// Caller-supplied parameters for this app definition.
// NOTE(review): `subdomain` is declared here but not referenced anywhere in this
// file as shown; the hostnames below are built from global.domain and
// global.privateDomain instead — confirm whether it is still needed.
input: {
    subdomain: string
}
4
// App identity. The literal "core-auth" is also spelled out inside the Kratos
// and Hydra DSNs and the UI's Hydra admin address further down (not derived
// from this field), so renaming requires updating those strings too.
name: "core-auth"
namespace: "core-auth"
7
// Ory Kratos identity schema (JSON Schema draft-07), mounted by the auth chart as
// identity.schema.json (see helm.auth.values.kratos.kratos.identitySchemas) and
// referenced by Kratos through a file:// URL.
// The only trait is `username` (min length 3), marked as the identifier for the
// password credential; "additionalProperties": false rejects any other trait.
// The "$id" is the upstream quickstart preset URL kept as an identifier only —
// Kratos does not fetch it at runtime as configured here.
_userSchema: ###"""
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "User",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "type": "string",
          "format": "username",
          "title": "Username",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        }
      },
      "additionalProperties": false
    }
  }
}
"""###
37
// Container images consumed by the Helm values below.
// NOTE(review): the values reference derived fields (images.*.fullName,
// images.*.registry, images.*.imageName) that are not defined in this file —
// presumably filled in by a shared image schema elsewhere; verify.
images: {
    // Pinned release tags; distroless variants minimise the runtime attack surface.
    kratos: {
        repository: "oryd"
        name: "kratos"
        tag: "v1.1.0-distroless"
        pullPolicy: "IfNotPresent"
    }
    hydra: {
        repository: "oryd"
        name: "hydra"
        tag: "v2.2.0-distroless"
        pullPolicy: "IfNotPresent"
    }
    // NOTE(review): "latest" with pullPolicy "Always" is a mutable reference —
    // every pod restart may pull different code, which defeats reproducible
    // deployments and supply-chain review. Prefer a release tag or digest.
    ui: {
        repository: "giolekva"
        name: "auth-ui"
        tag: "latest"
        pullPolicy: "Always"
    }
    postgres: {
        repository: "library"
        name: "postgres"
        tag: "15.3"
        pullPolicy: "IfNotPresent"
    }
}
64
// Helm chart sources. Both charts are pulled from the same in-cluster Flux
// GitRepository ("pcloud") in the namespace named by global.id.
charts: {
    auth: {
        chart: "charts/auth"
        sourceRef: {
            kind: "GitRepository"
            name: "pcloud"
            namespace: global.id
        }
    }
    postgres: {
        chart: "charts/postgresql"
        sourceRef: {
            kind: "GitRepository"
            name: "pcloud"
            namespace: global.id
        }
    }
}
83
// Helm releases for core-auth: one PostgreSQL instance shared by Kratos and
// Hydra, and the `auth` chart that deploys Kratos, Hydra and the accounts UI.
// `_ingressPrivate`, `_ingressPublic`, `_issuerPublic` and `global.*` are not
// defined in this file; they are expected to come from the enclosing package.
helm: {
    postgres: {
        chart: charts.postgres
        values: {
            fullnameOverride: "postgres"
            image: {
                registry: images.postgres.registry
                repository: images.postgres.imageName
                tag: images.postgres.tag
                pullPolicy: images.postgres.pullPolicy
            }
            // Cluster-internal only; reachable as postgres.<prefix>core-auth.svc:5432.
            service: {
                type: "ClusterIP"
                port: 5432
            }
            primary: {
                initdb: {
                    scripts: {
                        // Bootstraps one role and one database per consumer.
                        // NOTE(review): the role passwords are literals that are
                        // repeated verbatim in the kratos and hydra `dsn` fields
                        // below, and both DSNs use sslmode=disable, so these
                        // credentials travel in clear text inside the cluster and
                        // rely entirely on the network boundary. They should be
                        // generated and injected as a Secret rather than committed.
