Installer: core auth services
diff --git a/charts/auth/.helmignore b/charts/auth/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/auth/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/auth/Chart.lock b/charts/auth/Chart.lock
new file mode 100644
index 0000000..4e721e9
--- /dev/null
+++ b/charts/auth/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: kratos
+ repository: https://k8s.ory.sh/helm/charts
+ version: 0.20.1
+- name: hydra
+ repository: https://k8s.ory.sh/helm/charts
+ version: 0.20.1
+digest: sha256:2467fbd505772fa37ee80fdbc7a20cc1fec923702a69176cda04b99311b13e0b
+generated: "2021-11-06T21:20:46.694331+04:00"
diff --git a/charts/auth/Chart.yaml b/charts/auth/Chart.yaml
new file mode 100644
index 0000000..e707e31
--- /dev/null
+++ b/charts/auth/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: auth
+description: A Helm chart for PCloud core authentication & authorization services
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
+dependencies:
+- name: kratos
+ version: v0.20.1
+ repository: https://k8s.ory.sh/helm/charts
+- name: hydra
+ version: v0.20.1
+ repository: https://k8s.ory.sh/helm/charts
diff --git a/charts/auth/charts/hydra-0.20.1.tgz b/charts/auth/charts/hydra-0.20.1.tgz
new file mode 100644
index 0000000..11e35f1
--- /dev/null
+++ b/charts/auth/charts/hydra-0.20.1.tgz
Binary files differ
diff --git a/charts/auth/charts/kratos-0.20.1.tgz b/charts/auth/charts/kratos-0.20.1.tgz
new file mode 100644
index 0000000..e3d7302
--- /dev/null
+++ b/charts/auth/charts/kratos-0.20.1.tgz
Binary files differ
diff --git a/charts/auth/lighthouse.yaml b/charts/auth/lighthouse.yaml
new file mode 100644
index 0000000..66d3534
--- /dev/null
+++ b/charts/auth/lighthouse.yaml
@@ -0,0 +1,246 @@
+# This is the nebula example configuration file. You must edit, at a minimum, the static_host_map, lighthouse, and firewall sections
+# Some options in this file are HUPable, including the pki section. (A HUP will reload credentials from disk without affecting existing tunnels)
+
+# PKI defines the location of credentials for this node. Each of these can also be inlined by using the yaml ": |" syntax.
+pki:
+ # The CAs that are accepted by this node. Must contain one or more certificates created by 'nebula-cert ca'
+ ##ca: /etc/nebula/ca/ca.crt
+ ca: /etc/nebula/lighthouse/ca.crt
+ cert: /etc/nebula/lighthouse/host.crt
+ key: /etc/nebula/lighthouse/host.key
+ #blocklist is a list of certificate fingerprints that we will refuse to talk to
+ #blocklist:
+ # - c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72
+
+# The static host map defines a set of hosts with fixed IP addresses on the internet (or any network).
+# A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel.
+# The syntax is:
+# "{nebula ip}": ["{routable ip/dns name}:{routable port}"]
+# Example, if your lighthouse has the nebula IP of 192.168.100.1 and has the real ip address of 100.64.22.11 and runs on port 4243:
+static_host_map:
+ "<INTERNAL_IP>": ["<EXTERNAL_IP>:<PORT>"]
+
+
+lighthouse:
+ # am_lighthouse is used to enable lighthouse functionality for a node. This should ONLY be true on nodes
+ # you have configured to be lighthouses in your network
+ am_lighthouse: false
+ # serve_dns optionally starts a dns listener that responds to various queries and can even be
+ # delegated to for resolution
+ #serve_dns: false
+ #dns:
+ # The DNS host defines the IP to bind the dns listener to. This also allows binding to the nebula node IP.
+ #host: 0.0.0.0
+ #port: 53
+ # interval is the number of seconds between updates from this node to a lighthouse.
+ # during updates, a node sends information about its current IP addresses to each node.
+ interval: 60
+ # hosts is a list of lighthouse hosts this node should report to and query from
+ # IMPORTANT: THIS SHOULD BE EMPTY ON LIGHTHOUSE NODES
+ # IMPORTANT2: THIS SHOULD BE LIGHTHOUSES' NEBULA IPs, NOT LIGHTHOUSES' REAL ROUTABLE IPs
+ hosts:
+ - <INTERNAL_IP>
+
+ # remote_allow_list allows you to control ip ranges that this node will
+ # consider when handshaking to another node. By default, any remote IPs are
+ # allowed. You can provide CIDRs here with `true` to allow and `false` to
+ # deny. The most specific CIDR rule applies to each remote. If all rules are
+ # "allow", the default will be "deny", and vice-versa. If both "allow" and
+ # "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the
+ # default.
