Gitiles
Code Review Sign In
code.v1.dodo.cloud / pcloud / 4bfed00a3f4078c8d85eab8fe9d956cef6a58503 / . / core / installer / values-tmpl / core-auth.cue
blob: 77656224df8ddb329dcb900dac4e22dc049bc00c [file] [log] [blame]
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]1input: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]2 network: #Network
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]3 subdomain: string
4}
5
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]6name: "core-auth"
Giorgi Lekveishvili08af67a2024-01-18 08:53:05 +0400[diff] [blame]7namespace: "core-auth"
8
9_userSchema: ###"""
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]10 {
11 "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
12 "$schema": "http://json-schema.org/draft-07/schema#",
13 "title": "User",
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]14 "type": "object",
15 "properties": {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]16 "traits": {
17 "type": "object",
18 "properties": {
19 "username": {
20 "type": "string",
21 "format": "username",
22 "title": "Username",
23 "minLength": 3,
24 "ory.sh/kratos": {
25 "credentials": {
26 "password": {
27 "identifier": true
28 }
29 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]30 }
31 }
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]32 },
33 "additionalProperties": false
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]34 }
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]35 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]36 }
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]37 """###
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]38
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]39out: {
40 images: {
41 kratos: {
42 repository: "oryd"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]43 name: "kratos"
44 tag: "v1.1.0-distroless"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]45 pullPolicy: "IfNotPresent"
46 }
47 hydra: {
48 repository: "oryd"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]49 name: "hydra"
50 tag: "v2.2.0-distroless"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]51 pullPolicy: "IfNotPresent"
52 }
53 ui: {
54 repository: "giolekva"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]55 name: "auth-ui"
56 tag: "latest"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]57 pullPolicy: "Always"
58 }
59 postgres: {
60 repository: "library"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]61 name: "postgres"
62 tag: "15.3"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]63 pullPolicy: "IfNotPresent"
64 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]65 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]66
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]67 charts: {
68 auth: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]69 kind: "GitRepository"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]70 address: "https://code.v1.dodo.cloud/helm-charts"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]71 branch: "main"
72 path: "charts/auth"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]73 }
74 postgres: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]75 kind: "GitRepository"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]76 address: "https://code.v1.dodo.cloud/helm-charts"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]77 branch: "main"
78 path: "charts/postgresql"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]79 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]80 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]81
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]82 helm: {
83 postgres: {
84 chart: charts.postgres
85 values: {
86 fullnameOverride: "postgres"
87 image: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]88 registry: images.postgres.registry
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]89 repository: images.postgres.imageName
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]90 tag: images.postgres.tag
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]91 pullPolicy: images.postgres.pullPolicy
92 }
93 service: {
94 type: "ClusterIP"
95 port: 5432
96 }
97 primary: {
98 initdb: {
99 scripts: {
100 "init.sql": """
101 CREATE USER kratos WITH PASSWORD 'kratos';
102 CREATE USER hydra WITH PASSWORD 'hydra';
103 CREATE DATABASE kratos WITH OWNER = kratos;
104 CREATE DATABASE hydra WITH OWNER = hydra;
105 """
106 }
107 }
108 persistence: {
109 size: "1Gi"
110 }
111 securityContext: {
112 enabled: true
113 fsGroup: 0
114 }
115 containerSecurityContext: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]116 enabled: true
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]117 runAsUser: 0
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]118 }
119 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]120 volumePermissions: {
121 securityContext: {
122 runAsUser: 0
123 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]124 }
125 }
126 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]127 auth: {
128 chart: charts.auth
129 dependsOn: [{
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]130 name: "postgres"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]131 namespace: release.namespace
132 }]
133 values: {
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]134 kratos: {
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]135 fullnameOverride: "kratos"
136 image: {
137 repository: images.kratos.fullName
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]138 tag: images.kratos.tag
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]139 pullPolicy: images.kratos.pullPolicy
140 }
141 service: {
142 admin: {
143 enabled: true
