// input: parameters this application definition accepts. Only a subdomain is
// declared; within this file it is not referenced anywhere (the public hosts
// below are built from global.domain / global.privateDomain instead) — presumably
// consumed by an enclosing definition, verify before removing.
input: {
	subdomain: string
}
4
// Application identity and target namespace. NOTE(review): the literal
// "core-auth" is repeated in the kratos/hydra DSNs and in ui.hydra further down
// (with global.namespacePrefix prepended) rather than derived from this field,
// so renaming the namespace here would silently break those service hosts.
name:      "core-auth"
namespace: "core-auth"
7
// _userSchema: the Kratos identity schema, mounted into the chart through
// helm.auth.values.kratos.identitySchemas and referenced by the identity config
// as file:///etc/config/identity.schema.json. A single trait, "username"
// (minLength 3), is the identifier for the password credential; traits has
// additionalProperties: false, so no other trait is permitted.
// NOTE(review): "$id" still carries the Ory quickstart preset URL; it is only
// used as an identifier, but a project-specific id avoids confusion with the
// upstream preset.
_userSchema: ###"""
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "User",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "type": "string",
          "format": "username",
          "title": "Username",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        }
      },
      "additionalProperties": false
    }
  }
}
"""###
37
// images: container images used by the releases below. Only repository, name,
// tag and pullPolicy are set here; the helm values also read
// images.<x>.registry, images.<x>.imageName and images.<x>.fullName, which are
// not defined in this file — presumably computed by an enclosing definition,
// verify.
images: {
	kratos: {
		repository: "oryd"
		name:       "kratos"
		// Pinned, distroless upstream image.
		tag:        "v1.1.0-distroless"
		pullPolicy: "IfNotPresent"
	}
	hydra: {
		repository: "oryd"
		name:       "hydra"
		// Pinned, distroless upstream image.
		tag:        "v2.2.0-distroless"
		pullPolicy: "IfNotPresent"
	}
	ui: {
		repository: "giolekva"
		name:       "auth-ui"
		// NOTE(review): a floating "latest" tag pulled with Always makes the
		// deployed UI non-reproducible and unpinnable; prefer an immutable tag
		// (or digest) like the other images.
		tag:        "latest"
		pullPolicy: "Always"
	}
	postgres: {
		repository: "library"
		name:       "postgres"
		tag:        "15.3"
		pullPolicy: "IfNotPresent"
	}
}
64
// charts: Helm chart sources for the two releases. Both come from the "pcloud"
// GitRepository in the namespace named by global.id (global is not defined in
// this file; presumably injected by the enclosing scope).
charts: {
	auth: {
		chart: "charts/auth"
		sourceRef: {
			kind:      "GitRepository"
			name:      "pcloud"
			namespace: global.id
		}
	}
	postgres: {
		chart: "charts/postgresql"
		sourceRef: {
			kind:      "GitRepository"
			name:      "pcloud"
			namespace: global.id
		}
	}
}
83
// helm: the two releases this app deploys — a PostgreSQL instance and the
// "auth" chart bundling Kratos (identity), Hydra (OAuth2/OIDC) and the
// account UI. Lines marked NOTE(review) carry placeholder secrets or
// development settings that should be replaced before this reaches a
// production cluster.
helm: {
	postgres: {
		chart: charts.postgres
		values: {
			fullnameOverride: "postgres"
			image: {
				// registry / imageName are not declared under images.postgres in
				// this file; presumably derived by an enclosing definition — verify.
				registry:   images.postgres.registry
				repository: images.postgres.imageName
				tag:        images.postgres.tag
				pullPolicy: images.postgres.pullPolicy
			}
			service: {
				// Cluster-internal only; the DSNs below connect over this port.
				type: "ClusterIP"
				port: 5432
			}
			primary: {
				initdb: {
					scripts: {
						// NOTE(review): static database credentials committed in
						// plain text; the same user:password pairs are repeated in
						// the kratos and hydra DSNs below. Prefer generating them
						// into a Secret and referencing it from both places.
						"init.sql": """
							CREATE USER kratos WITH PASSWORD 'kratos';
							CREATE USER hydra WITH PASSWORD 'hydra';
							CREATE DATABASE kratos WITH OWNER = kratos;
							CREATE DATABASE hydra WITH OWNER = hydra;
							"""
					}
				}
				persistence: {
					size: "1Gi"
				}
				// NOTE(review): fsGroup 0 / runAsUser 0 run the database as root
				// inside the container; the upstream image supports an
				// unprivileged uid, so confirm whether the volume backend really
				// requires root here.
				securityContext: {
					enabled: true
					fsGroup: 0
				}
				containerSecurityContext: {
					enabled:   true
					runAsUser: 0
				}
			}
			volumePermissions: {
				securityContext: {
					runAsUser: 0
				}
			}
		}
	}
	auth: {
		chart: charts.auth
		// Wait for the private ingress controller and for the postgres release
		// above before installing.
