// Application manifest (CUE) for the "core-auth" stack: an Ory Kratos identity
// server, an Ory Hydra OAuth2/OIDC server, a login/consent UI and a PostgreSQL
// instance, installed as two Helm releases (`helm.postgres`, then `helm.auth`).
// `global.*`, `release.*` and the `#Network` definition are not declared in this
// file; presumably they are unified in by the surrounding framework — confirm.
input: {
	network: #Network
	// NOTE(review): declared but not referenced anywhere in this file; every
	// hostname below is hard-coded as accounts./accounts-ui./hydra. on
	// input.network.domain.
	subdomain: string
}

name: "core-auth"
namespace: "core-auth"

// Ory Kratos identity schema, embedded as a raw multi-line string (the `#`
// delimiters disable `\(...)` interpolation, so the JSON is taken verbatim).
// A single trait, `username`, is both the display name and the password
// identifier; `additionalProperties: false` rejects any other trait.
_userSchema: ###"""
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "User",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "type": "string",
          "format": "username",
          "title": "Username",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        }
      },
      "additionalProperties": false
    }
  }
}
"""###

// Container images. Only repository/name/tag/pullPolicy are set here; the
// `registry`, `imageName` and `fullName` fields read further down are not
// declared in this file — presumably derived by a shared image definition
// elsewhere; confirm.
images: {
	kratos: {
		repository: "oryd"
		name: "kratos"
		tag: "v1.1.0-distroless"
		pullPolicy: "IfNotPresent"
	}
	hydra: {
		repository: "oryd"
		name: "hydra"
		tag: "v2.2.0-distroless"
		pullPolicy: "IfNotPresent"
	}
	ui: {
		repository: "giolekva"
		name: "auth-ui"
		// NOTE(review): a floating tag with pullPolicy Always means the deployed
		// UI is whatever was last pushed, not a reviewable pinned revision.
		tag: "latest"
		pullPolicy: "Always"
	}
	postgres: {
		repository: "library"
		name: "postgres"
		tag: "15.3"
		pullPolicy: "IfNotPresent"
	}
}

// Helm chart sources, both taken from the `main` branch of one git repository
// (no pinned revision or digest in this file).
charts: {
	auth: {
		kind: "GitRepository"
		address: "https://code.v1.dodo.cloud/helm-charts"
		branch: "main"
		path: "charts/auth"
	}
	postgres: {
		kind: "GitRepository"
		address: "https://code.v1.dodo.cloud/helm-charts"
		branch: "main"
		path: "charts/postgresql"
	}
}

