Update versions to latest and improve kratos configuration

Bdegraaf1234 · Bdegraaf1234 · commit 6827138e2077 · 2024-04-03T10:59:18.000+02:00
diff --git a/etc/base.yaml b/etc/base.yaml
@@ -140,8 +140,7 @@ kratos:
             - radar-k3s-test.thehyve.net
 
   kratos:
-    development: true
-    # -- Enable the initialization job. Required to work with a DB
+    development: false
 
     # -- Enables database migration
     automigration:
@@ -202,6 +201,44 @@ kratos:
           },
           "additionalProperties": false
         }
+      "identity.default.schema.json": |
+        {
+          "$schema": "http://json-schema.org/draft-07/schema#",
+          "$id": "default",
+          "title": "user",
+          "type": "object",
+          "properties": {
+            "traits": {
+              "type": "object",
+              "properties": {
+                "email": {
+                  "type": "string",
+                  "format": "email",
+                  "title": "E-Mail",
+                  "minLength": 5,
+                  "ory.sh/kratos": {
+                    "credentials": {
+                      "password": {
+                        "identifier": true
+                      },
+                      "totp": {
+                        "account_name": true
+                      }
+                    },
+                    "verification": {
+                      "via": "email"
+                    },
+                    "recovery": {
+                      "via": "email"
+                    }
+                  }
+                }
+              },
+              "required": [ "email" ]
+            }
+          },
+          "additionalProperties": false
+        }
 
     # -- You can customize the emails Kratos is sending (also uncomment config.courier.template_override_path below)
     emailTemplates: { }
@@ -235,6 +272,15 @@ kratos:
     #       plainBody:
 
     config:
+
+      session:
+        # Defines how long a session is active. Once that lifespan has been reached, the user needs to sign in again.
+        lifespan: 24h
+
+        cookie:
+          ##-- If false, cookie is removed when the browser is closed --##
+          persistent: false
+
       courier:
         smtp:
           from_address: radar@thehyve.nl
@@ -273,10 +319,16 @@ kratos:
 
         methods:
           password:
+            config:
+              haveibeenpwned_enabled: true
+              max_breaches: 0
+              ignore_network_errors: false
+              min_password_length: 12
+              identifier_similarity_check_enabled: true
             enabled: true
           totp:
             config:
-              issuer: Kratos
+              issuer: Radar
             enabled: true
           link:
             enabled: true
@@ -287,6 +339,7 @@ kratos:
 
           settings:
             ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/settings
+            required_aal: highest_available
 
           recovery:
             enabled: true
@@ -297,7 +350,7 @@ kratos:
             # our current flow necessitates that users reset their password after they activate an account in managementportal,
             # this works as verification
             ui_url: https://radar-k3s-test.thehyve.net/kratos-ui/verification
-            enabled: true
+            enabled: false
             use: link
             after:
               default_browser_return_url: https://radar-k3s-test.thehyve.net/kratos-ui
@@ -410,14 +463,16 @@ cp_schema_registry:
 
 catalog_server:
   _install: true
-  _chart_version: 0.4.3
+  _chart_version: 0.5.2
   _extra_timeout: 90
+  image:
+    tag: 0.8.7
   replicaCount: 1
   schema_registry: http://cp-schema-registry:8081
 
 radar_home:
   _install: true
-  _chart_version: 0.1.1
+  _chart_version: 0.2.2
   _extra_timeout: 0
 
 # --------------------------------------------------------- 10-managementportal.yaml ---------------------------------------------------------
@@ -458,15 +513,15 @@ management_portal:
 
 app_config:
   _install: true
-  _chart_version: 0.2.4
+  _chart_version: 1.1.1
   _extra_timeout: 0
   replicaCount: 1
   jdbc:
     url: jdbc:postgresql://postgresql:5432/appconfig
 
 app_config_frontend:
   _install: true
-  _chart_version: 0.2.3
+  _chart_version: 1.1.1
   _extra_timeout: 0
   replicaCount: 1
 
@@ -498,7 +553,7 @@ radar_appserver:
 # The charts in 20-fitbit.yaml only need to be installed if you will use a Fitbit or Garmin API integration.
 radar_fitbit_connector:
   _install: false
-  _chart_version: 0.2.1
+  _chart_version: 0.3.1
   _extra_timeout: 0
   replicaCount: 1
   oauthClientId: radar_fitbit_connector
@@ -558,7 +613,7 @@ radar_grafana:
 
 radar_jdbc_connector:
   _install: true
-  _chart_version: 0.4.0
+  _chart_version: 0.5.1
   _extra_timeout: 0
   replicaCount: 1
   sink:
@@ -569,9 +624,14 @@ radar_jdbc_connector:
 
 radar_gateway:
   _install: true
-  _chart_version: 0.2.6
+  _chart_version: 1.1.2
   _extra_timeout: 0
   replicaCount: 1
+  ingress:
+    annotations:
+      # rewrite the uri to the original request, which is encoded to prevent XSS attacks. This would likely be good practice everywhere but is REQUIRED for grizzly servers
+      nginx.ingress.kubernetes.io/configuration-snippet: |
+        rewrite ^ $request_uri; 
 
 # --------------------------------------------------------- 20-kafka-analysis.yaml ---------------------------------------------------------
 
@@ -637,7 +697,7 @@ minio:
 radar_s3_connector:
   # set to true if radar-s3-connector should be installed
   _install: true
-  _chart_version: 0.2.4
+  _chart_version: 0.3.1
   _extra_timeout: 90
   replicaCount: 1
   # The bucket name where intermediate data for cold storage should be written to.
