// Per-deployment inputs for this app.
// NOTE(review): `subdomain` is declared but never referenced in this file — every public host
// below is spelled out as accounts./hydra./accounts-ui. on global.domain instead.
input: subdomain: string

// App name and the namespace its resources are created in; the DSNs and service addresses
// further down rebuild that namespace as "\(global.namespacePrefix)core-auth".
name:      "core-auth"
namespace: "core-auth"
// JSON Schema for the single Kratos identity type (registered as id "user" in
// helm.auth.values.kratos.kratos.identity and mounted as /etc/config/identity.schema.json).
// The only trait is `username`, and it is the password-credential identifier, so this is a
// username+password login with no e-mail on the identity (recovery and verification are
// disabled in the Kratos config as well). `additionalProperties: false` rejects any other trait.
// NOTE(review): "$id" still points at Ory's email-password preset although this is a
// username schema — it is only a label, but a misleading one.
// NOTE(review): "username" is not a JSON Schema draft-07 built-in format; confirm that Kratos'
// validator accepts it rather than rejecting every identity.
_userSchema: ###"""
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "User",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "type": "string",
          "format": "username",
          "title": "Username",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        }
      },
      "additionalProperties": false
    }
  }
}
"""###
// Container images used by the charts below. The `registry`, `imageName` and `fullName`
// fields that helm.* reads from these entries are not defined in this file — presumably
// supplied by a package-level image template.
images: {
	kratos: {repository: "oryd", name: "kratos", tag: "v1.1.0-distroless", pullPolicy: "IfNotPresent"}
	hydra:  {repository: "oryd", name: "hydra", tag: "v2.2.0-distroless", pullPolicy: "IfNotPresent"}
	// SECURITY (supply chain): a mutable tag re-pulled on every pod start, so the login/consent
	// UI that is deployed can change with no change to this file or to git history. Pin to an
	// immutable tag or a digest once one is published.
	ui:       {repository: "giolekva", name: "auth-ui", tag: "latest", pullPolicy: "Always"}
	postgres: {repository: "library", name: "postgres", tag: "15.3", pullPolicy: "IfNotPresent"}
}
// Helm charts for this app. Both come from the same git-backed source ("pcloud", resolved in
// the global.id namespace), so the chart contents are whatever that repository serves.
charts: {
	// Shared source reference; hidden, so it is not exported as a chart entry of its own.
	_src: {
		kind:      "GitRepository"
		name:      "pcloud"
		namespace: global.id
	}
	auth:     {chart: "charts/auth", sourceRef: _src}
	postgres: {chart: "charts/postgresql", sourceRef: _src}
}
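helm: {
	// Backing PostgreSQL for both identity services; the values look like the bitnami
	// postgresql layout (primary.initdb, volumePermissions).
	postgres: {
		chart: charts.postgres
		values: {
			fullnameOverride: "postgres"
			image: {
				registry:   images.postgres.registry
				repository: images.postgres.imageName
				tag:        images.postgres.tag
				pullPolicy: images.postgres.pullPolicy
			}
			// Cluster-internal only: reachable as postgres.<namespace>.svc:5432.
			service: {
				type: "ClusterIP"
				port: 5432
			}
			primary: {
				initdb: {
					scripts: {
						// SECURITY: both role passwords are fixed, well-known literals and are repeated
						// verbatim in the Kratos and Hydra DSNs below, so anything that can reach
						// postgres:5432 inside the cluster can log in as either service's role.
						// They belong in a generated Secret, not in source.
						"init.sql": """
							CREATE USER kratos WITH PASSWORD 'kratos';
							CREATE USER hydra WITH PASSWORD 'hydra';
							CREATE DATABASE kratos WITH OWNER = kratos;
							CREATE DATABASE hydra WITH OWNER = hydra;
							"""
					}
				}
				persistence: {
					size: "1Gi"
				}
				// SECURITY: the database runs as root (uid/gid 0) in both the pod and the
				// container context, and so does the volume-permissions init container.
				// Presumably needed for ownership of the underlying volume — TODO confirm, and
				// return to an unprivileged uid once the volume has been chowned.
				securityContext: {
					enabled: true
					fsGroup: 0
				}
				containerSecurityContext: {
					enabled:   true
					runAsUser: 0
				}
			}
			volumePermissions: {
				securityContext: {
					runAsUser: 0
				}
			}
		}
	}
	// Kratos (identities and login), Hydra (OAuth2/OIDC provider) and the login/consent UI,
	// all from the single "auth" chart. Waits for postgres and for the private ingress controller.
	auth: {
		chart:     charts.auth
		dependsOn: [postgres]
		dependsOnExternal: [{
			name:      "ingress-nginx"
			namespace: "\(global.namespacePrefix)ingress-private"
		}]
		values: {
			kratos: {
				fullnameOverride: "kratos"
				image: {
					repository: images.kratos.fullName
					tag:        images.kratos.tag
					pullPolicy: images.kratos.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
					public: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
				}
				ingress: {
					// SECURITY: the admin API (create/delete identities, list sessions) is published
					// on the private ingress with no authentication configured here; the whole
					// protection is that the private ingress class is unreachable from untrusted
					// networks. Worth confirming with a network policy rather than by assumption.
					admin: {
						enabled:   true
						className: _ingressPrivate
						hosts: [{
							host: "kratos.\(global.privateDomain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						// No secretName: served with whatever default certificate the private ingress has.
						tls: [{
							hosts: [
								"kratos.\(global.privateDomain)",
							]
						}]
					}
					public: {
						enabled:   true
						className: _ingressPublic
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer":            _issuerPublic
						}
						hosts: [{
							host: "accounts.\(global.domain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts:      ["accounts.\(global.domain)"]
							secretName: "cert-accounts.\(global.domain)"
						}]
					}
				}
				// NOTE(review): presumably makes the chart render dsn/secrets/courier values into a
				// Kubernetes Secret — but the values themselves still originate in this file.
				secret: {
					enabled: true
				}
				kratos: {
					automigration: {
						enabled: true
					}
					development: false
					// No courier deployment: nothing sends mail (recovery and verification are off too).
					courier: {
						enabled: false
					}
					config: {
						// Documents which Kratos release this config targets; kept in step with
						// images.kratos.tag (was "v0.7.1-alpha.1", several majors behind the image).
						version: "v1.1.0"
						// SECURITY: plaintext role password from init.sql above plus sslmode=disable,
						// so the entire database session crosses the cluster network unencrypted.
						dsn: "postgres://kratos:kratos@postgres.\(global.namespacePrefix)core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							public: {
								base_url: "https://accounts.\(global.domain)"
								// Credentialed CORS for the apex and every subdomain: a page on any
								// *.domain host can call the public API with the user's session cookie.
								cors: {
									enabled:           true
									debug:             false
									allow_credentials: true
									allowed_origins: [
										"https://\(global.domain)",
										"https://*.\(global.domain)",
									]
								}
							}
							admin: {
								base_url: "https://kratos.\(global.privateDomain)/"
							}
						}
						selfservice: {
							default_browser_return_url: "https://accounts-ui.\(global.domain)"
							// NOTE(review): the first entry has a trailing "/" and the second does not;
							// confirm both are treated as host-wide prefixes.
							allowed_return_urls: [
								"https://*.\(global.domain)/",
								"https://*.\(global.privateDomain)",
							]
							methods: {
								password: {
									enabled: true
								}
							}
							flows: {
								error: {
									ui_url: "https://accounts-ui.\(global.domain)/error"
								}
								settings: {
									ui_url: "https://accounts-ui.\(global.domain)/settings"
									// Credential changes require a login within the last 15 minutes.
									privileged_session_max_age: "15m"
								}
								recovery: {
									enabled: false
								}
								verification: {
									enabled: false
								}
								logout: {
									after: {
										default_browser_return_url: "https://accounts-ui.\(global.domain)/login"
									}
								}
								login: {
									ui_url:   "https://accounts-ui.\(global.domain)/login"
									lifespan: "10m"
									after: {
										password: {
											default_browser_return_url: "https://accounts-ui.\(global.domain)/"
										}
									}
								}
								registration: {
									lifespan: "10m"
									ui_url:   "https://accounts-ui.\(global.domain)/register"
									after: {
										password: {
											// Newly registered users get a session immediately.
											hooks: [{
												hook: "session"
											}]
											default_browser_return_url: "https://accounts-ui.\(global.domain)/"
										}
									}
								}
							}
						}
						log: {
							level:  "debug"
							format: "text"
							// SECURITY FIX: was `true`, which makes Kratos write passwords, session
							// tokens and cookies into the pod logs. Must stay false on a service that
							// is reachable through the public ingress; drop `level` to "info" as well
							// once the debugging that motivated it is done.
							leak_sensitive_values: false
						}
						// The session cookie is scoped to the apex, so every *.domain application
						// receives it and an XSS on any of them is a session takeover. SameSite=None
						// additionally sends it on cross-site requests, leaving CSRF defence to
						// Kratos' own CSRF tokens. Lax would still cover the top-level redirects
						// between accounts-ui, Hydra and Kratos (all under global.domain) — confirm
						// nothing embeds these flows cross-site before tightening.
						cookies: {
							path:      "/"
							same_site: "None"
							domain:    global.domain
						}
						// SECURITY: this is Ory's shipped placeholder, not a secret. It is the key
						// Kratos uses to sign/encrypt its cookies (session and CSRF); with a public
						// value anyone can forge them. Needs a generated, per-deployment value
						// (rotation: new key first in the list, old keys after it).
						secrets: {
							cookie: ["PLEASE-CHANGE-ME-I-AM-VERY-INSECURE"]
						}
						// Argon2 parameters: 128 MB, 2 passes, 1 lane, 16-byte salt and a 16-byte
						// derived key — consider key_length 32 for new hashes; existing hashes carry
						// their own parameters and keep verifying.
						hashers: {
							argon2: {
								parallelism: 1
								memory:      "128MB"
								iterations:  2
								salt_length: 16
								key_length:  16
							}
						}
						identity: {
							schemas: [{
								id:  "user"
								url: "file:///etc/config/identity.schema.json"
							}]
							default_schema_id: "user"
						}
						courier: {
							smtp: {
								// SECURITY FIX: this line used to carry a URL-encoded SMTP username and
								// password for mx1.<domain>, committed in plaintext. Treat that credential
								// as compromised and rotate it at the mail server. Nothing here needs a
								// working value yet (the courier deployment and the recovery/verification
								// flows are all disabled), so a placeholder keeps the URI shape without
								// leaking anything; the real value must come from a Secret.
								connection_uri: "smtps://REPLACE-ME-SMTP-USER%40\(global.domain):REPLACE-ME-SMTP-PASSWORD@mx1.\(global.domain)"
							}
						}
					}
					identitySchemas: {
						"identity.schema.json": _userSchema
					}
				}
			}
			hydra: {
				fullnameOverride: "hydra"
				image: {
					repository: images.hydra.fullName
					tag:        images.hydra.tag
					pullPolicy: images.hydra.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
					public: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
				}
				ingress: {
					// SECURITY: same trust model as the Kratos admin ingress — the Hydra admin API
					// (client management, accepting login/consent) has no authentication here.
					admin: {
						enabled:   true
						className: _ingressPrivate
						hosts: [{
							host: "hydra.\(global.privateDomain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: ["hydra.\(global.privateDomain)"]
						}]
					}
					public: {
						enabled:   true
						className: _ingressPublic
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer":            _issuerPublic
						}
						hosts: [{
							host: "hydra.\(global.domain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts:      ["hydra.\(global.domain)"]
							secretName: "cert-hydra.\(global.domain)"
						}]
					}
				}
				secret: {
					enabled: true
				}
				// Hydra Maester (the OAuth2Client CRD controller) is not deployed.
				maester: {
					enabled: false
				}
				hydra: {
					automigration: {
						enabled: true
					}
					config: {
						// Documents which Hydra release this config targets; kept in step with
						// images.hydra.tag (was "v1.10.6", a major behind the v2.2.0 image).
						version: "v2.2.0"
						// SECURITY: same plaintext role password and sslmode=disable as the Kratos DSN.
						dsn: "postgres://hydra:hydra@postgres.\(global.namespacePrefix)core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							cookies: {
								// Cross-site delivery of Hydra's cookies is allowed; see the Kratos cookies note.
								same_site_mode: "None"
							}
							public: {
								cors: {
									enabled:           true
									debug:             false
									allow_credentials: true
									allowed_origins: [
										"https://\(global.domain)",
										"https://*.\(global.domain)",
									]
								}
							}
							admin: {
								// NOTE(review): only allowed_origins is set, without `enabled`; if CORS
								// defaults to off on the admin port this block has no effect.
								cors: {
									allowed_origins: [
										"https://hydra.\(global.privateDomain)",
									]
								}
								tls: {
									// SECURITY: "0.0.0.0/0" turns the allowlist into a no-op — any peer may
									// claim TLS was terminated upstream (X-Forwarded-Proto). The two /16s
									// look like the k3s pod and service ranges; if the ingress controller
									// connects from a node address, list that range instead of everything.
									allow_termination_from: [
										"0.0.0.0/0",
										"10.42.0.0/16",
										"10.43.0.0/16",
									]
								}
							}
							tls: {
								// Same remark as serve.admin.tls above.
								allow_termination_from: [
									"0.0.0.0/0",
									"10.42.0.0/16",
									"10.43.0.0/16",
								]
							}
						}
						urls: {
							self: {
								public: "https://hydra.\(global.domain)"
								issuer: "https://hydra.\(global.domain)"
							}
							consent: "https://accounts-ui.\(global.domain)/consent"
							login:   "https://accounts-ui.\(global.domain)/login"
							logout:  "https://accounts-ui.\(global.domain)/logout"
						}
						// SECURITY: Ory's placeholder again. This is the key Hydra uses to protect
						// issued tokens/codes and the signing keys it stores in the database; with a
						// public value those are forgeable and recoverable by anyone with DB access.
						// Needs a generated, per-deployment value.
						secrets: {
							system: ["youReallyNeedToChangeThis"]
						}
						oidc: {
							subject_identifiers: {
								supported_types: [
									"pairwise",
									"public",
								]
								// SECURITY: the pairwise salt is the same public placeholder. Pairwise
								// subjects are presumably a salted hash of the internal subject and the
								// client's sector, so a known salt lets anyone who learns an internal
								// subject id recompute its per-client identifiers — defeating the
								// unlinkability "pairwise" exists to provide.
								pairwise: {
									salt: "youReallyNeedToChangeThis"
								}
							}
						}
						log: {
							// Most verbose level; sensitive values are not leaked, but "info" is the
							// sensible setting outside an active debugging session.
							level:                 "trace"
							leak_sensitive_values: false
						}
					}
				}
			}
			ui: {
				certificateIssuer: _issuerPublic
				ingressClassName:  _ingressPublic
				domain:            global.domain
				internalDomain:    global.privateDomain
				// The UI is pointed straight at Hydra's admin service inside the cluster (the
				// service port is named "http", so presumably plain HTTP): it is fully trusted by
				// Hydra and can accept login/consent for any subject.
				hydra:              "hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
				enableRegistration: false
				image: {
					repository: images.ui.fullName
					tag:        images.ui.tag
					pullPolicy: images.ui.pullPolicy
				}
			}
		}
	}
}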