+ #remote_allow_list:
+ # Example to block IPs from this subnet from being used for remote IPs.
+ #"172.16.0.0/12": false
+
+ # A more complicated example, allow public IPs but only private IPs from a specific subnet
+ #"0.0.0.0/0": true
+ #"10.0.0.0/8": false
+ #"10.42.42.0/24": true
+
+ # local_allow_list allows you to filter which local IP addresses we advertise
+ # to the lighthouses. This uses the same logic as `remote_allow_list`, but
+ # additionally, you can specify an `interfaces` map of regular expressions
+ # to match against interface names. The regexp must match the entire name.
+ # All interface rules must be either true or false (and the default will be
+ # the inverse). CIDR rules are matched after interface name rules.
+ # Default is all local IP addresses.
+ #local_allow_list:
+ # Example to block tun0 and all docker interfaces.
+ #interfaces:
+ #tun0: false
+ #'docker.*': false
+ # Example to only advertise this subnet to the lighthouse.
+ #"10.0.0.0/8": true
+
+# Port Nebula will be listening on. The default here is 4243. For a lighthouse node, the port should be defined,
+# however using port 0 will dynamically assign a port and is recommended for roaming nodes.
+listen:
+ # To listen on both any ipv4 and ipv6 use "[::]"
+ host: "[::]"
+ port: 4243
+ # Sets the max number of packets to pull from the kernel for each syscall (under systems that support recvmmsg)
+ # default is 64, does not support reload
+ #batch: 64
+ # Configure socket buffers for the udp side (outside), leave unset to use the system defaults. Values will be doubled by the kernel
+ # Default is net.core.rmem_default and net.core.wmem_default (/proc/sys/net/core/rmem_default and /proc/sys/net/core/rmem_default)
+ # Maximum is limited by memory in the system, SO_RCVBUFFORCE and SO_SNDBUFFORCE is used to avoid having to raise the system wide
+ # max, net.core.rmem_max and net.core.wmem_max
+ #read_buffer: 10485760
+ #write_buffer: 10485760
+
+# EXPERIMENTAL: This option is currently only supported on linux and may
+# change in future minor releases.
+#
+# Routines is the number of thread pairs to run that consume from the tun and UDP queues.
+# Currently, this defaults to 1 which means we have 1 tun queue reader and 1
+# UDP queue reader. Setting this above one will set IFF_MULTI_QUEUE on the tun
+# device and SO_REUSEPORT on the UDP socket to allow multiple queues.
+#routines: 1
+
+punchy:
+ # Continues to punch inbound/outbound at a regular interval to avoid expiration of firewall nat mappings
+ punch: true
+
+ # respond means that a node you are trying to reach will connect back out to you if your hole punching fails
+ # this is extremely useful if one node is behind a difficult nat, such as a symmetric NAT
+ # Default is false
+ #respond: true
+
+ # delays a punch response for misbehaving NATs, default is 1 second, respond must be true to take effect
+ #delay: 1s
+
+# Cipher allows you to choose between the available ciphers for your network. Options are chachapoly or aes
+# IMPORTANT: this value must be identical on ALL NODES/LIGHTHOUSES. We do not/will not support use of different ciphers simultaneously!
+cipher: chachapoly
+
+# Local range is used to define a hint about the local network range, which speeds up discovering the fastest
+# path to a network adjacent nebula node.
