Installer: core auth services
diff --git a/core/auth/hydra/Makefile b/core/auth/hydra/Makefile
index 232a7d7..6a91678 100644
--- a/core/auth/hydra/Makefile
+++ b/core/auth/hydra/Makefile
@@ -1,5 +1,5 @@
image_arm64:
- docker build --tag=giolekva/ory-hydra:latest .
+ docker build --tag=giolekva/ory-hydra:latest . --platform=linux/arm64
push_arm64: image_arm64
docker push giolekva/ory-hydra:latest
diff --git a/core/auth/kratos/Makefile b/core/auth/kratos/Makefile
index d33966c..ab5043a 100644
--- a/core/auth/kratos/Makefile
+++ b/core/auth/kratos/Makefile
@@ -1,5 +1,5 @@
image:
- docker build --tag=giolekva/ory-kratos:latest .
+ docker build --tag=giolekva/ory-kratos:latest . --platform=linux/arm64
push: image
docker push giolekva/ory-kratos:latest
diff --git "a/core/auth/ui/\043install.yaml\043" "b/core/auth/ui/\043install.yaml\043"
new file mode 100644
index 0000000..35ee23a
--- /dev/null
+++ "b/core/auth/ui/\043install.yaml\043"
@@ -0,0 +1,122 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: core-auth
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kratos-selfservice-ui
+ namespace: core-auth
+spec:
+ type: ClusterIP
+ selector:
+ app: kratos-selfservice-ui
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-kratos-selfservice-ui-public
+ namespace: core-auth
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - accounts-ui.lekva.me
+ secretName: cert-accounts-ui.lekva.me
+ rules:
+ - host: accounts-ui.lekva.me
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: kratos-selfservice-ui
+ port:
+ name: http
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kratos-selfservice-ui
+ namespace: core-auth
+spec:
+ selector:
+ matchLabels:
+ app: kratos-selfservice-ui
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: kratos-selfservice-ui
+ spec:
+ volumes:
+ - name: cert
+ secret:
+ secretName: node-auth-ui-cert
+ - name: config
+ configMap:
+ name: auth-ui-lighthouse-config
+ hostAliases:
+ - ip: "111.0.0.1"
+ hostnames:
+ - "hydra.pcloud"
+ containers:
+ - name: server
+ image: giolekva/auth-ui:latest
+ imagePullPolicy: Always
+ env:
+ - name: KRATOS_PUBLIC_URL
+ value: "https://accounts.lekva.me"
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ command: ["server", "--port=8080"]
+ # resources:
+ # requests:
+ # memory: "10Mi"
+ # cpu: "10m"
+ # limits:
+ # memory: "20Mi"
+ # cpu: "100m"
+ - name: lighthouse
+ image: giolekva/nebula:latest
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN"]
+ privileged: true
+ ports:
+ - name: lighthouse
+ containerPort: 4247
+ protocol: UDP
+ command: ["nebula", "--config=/etc/nebula/config/lighthouse.yaml"]
+ volumeMounts:
+ - name: cert
+ mountPath: /etc/nebula/lighthouse
+ readOnly: true
+ - name: config
+ mountPath: /etc/nebula/config
+ readOnly: true
+---
+apiVersion: lekva.me/v1
+kind: NebulaNode
+metadata:
+ name: auth-ui
+ namespace: core-auth
+spec:
+ caName: pcloud
+ caNamespace: ingress-nginx-private
+ ipCidr: "111.0.0.10/24"
+ secretName: node-auth-ui-cert
diff --git a/core/auth/ui/main.go b/core/auth/ui/main.go
index a9b349d..c3add02 100644
--- a/core/auth/ui/main.go
+++ b/core/auth/ui/main.go
@@ -2,6 +2,7 @@
import (
"bytes"
+ "crypto/tls"
"embed"
"encoding/json"
"errors"
@@ -22,6 +23,7 @@
var port = flag.Int("port", 8080, "Port to listen on")
var kratos = flag.String("kratos", "https://accounts.lekva.me", "Kratos URL")
var hydra = flag.String("hydra", "hydra.pcloud", "Hydra admin server address")
+var emailDomain = flag.String("email-domain", "lekva.me", "Email domain")
var ErrNotLoggedIn = errors.New("Not logged in")
@@ -83,13 +85,16 @@
}
client := &http.Client{
Jar: jar,
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ },
}
- b, err := url.Parse("https://accounts.lekva.me/self-service/" + flowType + "/browser")
+ b, err := url.Parse(*kratos + "/self-service/" + flowType + "/browser")
if err != nil {
return "", err
}
client.Jar.SetCookies(b, cookies)
- resp, err := client.Get(fmt.Sprintf("https://accounts.lekva.me/self-service/"+flowType+"/flows?id=%s", flow))
+ resp, err := client.Get(fmt.Sprintf(*kratos+"/self-service/"+flowType+"/flows?id=%s", flow))
if err != nil {
return "", err
}
@@ -224,13 +229,16 @@
}
client := &http.Client{
Jar: jar,
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ },
}
- b, err := url.Parse("https://accounts.lekva.me/self-service/" + flowType + "/browser")
+ b, err := url.Parse(*kratos + "/self-service/" + flowType + "/browser")
if err != nil {
return nil, err
}
client.Jar.SetCookies(b, cookies)
- resp, err := client.Post(fmt.Sprintf("https://accounts.lekva.me/self-service/"+flowType+"?flow=%s", flow), "application/json", req)
+ resp, err := client.Post(fmt.Sprintf(*kratos+"/self-service/"+flowType+"?flow=%s", flow), "application/json", req)
if err != nil {
return nil, err
}
@@ -248,13 +256,16 @@
}
client := &http.Client{
Jar: jar,
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ },
}
- b, err := url.Parse("https://accounts.lekva.me/self-service/logout/browser")
+ b, err := url.Parse(*kratos + "/self-service/logout/browser")
if err != nil {
return "", err
}
client.Jar.SetCookies(b, cookies)
- resp, err := client.Get("https://accounts.lekva.me/self-service/logout/browser")
+ resp, err := client.Get(*kratos + "/self-service/logout/browser")
if err != nil {
return "", err
}
@@ -272,13 +283,16 @@
}
client := &http.Client{
Jar: jar,
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ },
}
- b, err := url.Parse("https://accounts.lekva.me/sessions/whoami")
+ b, err := url.Parse(*kratos + "/sessions/whoami")
if err != nil {
return "", err
}
client.Jar.SetCookies(b, cookies)
- resp, err := client.Get("https://accounts.lekva.me/sessions/whoami")
+ resp, err := client.Get(*kratos + "/sessions/whoami")
if err != nil {
return "", err
}
@@ -434,7 +448,7 @@
acceptedScopes, _ := r.Form["scope"]
idToken := map[string]string{
"username": username,
- "email": username + "@lekva.me",
+ "email": username + "@" + *emailDomain,
}
if redirectTo, err := s.hydra.ConsentAccept(r.FormValue("consent_challenge"), acceptedScopes, idToken); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)