		dependsOn: [{
			name:      "ingress-nginx"
			namespace: "\(global.namespacePrefix)ingress-private"
		}, {
			name:      "postgres"
			namespace: release.namespace
		}]
		values: {
			kratos: {
				fullnameOverride: "kratos"
				image: {
					repository: images.kratos.fullName
					tag:        images.kratos.tag
					pullPolicy: images.kratos.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
					public: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
				}
				ingress: {
					// Admin API is exposed only on the private ingress class and
					// private domain; the public API on the public class with a
					// cert-manager issued certificate.
					admin: {
						enabled:   true
						className: _ingressPrivate
						hosts: [{
							host: "kratos.\(global.privateDomain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: [
								"kratos.\(global.privateDomain)",
							]
						}]
					}
					public: {
						enabled:   true
						className: _ingressPublic
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer":             _issuerPublic
						}
						hosts: [{
							host: "accounts.\(global.domain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts:      ["accounts.\(global.domain)"]
							secretName: "cert-accounts.\(global.domain)"
						}]
					}
				}
				secret: {
					enabled: true
				}
				kratos: {
					automigration: {
						enabled: true
					}
					development: false
					// Chart-level courier deployment is off; note the SMTP
					// credential under config.courier below still ships in the
					// rendered config.
					courier: {
						enabled: false
					}
					config: {
						// NOTE(review): config version v0.7.1-alpha.1 predates the
						// v1.1.0 image tag under images.kratos; confirm it is what
						// the running version expects.
						version: "v0.7.1-alpha.1"
						// NOTE(review): credentials inline and sslmode=disable —
						// database traffic is unencrypted in-cluster; hard-coded
						// "core-auth" namespace instead of release.namespace.
						dsn: "postgres://kratos:kratos@postgres.\(global.namespacePrefix)core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							public: {
								base_url: "https://accounts.\(global.domain)"
								// NOTE(review): allow_credentials with a wildcard
								// subdomain origin means any host under
								// global.domain can make credentialed calls to the
								// public API; acceptable only if every subdomain is
								// trusted.
								cors: {
									enabled:           true
									debug:             false
									allow_credentials: true
									allowed_origins: [
										"https://\(global.domain)",
										"https://*.\(global.domain)",
									]
								}
							}
							admin: {
								base_url: "https://kratos.\(global.privateDomain)/"
							}
						}
						selfservice: {
							default_browser_return_url: "https://accounts-ui.\(global.domain)"
							// Redirect targets after flows are limited to the
							// public and private domains (wildcard subdomains).
							allowed_return_urls: [
								"https://*.\(global.domain)/",
								"https://*.\(global.privateDomain)",
							]
							methods: {
								password: {
									enabled: true
								}
							}
							flows: {
								error: {
									ui_url: "https://accounts-ui.\(global.domain)/error"
								}
								settings: {
									ui_url:                     "https://accounts-ui.\(global.domain)/settings"
									privileged_session_max_age: "15m"
								}
								// Recovery and verification are off, consistent with
								// the courier deployment being disabled above.
								recovery: {
									enabled: false
								}
								verification: {
									enabled: false
								}
								logout: {
									after: {
										default_browser_return_url: "https://accounts-ui.\(global.domain)/login"
									}
								}
								login: {
									ui_url:   "https://accounts-ui.\(global.domain)/login"
									lifespan: "10m"
									after: {
										password: {
											default_browser_return_url: "https://accounts-ui.\(global.domain)/"
										}
									}
								}
								// Registration flow stays configured on the Kratos
								// side even though ui.enableRegistration is false
								// below; whether the UI flag alone prevents
								// self-signup cannot be told from here — confirm.
								registration: {
									lifespan: "10m"
									ui_url:   "https://accounts-ui.\(global.domain)/register"
									after: {
										password: {
											// Issue a session immediately after signup.
											hooks: [{
												hook: "session"
											}]
											default_browser_return_url: "https://accounts-ui.\(global.domain)/"
										}
									}
								}
							}
						}
						log: {
							level:  "debug"
							format: "text"
							// NOTE(review): leak_sensitive_values: true instructs
							// Kratos to include sensitive values in log output, and
							// level is debug; set both to production values outside
							// local development.
							leak_sensitive_values: true
						}
						// NOTE(review): SameSite=None cookies scoped to the whole
						// global.domain are sent on cross-site requests; they rely
						// on the Secure attribute (HTTPS only) and widen exposure to
						// every subdomain.
						cookies: {
							path:      "/"
							same_site: "None"
							domain:    global.domain
						}
						secrets: {
							// NOTE(review): well-known placeholder value; must be
							// overridden (e.g. from a Secret) before deployment —
							// it signs/encrypts session cookies.