+#local_range: "172.16.0.0/24"
+
+# sshd can expose informational and administrative functions via ssh this is a
+#sshd:
+ # Toggles the feature
+ #enabled: true
+ # Host and port to listen on, port 22 is not allowed for your safety
+ #listen: 127.0.0.1:2222
+ # A file containing the ssh host private key to use
+ # A decent way to generate one: ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
+ #host_key: ./ssh_host_ed25519_key
+ # A file containing a list of authorized public keys
+ #authorized_users:
+ #- user: steeeeve
+ # keys can be an array of strings or single string
+ #keys:
+ #- "ssh public key string"
+
+# Configure the private interface. Note: addr is baked into the nebula certificate
+tun:
+ # When tun is disabled, a lighthouse can be started without a local tun interface (and therefore without root)
+ disabled: false
+ # Name of the device
+ dev: nebula1
+ # Toggles forwarding of local broadcast packets, the address of which depends on the ip/mask encoded in pki.cert
+ drop_local_broadcast: false
+ # Toggles forwarding of multicast packets
+ drop_multicast: false
+ # Sets the transmit queue length, if you notice lots of transmit drops on the tun it may help to raise this number. Default is 500
+ tx_queue: 500
+ # Default MTU for every packet, safe setting is (and the default) 1300 for internet based traffic
+ mtu: 1300
+ # Route based MTU overrides, you have known vpn ip paths that can support larger MTUs you can increase/decrease them here
+ routes:
+ #- mtu: 8800
+ # route: 10.0.0.0/16
+ # Unsafe routes allows you to route traffic over nebula to non-nebula nodes
+ # Unsafe routes should be avoided unless you have hosts/services that cannot run nebula
+ # NOTE: The nebula certificate of the "via" node *MUST* have the "route" defined as a subnet in its certificate
+ unsafe_routes:
+ #- route: 172.16.1.0/24
+ # via: 192.168.100.99
+ # mtu: 1300 #mtu will default to tun mtu if this option is not sepcified
+
+
+# TODO
+# Configure logging level
+logging:
+ # panic, fatal, error, warning, info, or debug. Default is info
+ level: info
+ # json or text formats currently available. Default is text
+ format: text
+ # Disable timestamp logging. useful when output is redirected to logging system that already adds timestamps. Default is false
+ #disable_timestamp: true
+ # timestamp format is specified in Go time format, see:
+ # https://golang.org/pkg/time/#pkg-constants
+ # default when `format: json`: "2006-01-02T15:04:05Z07:00" (RFC3339)
+ # default when `format: text`:
+ # when TTY attached: seconds since beginning of execution
+ # otherwise: "2006-01-02T15:04:05Z07:00" (RFC3339)
+ # As an example, to log as RFC3339 with millisecond precision, set to:
+ #timestamp_format: "2006-01-02T15:04:05.000Z07:00"
+
+#stats:
+ #type: graphite
+ #prefix: nebula
+ #protocol: tcp
+ #host: 127.0.0.1:9999
+ #interval: 10s
+
+ #type: prometheus
+ #listen: 127.0.0.1:8080
+ #path: /metrics
+ #namespace: prometheusns
+ #subsystem: nebula
+ #interval: 10s
+
+ # enables counter metrics for meta packets
+ # e.g.: `messages.tx.handshake`
+ # NOTE: `message.{tx,rx}.recv_error` is always emitted
+ #message_metrics: false
+
+ # enables detailed counter metrics for lighthouse packets
+ # e.g.: `lighthouse.rx.HostQuery`
+ #lighthouse_metrics: false
+
+# Handshake Manager Settings
+#handshakes:
+ # Handshakes are sent to all known addresses at each interval with a linear backoff,
+ # Wait try_interval after the 1st attempt, 2 * try_interval after the 2nd, etc, until the handshake is older than timeout
+ # A 100ms interval with the default 10 retries will give a handshake 5.5 seconds to resolve before timing out
+ #try_interval: 100ms
+ #retries: 20
+ # trigger_buffer is the size of the buffer channel for quickly sending handshakes
+ # after receiving the response for lighthouse queries
+ #trigger_buffer: 64
+
+
+# Nebula security group configuration
+firewall:
+ conntrack:
+ tcp_timeout: 12m
+ udp_timeout: 3m
+ default_timeout: 10m
+ max_connections: 100000
+
+ # The firewall is default deny. There is no way to write a deny rule.
+ # Rules are comprised of a protocol, port, and one or more of host, group, or CIDR
+ # Logical evaluation is roughly: port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR cidr)
+ # - port: Takes `0` or `any` as any, a single number `80`, a range `200-901`, or `fragment` to match second and further fragments of fragmented packets (since there is no port available).
+ # code: same as port but makes more sense when talking about ICMP, TODO: this is not currently implemented in a way that works, use `any`
+ # proto: `any`, `tcp`, `udp`, or `icmp`
+ # host: `any` or a literal hostname, ie `test-host`
+ # group: `any` or a literal group name, ie `default-group`
+ # groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass
+ # cidr: a CIDR, `0.0.0.0/0` is any.