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]144 type: "ClusterIP"
145 port: 80
146 name: "http"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]147 }
148 public: {
149 enabled: true
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]150 type: "ClusterIP"
151 port: 80
152 name: "http"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]153 }
154 }
155 ingress: {
156 admin: enabled: false
157 public: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]158 enabled: true
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]159 className: input.network.ingressClass
160 annotations: {
161 "acme.cert-manager.io/http01-edit-in-place": "true"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]162 "cert-manager.io/cluster-issuer": input.network.certificateIssuer
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]163 }
164 hosts: [{
165 host: "accounts.\(input.network.domain)"
166 paths: [{
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]167 path: "/"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]168 pathType: "Prefix"
169 }]
170 }]
171 tls: [{
172 hosts: ["accounts.\(input.network.domain)"]
173 secretName: "cert-accounts.\(input.network.domain)"
174 }]
175 }
176 }
177 secret: {
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]178 enabled: true
179 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]180 kratos: {
181 automigration: {
182 enabled: true
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]183 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]184 development: false
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]185 courier: {
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]186 enabled: false
187 }
188 config: {
189 version: "v0.7.1-alpha.1"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]190 dsn: "postgres://kratos:kratos@postgres.\(global.namespacePrefix)core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]191 serve: {
192 public: {
193 base_url: "https://accounts.\(input.network.domain)"
194 cors: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]195 enabled: true
196 debug: false
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]197 allow_credentials: true
198 allowed_origins: [
199 "https://\(input.network.domain)",
200 "https://*.\(input.network.domain)",
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]201 ]
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]202 }
203 }
204 admin: {
205 base_url: "https://kratos-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
206 }
207 }
208 selfservice: {
209 default_browser_return_url: "https://accounts-ui.\(input.network.domain)"
210 allowed_return_urls: [
211 "https://*.\(input.network.domain)/",
212 // TODO(gio): replace with input.network.privateSubdomain
213 "https://*.\(global.privateDomain)",
214 ]
215 methods: {
216 password: {
217 enabled: true
218 }
219 }
220 flows: {
221 error: {
222 ui_url: "https://accounts-ui.\(input.network.domain)/error"
223 }
224 settings: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]225 ui_url: "https://accounts-ui.\(input.network.domain)/settings"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]226 privileged_session_max_age: "15m"
227 }
228 recovery: {
229 enabled: false
230 }
231 verification: {
232 enabled: false
233 }
234 logout: {
235 after: {
236 default_browser_return_url: "https://accounts-ui.\(input.network.domain)/login"
237 }
238 }
239 login: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]240 ui_url: "https://accounts-ui.\(input.network.domain)/login"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]241 lifespan: "10m"
242 after: {
243 password: {
244 default_browser_return_url: "https://accounts-ui.\(input.network.domain)/"
245 }
246 }
247 }
248 registration: {
249 lifespan: "10m"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]250 ui_url: "https://accounts-ui.\(input.network.domain)/register"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]251 after: {
252 password: {
253 hooks: [{
254 hook: "session"
255 }]
256 default_browser_return_url: "https://accounts-ui.\(input.network.domain)/"
257 }
258 }
259 }
260 }
261 }
262 log: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]263 level: "debug"
264 format: "text"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]265 leak_sensitive_values: true
266 }
267 cookies: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]268 path: "/"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]269 same_site: "None"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]270 domain: input.network.domain
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]271 }
272 secrets: {
273 cookie: ["PLEASE-CHANGE-ME-I-AM-VERY-INSECURE"]
274 }
275 hashers: {
276 argon2: {
277 parallelism: 1
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]278 memory: "128MB"
279 iterations: 2
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]280 salt_length: 16
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]281 key_length: 16
282 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]283 }
284 identity: {
285 schemas: [{
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]286 id: "user"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]287 url: "file:///etc/config/identity.schema.json"
288 }]
289 default_schema_id: "user"
290 }
291 courier: {
292 smtp: {
293 connection_uri: "smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40\(input.network.domain):iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.\(input.network.domain)"
294 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]295 }
296 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]297 identitySchemas: {
298 "identity.schema.json": _userSchema