                        "init.sql": """
                            CREATE USER kratos WITH PASSWORD 'kratos';
                            CREATE USER hydra WITH PASSWORD 'hydra';
                            CREATE DATABASE kratos WITH OWNER = kratos;
                            CREATE DATABASE hydra WITH OWNER = hydra;
                            """
                    }
                }
                persistence: {
                    size: "1Gi"
                }
                // NOTE(review): fsGroup 0 / runAsUser 0 run the database and the
                // volume-permissions helper as root. If this is a workaround for
                // volume ownership, restricting it to volumePermissions and running
                // the main container as a non-root UID would be the smaller blast radius.
                securityContext: {
                    enabled: true
                    fsGroup: 0
                }
                containerSecurityContext: {
                    enabled: true
                    runAsUser: 0
                }
            }
            volumePermissions: {
                securityContext: {
                    runAsUser: 0
                }
            }
        }
    }
    auth: {
        chart: charts.auth
        // Released only after the postgres release above and the private
        // ingress-nginx release are ready.
        dependsOn: [postgres]
        dependsOnExternal: [{
            name: "ingress-nginx"
            namespace: "\(global.namespacePrefix)ingress-private"
        }]
        values: {
            kratos: {
                fullnameOverride: "kratos"
                image: {
                    repository: images.kratos.fullName
                    tag: images.kratos.tag
                    pullPolicy: images.kratos.pullPolicy
                }
                service: {
                    admin: {
                        enabled: true
                        type: "ClusterIP"
                        port: 80
                        name: "http"
                    }
                    public: {
                        enabled: true
                        type: "ClusterIP"
                        port: 80
                        name: "http"
                    }
                }
                // Admin API is exposed only on the private ingress class / private
                // domain; the public API is published on accounts.<domain> with a
                // cert-manager issued certificate.
                ingress: {
                    admin: {
                        enabled: true
                        className: _ingressPrivate
                        hosts: [{
                            host: "kratos.\(global.privateDomain)"
                            paths: [{
                                path: "/"
                                pathType: "Prefix"
                            }]
                        }]
                        // No secretName here: the private-ingress TLS secret is
                        // presumably provided by the ingress controller default — verify.
                        tls: [{
                            hosts: [
                                "kratos.\(global.privateDomain)"
                            ]
                        }]
                    }
                    public: {
                        enabled: true
                        className: _ingressPublic
                        annotations: {
                            "acme.cert-manager.io/http01-edit-in-place": "true"
                            "cert-manager.io/cluster-issuer": _issuerPublic
                        }
                        hosts: [{
                            host: "accounts.\(global.domain)"
                            paths: [{
                                path: "/"
                                pathType: "Prefix"
                            }]
                        }]
                        tls: [{
                            hosts: ["accounts.\(global.domain)"]
                            secretName: "cert-accounts.\(global.domain)"
                        }]
                    }
                }
                secret: {
                    enabled: true
                }
                kratos: {
                    automigration: {
                        enabled: true
                    }
                    development: false
                    // Courier (outbound mail) is disabled at chart level, which is
                    // consistent with recovery and verification flows being off below.
                    courier: {
                        enabled: false
                    }
                    config: {
                        // NOTE(review): this is the Kratos *config schema* version
                        // and is far behind images.kratos.tag (v1.1.0) — confirm the
                        // running Kratos still accepts it.
                        version: "v0.7.1-alpha.1"
                        // NOTE(review): literal credentials and sslmode=disable;
                        // see the init.sql note on the postgres release.
                        dsn: "postgres://kratos:kratos@postgres.\(global.namespacePrefix)core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4"
                        serve: {
                            public: {
                                base_url: "https://accounts.\(global.domain)"
                                // Credentials-bearing CORS for the apex domain and any
                                // direct subdomain; the wildcard makes every subdomain a
                                // trusted origin, so anything hosted under the domain can
                                // drive authenticated Kratos requests.
                                cors: {
                                    enabled: true
                                    debug: false
                                    allow_credentials: true
                                    allowed_origins: [
                                        "https://\(global.domain)",
                                        "https://*.\(global.domain)",
                                    ]
                                }
                            }
                            admin: {
                                base_url: "https://kratos.\(global.privateDomain)/"
                            }
                        }
                        // All browser-facing UI pages live on accounts-ui.<domain>.
                        selfservice: {
                            default_browser_return_url: "https://accounts-ui.\(global.domain)"
                            methods: {
                                password: {
                                    enabled: true
                                }
                            }
                            flows: {
                                error: {
                                    ui_url: "https://accounts-ui.\(global.domain)/error"
                                }
                                settings: {
                                    ui_url: "https://accounts-ui.\(global.domain)/settings"
                                    // Re-authentication is required for privileged
                                    // settings changes after 15 minutes.
