Auth: ory/kratos deployment
diff --git a/core/auth/kratos/Dockerfile b/core/auth/kratos/Dockerfile
new file mode 100644
index 0000000..9dea8e3
--- /dev/null
+++ b/core/auth/kratos/Dockerfile
@@ -0,0 +1,21 @@
+FROM alpine:3.14.2
+
+RUN addgroup -S ory; \
+ adduser -S ory -G ory -D -u 10000 -h /home/ory -s /bin/nologin; \
+ chown -R ory:ory /home/ory
+
+RUN apk add -U --no-cache ca-certificates
+
+RUN wget https://github.com/ory/kratos/releases/download/v0.7.6-alpha.1/kratos_0.7.6-alpha.1_linux_arm64.tar.gz -O kratos.tar.gz
+RUN tar -xvf kratos.tar.gz
+RUN mv kratos /usr/bin
+
+VOLUME /home/ory
+
+# Declare the standard ports used by Kratos (4433 for public service endpoint, 4434 for admin service endpoint)
+EXPOSE 4433 4434
+
+USER 10000
+
+ENTRYPOINT ["kratos"]
+CMD ["serve"]
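Review bot: The release tarball fetched by the `RUN wget …` line is extracted and copied into `/usr/bin` without any integrity check, so the image trusts whatever the download returns; pin the published checksum and verify it in the same layer, e.g. `RUN wget <URL> -O kratos.tar.gz && echo "<SHA256_OF_TARBALL>  kratos.tar.gz" | sha256sum -c - && tar -xf kratos.tar.gz && rm kratos.tar.gz`. As written the archive also stays in the image after extraction. On Alpine the nologin shell is `/sbin/nologin`; `-s /bin/nologin` most likely names a path that does not exist, which is harmless for a non-login account but worth correcting. Running as `USER 10000` with a fixed UID is the right call and should be mirrored by `runAsUser` in the Deployment.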
diff --git a/core/auth/kratos/Makefile b/core/auth/kratos/Makefile
new file mode 100644
index 0000000..d33966c
--- /dev/null
+++ b/core/auth/kratos/Makefile
@@ -0,0 +1,12 @@
+image:
+ docker build --tag=giolekva/ory-kratos:latest .
+
+push: image
+ docker push giolekva/ory-kratos:latest
+
+
+push_arm64: export GOOS=linux
+push_arm64: export GOARCH=arm64
+push_arm64: export CGO_ENABLED=0
+push_arm64: export GO111MODULE=on
+push_arm64: push
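Review bot: The four `export GOOS/GOARCH/CGO_ENABLED/GO111MODULE` assignments on `push_arm64` have no effect: the target only chains to `push` → `image`, which runs a plain `docker build`, and nothing in the Dockerfile reads those variables (it downloads a prebuilt `linux_arm64` tarball). Either drop the exports or make the architecture explicit where it matters, e.g. `docker build --platform=linux/arm64 --tag=giolekva/ory-kratos:latest .`. Publishing only `:latest` also means every `push` silently overwrites the previous image; adding an immutable tag alongside it (a git SHA or the Kratos version) would let the Deployment pin exactly what it runs.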
diff --git a/core/auth/kratos/identity.schema.json b/core/auth/kratos/identity.schema.json
new file mode 100644
index 0000000..f37a3df
--- /dev/null
+++ b/core/auth/kratos/identity.schema.json
@@ -0,0 +1,27 @@
+{
+ "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "User",
+ "type": "object",
+ "properties": {
+ "traits": {
+ "type": "object",
+ "properties": {
+ "username": {
+ "type": "string",
+ "format": "username",
+ "title": "Username",
+ "minLength": 3,
+ "ory.sh/kratos": {
+ "credentials": {
+ "password": {
+ "identifier": true
+ }
+ }
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+}
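Review bot: The `username` trait, which is the password-credential identifier, has a `minLength` but no upper bound, so the login identifier accepts arbitrarily long input; add `"maxLength": 64` (or whatever the UI allows) next to `"minLength": 3`. `"format": "username"` is not one of the draft-07 built-in formats, so whether it is enforced depends on the validator; if Kratos does not define it, a `pattern` is the portable way to constrain the character set. `"additionalProperties": false` on `traits` is good and should stay.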
diff --git a/core/auth/kratos/install.yaml b/core/auth/kratos/install.yaml
new file mode 100644
index 0000000..c802dab
--- /dev/null
+++ b/core/auth/kratos/install.yaml
@@ -0,0 +1,124 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: core-auth
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kratos
+ namespace: core-auth
+spec:
+ type: ClusterIP
+ selector:
+ app: kratos
+ ports:
+ - name: public
+ port: 80
+ targetPort: public
+ protocol: TCP
+ - name: admin
+ port: 81
+ targetPort: admin
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-kratos-public
+ namespace: core-auth
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - accounts.lekva.me
+ secretName: cert-accounts.lekva.me
+ rules:
+ - host: accounts.lekva.me
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: kratos
+ port:
+ name: public
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-kratos-private
+ namespace: core-auth
+ annotations:
+ cert-manager.io/cluster-issuer: "selfsigned-ca"
+ acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+ ingressClassName: nginx-private
+ tls:
+ - hosts:
+ - kratos.pcloud
+ secretName: cert-kratos.pcloud
+ rules:
+ - host: kratos.pcloud
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: kratos
+ port:
+ name: admin
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kratos
+ namespace: core-auth
+spec:
+ selector:
+ matchLabels:
+ app: kratos
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: kratos
+ spec:
+ volumes:
+ - name: config
+ configMap:
+ name: kratos
+ - name: identity
+ configMap:
+ name: identity
+ containers:
+ - name: kratos
+ image: giolekva/ory-kratos:latest
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: public
+ containerPort: 4433
+ protocol: TCP
+ - name: admin
+ containerPort: 4434
+ protocol: TCP
+ command: ["kratos", "--config=/etc/kratos/config/kratos.yaml", "serve"]
+ #command: ["kratos", "serve"]
+ # resources:
+ # requests:
+ # memory: "10Mi"
+ # cpu: "10m"
+ # limits:
+ # memory: "20Mi"
+ # cpu: "100m"
+ volumeMounts:
+ - name: config
+ mountPath: /etc/kratos/config
+ - name: identity
+ mountPath: /etc/kratos/identity
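Review bot: The `ingress-kratos-private` Ingress publishes the Kratos admin API (Service port `admin` → container port 4434) on `kratos.pcloud` with nothing but TLS in front of it; the admin API has no authentication of its own, so the only control is that the `nginx-private` ingress class is genuinely unreachable from outside, which this manifest cannot guarantee. Consider dropping that Ingress and reaching the admin port over the in-cluster Service (`kratos.core-auth.svc:81`), or fronting it with an authenticating proxy. The container spec also has no `securityContext`, and the commented-out limits (`memory: "20Mi"`) are far below the `128MB` argon2 working set configured in kratos.yaml, so enabling them as-is would OOM every password hash; the rewritten container stanza below adds hardening matching the image's `USER 10000` and sized limits. Both ConfigMaps mounted here are created out-of-band by the installer script, so this manifest does not deploy on its own.
```yaml
      containers:
        - name: kratos
          image: giolekva/ory-kratos:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsNonRoot: true
            runAsUser: 10000
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true  # confirm kratos writes nothing outside the mounted volumes
            capabilities:
              drop: ["ALL"]
          resources:
            # constructed sample values; size to hashers.argon2.memory in kratos.yaml
            requests:
              memory: "160Mi"
              cpu: "50m"
            limits:
              memory: "256Mi"
          # … unchanged: ports, command, volumeMounts …
```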
diff --git a/core/auth/kratos/kratos.yaml b/core/auth/kratos/kratos.yaml
new file mode 100644
index 0000000..b362dee
--- /dev/null
+++ b/core/auth/kratos/kratos.yaml
@@ -0,0 +1,95 @@
+version: v0.7.1-alpha.1
+
+dsn: postgres://postgres:psswd@postgres:5432/kr?sslmode=disable&max_conns=20&max_idle_conns=4
+
+serve:
+ public:
+ base_url: https://accounts.lekva.me/
+ cors:
+ enabled: true
+ debug: true
+ allow_credentials: true
+ allowed_origins:
+ - https://lekva.me
+ - https://*.lekva.me
+ admin:
+ base_url: https://kratos.pcloud/
+
+selfservice:
+ default_browser_return_url: https://accounts-ui.lekva.me/
+ whitelisted_return_urls:
+ - https://accounts-ui.lekva.me
+
+ methods:
+ password:
+ enabled: true
+
+ flows:
+ error:
+ ui_url: https://accounts-ui.lekva.me/error
+
+ settings:
+ ui_url: https://accounts-ui.lekva.me/settings
+ privileged_session_max_age: 15m
+
+ recovery:
+ enabled: false
+
+ verification:
+ enabled: false
+
+ logout:
+ after:
+ default_browser_return_url: https://accounts-ui.lekva.me/login
+
+ login:
+ ui_url: https://accounts-ui.lekva.me/login
+ lifespan: 10m
+ after:
+ password:
+ default_browser_return_url: https://accounts-ui.lekva.me/
+
+ registration:
+ lifespan: 10m
+ ui_url: https://accounts-ui.lekva.me/registration
+ after:
+ password:
+ hooks:
+ -
+ hook: session
+ default_browser_return_url: https://accounts-ui.lekva.me/
+
+log:
+ level: debug
+ format: text
+ leak_sensitive_values: true
+
+cookies:
+ path: /
+ same_site: None
+ domain: lekva.me
+
+secrets:
+ cookie:
+ - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
+ # cipher:
+ # - 32-LONG-SECRET-NOT-SECURE-AT-ALL
+
+# ciphers:
+# algorithm: xchacha20-poly1305
+
+hashers:
+ argon2:
+ parallelism: 1
+ memory: 128MB
+ iterations: 2
+ salt_length: 16
+ key_length: 16
+
+identity:
+ default_schema_url: file:///etc/kratos/identity/identity.schema.json
+
+courier:
+ smtp:
+ connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40lekva.me:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.lekva.me
+ # connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS@lekva.me:iW!3Kk^PPLFrZa$!bbpTPN9Wv3b8mvwS6ZJvMLtce#A2*4MotD@mx1.lekva.me
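Review bot: Live credentials are committed in this file — the Postgres password in `dsn` and the SMTP username and password in `courier.smtp.connection_uri` (twice, once in a comment) — and the file is loaded into a ConfigMap rather than a Secret, so they are readable to anyone with ConfigMap access; treat them as exposed, rotate them, and move these keys to a Secret injected through Kratos' environment overrides (`DSN`, `SECRETS_COOKIE`, `COURIER_SMTP_CONNECTION_URI`). `secrets.cookie` still holds the upstream placeholder `PLEASE-CHANGE-ME-I-AM-VERY-INSECURE`, which is what signs session cookies on the public `accounts.lekva.me` host. `log.leak_sensitive_values: true` together with `level: debug` writes credentials and session tokens into the pod logs; set `leak_sensitive_values: false` and `level: info` before this serves a public URL. `serve.public.cors.debug: true` and `cookies.same_site: None` widen the surface further; `Lax` is sufficient when the UI lives on a subdomain of the cookie `domain`. Finally, `version: v0.7.1-alpha.1` does not match the `v0.7.6-alpha.1` binary the Dockerfile installs.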
diff --git a/scripts/homelab/installer/kratos.sh b/scripts/homelab/installer/auth.sh
similarity index 60%
rename from scripts/homelab/installer/kratos.sh
rename to scripts/homelab/installer/auth.sh
index daeed39..59938ad 100644
--- a/scripts/homelab/installer/kratos.sh
+++ b/scripts/homelab/installer/auth.sh
@@ -17,7 +17,10 @@
# --set postgresqlPassword=psswd \
# --set postgresqlDatabase=kratos
-kubectl create configmap kratos -n core-auth --from-file=../../core/auth/kratos.yaml
-kubectl create configmap identity -n core-auth --from-file=../../core/auth/identity.schema.json
-# kubectl apply -f ../../core/auth/install.yaml
-# kubectl apply -f ../../core/auth/install-selfservice.yaml
+# kubectl create configmap kratos -n core-auth --from-file=../../core/auth/kratos.yaml
+# kubectl create configmap identity -n core-auth --from-file=../../core/auth/identity.schema.json
+# kubectl apply -f ../../core/auth/kratos/install.yaml
+# kubectl apply -f ../../core/auth/ui/install.yaml
+
+kubectl create configmap hydra -n core-auth --from-file=../../core/auth/hydra/hydra.yaml
+kubectl apply -f ../../core/auth/hydra/install.yaml
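Review bot: The commented-out `kubectl create configmap` lines still point at `../../core/auth/kratos.yaml` and `../../core/auth/identity.schema.json`, but this commit places those files under `core/auth/kratos/`, so re-enabling them would fail; update them to `--from-file=../../core/auth/kratos/kratos.yaml` and `--from-file=../../core/auth/kratos/identity.schema.json`. The new live lines reference `core/auth/hydra/hydra.yaml` and `core/auth/hydra/install.yaml`, which do not appear in this diff — presumably they exist elsewhere, but the commit title mentions only Kratos. `kubectl create configmap` also fails when the ConfigMap already exists, so the script is not re-runnable; `kubectl create configmap … --dry-run=client -o yaml | kubectl apply -f -` is the usual idempotent form. The script continues outside the hunk.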
diff --git a/scripts/homelab/k3s-install.sh b/scripts/homelab/k3s-install.sh
index 8e78908..9cc31b4 100755
--- a/scripts/homelab/k3s-install.sh
+++ b/scripts/homelab/k3s-install.sh
@@ -50,7 +50,7 @@
#source installer/longhorn.sh
#source installer/pihole.sh
#source installer/matrix.sh
-source installer/kratos.sh
+source installer/auth.sh
# kubectl apply -f ../../apps/rpuppy/install.yaml