+ # ca_name: An issuing CA name
+ # ca_sha: An issuing CA shasum
+
+ outbound:
+ # Allow all outbound traffic from this node
+ - port: any
+ proto: any
+ host: any
+
+ inbound:
+ - port: any
+ proto: any
+ host: any
diff --git a/charts/auth/templates/lighthouse-config.yaml b/charts/auth/templates/lighthouse-config.yaml
new file mode 100644
index 0000000..1b33be2
--- /dev/null
+++ b/charts/auth/templates/lighthouse-config.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.ui.nebula.lighthouse.name }}
+ namespace: {{ .Release.Namespace }}
+data:
+{{ (.Files.Glob "lighthouse.yaml").AsConfig | replace "<INTERNAL_IP>" .Values.ui.nebula.lighthouse.internalIP | replace "<EXTERNAL_IP>" .Values.ui.nebula.lighthouse.externalIP | replace "<PORT>" .Values.ui.nebula.lighthouse.port | indent 2 }}
diff --git a/charts/auth/templates/ui.yaml b/charts/auth/templates/ui.yaml
new file mode 100644
index 0000000..50296f7
--- /dev/null
+++ b/charts/auth/templates/ui.yaml
@@ -0,0 +1,124 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ui
+ namespace: {{ .Release.Namespace }}
+spec:
+ type: ClusterIP
+ selector:
+ app: ui
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ui
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ cert-manager.io/cluster-issuer: {{ .Values.ui.certificateIssuer }}
+ acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+ ingressClassName: {{ .Values.ui.ingressClassName }}
+ tls:
+ - hosts:
+ - accounts-ui.{{ .Values.ui.domain }}
+ secretName: cert-accounts-ui.{{ .Values.ui.domain }}
+ rules:
+ - host: accounts-ui.{{ .Values.ui.domain }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: ui
+ port:
+ name: http
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ui
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ app: ui
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: ui
+ spec:
+ volumes:
+ - name: cert
+ secret:
+ secretName: {{ .Values.ui.nebula.node.secretName }}
+ - name: config
+ configMap:
+ name: {{ .Values.ui.nebula.lighthouse.name }}
+ hostAliases:
+ - ip: "111.0.0.1"
+ hostnames:
+ - "hydra.{{ .Values.ui.internalDomain }}"
+ containers:
+ - name: server
+ image: giolekva/auth-ui:latest
+ imagePullPolicy: Always
+ env:
+ - name: KRATOS_PUBLIC_URL
+ value: "https://accounts.{{ .Values.ui.domain }}"
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ command:
+ - server
+ - --port=8080
+ - --kratos=https://accounts.{{ .Values.ui.domain }}
+ - --hydra=hydra{{ .Values.ui.internalDomain }}
+ - --email-domain={{ .Values.ui.domain }}
+ # resources:
+ # requests:
+ # memory: "10Mi"
+ # cpu: "10m"
+ # limits:
+ # memory: "20Mi"
+ # cpu: "100m"
+ - name: lighthouse
+ image: giolekva/nebula:latest
+ imagePullPolicy: Always
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ privileged: true
+ ports:
+ - name: lighthouse
+ containerPort: 4247
+ protocol: UDP
+ command:
+ - nebula
+ - --config=/etc/nebula/config/lighthouse.yaml
+ volumeMounts:
+ - name: cert
+ mountPath: /etc/nebula/lighthouse
+ readOnly: true
+ - name: config
+ mountPath: /etc/nebula/config
+ readOnly: true
+---
+apiVersion: lekva.me/v1
+kind: NebulaNode
+metadata:
+ name: {{ .Values.ui.nebula.node.name }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ caName: {{ .Values.ui.nebula.certificateAuthority.name }}
+ caNamespace: {{ .Values.ui.nebula.certificateAuthority.namespace }}
+ ipCidr: {{ .Values.ui.nebula.node.ipCidr }}
+ secretName: {{ .Values.ui.nebula.node.secretName }}
diff --git a/charts/auth/values.yaml b/charts/auth/values.yaml
new file mode 100644
index 0000000..ff9e10d
--- /dev/null
+++ b/charts/auth/values.yaml
@@ -0,0 +1,3 @@
+kratos: {}
+hydra: {}
+ui: {}
diff --git a/charts/certificate-issuer/templates/public-staging.yaml b/charts/certificate-issuer/templates/public-staging.yaml
new file mode 100644
index 0000000..888b350
--- /dev/null
