// Values supplied by the caller of this package.
// `subdomain` is declared here but not referenced anywhere in this file;
// presumably it is consumed by a sibling file of the package — confirm before
// relying on it or removing it.
input: {
	subdomain: string
}
4
// Namespace the auth stack is installed into. Note that the kratos/hydra DSNs
// and the ui.hydra address further down spell "core-auth" out literally instead
// of referencing this field, so renaming it requires editing those strings too.
namespace: "core-auth"
6
// Kratos identity schema (JSON Schema draft-07). It is handed to the chart as
// helm.auth.values.kratos.identitySchemas["identity.schema.json"] and loaded
// by Kratos from file:///etc/config/identity.schema.json.
// Only one trait, `username`, is defined; it is the identifier for the
// password credential. `additionalProperties: false` rejects unknown traits.
// There is a minLength but no maxLength on username — consider bounding it so
// arbitrarily long identifiers cannot be registered.
_userSchema: ###"""
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "User",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "type": "string",
          "format": "username",
          "title": "Username",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        }
      },
      "additionalProperties": false
    }
  }
}
"""###
36
// Container images used by the charts below. Only repository/name/tag/pullPolicy
// are set here; the `fullName`, `registry` and `imageName` fields read by the
// helm values are not defined in this file — presumably a shared image
// definition elsewhere in the package derives them; confirm.
images: {
	kratos: {
		repository: "oryd"
		name:       "kratos"
		tag:        "v0.13.0"
		pullPolicy: "IfNotPresent"
	}
	hydra: {
		repository: "oryd"
		name:       "hydra"
		tag:        "v2.1.2"
		pullPolicy: "IfNotPresent"
	}
	// Floating `latest` tag with pullPolicy Always: every pod restart may pull a
	// different, unreviewed image. Pin a tag (or digest) for reproducible rollouts.
	"hydra-maester": {
		repository: "giolekva"
		name:       "ory-hydra-maester"
		tag:        "latest"
		pullPolicy: "Always"
	}
	// Same concern as hydra-maester: unpinned `latest` tag.
	ui: {
		repository: "giolekva"
		name:       "auth-ui"
		tag:        "latest"
		pullPolicy: "Always"
	}
	postgres: {
		repository: "library"
		name:       "postgres"
		tag:        "15.3"
		pullPolicy: "IfNotPresent"
	}
}
69
// Helm chart sources. Both charts come from the "pcloud" GitRepository; `global`
// is not defined in this file and is presumably provided by the package.
charts: {
	auth: {
		chart: "charts/auth"
		sourceRef: {
			kind:      "GitRepository"
			name:      "pcloud"
			namespace: global.id
		}
	}
	postgres: {
		chart: "charts/postgresql"
		sourceRef: {
			kind:      "GitRepository"
			name:      "pcloud"
			namespace: global.id
		}
	}
}
88
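// Helm releases: a PostgreSQL instance and the Ory auth stack (Kratos, Hydra,
// hydra-maester, UI) that depends on it.
//
// Review notes (not changed here, flagged for follow-up):
//   - database passwords, the Kratos cookie secret, the Hydra system secret and
//     pairwise salt, and an SMTP password are all literal placeholders in this
//     file; they should come from an `input` value or a Secret and be rotated;
//   - both DSNs use sslmode=disable (in-cluster ClusterIP traffic, but still
//     cleartext credentials on the wire);
//   - `leak_sensitive_values` for Kratos was true with `development: false`;
//     it is set to false below so request bodies/credentials do not reach logs.
helm: {
	postgres: {
		chart: charts.postgres
		values: {
			fullnameOverride: "postgres"
			image: {
				// NOTE(review): images.postgres above only defines
				// repository/name/tag/pullPolicy; registry and imageName are presumably
				// derived by a shared image definition elsewhere — confirm they resolve.
				registry:   images.postgres.registry
				repository: images.postgres.imageName
				tag:        images.postgres.tag
				pullPolicy: images.postgres.pullPolicy
			}
			service: {
				type: "ClusterIP"
				port: 5432
			}
			primary: {
				initdb: {
					scripts: {
						// Bootstrap roles for kratos and hydra. Each password equals its
						// role name and is repeated verbatim in the two DSNs below, so all
						// three places must change together.
						"init.sql": """
							CREATE USER kratos WITH PASSWORD 'kratos';
							CREATE USER hydra WITH PASSWORD 'hydra';
							CREATE DATABASE kratos WITH OWNER = kratos;
							CREATE DATABASE hydra WITH OWNER = hydra;
							"""
					}
				}
				persistence: {
					size: "1Gi"
				}
				// The database and the volume-permissions init container run as uid 0.
				// Usually only needed to fix volume ownership — confirm it is required,
				// otherwise prefer the chart's non-root defaults.
				securityContext: {
					enabled: true
					fsGroup: 0
				}
				containerSecurityContext: {
					enabled:   true
					runAsUser: 0
				}
			}
			volumePermissions: {
				securityContext: {
					runAsUser: 0
				}
			}
		}
	}
	auth: {
		chart:     charts.auth
		dependsOn: [postgres]
		dependsOnExternal: [{
			name:      "ingress-nginx"
			namespace: "\(global.namespacePrefix)ingress-private"
		}]
		values: {
			kratos: {
				fullnameOverride: "kratos"
				image: {
					repository: images.kratos.fullName
					tag:        images.kratos.tag
					pullPolicy: images.kratos.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
					public: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
				}
				ingress: {
					// Admin API is only exposed on the private ingress class. The tls
					// entry has no secretName, so it presumably relies on the ingress
					// controller's default certificate — confirm.
					admin: {
						enabled:   true
						className: _ingressPrivate
						hosts: [{
							host: "kratos.\(global.privateDomain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: [
								"kratos.\(global.privateDomain)",
							]
						}]
					}
					public: {
						enabled:   true
						className: _ingressPublic
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer":            _issuerPublic
						}
						hosts: [{
							host: "accounts.\(global.domain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts:      ["accounts.\(global.domain)"]
							secretName: "cert-accounts.\(global.domain)"
						}]
					}
				}
				secret: {
					enabled: true
				}
				kratos: {
					automigration: {
						enabled: true
					}
					development: false
					// Courier (outbound mail) is disabled, yet courier.smtp below still
					// carries a connection URI with an embedded password.
					courier: {
						enabled: false
					}
					config: {
						// NOTE(review): config version is far older than the v0.13.0 image
						// tag; presumably the config-schema version — confirm it is what the
						// deployed Kratos expects.
						version: "v0.7.1-alpha.1"
						// Plaintext credentials and sslmode=disable; "core-auth" is spelled
						// out rather than taken from the top-level `namespace` field.
						dsn: "postgres://kratos:kratos@postgres.\(global.namespacePrefix)core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							public: {
								base_url: "https://accounts.\(global.domain)"
								// Wildcard subdomain origin combined with allow_credentials
								// means any host under the domain can make credentialed
								// cross-origin calls; acceptable only while every subdomain
								// is trusted.
								cors: {
									enabled:           true
									debug:             false
									allow_credentials: true
									allowed_origins: [
										"https://\(global.domain)",
										"https://*.\(global.domain)",
									]
								}
							}
							admin: {
								base_url: "https://kratos.\(global.privateDomain)/"
							}
						}
						selfservice: {
							default_browser_return_url: "https://accounts-ui.\(global.domain)"
							methods: {
								password: {
									enabled: true
								}
							}
							flows: {
								error: {
									ui_url: "https://accounts-ui.\(global.domain)/error"
								}
								settings: {
									ui_url:                     "https://accounts-ui.\(global.domain)/settings"
									privileged_session_max_age: "15m"
								}
								// Recovery and verification are off; there is no
								// self-service path to recover a lost password.
								recovery: {
									enabled: false
								}
								verification: {
									enabled: false
								}
								logout: {
									after: {
										default_browser_return_url: "https://accounts-ui.\(global.domain)/login"
									}
								}
								login: {
									ui_url:   "https://accounts-ui.\(global.domain)/login"
									lifespan: "10m"
									after: {
										password: {
											default_browser_return_url: "https://accounts-ui.\(global.domain)/"
										}
									}
								}
								registration: {
									lifespan: "10m"
									ui_url:   "https://accounts-ui.\(global.domain)/register"
									after: {
										password: {
											// Issues a session immediately on registration.
											hooks: [{
												hook: "session"
											}]
											default_browser_return_url: "https://accounts-ui.\(global.domain)/"
										}
									}
								}
							}
						}
						log: {
							// Debug level in a non-development deployment; consider "info".
							level:  "debug"
							format: "text"
							// Was true: with development false this would write request
							// bodies, tokens and similar values into the logs.
							leak_sensitive_values: false
						}
						// SameSite=None lets the session cookie accompany cross-site
						// requests; confirm this is needed for the cross-subdomain flows.
						cookies: {
							path:      "/"
							same_site: "None"
							domain:    global.domain
						}
						// Placeholder value, must be replaced with a generated secret.
						secrets: {
							cookie: ["PLEASE-CHANGE-ME-I-AM-VERY-INSECURE"]
						}
						// key_length 16 bytes is below Kratos' documented default of 32 —
						// confirm this was deliberate.
						hashers: {
							argon2: {
								parallelism: 1
								memory:      "128MB"
								iterations:  2
								salt_length: 16
								key_length:  16
							}
						}
						identity: {
							schemas: [{
								id:  "user"
								url: "file:///etc/config/identity.schema.json"
							}]
							default_schema_id: "user"
						}
						// Mailbox credentials embedded in the URI (percent-encoded); move
						// to a Secret even while courier is disabled.
						courier: {
							smtp: {
								connection_uri: "smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40\(global.domain):iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.\(global.domain)"
							}
						}
					}
					identitySchemas: {
						"identity.schema.json": _userSchema
					}
				}
			}
			hydra: {
				fullnameOverride: "hydra"
				image: {
					repository: images.hydra.fullName
					tag:        images.hydra.tag
					pullPolicy: images.hydra.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
					public: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
				}
				ingress: {
					admin: {
						enabled:   true
						className: _ingressPrivate
						hosts: [{
							host: "hydra.\(global.privateDomain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: ["hydra.\(global.privateDomain)"]
						}]
					}
					public: {
						enabled:   true
						className: _ingressPublic
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer":            _issuerPublic
						}
						hosts: [{
							host: "hydra.\(global.domain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts:      ["hydra.\(global.domain)"]
							secretName: "cert-hydra.\(global.domain)"
						}]
					}
				}
				secret: {
					enabled: true
				}
				maester: {
					enabled: true
				}
				// hydra-maester talks to the admin API over plain HTTP inside the
				// cluster; its image is unpinned (`latest`, see images above).
				"hydra-maester": {
					adminService: {
						name: "hydra-admin"
						port: 80
					}
					image: {
						repository: images["hydra-maester"].fullName
						tag:        images["hydra-maester"].tag
						pullPolicy: images["hydra-maester"].pullPolicy
					}
				}
				hydra: {
					automigration: {
						enabled: true
					}
					config: {
						// NOTE(review): v1.x config version under a v2.1.2 image — confirm
						// the config is still accepted by the deployed Hydra.
						version: "v1.10.6"
						// Plaintext credentials and sslmode=disable, as for Kratos.
						dsn: "postgres://hydra:hydra@postgres.\(global.namespacePrefix)core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							cookies: {
								same_site_mode: "None"
							}
							public: {
								// Same wildcard-origin + credentials caveat as the Kratos
								// public CORS config.
								cors: {
									enabled:           true
									debug:             false
									allow_credentials: true
									allowed_origins: [
										"https://\(global.domain)",
										"https://*.\(global.domain)",
									]
								}
							}
							admin: {
								cors: {
									allowed_origins: [
										"https://hydra.\(global.privateDomain)",
									]
								}
								// "0.0.0.0/0" trusts X-Forwarded-Proto from any source and
								// makes the two cluster CIDRs redundant; narrow to the
								// ingress/pod ranges unless the ports are otherwise
								// network-restricted.
								tls: {
									allow_termination_from: [
										"0.0.0.0/0",
										"10.42.0.0/16",
										"10.43.0.0/16",
									]
								}
							}
							// Same remark as admin.tls above.
							tls: {
								allow_termination_from: [
									"0.0.0.0/0",
									"10.42.0.0/16",
									"10.43.0.0/16",
								]
							}
						}
						urls: {
							self: {
								public: "https://hydra.\(global.domain)"
								issuer: "https://hydra.\(global.domain)"
							}
							consent: "https://accounts-ui.\(global.domain)/consent"
							login:   "https://accounts-ui.\(global.domain)/login"
							logout:  "https://accounts-ui.\(global.domain)/logout"
						}
						// Placeholder system secret; replace with a generated value.
						secrets: {
							system: ["youReallyNeedToChangeThis"]
						}
						oidc: {
							subject_identifiers: {
								supported_types: [
									"pairwise",
									"public",
								]
								// Placeholder salt shared with secrets.system. It must be a
								// distinct secret and must stay stable once issued, since
								// changing it changes every pairwise subject id.
								pairwise: {
									salt: "youReallyNeedToChangeThis"
								}
							}
						}
						log: {
							level:                 "trace"
							leak_sensitive_values: false
						}
					}
				}
			}
			ui: {
				certificateIssuer: _issuerPublic
				ingressClassName:  _ingressPublic
				domain:            global.domain
				internalDomain:    global.privateDomain
				// In-cluster Hydra admin endpoint; "core-auth" is spelled out rather than
				// taken from the top-level `namespace` field.
				hydra:              "hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
				enableRegistration: false
				image: {
					repository: images.ui.fullName
					tag:        images.ui.tag
					pullPolicy: images.ui.pullPolicy
				}
			}
		}
	}
}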