helm: {
	// PostgreSQL release shared by Kratos and Hydra (one database and one role
	// per service, created by init.sql on first start).
	postgres: {
		chart: charts.postgres
		values: {
			fullnameOverride: "postgres"
			image: {
				registry: images.postgres.registry
				repository: images.postgres.imageName
				tag: images.postgres.tag
				pullPolicy: images.postgres.pullPolicy
			}
			service: {
				type: "ClusterIP"
				port: 5432
			}
			primary: {
				initdb: {
					scripts: {
						// NOTE(review): role passwords are literal and equal to the
						// role names; the same values are repeated in the two DSNs
						// below. They are static, committed credentials rather than
						// generated or referenced from a Secret — confirm whether the
						// framework rewrites them at deploy time.
						"init.sql": """
							CREATE USER kratos WITH PASSWORD 'kratos';
							CREATE USER hydra WITH PASSWORD 'hydra';
							CREATE DATABASE kratos WITH OWNER = kratos;
							CREATE DATABASE hydra WITH OWNER = hydra;
							"""
					}
				}
				persistence: {
					size: "1Gi"
				}
				// NOTE(review): the database container and the volume-permissions
				// init container both run as uid 0 with fsGroup 0, presumably to
				// own the data volume; confirm this is still needed with the
				// storage class in use, since it forfeits non-root isolation.
				securityContext: {
					enabled: true
					fsGroup: 0
				}
				containerSecurityContext: {
					enabled: true
					runAsUser: 0
				}
			}
			volumePermissions: {
				securityContext: {
					runAsUser: 0
				}
			}
		}
	}
	// Kratos + Hydra + UI release; installed only after the postgres release.
	auth: {
		chart: charts.auth
		dependsOn: [{
			name: "postgres"
			namespace: release.namespace
		}]
		values: {
			kratos: {
				fullnameOverride: "kratos"
				image: {
					repository: images.kratos.fullName
					tag: images.kratos.tag
					pullPolicy: images.kratos.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type: "ClusterIP"
						port: 80
						name: "http"
					}
					public: {
						enabled: true
						type: "ClusterIP"
						port: 80
						name: "http"
					}
				}
				ingress: {
					// Admin API stays cluster-internal (see serve.admin.base_url);
					// only the public API is exposed, under accounts.<domain>.
					admin: enabled: false
					public: {
						enabled: true
						className: input.network.ingressClass
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer": input.network.certificateIssuer
						}
						hosts: [{
							host: "accounts.\(input.network.domain)"
							paths: [{
								path: "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: ["accounts.\(input.network.domain)"]
							secretName: "cert-accounts.\(input.network.domain)"
						}]
					}
				}
				// Chart-managed Secret; presumably it is what carries the dsn and
				// secrets.cookie values below into the pod — confirm against the chart.
				secret: {
					enabled: true
				}
				kratos: {
					automigration: {
						enabled: true
					}
					development: false
					courier: {
						enabled: false
					}
					config: {
						// NOTE(review): this is the Kratos config-schema version, not the
						// image tag; it is far behind the v1.1.0 image deployed above —
						// confirm it is still what the config loader expects.
						version: "v0.7.1-alpha.1"
						// Cluster-internal connection; `sslmode=disable` means DB traffic
						// is plaintext on the pod network. Credentials match init.sql.
						dsn: "postgres://kratos:kratos@postgres.\(global.namespacePrefix)core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							public: {
								base_url: "https://accounts.\(input.network.domain)"
								// NOTE(review): credentialed CORS for every subdomain of the
								// domain; any host under it can call the public API with the
								// session cookie. This is as broad as the set of subdomains.
								cors: {
									enabled: true
									debug: false
									allow_credentials: true
									allowed_origins: [
										"https://\(input.network.domain)",
										"https://*.\(input.network.domain)",
									]
								}
							}
							admin: {
								base_url: "https://kratos-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
							}
						}
						selfservice: {
							default_browser_return_url: "https://accounts-ui.\(input.network.domain)"
							// Post-flow redirect allow-list. NOTE(review): the first entry
							// carries a trailing "/" and the second does not — confirm both
							// match the intended URLs the same way.
							allowed_return_urls: [
								"https://*.\(input.network.domain)/",
								// TODO(gio): replace with input.network.privateSubdomain
								"https://*.\(global.privateDomain)",
							]
							// Password is the only enabled login method; recovery and
							// verification flows are off (no courier is configured).
							methods: {
								password: {
									enabled: true
								}
							}
							flows: {
								error: {
									ui_url: "https://accounts-ui.\(input.network.domain)/error"
								}
								settings: {
									ui_url: "https://accounts-ui.\(input.network.domain)/settings"
									privileged_session_max_age: "15m"
								}
								recovery: {
									enabled: false
								}
								verification: {
									enabled: false
								}
								logout: {
									after: {
										default_browser_return_url: "https://accounts-ui.\(input.network.domain)/login"
									}
								}
								login: {
									ui_url: "https://accounts-ui.\(input.network.domain)/login"
									lifespan: "10m"
									after: {
										password: {
											default_browser_return_url: "https://accounts-ui.\(input.network.domain)/"
										}
									}
								}
								// Registration issues a session immediately after sign-up
								// (the "session" hook); the UI itself has enableRegistration
								// false below, so confirm the API path is meant to stay open.
								registration: {
									lifespan: "10m"
									ui_url: "https://accounts-ui.\(input.network.domain)/register"
									after: {
										password: {
											hooks: [{
												hook: "session"
											}]
											default_browser_return_url: "https://accounts-ui.\(input.network.domain)/"
										}
									}
								}
							}
						}
						// NOTE(review): debug logging with leak_sensitive_values true
						// writes values Kratos otherwise redacts into the pod logs; with