+++ b/charts/certificate-issuer/templates/public-staging.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: {{ .Values.public.name }}-staging
+ namespace: {{ .Release.Namespace }}
+spec:
+ acme:
+ server: {{ .Values.public.stagingServer }}
+ email: {{ .Values.public.contactEmail }}
+ privateKeySecretRef:
+ name: cluster-issuer-{{ .Values.public.name }}-account-key
+ solvers:
+ - selector: {}
+ http01:
+ ingress:
+ class: {{ .Values.public.ingressClass }}
diff --git a/charts/vpn-mesh-config/lighthouse.yaml b/charts/vpn-mesh-config/lighthouse.yaml
index d2891e6..cf106b5 100644
--- a/charts/vpn-mesh-config/lighthouse.yaml
+++ b/charts/vpn-mesh-config/lighthouse.yaml
@@ -77,7 +77,7 @@
listen:
# To listen on both any ipv4 and ipv6 use "[::]"
host: "[::]"
- port: 4243
+ port: <PORT>
# Sets the max number of packets to pull from the kernel for each syscall (under systems that support recvmmsg)
# default is 64, does not support reload
#batch: 64
diff --git a/charts/vpn-mesh-config/templates/lighthouse-service.yaml b/charts/vpn-mesh-config/templates/lighthouse-service.yaml
new file mode 100644
index 0000000..267d0f5
--- /dev/null
+++ b/charts/vpn-mesh-config/templates/lighthouse-service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: lighthouse
+ namespace: {{ .Release.Namespace }}
+spec:
+ type: LoadBalancer
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-private
+ app.kubernetes.io/component: controller
+ ports:
+ - name: lighthouse
+ port: {{ .Values.lighthouse.port }}
+ targetPort: nebula
+ protocol: UDP
diff --git a/core/auth/hydra/Makefile b/core/auth/hydra/Makefile
index 232a7d7..6a91678 100644
--- a/core/auth/hydra/Makefile
+++ b/core/auth/hydra/Makefile
@@ -1,5 +1,5 @@
image_arm64:
- docker build --tag=giolekva/ory-hydra:latest .
+ docker build --tag=giolekva/ory-hydra:latest . --platform=linux/arm64
push_arm64: image_arm64
docker push giolekva/ory-hydra:latest
diff --git a/core/auth/kratos/Makefile b/core/auth/kratos/Makefile
index d33966c..ab5043a 100644
--- a/core/auth/kratos/Makefile
+++ b/core/auth/kratos/Makefile
@@ -1,5 +1,5 @@
image:
- docker build --tag=giolekva/ory-kratos:latest .
+ docker build --tag=giolekva/ory-kratos:latest . --platform=linux/arm64
push: image
docker push giolekva/ory-kratos:latest
diff --git "a/core/auth/ui/\043install.yaml\043" "b/core/auth/ui/\043install.yaml\043"
new file mode 100644
index 0000000..35ee23a
--- /dev/null
+++ "b/core/auth/ui/\043install.yaml\043"
@@ -0,0 +1,122 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: core-auth
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kratos-selfservice-ui
+ namespace: core-auth
+spec:
+ type: ClusterIP
+ selector:
+ app: kratos-selfservice-ui
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-kratos-selfservice-ui-public
+ namespace: core-auth
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - accounts-ui.lekva.me
+ secretName: cert-accounts-ui.lekva.me
+ rules:
+ - host: accounts-ui.lekva.me
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: kratos-selfservice-ui
+ port:
+ name: http
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kratos-selfservice-ui
+ namespace: core-auth
+spec:
+ selector:
+ matchLabels:
+ app: kratos-selfservice-ui
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: kratos-selfservice-ui
+ spec:
+ volumes:
+ - name: cert
+ secret:
+ secretName: node-auth-ui-cert
+ - name: config
+ configMap:
+ name: auth-ui-lighthouse-config
+ hostAliases:
+ - ip: "111.0.0.1"
+ hostnames:
+ - "hydra.pcloud"
+ containers:
+ - name: server
+ image: giolekva/auth-ui:latest
+ imagePullPolicy: Always
+ env:
+ - name: KRATOS_PUBLIC_URL
+ value: "https://accounts.lekva.me"
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ command: ["server", "--port=8080"]
+ # resources:
+ # requests:
+ # memory: "10Mi"
+ # cpu: "10m"
+ # limits:
+ # memory: "20Mi"
+ # cpu: "100m"
+ - name: lighthouse
+ image: giolekva/nebula:latest
