// Deployment-time inputs. `subdomain` is declared here but no value in this
// file references input.subdomain — NOTE(review): confirm whether the caller
// still supplies it or it can be dropped.
input: {
	subdomain: string
}
// Application identity. The namespace string is also spelled out literally in
// the Postgres DSNs and the hydra-admin hostname under `helm` as
// "\(global.namespacePrefix)core-auth", so renaming it means touching those too.
name:      "core-auth"
namespace: "core-auth"
// Kratos identity schema. It is mounted as identity.schema.json through
// helm.auth.values.kratos.kratos.identitySchemas and selected by
// kratos.config.identity.schemas[0].url (file:///etc/config/identity.schema.json).
// The single trait, `username`, is also the password credential identifier.
// NOTE(review): "$id" still names Ory's email-password preset although the
// trait set here differs from it; and `username` has a minLength but no
// maxLength, so identifier length is bounded only by what Kratos enforces —
// confirm both are intended.
_userSchema: ###"""
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "User",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "type": "string",
          "format": "username",
          "title": "Username",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        }
      },
      "additionalProperties": false
    }
  }
}
"""###
// Container images for the auth stack. Only repository/name/tag/pullPolicy are
// set here; `registry`, `imageName` and `fullName` are read under `helm` but
// are presumably derived by the enclosing image schema — confirm.
images: {
	kratos: {
		repository: "oryd"
		name:       "kratos"
		tag:        "v1.1.0-distroless"
		pullPolicy: "IfNotPresent"
	}
	hydra: {
		repository: "oryd"
		name:       "hydra"
		tag:        "v2.2.0-distroless"
		pullPolicy: "IfNotPresent"
	}
	// NOTE(review): "latest" with pullPolicy "Always" means the running image
	// can change on any pod restart without a change to this file, and there is
	// no digest pin; the same applies to `ui` below. Pin to a release tag or a
	// digest so the deployed code is reproducible.
	"hydra-maester": {
		repository: "giolekva"
		name:       "ory-hydra-maester"
		tag:        "latest"
		pullPolicy: "Always"
	}
	ui: {
		repository: "giolekva"
		name:       "auth-ui"
		tag:        "latest"
		pullPolicy: "Always"
	}
	postgres: {
		repository: "library"
		name:       "postgres"
		tag:        "15.3"
		pullPolicy: "IfNotPresent"
	}
}
// Helm chart sources. Both charts are pulled from the `pcloud` GitRepository
// living in the namespace named by global.id; `global` is not defined in this
// file and presumably comes from the enclosing package.
charts: {
	auth: {
		chart: "charts/auth"
		sourceRef: {
			kind:      "GitRepository"
			name:      "pcloud"
			namespace: global.id
		}
	}
	postgres: {
		chart: "charts/postgresql"
		sourceRef: {
			kind:      "GitRepository"
			name:      "pcloud"
			namespace: global.id
		}
	}
}
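// Helm releases for the auth stack: an in-cluster Postgres and the `auth`
// chart (Kratos, Hydra, hydra-maester and the accounts UI).
// Hidden references (_ingressPrivate, _ingressPublic, _issuerPublic) and
// `global.*` are not defined in this file; presumably they come from the
// enclosing package.
//
// Change in this revision: kratos.config.log.leak_sensitive_values is now
// false. The deployment is marked development: false, yet it logged at debug
// level with sensitive-value leaking on, while the hydra config in the same
// file already had it off.
helm: {
	postgres: {
		chart: charts.postgres
		values: {
			fullnameOverride: "postgres"
			// registry/imageName are read here but not set in `images` above;
			// presumably derived fields of the enclosing image schema — confirm.
			image: {
				registry:   images.postgres.registry
				repository: images.postgres.imageName
				tag:        images.postgres.tag
				pullPolicy: images.postgres.pullPolicy
			}
			service: {
				type: "ClusterIP"
				port: 5432
			}
			primary: {
				initdb: {
					scripts: {
						// NOTE(review): the role passwords are literals that are
						// repeated in the Kratos and Hydra DSNs below, so they end up
						// in the rendered values and in both services' config files.
						// Source them from a Secret instead of this file.
						"init.sql": """
							CREATE USER kratos WITH PASSWORD 'kratos';
							CREATE USER hydra WITH PASSWORD 'hydra';
							CREATE DATABASE kratos WITH OWNER = kratos;
							CREATE DATABASE hydra WITH OWNER = hydra;
							"""
					}
				}
				persistence: {
					size: "1Gi"
				}
				// NOTE(review): the database runs as root (fsGroup/runAsUser 0,
				// also for volumePermissions); confirm the PVC ownership model
				// really requires this rather than a non-zero fsGroup.
				securityContext: {
					enabled: true
					fsGroup: 0
				}
				containerSecurityContext: {
					enabled:   true
					runAsUser: 0
				}
			}
			volumePermissions: {
				securityContext: {
					runAsUser: 0
				}
			}
		}
	}
	auth: {
		chart:     charts.auth
		dependsOn: [postgres]
		dependsOnExternal: [{
			name:      "ingress-nginx"
			namespace: "\(global.namespacePrefix)ingress-private"
		}]
		values: {
			kratos: {
				fullnameOverride: "kratos"
				image: {
					repository: images.kratos.fullName
					tag:        images.kratos.tag
					pullPolicy: images.kratos.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
					public: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
				}
				ingress: {
					// Admin API is only reachable through the private ingress
					// class on the private domain.
					admin: {
						enabled:   true
						className: _ingressPrivate
						hosts: [{
							host: "kratos.\(global.privateDomain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: [
								"kratos.\(global.privateDomain)"
							]
						}]
					}
					public: {
						enabled:   true
						className: _ingressPublic
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer":             _issuerPublic
						}
						hosts: [{
							host: "accounts.\(global.domain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts:      ["accounts.\(global.domain)"]
							secretName: "cert-accounts.\(global.domain)"
						}]
					}
				}
				secret: {
					enabled: true
				}
				kratos: {
					automigration: {
						enabled: true
					}
					development: false
					// The chart-level courier deployment is off; see the note on
					// config.courier.smtp below.
					courier: {
						enabled: false
					}
					config: {
						// NOTE(review): this config version predates the v1.1.0
						// image tag in images.kratos — confirm it is intentional.
						version: "v0.7.1-alpha.1"
						// Plaintext in-cluster connection (sslmode=disable) using the
						// literal password created in init.sql.
						dsn: "postgres://kratos:kratos@postgres.\(global.namespacePrefix)core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							public: {
								base_url: "https://accounts.\(global.domain)"
								cors: {
									enabled:           true
									debug:             false
									allow_credentials: true
									allowed_origins: [
										"https://\(global.domain)",
										"https://*.\(global.domain)",
									]
								}
							}
							admin: {
								base_url: "https://kratos.\(global.privateDomain)/"
							}
						}
						selfservice: {
							default_browser_return_url: "https://accounts-ui.\(global.domain)"
							methods: {
								password: {
									enabled: true
								}
							}
							flows: {
								error: {
									ui_url: "https://accounts-ui.\(global.domain)/error"
								}
								settings: {
									ui_url:                     "https://accounts-ui.\(global.domain)/settings"
									privileged_session_max_age: "15m"
								}
								// Recovery and verification are off, so no courier
								// traffic is expected from these flows.
								recovery: {
									enabled: false
								}
								verification: {
									enabled: false
								}
								logout: {
									after: {
										default_browser_return_url: "https://accounts-ui.\(global.domain)/login"
									}
								}
								login: {
									ui_url:   "https://accounts-ui.\(global.domain)/login"
									lifespan: "10m"
									after: {
										password: {
											default_browser_return_url: "https://accounts-ui.\(global.domain)/"
										}
									}
								}
								registration: {
									lifespan: "10m"
									ui_url:   "https://accounts-ui.\(global.domain)/register"
									after: {
										password: {
											// Issue a session right after password registration.
											hooks: [{
												hook: "session"
											}]
											default_browser_return_url: "https://accounts-ui.\(global.domain)/"
										}
									}
								}
							}
						}
						log: {
							level:  "debug"
							format: "text"
							// Was `true`: with development: false and debug-level
							// logging that would write values Kratos treats as sensitive
							// into the logs. The hydra config below already sets false.
							leak_sensitive_values: false
						}
						cookies: {
							path: "/"
							// NOTE(review): SameSite=None on a cookie scoped to
							// global.domain; sub-domains of one registrable domain are
							// same-site, so Lax may already cover the accounts-ui flows —
							// confirm which cross-site flow actually needs None.
							same_site: "None"
							domain:    global.domain
						}
						// NOTE(review): this is Ory's sample placeholder; the cookie
						// signing key must be supplied from a Secret, not committed here.
						secrets: {
							cookie: ["PLEASE-CHANGE-ME-I-AM-VERY-INSECURE"]
						}
						hashers: {
							argon2: {
								parallelism: 1
								memory:      "128MB"
								iterations:  2
								salt_length: 16
								key_length:  16
							}
						}
						identity: {
							schemas: [{
								id:  "user"
								url: "file:///etc/config/identity.schema.json"
							}]
							default_schema_id: "user"
						}
						// NOTE(review): SMTP credentials (user and URL-encoded
						// password) are embedded in the URI even though courier,
						// recovery and verification are all disabled above; drop the
						// URI or move it to a Secret.
						courier: {
							smtp: {
								connection_uri: "smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40\(global.domain):iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.\(global.domain)"
							}
						}
					}
					identitySchemas: {
						"identity.schema.json": _userSchema
					}
				}
			}
			hydra: {
				fullnameOverride: "hydra"
				image: {
					repository: images.hydra.fullName
					tag:        images.hydra.tag
					pullPolicy: images.hydra.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
					public: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
				}
				ingress: {
					admin: {
						enabled:   true
						className: _ingressPrivate
						hosts: [{
							host: "hydra.\(global.privateDomain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: ["hydra.\(global.privateDomain)"]
						}]
					}
					public: {
						enabled:   true
						className: _ingressPublic
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer":             _issuerPublic
						}
						hosts: [{
							host: "hydra.\(global.domain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts:      ["hydra.\(global.domain)"]
							secretName: "cert-hydra.\(global.domain)"
						}]
					}
				}
				secret: {
					enabled: true
				}
				maester: {
					enabled: true
				}
				"hydra-maester": {
					// Points maester at the hydra admin service declared above.
					adminService: {
						name: "hydra-admin"
						port: 80
					}
					image: {
						repository: images["hydra-maester"].fullName
						tag:        images["hydra-maester"].tag
						pullPolicy: images["hydra-maester"].pullPolicy
					}
				}
				hydra: {
					automigration: {
						enabled: true
					}
					config: {
						// NOTE(review): this config version predates the v2.2.0
						// image tag in images.hydra — confirm it is intentional.
						version: "v1.10.6"
						// Plaintext in-cluster connection (sslmode=disable) using the
						// literal password created in init.sql.
						dsn: "postgres://hydra:hydra@postgres.\(global.namespacePrefix)core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							cookies: {
								same_site_mode: "None"
							}
							public: {
								cors: {
									enabled:           true
									debug:             false
									allow_credentials: true
									allowed_origins: [
										"https://\(global.domain)",
										"https://*.\(global.domain)"
									]
								}
							}
							admin: {
								cors: {
									allowed_origins: [
										"https://hydra.\(global.privateDomain)"
									]
								}
								// NOTE(review): "0.0.0.0/0" lets any peer claim that TLS
								// was terminated upstream and makes the two cluster CIDRs
								// after it redundant; the same list is repeated for the
								// public listener below. Narrowing both to the ingress
								// range is preferable — confirm what the ingress needs.
								tls: {
									allow_termination_from: [
										"0.0.0.0/0",
										"10.42.0.0/16",
										"10.43.0.0/16",
									]
								}
							}
							tls: {
								allow_termination_from: [
									"0.0.0.0/0",
									"10.42.0.0/16",
									"10.43.0.0/16",
								]
							}
						}
						urls: {
							self: {
								public: "https://hydra.\(global.domain)"
								issuer: "https://hydra.\(global.domain)"
							}
							consent: "https://accounts-ui.\(global.domain)/consent"
							login:   "https://accounts-ui.\(global.domain)/login"
							logout:  "https://accounts-ui.\(global.domain)/logout"
						}
						// NOTE(review): the system secret and the pairwise salt below
						// are the same sample placeholder; each should be an
						// independent random value supplied from a Secret.
						secrets: {
							system: ["youReallyNeedToChangeThis"]
						}
						oidc: {
							subject_identifiers: {
								supported_types: [
									"pairwise",
									"public",
								]
								pairwise: {
									salt: "youReallyNeedToChangeThis"
								}
							}
						}
						log: {
							level:                 "trace"
							leak_sensitive_values: false
						}
					}
				}
			}
			ui: {
				certificateIssuer: _issuerPublic
				ingressClassName:  _ingressPublic
				domain:            global.domain
				internalDomain:    global.privateDomain
				// In-cluster address of the hydra admin service.
				hydra:              "hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
				enableRegistration: false
				image: {
					repository: images.ui.fullName
					tag:        images.ui.tag
					pullPolicy: images.ui.pullPolicy
				}
			}
		}
	}
}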