							cookie: ["PLEASE-CHANGE-ME-I-AM-VERY-INSECURE"]
						}
						hashers: {
							// NOTE(review): key_length 16 bytes is below the 32
							// bytes commonly recommended; confirm memory/iterations
							// against current Ory guidance for the target hardware.
							argon2: {
								parallelism: 1
								memory:      "128MB"
								iterations:  2
								salt_length: 16
								key_length:  16
							}
						}
						identity: {
							// Served from the identitySchemas mount below.
							schemas: [{
								id:  "user"
								url: "file:///etc/config/identity.schema.json"
							}]
							default_schema_id: "user"
						}
						courier: {
							smtp: {
								// NOTE(review): a full SMTP username/password is
								// embedded in this URI in clear text under version
								// control; move it to a Secret and rotate it.
								connection_uri: "smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40\(global.domain):iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.\(global.domain)"
							}
						}
					}
					identitySchemas: {
						"identity.schema.json": _userSchema
					}
				}
			}
			hydra: {
				fullnameOverride: "hydra"
				image: {
					repository: images.hydra.fullName
					tag:        images.hydra.tag
					pullPolicy: images.hydra.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
					public: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
				}
				ingress: {
					// Same split as Kratos: admin on the private class/domain,
					// public on the public class with a cert-manager certificate.
					admin: {
						enabled:   true
						className: _ingressPrivate
						hosts: [{
							host: "hydra.\(global.privateDomain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: ["hydra.\(global.privateDomain)"]
						}]
					}
					public: {
						enabled:   true
						className: _ingressPublic
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer":             _issuerPublic
						}
						hosts: [{
							host: "hydra.\(global.domain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts:      ["hydra.\(global.domain)"]
							secretName: "cert-hydra.\(global.domain)"
						}]
					}
				}
				secret: {
					enabled: true
				}
				// Hydra Maester (OAuth2Client CRD controller) is not deployed.
				maester: {
					enabled: false
				}
				hydra: {
					automigration: {
						enabled: true
					}
					config: {
						// NOTE(review): config version v1.10.6 against a v2.2.0
						// image tag under images.hydra; confirm the running version
						// accepts it.
						version: "v1.10.6"
						// NOTE(review): same concerns as the kratos DSN — inline
						// credentials, sslmode=disable, hard-coded namespace.
						dsn: "postgres://hydra:hydra@postgres.\(global.namespacePrefix)core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							cookies: {
								same_site_mode: "None"
							}
							public: {
								cors: {
									enabled:           true
									debug:             false
									allow_credentials: true
									allowed_origins: [
										"https://\(global.domain)",
										"https://*.\(global.domain)",
									]
								}
							}
							admin: {
								cors: {
									allowed_origins: [
										"https://hydra.\(global.privateDomain)",
									]
								}
								// NOTE(review): 0.0.0.0/0 already covers every
								// source, making the two 10.x ranges redundant; this
								// accepts X-Forwarded-Proto: https from any peer, so
								// it is only safe while the ports are reachable solely
								// through the ingress (ClusterIP suggests so — confirm).
								tls: {
									allow_termination_from: [
										"0.0.0.0/0",
										"10.42.0.0/16",
										"10.43.0.0/16",
									]
								}
							}
							// Same redundancy/trust note as serve.admin.tls above.
							tls: {
								allow_termination_from: [
									"0.0.0.0/0",
									"10.42.0.0/16",
									"10.43.0.0/16",
								]
							}
						}
						urls: {
							self: {
								public: "https://hydra.\(global.domain)"
								issuer: "https://hydra.\(global.domain)"
							}
							// Login/consent/logout are delegated to the account UI.
							consent: "https://accounts-ui.\(global.domain)/consent"
							login:   "https://accounts-ui.\(global.domain)/login"
							logout:  "https://accounts-ui.\(global.domain)/logout"
						}
						secrets: {
							// NOTE(review): documented placeholder; this key protects
							// stored tokens and must be overridden before deployment.
							system: ["youReallyNeedToChangeThis"]
						}
						oidc: {
							subject_identifiers: {
								supported_types: [
									"pairwise",
									"public",
								]
								pairwise: {
									// NOTE(review): placeholder salt; pairwise subject
									// ids derived from it change if it is rotated later,
									// so set a real value before any client is issued.
									salt: "youReallyNeedToChangeThis"
								}
							}
						}
						log: {
							// NOTE(review): trace level is a development setting.
							level:                 "trace"
							leak_sensitive_values: false
						}
					}
				}
			}
			ui: {
				certificateIssuer: _issuerPublic
				ingressClassName:  _ingressPublic
				domain:            global.domain
				internalDomain:    global.privateDomain
				// Hydra admin endpoint reached over the cluster-internal service
				// name; "core-auth" is hard-coded rather than taken from namespace.
				hydra:              "hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
				enableRegistration: false
				image: {
					repository: images.ui.fullName
					tag:        images.ui.tag
					pullPolicy: images.ui.pullPolicy
				}
			}
		}
	}
}