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN"]
+ privileged: true
+ ports:
+ - name: lighthouse
+ containerPort: 4247
+ protocol: UDP
+ command: ["nebula", "--config=/etc/nebula/config/lighthouse.yaml"]
+ volumeMounts:
+ - name: cert
+ mountPath: /etc/nebula/lighthouse
+ readOnly: true
+ - name: config
+ mountPath: /etc/nebula/config
+ readOnly: true
+---
+apiVersion: lekva.me/v1
+kind: NebulaNode
+metadata:
+ name: auth-ui
+ namespace: core-auth
+spec:
+ caName: pcloud
+ caNamespace: ingress-nginx-private
+ ipCidr: "111.0.0.10/24"
+ secretName: node-auth-ui-cert
diff --git a/core/auth/ui/main.go b/core/auth/ui/main.go
index a9b349d..c3add02 100644
--- a/core/auth/ui/main.go
+++ b/core/auth/ui/main.go
@@ -2,6 +2,7 @@
import (
"bytes"
+ "crypto/tls"
"embed"
"encoding/json"
"errors"
@@ -22,6 +23,7 @@
var port = flag.Int("port", 8080, "Port to listen on")
var kratos = flag.String("kratos", "https://accounts.lekva.me", "Kratos URL")
var hydra = flag.String("hydra", "hydra.pcloud", "Hydra admin server address")
+var emailDomain = flag.String("email-domain", "lekva.me", "Email domain")
var ErrNotLoggedIn = errors.New("Not logged in")
@@ -83,13 +85,16 @@
}
client := &http.Client{
Jar: jar,
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ },
}
- b, err := url.Parse("https://accounts.lekva.me/self-service/" + flowType + "/browser")
+ b, err := url.Parse(*kratos + "/self-service/" + flowType + "/browser")
if err != nil {
return "", err
}
client.Jar.SetCookies(b, cookies)
- resp, err := client.Get(fmt.Sprintf("https://accounts.lekva.me/self-service/"+flowType+"/flows?id=%s", flow))
+ resp, err := client.Get(fmt.Sprintf(*kratos+"/self-service/"+flowType+"/flows?id=%s", flow))
if err != nil {
return "", err
}
@@ -224,13 +229,16 @@
}
client := &http.Client{
Jar: jar,
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ },
}
- b, err := url.Parse("https://accounts.lekva.me/self-service/" + flowType + "/browser")
+ b, err := url.Parse(*kratos + "/self-service/" + flowType + "/browser")
if err != nil {
return nil, err
}
client.Jar.SetCookies(b, cookies)
- resp, err := client.Post(fmt.Sprintf("https://accounts.lekva.me/self-service/"+flowType+"?flow=%s", flow), "application/json", req)
+ resp, err := client.Post(fmt.Sprintf(*kratos+"/self-service/"+flowType+"?flow=%s", flow), "application/json", req)
if err != nil {
return nil, err
}
@@ -248,13 +256,16 @@
}
client := &http.Client{
Jar: jar,
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ },
}
- b, err := url.Parse("https://accounts.lekva.me/self-service/logout/browser")
+ b, err := url.Parse(*kratos + "/self-service/logout/browser")
if err != nil {
return "", err
}
client.Jar.SetCookies(b, cookies)
- resp, err := client.Get("https://accounts.lekva.me/self-service/logout/browser")
+ resp, err := client.Get(*kratos + "/self-service/logout/browser")
if err != nil {
return "", err
}
@@ -272,13 +283,16 @@
}
client := &http.Client{
Jar: jar,
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ },
}
- b, err := url.Parse("https://accounts.lekva.me/sessions/whoami")
+ b, err := url.Parse(*kratos + "/sessions/whoami")
if err != nil {
return "", err
}
client.Jar.SetCookies(b, cookies)
- resp, err := client.Get("https://accounts.lekva.me/sessions/whoami")
+ resp, err := client.Get(*kratos + "/sessions/whoami")
if err != nil {
return "", err
}
@@ -434,7 +448,7 @@
acceptedScopes, _ := r.Form["scope"]
idToken := map[string]string{
"username": username,
- "email": username + "@lekva.me",
+ "email": username + "@" + *emailDomain,
}
if redirectTo, err := s.hydra.ConsentAccept(r.FormValue("consent_challenge"), acceptedScopes, idToken); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
diff --git a/core/nebula/Makefile b/core/nebula/Makefile
index 95279f5..be9f307 100644
--- a/core/nebula/Makefile
+++ b/core/nebula/Makefile
@@ -1,5 +1,5 @@
image_arm64:
- docker build --tag=giolekva/nebula:latest .