						// development false this looks like a leftover — set it to false
						// outside a throwaway environment.
						log: {
							level: "debug"
							format: "text"
							leak_sensitive_values: true
						}
						// Session cookie scoped to the whole domain so the UI subdomain
						// can read it; SameSite=None relies on the HTTPS base_url above.
						cookies: {
							path: "/"
							same_site: "None"
							domain: input.network.domain
						}
						// NOTE(review): the Ory quickstart placeholder, committed verbatim.
						// This key signs/encrypts session cookies; anyone holding it can
						// forge them. It must come from a generated per-deployment Secret.
						secrets: {
							cookie: ["PLEASE-CHANGE-ME-I-AM-VERY-INSECURE"]
						}
						hashers: {
							argon2: {
								parallelism: 1
								memory: "128MB"
								iterations: 2
								salt_length: 16
								key_length: 16
							}
						}
						identity: {
							schemas: [{
								id: "user"
								// Served from the ConfigMap populated by identitySchemas below.
								url: "file:///etc/config/identity.schema.json"
							}]
							default_schema_id: "user"
						}
						// NOTE(review): the courier is disabled above, yet this URI embeds a
						// literal username and password (URL-encoded). It looks like a
						// throwaway test credential; confirm it was never live, rotate it if
						// it was, and move any real value into a Secret reference.
						courier: {
							smtp: {
								connection_uri: "smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40\(input.network.domain):iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.\(input.network.domain)"
							}
						}
					}
					identitySchemas: {
						"identity.schema.json": _userSchema
					}
				}
			}
			hydra: {
				fullnameOverride: "hydra"
				image: {
					repository: images.hydra.fullName
					tag: images.hydra.tag
					pullPolicy: images.hydra.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type: "ClusterIP"
						port: 80
						name: "http"
					}
					public: {
						enabled: true
						type: "ClusterIP"
						port: 80
						name: "http"
					}
				}
				ingress: {
					// Admin API is not exposed through the ingress; only hydra.<domain>.
					admin: enabled: false
					public: {
						enabled: true
						className: input.network.ingressClass
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer": input.network.certificateIssuer
						}
						hosts: [{
							host: "hydra.\(input.network.domain)"
							paths: [{
								path: "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: ["hydra.\(input.network.domain)"]
							secretName: "cert-hydra.\(input.network.domain)"
						}]
					}
				}
				secret: {
					enabled: true
				}
				// Hydra Maester (OAuth2Client CRD controller) is not deployed.
				maester: {
					enabled: false
				}
				hydra: {
					automigration: {
						enabled: true
					}
					config: {
						// NOTE(review): config-schema version, not the image tag; the image
						// above is v2.2.0 — confirm a v1.x config version is still accepted.
						version: "v1.10.6"
						// Plaintext, cluster-internal connection; credentials match init.sql.
						dsn: "postgres://hydra:hydra@postgres.\(global.namespacePrefix)core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							cookies: {
								same_site_mode: "None"
							}
							public: {
								// Same credentialed wildcard-subdomain CORS policy as Kratos.
								cors: {
									enabled: true
									debug: false
									allow_credentials: true
									allowed_origins: [
										"https://\(input.network.domain)",
										"https://*.\(input.network.domain)"
									]
								}
							}
							admin: {
								cors: {
									allowed_origins: [
										"https://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
									]
								}
								// NOTE(review): "0.0.0.0/0" already covers every source, so the
								// two /16 entries add nothing; as written, any client may assert
								// that TLS was terminated upstream (X-Forwarded-Proto) and be
								// served over plain HTTP. Listing only the ingress/pod CIDRs would
								// make the intent explicit. Same list is repeated for the public
								// listener below.
								tls: {
									allow_termination_from: [
										"0.0.0.0/0",
										"10.42.0.0/16",
										"10.43.0.0/16",
									]
								}
							}
							tls: {
								allow_termination_from: [
									"0.0.0.0/0",
									"10.42.0.0/16",
									"10.43.0.0/16",
								]
							}
						}
						// Issuer and login/consent/logout endpoints; the latter three are
						// served by the accounts-ui deployment.
						urls: {
							self: {
								public: "https://hydra.\(input.network.domain)"
								issuer: "https://hydra.\(input.network.domain)"
							}
							consent: "https://accounts-ui.\(input.network.domain)/consent"
							login: "https://accounts-ui.\(input.network.domain)/login"
							logout: "https://accounts-ui.\(input.network.domain)/logout"
						}
						// NOTE(review): Hydra's documented placeholder, committed verbatim.
						// The system secret protects stored tokens and client secrets; it
						// must be a generated per-deployment value from a Secret.
						secrets: {
							system: ["youReallyNeedToChangeThis"]
						}
						oidc: {
							subject_identifiers: {
								supported_types: [
									"pairwise",
									"public",
								]
								// NOTE(review): the pairwise salt is what keeps a user's subject
								// identifiers unlinkable across clients; a published placeholder
								// (and one identical to secrets.system) defeats that. Use a
								// distinct generated value.
								pairwise: {
									salt: "youReallyNeedToChangeThis"
								}
							}
						}
						// Trace-level logging but with sensitive-value redaction kept on —
						// note this differs from the Kratos log block above.
						log: {
							level: "trace"
							leak_sensitive_values: false
						}
					}
				}
			}
			// Login/consent UI; talks to Hydra over its cluster-internal admin host
			// and has self-service sign-up switched off.
			ui: {
				certificateIssuer: input.network.certificateIssuer
				ingressClassName: input.network.ingressClass
				domain: input.network.domain
				hydra: "hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
				enableRegistration: false
				image: {
					repository: images.ui.fullName
					tag: images.ui.tag
					pullPolicy: images.ui.pullPolicy
				}
			}
		}
	}
}