// Values the platform supplies when this app is instantiated.
input: {
	// Cluster network settings; .domain, .ingressClass and .certificateIssuer
	// are read throughout the helm values below. #Network is defined elsewhere.
	network: #Network
	// NOTE(review): declared but not referenced anywhere in this file — the
	// public hosts are hard-coded as "accounts.", "accounts-ui." and "hydra."
	// under input.network.domain instead. Confirm whether it is still needed.
	subdomain: string
}
5
// Release name and Kubernetes namespace for the whole auth stack; the helm
// releases below address each other as <svc>.<prefix>core-auth.svc.
name: "core-auth"
namespace: "core-auth"

// Ory Kratos identity schema, mounted as /etc/config/identity.schema.json
// (see identitySchemas and identity.schemas in the kratos release). The only
// trait is "username", flagged as the password identifier. There is no email
// trait, so nothing could deliver a recovery or verification link — consistent
// with both flows being disabled further down. "additionalProperties": false
// stops clients from attaching arbitrary extra traits to an identity.
// NOTE(review): "$id" still names Ory's quickstart preset; harmless, but a
// project-specific id avoids confusion with the upstream schema.
_userSchema: ###"""
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "User",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "type": "string",
          "format": "username",
          "title": "Username",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        }
      },
      "additionalProperties": false
    }
  }
}
"""###
38
gio7fbd4ad2024-08-27 10:06:39 +040039out: {
images: {
	// Ory components pinned to distroless release tags.
	kratos: {
		repository: "oryd"
		name:       "kratos"
		tag:        "v1.1.0-distroless"
		pullPolicy: "IfNotPresent"
	}
	hydra: {
		repository: "oryd"
		name:       "hydra"
		tag:        "v2.2.0-distroless"
		pullPolicy: "IfNotPresent"
	}
	// NOTE(review): "latest" with pullPolicy Always means any pod restart may
	// pull a different, unreviewed build of the component that serves the
	// login, registration and consent pages. Pin to a release tag or image
	// digest so deploys are reproducible and auditable.
	ui: {
		repository: "giolekva"
		name:       "auth-ui"
		tag:        "latest"
		pullPolicy: "Always"
	}
	// Docker Hub official image ("library/postgres"), pinned to a patch release.
	postgres: {
		repository: "library"
		name:       "postgres"
		tag:        "15.3"
		pullPolicy: "IfNotPresent"
	}
	// NOTE(review): the helm values below read .registry, .imageName and
	// .fullName off these entries; none is set here, so they are presumably
	// derived from repository/name by the enclosing definition — confirm.
}
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +040066
charts: {
	// Both charts are fetched from a Git branch rather than a tag or commit,
	// so a reconcile after any push to main can change what gets deployed.
	// NOTE(review): pin a tag or commit so chart changes go through review
	// before reaching the cluster and deploys stay reproducible.
	auth: {
		kind:    "GitRepository"
		address: "https://code.v1.dodo.cloud/helm-charts"
		branch:  "main"
		path:    "charts/auth"
	}
	postgres: {
		kind:    "GitRepository"
		address: "https://code.v1.dodo.cloud/helm-charts"
		branch:  "main"
		path:    "charts/postgresql"
	}
}
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +040081
gio7fbd4ad2024-08-27 10:06:39 +040082 helm: {
postgres: {
	chart: charts.postgres
	values: {
		fullnameOverride: "postgres"
		image: {
			// NOTE(review): .registry and .imageName are not set on
			// images.postgres in this file; presumably filled in by the
			// enclosing definition.
			registry:   images.postgres.registry
			repository: images.postgres.imageName
			tag:        images.postgres.tag
			pullPolicy: images.postgres.pullPolicy
		}
		// Reachable only inside the cluster; no TLS is configured anywhere in
		// this release, which is why the client DSNs use sslmode=disable.
		service: {
			type: "ClusterIP"
			port: 5432
		}
		primary: {
			// One role and one database per Ory service, owner-scoped so
			// kratos and hydra cannot read each other's tables.
			// SECURITY: the passwords equal the usernames and are committed in
			// clear. They are repeated verbatim in the kratos and hydra dsn
			// values, so changing them means changing all three places. Any
			// workload with network reach to this service can log in with
			// them, and no NetworkPolicy appears in this file. Generate them
			// and inject them via a Secret instead.
			initdb: {
				scripts: {
					"init.sql": """
						CREATE USER kratos WITH PASSWORD 'kratos';
						CREATE USER hydra WITH PASSWORD 'hydra';
						CREATE DATABASE kratos WITH OWNER = kratos;
						CREATE DATABASE hydra WITH OWNER = hydra;
						"""
				}
			}
			persistence: {
				size: "1Gi"
			}
			// Runs the database as root (uid/gid 0). This sidesteps volume
			// ownership problems, but a compromise of postgres is then a root
			// process in the container. The `enabled:` toggles suggest a
			// Bitnami-style chart that presumably defaults to a non-root user;
			// confirm, and prefer fixing ownership via volumePermissions only.
			securityContext: {
				enabled: true
				fsGroup: 0
			}
			containerSecurityContext: {
				enabled:   true
				runAsUser: 0
			}
		}
		// Init container that chowns the data volume; root here is expected.
		volumePermissions: {
			securityContext: {
				runAsUser: 0
			}
		}
	}
}
gio7fbd4ad2024-08-27 10:06:39 +0400127 auth: {
128 chart: charts.auth
129 dependsOn: [{
130 name: "postgres"
131 namespace: release.namespace
132 }]
133 values: {
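kratos: {
	fullnameOverride: "kratos"
	image: {
		// NOTE(review): images.kratos.fullName is not defined in this file;
		// presumably computed from repository/name by the enclosing definition.
		repository: images.kratos.fullName
		tag:        images.kratos.tag
		pullPolicy: images.kratos.pullPolicy
	}
	// Both listeners are plain HTTP on ClusterIP services; TLS is terminated
	// at the ingress, and only for the public API.
	service: {
		admin: {
			enabled: true
			type:    "ClusterIP"
			port:    80
			name:    "http"
		}
		public: {
			enabled: true
			type:    "ClusterIP"
			port:    80
			name:    "http"
		}
	}
	ingress: {
		// The admin API (identity CRUD, session management) stays in-cluster;
		// only the public API is published, at accounts.<domain>, with a
		// cert-manager issued certificate.
		admin: enabled: false
		public: {
			enabled:   true
			className: input.network.ingressClass
			annotations: {
				"acme.cert-manager.io/http01-edit-in-place": "true"
				"cert-manager.io/cluster-issuer":            input.network.certificateIssuer
			}
			hosts: [{
				host: "accounts.\(input.network.domain)"
				paths: [{
					path:     "/"
					pathType: "Prefix"
				}]
			}]
			tls: [{
				hosts:      ["accounts.\(input.network.domain)"]
				secretName: "cert-accounts.\(input.network.domain)"
			}]
		}
	}
	// Presumably lets the chart materialise the config below (dsn, secrets)
	// as a Kubernetes Secret — confirm against charts/auth.
	secret: {
		enabled: true
	}
	kratos: {
		// Schema migrations run automatically on deploy.
		automigration: {
			enabled: true
		}
		// Production mode: Kratos rejects insecure settings it tolerates in dev.
		development: false
		// No courier deployment: nothing sends mail, which matches recovery
		// and verification being disabled below.
		courier: {
			enabled: false
		}
		config: {
			// NOTE(review): images.kratos pins v1.1.0 but this declares
			// v0.7.1-alpha.1 — confirm which config version is intended.
			version: "v0.7.1-alpha.1"
			// Credentials must match primary.initdb.scripts["init.sql"] in the
			// postgres release (password == username, committed in clear);
			// sslmode=disable matches that release configuring no TLS.
			// Changing either side requires changing both.
			dsn: "postgres://kratos:kratos@postgres.\(global.namespacePrefix)core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4"
			serve: {
				public: {
					base_url: "https://accounts.\(input.network.domain)"
					// Credentialed CORS for the apex and every subdomain: any
					// origin under the domain may call the public API with the
					// user's session cookie. Presumably intended for apps hosted
					// on the platform; note it covers every subdomain that exists.
					cors: {
						enabled:           true
						debug:             false
						allow_credentials: true
						allowed_origins: [
							"https://\(input.network.domain)",
							"https://*.\(input.network.domain)",
						]
					}
				}
				admin: {
					// NOTE(review): scheme is https, but the admin service above
					// is plain http on port 80 — confirm in-cluster callers really
					// reach it this way.
					base_url: "https://kratos-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
				}
			}
			selfservice: {
				default_browser_return_url: "https://accounts-ui.\(input.network.domain)"
				// Post-flow redirect allowlist. Any subdomain of the public
				// domain (and, until the TODO is resolved, anything under the
				// private domain) is an accepted return target.
				allowed_return_urls: [
					"https://*.\(input.network.domain)/",
					// TODO(gio): replace with input.network.privateSubdomain
					"https://*.\(global.privateDomain)",
				]
				// Password is the only credential method enabled.
				methods: {
					password: {
						enabled: true
					}
				}
				flows: {
					error: {
						ui_url: "https://accounts-ui.\(input.network.domain)/error"
					}
					settings: {
						ui_url: "https://accounts-ui.\(input.network.domain)/settings"
						// Credential changes require a login within this window.
						privileged_session_max_age: "15m"
					}
					// No email trait in the schema and no courier, so neither
					// flow could deliver a link; both stay off.
					recovery: {
						enabled: false
					}
					verification: {
						enabled: false
					}
					logout: {
						after: {
							default_browser_return_url: "https://accounts-ui.\(input.network.domain)/login"
						}
					}
					login: {
						ui_url: "https://accounts-ui.\(input.network.domain)/login"
						lifespan: "10m"
						after: {
							password: {
								default_browser_return_url: "https://accounts-ui.\(input.network.domain)/"
							}
						}
					}
					// NOTE(review): the ui release sets enableRegistration: false,
					// but this flow itself is not disabled, so the public
					// /self-service/registration endpoints presumably still accept
					// sign-ups from anyone calling them directly, and the "session"
					// hook logs the new identity in immediately. If self-signup is
					// not wanted, set `enabled: false` on this flow instead of
					// relying on the UI hiding the form — confirm against how the
					// first account is bootstrapped.
					registration: {
						lifespan: "10m"
						ui_url: "https://accounts-ui.\(input.network.domain)/register"
						after: {
							password: {
								hooks: [{
									hook: "session"
								}]
								default_browser_return_url: "https://accounts-ui.\(input.network.domain)/"
							}
						}
					}
				}
			}
			log: {
				level:  "debug"
				format: "text"
				// Was true. With development: false this is a production
				// deployment, and leaking sensitive values writes credentials,
				// session tokens and cookies into the pod logs.
				leak_sensitive_values: false
			}
			// Session and CSRF cookies are scoped to the apex domain, so every
			// subdomain receives them, and SameSite=None so the cross-site
			// OIDC/consent round-trips through Hydra keep the session. That
			// gives up the browser's SameSite CSRF backstop; Kratos' own CSRF
			// tokens are the remaining defence.
			cookies: {
				path:      "/"
				same_site: "None"
				domain:    input.network.domain
			}
			// SECURITY: this is Ory's published placeholder. Kratos signs and
			// encrypts its cookies with it, so anyone can mint cookies that pass
			// its integrity checks. Replace with a random value of at least 32
			// bytes supplied from a Secret before deploying anywhere reachable.
			secrets: {
				cookie: ["PLEASE-CHANGE-ME-I-AM-VERY-INSECURE"]
			}
			// Argon2 password hashing. 128 MB with 2 passes is comfortably above
			// the OWASP baseline at the time of review; key_length 16 yields a
			// 128-bit hash, below the 32 bytes Ory's reference config uses —
			// worth raising, confirm before changing (existing hashes stay valid).
			hashers: {
				argon2: {
					parallelism: 1
					memory:      "128MB"
					iterations:  2
					salt_length: 16
					key_length:  16
				}
			}
			identity: {
				// Path matches the identitySchemas entry below.
				schemas: [{
					id:  "user"
					url: "file:///etc/config/identity.schema.json"
				}]
				default_schema_id: "user"
			}
			courier: {
				smtp: {
					// Inert while courier.enabled is false and recovery/verification
					// are off; kept as a placeholder because Kratos' config
					// presumably still expects a syntactically valid URI here —
					// confirm whether the key can be dropped entirely.
					// The previous value embedded a real-looking mailbox password in
					// this file; treat that credential as exposed and rotate it, and
					// inject the live value from a Secret rather than committing it.
					connection_uri: "smtps://CHANGE-ME:CHANGE-ME@mx1.\(input.network.domain)"
				}
			}
		}
		identitySchemas: {
			"identity.schema.json": _userSchema
		}
	}
}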
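hydra: {
	fullnameOverride: "hydra"
	image: {
		// NOTE(review): images.hydra.fullName is not defined in this file;
		// presumably computed from repository/name by the enclosing definition.
		repository: images.hydra.fullName
		tag:        images.hydra.tag
		pullPolicy: images.hydra.pullPolicy
	}
	// Plain HTTP on ClusterIP for both listeners; TLS is terminated at the
	// ingress for the public listener only.
	service: {
		admin: {
			enabled: true
			type:    "ClusterIP"
			port:    80
			name:    "http"
		}
		public: {
			enabled: true
			type:    "ClusterIP"
			port:    80
			name:    "http"
		}
	}
	ingress: {
		// The admin API (client management, introspection, login/consent
		// acceptance) is never published; only the public OAuth2/OIDC
		// endpoints are, at hydra.<domain>.
		admin: enabled: false
		public: {
			enabled:   true
			className: input.network.ingressClass
			annotations: {
				"acme.cert-manager.io/http01-edit-in-place": "true"
				"cert-manager.io/cluster-issuer":            input.network.certificateIssuer
			}
			hosts: [{
				host: "hydra.\(input.network.domain)"
				paths: [{
					path:     "/"
					pathType: "Prefix"
				}]
			}]
			tls: [{
				hosts:      ["hydra.\(input.network.domain)"]
				secretName: "cert-hydra.\(input.network.domain)"
			}]
		}
	}
	// Presumably lets the chart materialise the config below (dsn, secrets)
	// as a Kubernetes Secret — confirm against charts/auth.
	secret: {
		enabled: true
	}
	// hydra-maester (OAuth2Client CRD controller) is not deployed; clients
	// are managed through the admin API instead.
	maester: {
		enabled: false
	}
	hydra: {
		// Schema migrations run automatically on deploy.
		automigration: {
			enabled: true
		}
		config: {
			// NOTE(review): images.hydra pins v2.2.0 but this declares v1.10.6
			// — confirm which config version is intended.
			version: "v1.10.6"
			// Credentials must match primary.initdb.scripts["init.sql"] in the
			// postgres release (password == username, committed in clear);
			// sslmode=disable matches that release configuring no TLS.
			dsn: "postgres://hydra:hydra@postgres.\(global.namespacePrefix)core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4"
			serve: {
				// SameSite=None so the login/consent redirects between
				// hydra.<domain> and accounts-ui.<domain> keep Hydra's cookies;
				// the browser's SameSite CSRF backstop is given up in return.
				cookies: {
					same_site_mode: "None"
				}
				public: {
					// Credentialed CORS for the apex and every subdomain.
					cors: {
						enabled:           true
						debug:             false
						allow_credentials: true
						allowed_origins: [
							"https://\(input.network.domain)",
							"https://*.\(input.network.domain)"
						]
					}
				}
				admin: {
					// CORS on the in-cluster admin API only affects browser
					// callers; kept as configured.
					cors: {
						allowed_origins: [
							"https://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
						]
					}
					// Hydra serves plain HTTP and treats a request as HTTPS only
					// when X-Forwarded-Proto: https arrives from one of these
					// ranges. The list previously also contained "0.0.0.0/0",
					// which trusts every source and made the allowlist a no-op:
					// any client could claim TLS termination. The remaining
					// entries are the k3s default pod and service CIDRs; the
					// ingress controller must fall inside them — adjust if this
					// cluster uses different ranges.
					tls: {
						allow_termination_from: [
							"10.42.0.0/16",
							"10.43.0.0/16",
						]
					}
				}
				// Same allowlist for the public listener (see admin.tls above).
				tls: {
					allow_termination_from: [
						"10.42.0.0/16",
						"10.43.0.0/16",
					]
				}
			}
			urls: {
				self: {
					public: "https://hydra.\(input.network.domain)"
					issuer: "https://hydra.\(input.network.domain)"
				}
				// Login, consent and logout providers live in the ui release.
				consent: "https://accounts-ui.\(input.network.domain)/consent"
				login:   "https://accounts-ui.\(input.network.domain)/login"
				logout:  "https://accounts-ui.\(input.network.domain)/logout"
			}
			// SECURITY: Ory's published placeholder. Hydra derives the keys
			// that sign its cookies and opaque tokens and encrypt stored JWKs
			// from this value; with a known secret, what Hydra issues or stores
			// is forgeable or decryptable. Inject a random value of at least 32
			// bytes from a Secret before deploying anywhere reachable. When
			// rotating later, keep the old value as a second list entry so
			// existing tokens stay valid.
			secrets: {
				system: ["youReallyNeedToChangeThis"]
			}
			oidc: {
				subject_identifiers: {
					supported_types: [
						"pairwise",
						"public",
					]
					// SECURITY: same placeholder. Pairwise "sub" values are
					// derived from this salt, so a known salt lets anyone
					// correlate a user's identifiers across clients, and changing
					// it later changes every pairwise subject. Set a random value
					// once, from a Secret, before any client is registered.
					pairwise: {
						salt: "youReallyNeedToChangeThis"
					}
				}
			}
			// trace is very verbose for a production deployment, though it does
			// not leak secrets with leak_sensitive_values off; consider "info".
			log: {
				level:                 "trace"
				leak_sensitive_values: false
			}
		}
	}
}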
ui: {
	certificateIssuer: input.network.certificateIssuer
	ingressClassName:  input.network.ingressClass
	domain:            input.network.domain
	// In-cluster Hydra admin API (no scheme given; presumably the UI assumes
	// http, matching the plain-http admin service). The UI needs it to accept
	// or reject login and consent challenges, which makes this pod a
	// privileged Hydra client: whoever controls it can approve consent for
	// any user.
	hydra: "hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
	// Hides the sign-up form only. The kratos registration flow in this file
	// is not disabled, so direct calls to the public registration endpoints
	// presumably still work — confirm that is intended.
	enableRegistration: false
	// NOTE(review): built from global.domain while every other URL in this
	// file uses input.network.domain — confirm the two are the same value.
	defaultReturnTo: "https://launcher.\(global.domain)"
	image: {
		// NOTE(review): images.ui.fullName is not defined in this file;
		// presumably computed by the enclosing definition.
		repository: images.ui.fullName
		tag:        images.ui.tag
		pullPolicy: images.ui.pullPolicy
	}
}
438 }
439 }
440 }
441}