+ docker build --tag=giolekva/nebula:latest . --platform=linux/arm64
push_arm64: image_arm64
docker push giolekva/nebula:latest
diff --git a/helmfile/users/helmfile.yaml b/helmfile/users/helmfile.yaml
index d15a67e..7740a6a 100644
--- a/helmfile/users/helmfile.yaml
+++ b/helmfile/users/helmfile.yaml
@@ -1,9 +1,12 @@
repositories:
- name: ingress-nginx
url: https://kubernetes.github.io/ingress-nginx
+- name: bitnami
+ url: https://charts.bitnami.com/bitnami
helmDefaults:
tillerless: true
+ waitForJobs: false
releases:
- name: vpn-mesh-config
@@ -52,7 +55,7 @@
- NET_ADMIN
ports:
- name: nebula
- containerPort: 4242
+ containerPort: 4243
protocol: UDP
command:
- nebula
@@ -77,14 +80,329 @@
- public:
name: {{ .Values.id }}-public
server: https://acme-v02.api.letsencrypt.org/directory
+ stagingServer: https://acme-staging-v02.api.letsencrypt.org/directory
contactEmail: {{ .Values.contactEmail }}
- ingressClass: ingress-nginx
+ ingressClass: nginx
- private:
name: {{ .Values.id }}-private
+- name: core-auth-storage # TODO(giolekva): merge with core-auth
+ chart: bitnami/postgresql
+ version: 10.13.5
+ namespace: {{ .Values.id }}-core-auth
+ createNamespace: true
+ values:
+ - fullnameOverride: postgres
+ - image:
+ repository: arm64v8/postgres
+ tag: 13.4
+ - service:
+ type: ClusterIP
+ port: 5432
+ - postgresqlPassword: psswd
+ - postgresqlDatabase: kratos
+ - persistence:
+ size: 1Gi
+ - securityContext:
+ enabled: true
+ fsGroup: 0
+ - containerSecurityContext:
+ enabled: true
+ runAsUser: 0
+ - volumePermissions:
+ securityContext:
+ runAsUser: 0
+- name: core-auth
+ chart: ../../charts/auth
+ namespace: {{ .Values.id }}-core-auth
+ createNamespace: true
+ values:
+ - kratos:
+ fullnameOverride: kratos
+ image:
+ repository: giolekva/ory-kratos
+ tag: latest
+ pullPolicy: Always
+ service:
+ admin:
+ enabled: true
+ type: ClusterIP
+ port: 80
+ name: http
+ public:
+ enabled: true
+ type: ClusterIP
+ port: 80
+ name: http
+ ingress:
+ admin:
+ enabled: true
+ className: {{ .Values.id }}-ingress-private
+ hosts:
+ - host: kratos.{{ .Values.id }}
+ paths:
+ - path: /
+ pathType: Prefix
+ annotations:
+ cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ tls:
+ - hosts:
+ - kratos.{{ .Values.id }}
+ secretName: cert-kratos.{{ .Values.id }}
+ public:
+ enabled: true
+ className: nginx
+ hosts:
+ - host: accounts.{{ .Values.domain }}
+ paths:
+ - path: /
+ pathType: Prefix
+ annotations:
+ cert-manager.io/cluster-issuer: "{{ .Values.id }}-public-staging"
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ tls:
+ - hosts:
+ - accounts.{{ .Values.domain }}
+ secretName: cert-accounts.{{ .Values.domain }}
+ secret:
+ enabled: true
+ kratos:
+ autoMigrate: true
+ development: false
+ config:
+ version: v0.7.1-alpha.1
+ dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
+ serve:
+ public:
+ base_url: https://accounts.{{ .Values.domain }}
+ cors:
+ enabled: true
+ debug: false
+ allow_credentials: true
+ allowed_origins:
+ - https://{{ .Values.domain }}
+ - https://*.{{ .Values.domain }}
+ admin:
+ base_url: https://kratos.{{ .Values.id }}/
+ selfservice:
+ default_browser_return_url: https://accounts-ui.{{ .Values.domain }}
+ whitelisted_return_urls:
+ - https://accounts-ui.{{ .Values.domain }}
+ methods:
+ password:
+ enabled: true
+ flows:
+ error:
+ ui_url: https://accounts-ui.{{ .Values.domain }}/error
+ settings:
+ ui_url: https://accounts-ui.{{ .Values.domain }}/settings
+ privileged_session_max_age: 15m
+ recovery:
+ enabled: false
+ verification:
+ enabled: false
+ logout:
+ after:
+ default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/login
+ login:
+ ui_url: https://accounts-ui.{{ .Values.domain }}/login
+ lifespan: 10m
+ after:
+ password:
+ default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
+ registration:
+ lifespan: 10m
+ ui_url: https://accounts-ui.{{ .Values.domain }}/registration
+ after:
+ password:
+ hooks:
+ -
+ hook: session
