core-auth
diff --git a/charts/auth/Chart.lock b/charts/auth/Chart.lock
index 4e721e9..c8a1eed 100644
--- a/charts/auth/Chart.lock
+++ b/charts/auth/Chart.lock
@@ -1,9 +1,9 @@
dependencies:
- name: kratos
repository: https://k8s.ory.sh/helm/charts
- version: 0.20.1
+ version: 0.33.1
- name: hydra
repository: https://k8s.ory.sh/helm/charts
- version: 0.20.1
-digest: sha256:2467fbd505772fa37ee80fdbc7a20cc1fec923702a69176cda04b99311b13e0b
-generated: "2021-11-06T21:20:46.694331+04:00"
+ version: 0.33.1
+digest: sha256:10ebc5a0091aa612b31d13ad09ab3ae9593e876b8dc27edcaf8e2fd553aab832
+generated: "2023-05-30T14:29:25.471201+04:00"
diff --git a/charts/auth/Chart.yaml b/charts/auth/Chart.yaml
index e707e31..f261203 100644
--- a/charts/auth/Chart.yaml
+++ b/charts/auth/Chart.yaml
@@ -6,8 +6,8 @@
appVersion: "0.0.1"
dependencies:
- name: kratos
- version: v0.20.1
+ version: v0.33.1
repository: https://k8s.ory.sh/helm/charts
- name: hydra
- version: v0.20.1
+ version: v0.33.1
repository: https://k8s.ory.sh/helm/charts
diff --git a/charts/auth/charts/hydra-0.20.1.tgz b/charts/auth/charts/hydra-0.20.1.tgz
deleted file mode 100644
index 11e35f1..0000000
--- a/charts/auth/charts/hydra-0.20.1.tgz
+++ /dev/null
Binary files differ
diff --git a/charts/auth/charts/hydra-0.33.1.tgz b/charts/auth/charts/hydra-0.33.1.tgz
new file mode 100644
index 0000000..80d1080
--- /dev/null
+++ b/charts/auth/charts/hydra-0.33.1.tgz
Binary files differ
diff --git a/charts/auth/charts/kratos-0.20.1.tgz b/charts/auth/charts/kratos-0.20.1.tgz
deleted file mode 100644
index e3d7302..0000000
--- a/charts/auth/charts/kratos-0.20.1.tgz
+++ /dev/null
Binary files differ
diff --git a/charts/auth/charts/kratos-0.33.1.tgz b/charts/auth/charts/kratos-0.33.1.tgz
new file mode 100644
index 0000000..17bdd12
--- /dev/null
+++ b/charts/auth/charts/kratos-0.33.1.tgz
Binary files differ
diff --git a/charts/auth/templates/certificates.yaml b/charts/auth/templates/certificates.yaml
index b6b54b7..8db0ddd 100644
--- a/charts/auth/templates/certificates.yaml
+++ b/charts/auth/templates/certificates.yaml
@@ -7,7 +7,7 @@
helm.sh/resource-policy: keep
spec:
dnsNames:
- - 'accounts-ui.{{ .Values.ui.domain }}'
+ - "accounts-ui.{{ .Values.ui.domain }}"
issuerRef:
name: {{ .Values.ui.certificateIssuer }}
kind: ClusterIssuer
@@ -22,7 +22,7 @@
helm.sh/resource-policy: keep
spec:
dnsNames:
- - 'accounts.{{ .Values.ui.domain }}'
+ - "accounts.{{ .Values.ui.domain }}"
issuerRef:
name: {{ .Values.ui.certificateIssuer }}
kind: ClusterIssuer
@@ -37,7 +37,7 @@
helm.sh/resource-policy: keep
spec:
dnsNames:
- - 'hydra.{{ .Values.ui.domain }}'
+ - "hydra.{{ .Values.ui.domain }}"
issuerRef:
name: {{ .Values.ui.certificateIssuer }}
kind: ClusterIssuer
diff --git a/charts/auth/templates/lighthouse-config.yaml b/charts/auth/templates/lighthouse-config.yaml
deleted file mode 100644
index 1318c1a..0000000
--- a/charts/auth/templates/lighthouse-config.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ .Values.ui.nebula.lighthouse.name }}
- namespace: {{ .Release.Namespace }}
-data:
- lighthouse.yaml: |
- pki:
- ca: /etc/nebula/lighthouse/ca.crt
- cert: /etc/nebula/lighthouse/host.crt
- key: /etc/nebula/lighthouse/host.key
- static_host_map:
- "{{ .Values.ui.nebula.lighthouse.internalIP }}": ["{{ .Values.ui.nebula.lighthouse.externalIP }}:{{ .Values.ui.nebula.lighthouse.port }}"]
- lighthouse:
- am_lighthouse: false
- interval: 60
- hosts:
- - {{ .Values.ui.nebula.lighthouse.internalIP }}
- listen:
- host: "[::]"
- port: 4242
- punchy:
- punch: true
- cipher: chachapoly
- tun:
- disabled: false
- dev: nebula1
- drop_local_broadcast: false
- drop_multicast: false
- tx_queue: 500
- mtu: 1300
- logging:
- level: info
- format: text
- firewall:
- conntrack:
- tcp_timeout: 12m
- udp_timeout: 3m
- default_timeout: 10m
- max_connections: 100000
- outbound:
- - port: any
- proto: any
- host: any
- inbound:
- - port: any
- proto: any
- host: any
diff --git a/charts/auth/templates/ui.yaml b/charts/auth/templates/ui.yaml
index ad31ccb..b9054fe 100644
--- a/charts/auth/templates/ui.yaml
+++ b/charts/auth/templates/ui.yaml
@@ -50,16 +50,16 @@
metadata:
labels:
app: ui
- annotations:
- checksum/config: {{ include (print $.Template.BasePath "/lighthouse-config.yaml") . | sha256sum }}
+ # annotations:
+ # checksum/config: {{ include (print $.Template.BasePath "/lighthouse-config.yaml") . | sha256sum }}
spec:
volumes:
- - name: cert
- secret:
- secretName: {{ .Values.ui.nebula.node.secretName }}
- - name: config
- configMap:
- name: {{ .Values.ui.nebula.lighthouse.name }}
+ # - name: cert
+ # secret:
+ # secretName: {{ .Values.ui.nebula.node.secretName }}
+ # - name: config
+ # configMap:
+ # name: {{ .Values.ui.nebula.lighthouse.name }}
containers:
- name: server
image: giolekva/auth-ui:latest
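Review bot: Commenting these lines out with `#` does not stop Helm from executing the template actions in them, because a YAML comment is not a Go-template comment; `{{ include (print $.Template.BasePath "/lighthouse-config.yaml") . | sha256sum }}` on the commented annotation line will now fail at render time since this commit deletes templates/lighthouse-config.yaml, and the commented `{{ .Values.ui.nebula.node.secretName }}` / `{{ .Values.ui.nebula.lighthouse.name }}` lookups will most likely hit a nil-pointer evaluation error now that the `ui.nebula` block is removed from core-auth.yaml values (unless charts/auth/values.yaml still supplies defaults, which is not visible here). The same applies to the second hunk of this file (the commented lighthouse container and the commented NebulaNode document). The dead block should simply be deleted, git history keeps it; if a marker is wanted, use a template comment such as `{{- /* nebula lighthouse sidecar and NebulaNode removed; see git history */ -}}`, which the engine discards before any lookup happens. As a side point, leaving a commented-out `privileged: true` / `NET_ADMIN` sidecar in a template invites someone to re-enable it wholesale rather than re-evaluate whether those privileges are still needed.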
@@ -84,36 +84,36 @@
# limits:
# memory: "20Mi"
# cpu: "100m"
- - name: lighthouse
- image: giolekva/nebula:latest
- imagePullPolicy: Always
- securityContext:
- capabilities:
- add:
- - NET_ADMIN
- privileged: true
- ports:
- - name: lighthouse
- containerPort: 4247
- protocol: UDP
- command:
- - nebula
- - --config=/etc/nebula/config/lighthouse.yaml
- volumeMounts:
- - name: cert
- mountPath: /etc/nebula/lighthouse
- readOnly: true
- - name: config
- mountPath: /etc/nebula/config
- readOnly: true
----
-apiVersion: lekva.me/v1
-kind: NebulaNode
-metadata:
- name: {{ .Values.ui.nebula.node.name }}
- namespace: {{ .Release.Namespace }}
-spec:
- caName: {{ .Values.ui.nebula.certificateAuthority.name }}
- caNamespace: {{ .Values.ui.nebula.certificateAuthority.namespace }}
- ipCidr: {{ .Values.ui.nebula.node.ipCidr }}
- secretName: {{ .Values.ui.nebula.node.secretName }}
+ # - name: lighthouse
+ # image: giolekva/nebula:latest
+ # imagePullPolicy: Always
+ # securityContext:
+ # capabilities:
+ # add:
+ # - NET_ADMIN
+ # privileged: true
+ # ports:
+ # - name: lighthouse
+ # containerPort: 4247
+ # protocol: UDP
+ # command:
+ # - nebula
+ # - --config=/etc/nebula/config/lighthouse.yaml
+ # volumeMounts:
+ # - name: cert
+ # mountPath: /etc/nebula/lighthouse
+ # readOnly: true
+ # - name: config
+ # mountPath: /etc/nebula/config
+ # readOnly: true
+# ---
+# apiVersion: lekva.me/v1
+# kind: NebulaNode
+# metadata:
+# name: {{ .Values.ui.nebula.node.name }}
+# namespace: {{ .Release.Namespace }}
+# spec:
+# caName: {{ .Values.ui.nebula.certificateAuthority.name }}
+# caNamespace: {{ .Values.ui.nebula.certificateAuthority.namespace }}
+# ipCidr: {{ .Values.ui.nebula.node.ipCidr }}
+# secretName: {{ .Values.ui.nebula.node.secretName }}
diff --git a/core/installer/app.go b/core/installer/app.go
index 7d60aa3..2b4f08e 100644
--- a/core/installer/app.go
+++ b/core/installer/app.go
@@ -109,7 +109,7 @@
tmpls.Lookup("core-auth.yaml"),
},
string(schema),
- nil,
+ tmpls.Lookup("core-auth.md"),
}
}
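Review bot: `tmpls.Lookup("core-auth.md")` returns nil when no template with that name was parsed, which silently reproduces the previous `nil` instead of surfacing a wiring mistake; if `tmpls` is populated from a glob that only matches the `.yaml`/`.jsonschema` files (not visible here), the newly added `.md` would be dropped without any error. The enclosing function starts and ends outside this hunk, so the struct literal would need a small restructuring, e.g. `desc := tmpls.Lookup("core-auth.md")` followed by `if desc == nil { panic("core-auth.md template not found") }` before the literal, or the equivalent error return if the function already returns an error.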
diff --git a/core/installer/values-tmpl/core-auth-storage.yaml b/core/installer/values-tmpl/core-auth-storage.yaml
index f24ad4b..9f7da7c 100644
--- a/core/installer/values-tmpl/core-auth-storage.yaml
+++ b/core/installer/values-tmpl/core-auth-storage.yaml
@@ -2,7 +2,7 @@
kind: HelmRelease
metadata:
name: core-auth-storage
- namespace: {{ .Values.NamespacePrefix }}core-auth
+ namespace: {{ .Global.NamespacePrefix }}core-auth
spec:
chart:
spec:
@@ -11,10 +11,10 @@
sourceRef:
kind: HelmRepository
name: bitnami
- namespace: {{ .Values.Id }}
+ namespace: {{ .Global.Id }}
dependsOn:
- name: namespaces
- namespace: {{ .Values.Id }}
+ namespace: {{ .Global.Id }}
interval: 1m0s
values:
fullnameOverride: postgres
diff --git a/core/installer/values-tmpl/core-auth.jsonschema b/core/installer/values-tmpl/core-auth.jsonschema
index ec6a2c5..f42d895 100644
--- a/core/installer/values-tmpl/core-auth.jsonschema
+++ b/core/installer/values-tmpl/core-auth.jsonschema
@@ -1,15 +1,6 @@
{
"type": "object",
"properties": {
- "Values": {
- "type": "object",
- "properties": {
- "NamespacePrefix": { "type": "string" },
- "Id": { "type": "string" },
- "Domain": { "type": "string" }
- },
- "additionalProperties": false
- }
},
"additionalProperties": false
}
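Review bot: With `"properties": {}` and `"additionalProperties": false` this schema now accepts only an empty object, so any app-specific value passed to core-auth will be rejected. If that is intended because everything the templates need now comes from `.Global` (validated elsewhere, presumably by the installer), a `"description": "core-auth takes no app-specific values; all inputs come from the installer's Global context"` would make the intent explicit to the next reader; if it is not intended, the now-empty `properties` object is a leftover that should be filled in.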
diff --git a/core/installer/values-tmpl/core-auth.md b/core/installer/values-tmpl/core-auth.md
new file mode 100644
index 0000000..ed24bca
--- /dev/null
+++ b/core/installer/values-tmpl/core-auth.md
@@ -0,0 +1 @@
+OpenID Connect base Single Sign On solution
diff --git a/core/installer/values-tmpl/core-auth.yaml b/core/installer/values-tmpl/core-auth.yaml
index eb80745..5686659 100644
--- a/core/installer/values-tmpl/core-auth.yaml
+++ b/core/installer/values-tmpl/core-auth.yaml
@@ -2,7 +2,7 @@
kind: HelmRelease
metadata:
name: core-auth
- namespace: {{ .Values.NamespacePrefix }}core-auth
+ namespace: {{ .Global.NamespacePrefix }}core-auth
spec:
chart:
spec:
@@ -10,18 +10,21 @@
sourceRef:
kind: GitRepository
name: pcloud
- namespace: {{ .Values.Id }}
+ namespace: {{ .Global.Id }}
dependsOn:
- name: core-auth-storage
- namespace: {{ .Values.NamespacePrefix }}core-auth
+ namespace: {{ .Global.NamespacePrefix }}core-auth
interval: 1m0s
values:
kratos:
fullnameOverride: kratos
image:
- repository: giolekva/ory-kratos
- tag: latest
- pullPolicy: Always
+ repository: oryd/kratos
+ tag: v0.13.0
+ pullPolicy: IfNotPresent
+ # repository: giolekva/ory-kratos
+ # tag: latest
+ # pullPolicy: Always
service:
admin:
enabled: true
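Review bot: The new image block pins `oryd/kratos` to the mutable tag `v0.13.0` while keeping the old `giolekva/ory-kratos:latest` lines as comments directly below it; the commented lines should be removed (git history keeps them), and the same applies to the hydra image hunk further down (`oryd/hydra` / `v2.1.2`). Moving from `latest` with `pullPolicy: Always` to a version tag with `IfNotPresent` is the right direction for reproducible deploys; for supply-chain integrity the tag is better paired with an immutable digest, e.g. `tag: "v0.13.0@sha256:<DIGEST-PLACEHOLDER>"`, which works if the chart composes the reference as `repository:tag` (the ory charts appear to, but confirm against the vendored chart).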
@@ -36,27 +39,27 @@
ingress:
admin:
enabled: true
- className: {{ .Values.Id }}-ingress-private
+ className: {{ .Global.Id }}-ingress-private
hosts:
- - host: kratos.p.{{ .Values.Domain }}
+ - host: kratos.p.{{ .Global.Domain }}
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- - kratos.p.{{ .Values.Domain }}
+ - kratos.p.{{ .Global.Domain }}
public:
enabled: true
- className: {{ .Values.PCloudEnvName }}-ingress-public
+ className: {{ .Global.PCloudEnvName }}-ingress-public
hosts:
- - host: accounts.{{ .Values.Domain }}
+ - host: accounts.{{ .Global.Domain }}
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- - accounts.{{ .Values.Domain }}
- secretName: cert-accounts.{{ .Values.Domain }}
+ - accounts.{{ .Global.Domain }}
+ secretName: cert-accounts.{{ .Global.Domain }}
secret:
enabled: true
kratos:
@@ -67,28 +70,28 @@
dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
serve:
public:
- base_url: https://accounts.{{ .Values.Domain }}
+ base_url: https://accounts.{{ .Global.Domain }}
cors:
enabled: true
debug: false
allow_credentials: true
allowed_origins:
- - https://{{ .Values.Domain }}
- - https://*.{{ .Values.Domain }}
+ - https://{{ .Global.Domain }}
+ - https://*.{{ .Global.Domain }}
admin:
- base_url: https://kratos.p.{{ .Values.Domain }}/
+ base_url: https://kratos.p.{{ .Global.Domain }}/
selfservice:
- default_browser_return_url: https://accounts-ui.{{ .Values.Domain }}
+ default_browser_return_url: https://accounts-ui.{{ .Global.Domain }}
whitelisted_return_urls:
- - https://accounts-ui.{{ .Values.Domain }}
+ - https://accounts-ui.{{ .Global.Domain }}
methods:
password:
enabled: true
flows:
error:
- ui_url: https://accounts-ui.{{ .Values.Domain }}/error
+ ui_url: https://accounts-ui.{{ .Global.Domain }}/error
settings:
- ui_url: https://accounts-ui.{{ .Values.Domain }}/settings
+ ui_url: https://accounts-ui.{{ .Global.Domain }}/settings
privileged_session_max_age: 15m
recovery:
enabled: false
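Review bot: Pinning kratos to v0.13.0 changes which configuration keys are accepted, and this hunk still carries `selfservice.whitelisted_return_urls`, which as far as I recall was renamed to `selfservice.allowed_return_urls` in the 0.8 release line; the same concern applies to `identity.default_schema_url` in the later courier/identitySchemas hunk, which I believe became `identity.schemas` (a list of `id`/`url`) plus `identity.default_schema_id` in that same release. Kratos validates its config against its JSON schema at startup and rejects unknown keys, so these lines should be checked against the v0.13.0 configuration reference before the bump lands, otherwise the pod will fail at boot rather than at a later request. Suggested change if the rename is confirmed: `allowed_return_urls:` in place of `whitelisted_return_urls:` on the indented line in this hunk.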
@@ -96,22 +99,22 @@
enabled: false
logout:
after:
- default_browser_return_url: https://accounts-ui.{{ .Values.Domain }}/login
+ default_browser_return_url: https://accounts-ui.{{ .Global.Domain }}/login
login:
- ui_url: https://accounts-ui.{{ .Values.Domain }}/login
+ ui_url: https://accounts-ui.{{ .Global.Domain }}/login
lifespan: 10m
after:
password:
- default_browser_return_url: https://accounts-ui.{{ .Values.Domain }}/
+ default_browser_return_url: https://accounts-ui.{{ .Global.Domain }}/
registration:
lifespan: 10m
- ui_url: https://accounts-ui.{{ .Values.Domain }}/registration
+ ui_url: https://accounts-ui.{{ .Global.Domain }}/registration
after:
password:
hooks:
-
hook: session
- default_browser_return_url: https://accounts-ui.{{ .Values.Domain }}/
+ default_browser_return_url: https://accounts-ui.{{ .Global.Domain }}/
log:
level: debug
format: text
@@ -119,7 +122,7 @@
cookies:
path: /
same_site: None
- domain: {{ .Values.Domain }}
+ domain: {{ .Global.Domain }}
secrets:
cookie:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
@@ -138,7 +141,7 @@
default_schema_url: file:///etc/config/identity.schema.json
courier:
smtp:
- connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Values.Domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Values.Domain }}
+ connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Global.Domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Global.Domain }}
identitySchemas:
"identity.schema.json": |
{
@@ -171,9 +174,12 @@
hydra:
fullnameOverride: hydra
image:
- repository: giolekva/ory-hydra
- tag: latest
- pullPolicy: Always
+ repository: oryd/hydra
+ tag: v2.1.2
+ pullPolicy: IfNotPresent
+ # repository: giolekva/ory-hydra
+ # tag: latest
+ # pullPolicy: Always
service:
admin:
enabled: true
@@ -188,34 +194,34 @@
ingress:
admin:
enabled: true
- className: {{ .Values.Id }}-ingress-private
+ className: {{ .Global.Id }}-ingress-private
hosts:
- - host: hydra.p.{{ .Values.Domain }}
+ - host: hydra.p.{{ .Global.Domain }}
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- - hydra.p.{{ .Values.Domain }}
+ - hydra.p.{{ .Global.Domain }}
public:
enabled: true
- className: {{ .Values.PCloudEnvName }}-ingress-public
+ className: {{ .Global.PCloudEnvName }}-ingress-public
hosts:
- - host: hydra.{{ .Values.Domain }}
+ - host: hydra.{{ .Global.Domain }}
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- - hydra.{{ .Values.Domain }}
- secretName: cert-hydra.{{ .Values.Domain }}
+ - hydra.{{ .Global.Domain }}
+ secretName: cert-hydra.{{ .Global.Domain }}
secret:
enabled: true
maester:
enabled: false
hydraFullnameOverride: hydra
hydra-maester:
- fullnameOverride: {{ .Values.Id }}-hydra-maester
+ fullnameOverride: {{ .Global.Id }}-hydra-maester
image:
repository: giolekva/ory-hydra-maester
tag: latest
@@ -237,32 +243,30 @@
debug: false
allow_credentials: true
allowed_origins:
- - https://{{ .Values.Domain }}
- - https://*.{{ .Values.Domain }}
+ - https://{{ .Global.Domain }}
+ - https://*.{{ .Global.Domain }}
admin:
# host: localhost
cors:
allowed_origins:
- - https://hydra.p.{{ .Values.Domain }}
+ - https://hydra.p.{{ .Global.Domain }}
tls:
allow_termination_from:
- 0.0.0.0/0
- 10.42.0.0/16
- 10.43.0.0/16
- - {{ .Values.LighthouseMainIP }}/32
tls:
allow_termination_from:
- 0.0.0.0/0
- 10.42.0.0/16
- 10.43.0.0/16
- - {{ .Values.LighthouseMainIP }}/32
urls:
self:
- public: https://hydra.{{ .Values.Domain }}
- issuer: https://hydra.{{ .Values.Domain }}
- consent: https://accounts-ui.{{ .Values.Domain }}/consent
- login: https://accounts-ui.{{ .Values.Domain }}/login
- logout: https://accounts-ui.{{ .Values.Domain }}/logout
+ public: https://hydra.{{ .Global.Domain }}
+ issuer: https://hydra.{{ .Global.Domain }}
+ consent: https://accounts-ui.{{ .Global.Domain }}/consent
+ login: https://accounts-ui.{{ .Global.Domain }}/login
+ logout: https://accounts-ui.{{ .Global.Domain }}/logout
secrets:
system:
- youReallyNeedToChangeThis
@@ -277,20 +281,7 @@
level: trace
leak_sensitive_values: false
ui:
- certificateIssuer: {{ .Values.Id }}-public
- ingressClassName: {{ .Values.PCloudEnvName }}-ingress-public
- domain: {{ .Values.Domain }}
- internalDomain: p.{{ .Values.Domain }}
- nebula:
- lighthouse:
- name: ui-lighthouse
- internalIP: {{ .Values.LighthouseMainIP }}
- externalIP: {{ .Values.PublicIP }}
- port: "{{ .Values.LighthouseMainPort }}"
- node:
- name: ui
- ipCidr: {{ .Values.LighthouseAuthUIIP }}/24
- secretName: node-ui-cert
- certificateAuthority:
- name: {{ .Values.Id }}
- namespace: {{ .Values.NamespacePrefix }}ingress-private
+ certificateIssuer: {{ .Global.Id }}-public
+ ingressClassName: {{ .Global.PCloudEnvName }}-ingress-public
+ domain: {{ .Global.Domain }}
+ internalDomain: p.{{ .Global.Domain }}