                                    privileged_session_max_age: "15m"
                                }
                                recovery: {
                                    enabled: false
                                }
                                verification: {
                                    enabled: false
                                }
                                logout: {
                                    after: {
                                        default_browser_return_url: "https://accounts-ui.\(global.domain)/login"
                                    }
                                }
                                login: {
                                    ui_url: "https://accounts-ui.\(global.domain)/login"
                                    lifespan: "10m"
                                    after: {
                                        password: {
                                            default_browser_return_url: "https://accounts-ui.\(global.domain)/"
                                        }
                                    }
                                }
                                // Registration is configured here even though the UI
                                // below sets enableRegistration: false; the Kratos API
                                // flow itself stays reachable.
                                registration: {
                                    lifespan: "10m"
                                    ui_url: "https://accounts-ui.\(global.domain)/register"
                                    after: {
                                        password: {
                                            // Issue a session immediately after a
                                            // successful password registration.
                                            hooks: [{
                                                hook: "session"
                                            }]
                                            default_browser_return_url: "https://accounts-ui.\(global.domain)/"
                                        }
                                    }
                                }
                            }
                        }
                        // NOTE(review): debug logging together with
                        // leak_sensitive_values: true lets credential and cookie
                        // material reach the log pipeline. This is a development
                        // setting; for a public-facing deployment set it to false
                        // (Hydra below already has it off).
                        log: {
                            level: "debug"
                            format: "text"
                            leak_sensitive_values: true
                        }
                        // Session cookie is scoped to the whole domain and sent
                        // cross-site (SameSite=None), which is what allows the
                        // *.<domain> CORS origins above to use it; it therefore also
                        // depends on the Secure attribute being set by Kratos.
                        cookies: {
                            path: "/"
                            same_site: "None"
                            domain: global.domain
                        }
                        // NOTE(review): the Ory quickstart placeholder cookie secret,
                        // committed in plain text. Anyone with this value can forge
                        // session cookies; it must be generated per deployment and
                        // injected via a Secret, not kept here.
                        secrets: {
                            cookie: ["PLEASE-CHANGE-ME-I-AM-VERY-INSECURE"]
                        }
                        // Password hashing parameters. NOTE(review): a 16-byte key
                        // and 2 iterations at 128MB are on the low side of current
                        // Argon2 guidance — worth revisiting against the Ory defaults.
                        hashers: {
                            argon2: {
                                parallelism: 1
                                memory: "128MB"
                                iterations: 2
                                salt_length: 16
                                key_length: 16
                            }
                        }
                        // Loads _userSchema from the mounted config file.
                        identity: {
                            schemas: [{
                                id: "user"
                                url: "file:///etc/config/identity.schema.json"
                            }]
                            default_schema_id: "user"
                        }
                        // NOTE(review): the SMTP URI embeds a URL-encoded mailbox
                        // password in clear text in this file, even though the
                        // courier is disabled at chart level. Treat the credential as
                        // exposed and move it to a Secret (or drop the block while
                        // courier is off).
                        courier: {
                            smtp: {
                                connection_uri: "smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40\(global.domain):iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.\(global.domain)"
                            }
                        }
                    }
                    identitySchemas: {
                        "identity.schema.json": _userSchema
                    }
                }
            }
            hydra: {
                fullnameOverride: "hydra"
                image: {
                    repository: images.hydra.fullName
                    tag: images.hydra.tag
                    pullPolicy: images.hydra.pullPolicy
                }
                service: {
                    admin: {
                        enabled: true
                        type: "ClusterIP"
                        port: 80
                        name: "http"
                    }
                    public: {
                        enabled: true
                        type: "ClusterIP"
                        port: 80
                        name: "http"
                    }
                }
                // Same split as Kratos: admin on the private domain, public OAuth2 /
                // OIDC endpoints on hydra.<domain>.