+ default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
+ log:
+ level: debug
+ format: text
+ leak_sensitive_values: true
+ cookies:
+ path: /
+ same_site: None
+ domain: {{ .Values.domain }}
+ secrets:
+ cookie:
+ - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
+ # cipher:
+ # - 32-LONG-SECRET-NOT-SECURE-AT-ALL
+ # ciphers:
+ # algorithm: xchacha20-poly1305
+ hashers:
+ argon2:
+ parallelism: 1
+ memory: 128MB
+ iterations: 2
+ salt_length: 16
+ key_length: 16
+ identity:
+ default_schema_url: file:///etc/config/identity.schema.json
+ courier:
+ smtp:
+ connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Values.domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Values.domain }}
+ identitySchemas:
+ "identity.schema.json": |
+ {
+ "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "User",
+ "type": "object",
+ "properties": {
+ "traits": {
+ "type": "object",
+ "properties": {
+ "username": {
+ "type": "string",
+ "format": "username",
+ "title": "Username",
+ "minLength": 3,
+ "ory.sh/kratos": {
+ "credentials": {
+ "password": {
+ "identifier": true
+ }
+ }
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ }
+ - hydra:
+ fullnameOverride: hydra
+ image:
+ repository: giolekva/ory-hydra
+ tag: latest
+ pullPolicy: Always
+ service:
+ admin:
+ enabled: true
+ type: ClusterIP
+ port: 80
+ name: http
+ public:
+ enabled: true
+ type: ClusterIP
+ port: 80
+ name: http
+ ingress:
+ admin:
+ enabled: true
+ className: {{ .Values.id }}-ingress-private
+ hosts:
+ - host: hydra.{{ .Values.id }}
+ paths:
+ - path: /
+ pathType: Prefix
+ annotations:
+ cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ tls:
+ - hosts:
+ - hydra.{{ .Values.id }}
+ secretName: cert-hydra.{{ .Values.id }}
+ public:
+ enabled: true
+ className: nginx
+ hosts:
+ - host: hydra.{{ .Values.domain }}
+ paths:
+ - path: /
+ pathType: Prefix
+ annotations:
+ cert-manager.io/cluster-issuer: "{{ .Values.id }}-public-staging"
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ tls:
+ - hosts:
+ - hydra.{{ .Values.domain }}
+ secretName: cert-hydra.{{ .Values.domain }}
+ secret:
+ enabled: true
+ maester:
+ enabled: false
+ hydra:
+ autoMigrate: true
+ config:
+ version: v1.10.6
+ dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
+ serve:
+ cookies:
+ same_site_mode: None
+ public:
+ cors:
+ enabled: true
+ debug: false
+ allow_credentials: true
+ allowed_origins:
+ - https://{{ .Values.domain }}
+ - https://*.{{ .Values.domain }}
+ admin:
+ # host: localhost
+ cors:
+ allowed_origins:
+ - https://hydra.{{ .Values.id }}
+ tls:
+ allow_termination_from:
+ - 0.0.0.0/0
+ - 10.42.0.0/16
+ - 10.43.0.0/16
+ - 111.0.0.1/32
+ tls:
+ allow_termination_from:
+ - 0.0.0.0/0
+ - 10.42.0.0/16
+ - 10.43.0.0/16
+ - 111.0.0.1/32
+ urls:
+ self:
+ public: https://hydra.{{ .Values.domain }}
+ issuer: https://hydra.{{ .Values.domain }}
+ consent: https://accounts-ui.{{ .Values.domain }}/consent
+ login: https://accounts-ui.{{ .Values.domain }}/login
+ logout: https://accounts-ui.{{ .Values.domain }}/logout
+ secrets:
+ system:
+ - youReallyNeedToChangeThis
+ oidc:
+ subject_identifiers:
+ supported_types:
+ - pairwise
+ - public
+ pairwise:
+ salt: youReallyNeedToChangeThis
+ log:
+ level: trace
+ leak_sensitive_values: false
+ - ui:
+ certificateIssuer: {{ .Values.id }}-public-staging
+ ingressClassName: nginx
+ domain: {{ .Values.domain }}
+ internalDomain: {{ .Values.id }}
+ nebula:
+ lighthouse:
+ name: ui-lighthouse
+ internalIP: 111.0.0.1
+ externalIP: 46.49.35.44
+ port: "4243"
+ node:
+ name: ui
+ ipCidr: 111.0.0.2/24
+ secretName: node-ui-cert
+ certificateAuthority:
+ name: {{ .Values.id }}
+ namespace: {{ .Values.id }}-ingress-private
environments:
shveli:
values:
- - id: shveli
- - contactEmail: giolekva@gmail.com
- - certManagerNamespace: cert-manager
+ - id: shveli
+ - domain: shve.li
+ - contactEmail: giolekva@gmail.com
+ - certManagerNamespace: cert-manager