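# Flux HelmRelease for the core auth stack: ORY Kratos (identities and
# sessions), ORY Hydra (OAuth2/OIDC) and the accounts UI.
#
# The `{{ ... }}` expressions are Go-template placeholders that are expanded
# before this document is parsed as YAML. Values that consist of nothing but a
# placeholder are quoted so a rendered value that happens to look like a
# number or boolean is still read as a string.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: core-auth
  namespace: "{{ .Release.Namespace }}"
spec:
  # core-auth-storage is presumably the Postgres reached by the DSNs below; it
  # has to be up before the automigrations in this release run.
  dependsOn:
    - name: core-auth-storage
      namespace: "{{ .Release.Namespace }}"
    - name: ingress-private  # TODO(giolekva): is this needed?
      namespace: "{{ .Global.Id }}-ingress-private"
  chart:
    spec:
      chart: charts/auth
      sourceRef:
        kind: GitRepository
        name: pcloud
        namespace: "{{ .Global.Id }}"
  interval: 1m0s
  values:
    kratos:
      fullnameOverride: kratos
      image:
        repository: oryd/kratos
        tag: v0.13.0
        pullPolicy: IfNotPresent
        # repository: giolekva/ory-kratos
        # tag: latest
        # pullPolicy: Always
      service:
        admin:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
        public:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
      ingress:
        # Admin API is only reachable through the private ingress class; the
        # public class carries just the accounts host.
        admin:
          enabled: true
          className: "{{ .Global.Id }}-ingress-private"
          hosts:
            - host: kratos.p.{{ .Global.Domain }}
              paths:
                - path: /
                  pathType: Prefix
          tls:
            - hosts:
                - kratos.p.{{ .Global.Domain }}
        public:
          enabled: true
          className: "{{ .Global.PCloudEnvName }}-ingress-public"
          annotations:
            acme.cert-manager.io/http01-edit-in-place: "true"
            cert-manager.io/cluster-issuer: "{{ .Global.Id }}-public"
          hosts:
            - host: accounts.{{ .Global.Domain }}
              paths:
                - path: /
                  pathType: Prefix
          tls:
            - hosts:
                - accounts.{{ .Global.Domain }}
              secretName: cert-accounts.{{ .Global.Domain }}
      secret:
        enabled: true
      kratos:
        automigration:
          enabled: true
        development: false
        courier:
          enabled: false
        config:
          # NOTE(review): config schema version lags the image tag (v0.13.0);
          # confirm the running Kratos still accepts this version string.
          version: v0.7.1-alpha.1
          # NOTE(review): database credentials are embedded in the DSN and
          # sslmode=disable sends them and all queries in clear text over the
          # cluster network. Prefer sourcing the DSN from a Secret and enabling
          # TLS on the Postgres side.
          dsn: postgres://kratos:kratos@postgres.{{ .Global.Id }}-core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
          serve:
            public:
              base_url: https://accounts.{{ .Global.Domain }}
              cors:
                enabled: true
                debug: false
                # NOTE(review): allow_credentials together with the wildcard
                # origin lets every subdomain make credentialed requests;
                # any compromised subdomain can act with the user's session.
                allow_credentials: true
                allowed_origins:
                  - https://{{ .Global.Domain }}
                  - https://*.{{ .Global.Domain }}
            admin:
              base_url: https://kratos.p.{{ .Global.Domain }}/
          selfservice:
            default_browser_return_url: https://accounts-ui.{{ .Global.Domain }}
            # whitelisted_return_urls:
            #   - https://accounts-ui.{{ .Global.Domain }}
            methods:
              password:
                enabled: true
            flows:
              error:
                ui_url: https://accounts-ui.{{ .Global.Domain }}/error
              settings:
                ui_url: https://accounts-ui.{{ .Global.Domain }}/settings
                privileged_session_max_age: 15m
              # Recovery and verification are off, so the courier/SMTP config
              # below is currently unused.
              recovery:
                enabled: false
              verification:
                enabled: false
              logout:
                after:
                  default_browser_return_url: https://accounts-ui.{{ .Global.Domain }}/login
              login:
                ui_url: https://accounts-ui.{{ .Global.Domain }}/login
                lifespan: 10m
                after:
                  password:
                    default_browser_return_url: https://accounts-ui.{{ .Global.Domain }}/
              registration:
                lifespan: 10m
                ui_url: https://accounts-ui.{{ .Global.Domain }}/registration
                after:
                  password:
                    # Issue a session right after password registration.
                    hooks:
                      - hook: session
                    default_browser_return_url: https://accounts-ui.{{ .Global.Domain }}/
          log:
            # NOTE(review): debug level in a production-facing release is
            # noisy; consider info once the deployment is stable.
            level: debug
            format: text
            # Was `true`, which makes Kratos write sensitive values (session
            # tokens and similar) into the log stream. Set to false to match
            # the Hydra log config in this same release.
            leak_sensitive_values: false
          cookies:
            path: /
            # NOTE(review): SameSite=None with the cookie scoped to the apex
            # domain shares the session cookie with every subdomain and every
            # cross-site context; make sure that is intended.
            same_site: None
            domain: "{{ .Global.Domain }}"
          secrets:
            # NOTE(review): placeholder secret committed to source. Every
            # environment rendered from this template signs cookies with the
            # same known value; it should be injected from a Secret/template
            # value instead of being hard-coded here.
            cookie:
              - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
            # cipher:
            #   - 32-LONG-SECRET-NOT-SECURE-AT-ALL
          # ciphers:
          #   algorithm: xchacha20-poly1305
          hashers:
            argon2:
              parallelism: 1
              memory: 128MB
              iterations: 2
              salt_length: 16
              key_length: 16
          identity:
            schemas:
              - id: user
                url: file:///etc/config/identity.schema.json
            default_schema_id: user
          courier:
            smtp:
              # NOTE(review): SMTP credentials are embedded in this URI. The
              # courier deployment is disabled above, so this is unused today,
              # but it is still a secret checked into source.
              connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Global.Domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Global.Domain }}
        # Identity schema referenced by identity.schemas[].url above: a single
        # `username` trait that doubles as the password identifier.
        identitySchemas:
          "identity.schema.json": |
            {
              "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
              "$schema": "http://json-schema.org/draft-07/schema#",
              "title": "User",
              "type": "object",
              "properties": {
                "traits": {
                  "type": "object",
                  "properties": {
                    "username": {
                      "type": "string",
                      "format": "username",
                      "title": "Username",
                      "minLength": 3,
                      "ory.sh/kratos": {
                        "credentials": {
                          "password": {
                            "identifier": true
                          }
                        }
                      }
                    }
                  },
                  "additionalProperties": false
                }
              }
            }
    hydra:
      fullnameOverride: hydra
      image:
        repository: oryd/hydra
        tag: v2.1.2
        pullPolicy: IfNotPresent
        # repository: giolekva/ory-hydra
        # tag: latest
        # pullPolicy: Always
      service:
        admin:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
        public:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
      ingress:
        admin:
          enabled: true
          className: "{{ .Global.Id }}-ingress-private"
          hosts:
            - host: hydra.p.{{ .Global.Domain }}
              paths:
                - path: /
                  pathType: Prefix
          tls:
            - hosts:
                - hydra.p.{{ .Global.Domain }}
        public:
          enabled: true
          className: "{{ .Global.PCloudEnvName }}-ingress-public"
          annotations:
            acme.cert-manager.io/http01-edit-in-place: "true"
            cert-manager.io/cluster-issuer: "{{ .Global.Id }}-public"
          hosts:
            - host: hydra.{{ .Global.Domain }}
              paths:
                - path: /
                  pathType: Prefix
          tls:
            - hosts:
                - hydra.{{ .Global.Domain }}
              secretName: cert-hydra.{{ .Global.Domain }}
      secret:
        enabled: true
      maester:
        enabled: true
      hydra-maester:
        adminService:
          name: hydra-admin
          port: 80
        image:
          repository: giolekva/ory-hydra-maester
          # NOTE(review): `latest` is a mutable tag, so what runs here can
          # change without a change to this file; pin a version or digest for
          # reproducible, auditable rollouts.
          tag: latest
          pullPolicy: IfNotPresent
      hydra:
        automigration:
          enabled: true
        config:
          # NOTE(review): config version lags the image tag (v2.1.2); confirm
          # Hydra still accepts it.
          version: v1.10.6
          # NOTE(review): same concern as the Kratos DSN — embedded credentials
          # and sslmode=disable.
          dsn: postgres://hydra:hydra@postgres.{{ .Global.Id }}-core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
          serve:
            cookies:
              same_site_mode: None
            public:
              cors:
                enabled: true
                debug: false
                allow_credentials: true
                allowed_origins:
                  - https://{{ .Global.Domain }}
                  - https://*.{{ .Global.Domain }}
            admin:
              # host: localhost
              cors:
                allowed_origins:
                  - https://hydra.p.{{ .Global.Domain }}
              tls:
                # NOTE(review): 0.0.0.0/0 already covers the two private
                # ranges, so any source may claim that TLS was terminated
                # upstream; narrow this to the ingress CIDRs if possible
                # (same list is repeated for serve.tls below).
                allow_termination_from:
                  - 0.0.0.0/0
                  - 10.42.0.0/16
                  - 10.43.0.0/16
            tls:
              allow_termination_from:
                - 0.0.0.0/0
                - 10.42.0.0/16
                - 10.43.0.0/16
          urls:
            self:
              public: https://hydra.{{ .Global.Domain }}
              issuer: https://hydra.{{ .Global.Domain }}
            consent: https://accounts-ui.{{ .Global.Domain }}/consent
            login: https://accounts-ui.{{ .Global.Domain }}/login
            logout: https://accounts-ui.{{ .Global.Domain }}/logout
          secrets:
            # NOTE(review): placeholder system secret committed to source;
            # inject it from a Secret/template value instead.
            system:
              - youReallyNeedToChangeThis
          oidc:
            subject_identifiers:
              supported_types:
                - pairwise
                - public
              pairwise:
                # NOTE(review): placeholder salt. Pairwise subject ids are
                # derived from it, so it must be secret and must not change
                # once users exist or their subjects change with it.
                salt: youReallyNeedToChangeThis
          log:
            # NOTE(review): trace is the most verbose level; consider info
            # once the deployment is stable.
            level: trace
            leak_sensitive_values: false
    ui:
      certificateIssuer: "{{ .Global.Id }}-public"
      ingressClassName: "{{ .Global.PCloudEnvName }}-ingress-public"
      domain: "{{ .Global.Domain }}"
      internalDomain: p.{{ .Global.Domain }}
      # The UI talks to Hydra's admin API in-cluster (never via the public
      # ingress); keep this service unreachable from outside the cluster.
      hydra: hydra-admin.{{ .Global.Id }}-core-auth.svc.cluster.local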