                ingress: {
                    admin: {
                        enabled: true
                        className: _ingressPrivate
                        hosts: [{
                            host: "hydra.\(global.privateDomain)"
                            paths: [{
                                path: "/"
                                pathType: "Prefix"
                            }]
                        }]
                        tls: [{
                            hosts: ["hydra.\(global.privateDomain)"]
                        }]
                    }
                    public: {
                        enabled: true
                        className: _ingressPublic
                        annotations: {
                            "acme.cert-manager.io/http01-edit-in-place": "true"
                            "cert-manager.io/cluster-issuer": _issuerPublic
                        }
                        hosts: [{
                            host: "hydra.\(global.domain)"
                            paths: [{
                                path: "/"
                                pathType: "Prefix"
                            }]
                        }]
                        tls: [{
                            hosts: ["hydra.\(global.domain)"]
                            secretName: "cert-hydra.\(global.domain)"
                        }]
                    }
                }
                secret: {
                    enabled: true
                }
                // Hydra Maester (CRD-based OAuth2 client management) is not deployed.
                maester: {
                    enabled: false
                }
                hydra: {
                    automigration: {
                        enabled: true
                    }
                    config: {
                        // NOTE(review): config schema version v1.10.6 versus
                        // images.hydra.tag v2.2.0 — confirm this is intentional.
                        version: "v1.10.6"
                        // NOTE(review): literal credentials and sslmode=disable;
                        // see the init.sql note on the postgres release.
                        dsn: "postgres://hydra:hydra@postgres.\(global.namespacePrefix)core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4"
                        serve: {
                            cookies: {
                                same_site_mode: "None"
                            }
                            public: {
                                cors: {
                                    enabled: true
                                    debug: false
                                    allow_credentials: true
                                    allowed_origins: [
                                        "https://\(global.domain)",
                                        "https://*.\(global.domain)"
                                    ]
                                }
                            }
                            admin: {
                                cors: {
                                    allowed_origins: [
                                        "https://hydra.\(global.privateDomain)"
                                    ]
                                }
                                // NOTE(review): TLS is terminated at the ingress, so
                                // Hydra must trust forwarded-proto headers from the
                                // proxy. "0.0.0.0/0" already matches every source and
                                // makes the two 10.x ranges redundant; it also means
                                // any peer that can reach the pod can present itself
                                // as the TLS terminator. Restricting this to the
                                // ingress/pod CIDRs is the tighter setting. Same list
                                // repeated for the public listener below.
                                tls: {
                                    allow_termination_from: [
                                        "0.0.0.0/0",
                                        "10.42.0.0/16",
                                        "10.43.0.0/16",
                                    ]
                                }
                            }
                            tls: {
                                allow_termination_from: [
                                    "0.0.0.0/0",
                                    "10.42.0.0/16",
                                    "10.43.0.0/16",
                                ]
                            }
                        }
                        // Issuer is the public hostname; login/consent/logout are
                        // delegated to the accounts UI.
                        urls: {
                            self: {
                                public: "https://hydra.\(global.domain)"
                                issuer: "https://hydra.\(global.domain)"
                            }
                            consent: "https://accounts-ui.\(global.domain)/consent"
                            login: "https://accounts-ui.\(global.domain)/login"
                            logout: "https://accounts-ui.\(global.domain)/logout"
                        }
                        // NOTE(review): upstream placeholder system secret, committed
                        // in plain text and reused as the pairwise salt below. It
                        // protects stored tokens/keys and must be generated per
                        // deployment and injected via a Secret.
                        secrets: {
                            system: ["youReallyNeedToChangeThis"]
                        }
                        oidc: {
                            subject_identifiers: {
                                supported_types: [
                                    "pairwise",
                                    "public",
                                ]
                                // NOTE(review): same placeholder as secrets.system; the
                                // pairwise salt determines per-client subject IDs and
                                // cannot be rotated without changing every pairwise
                                // subject, so pick a real value before first use.
                                pairwise: {
                                    salt: "youReallyNeedToChangeThis"
                                }
                            }
                        }
                        // Verbose logging but sensitive values are redacted here,
                        // unlike the Kratos log block above.
                        log: {
                            level: "trace"
                            leak_sensitive_values: false
                        }
                    }
                }
            }
            // Accounts UI: talks to Hydra's admin service over the cluster-local
            // address; sign-up is hidden in the UI (see the Kratos registration note).
            ui: {
                certificateIssuer: _issuerPublic
                ingressClassName: _ingressPublic
                domain: global.domain
                internalDomain: global.privateDomain
                hydra: "hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
                enableRegistration: false
                image: {
                    repository: images.ui.fullName
                    tag: images.ui.tag
                    pullPolicy: images.ui.pullPolicy
                }
            }
        }
    }
}