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]299 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]300 }
301 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]302 hydra: {
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]303 fullnameOverride: "hydra"
304 image: {
305 repository: images.hydra.fullName
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]306 tag: images.hydra.tag
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]307 pullPolicy: images.hydra.pullPolicy
308 }
309 service: {
310 admin: {
311 enabled: true
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]312 type: "ClusterIP"
313 port: 80
314 name: "http"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]315 }
316 public: {
317 enabled: true
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]318 type: "ClusterIP"
319 port: 80
320 name: "http"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]321 }
322 }
323 ingress: {
324 admin: enabled: false
325 public: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]326 enabled: true
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]327 className: input.network.ingressClass
328 annotations: {
329 "acme.cert-manager.io/http01-edit-in-place": "true"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]330 "cert-manager.io/cluster-issuer": input.network.certificateIssuer
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]331 }
332 hosts: [{
333 host: "hydra.\(input.network.domain)"
334 paths: [{
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]335 path: "/"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]336 pathType: "Prefix"
337 }]
338 }]
339 tls: [{
340 hosts: ["hydra.\(input.network.domain)"]
341 secretName: "cert-hydra.\(input.network.domain)"
342 }]
343 }
344 }
345 secret: {
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]346 enabled: true
347 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]348 maester: {
349 enabled: false
350 }
351 hydra: {
352 automigration: {
353 enabled: true
354 }
355 config: {
356 version: "v1.10.6"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]357 dsn: "postgres://hydra:hydra@postgres.\(global.namespacePrefix)core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]358 serve: {
359 cookies: {
360 same_site_mode: "None"
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]361 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]362 public: {
363 cors: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]364 enabled: true
365 debug: false
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]366 allow_credentials: true
367 allowed_origins: [
368 "https://\(input.network.domain)",
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]369 "https://*.\(input.network.domain)",
370 ]
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]371 }
372 }
373 admin: {
374 cors: {
375 allowed_origins: [
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]376 "https://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local",
377 ]
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]378 }
379 tls: {
380 allow_termination_from: [
381 "0.0.0.0/0",
382 "10.42.0.0/16",
383 "10.43.0.0/16",
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]384 ]
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]385 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]386 }
387 tls: {
388 allow_termination_from: [
389 "0.0.0.0/0",
390 "10.42.0.0/16",
391 "10.43.0.0/16",
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]392 ]
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]393 }
394 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]395 urls: {
396 self: {
397 public: "https://hydra.\(input.network.domain)"
398 issuer: "https://hydra.\(input.network.domain)"
399 }
400 consent: "https://accounts-ui.\(input.network.domain)/consent"
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]401 login: "https://accounts-ui.\(input.network.domain)/login"
402 logout: "https://accounts-ui.\(input.network.domain)/logout"
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]403 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]404 secrets: {
405 system: ["youReallyNeedToChangeThis"]
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]406 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]407 oidc: {
408 subject_identifiers: {
409 supported_types: [
410 "pairwise",
411 "public",
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]412 ]
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]413 pairwise: {
414 salt: "youReallyNeedToChangeThis"
415 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]416 }
417 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]418 log: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]419 level: "trace"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]420 leak_sensitive_values: false
421 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]422 }
423 }
424 }
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]425 ui: {
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]426 certificateIssuer: input.network.certificateIssuer
427 ingressClassName: input.network.ingressClass
428 domain: input.network.domain
429 hydra: "hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]430 enableRegistration: false
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]431 defaultReturnTo: "https://launcher.\(global.domain)"
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]432 image: {
433 repository: images.ui.fullName
gio9bd87ca2025-04-20 08:05:34 +0400[diff] [blame]434 tag: images.ui.tag
gio7fbd4ad2024-08-27 10:06:39 +0400[diff] [blame]435 pullPolicy: images.ui.pullPolicy
436 }
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +0400[diff] [blame]437 }
438 }
439 }
440 }
441}