .Values.kratos | toYaml | indent 8 | trim }}
+
+ - name: kratos-selfservice-ui-node
+ chart: ory/kratos-selfservice-ui-node
+ version: {{ .Values.kratos_ui._chart_version }}
+ installed: {{ .Values.kratos_ui._install }}
+ timeout: {{ add .Values.base_timeout .Values.kratos_ui._extra_timeout }}
+ values:
+ - "../etc/kratos_ui/values.yaml"
+ - {{ .Values.kratos_ui | toYaml | indent 8 | trim }}