core/installer/values-tmpl/core-auth.yaml

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: core-auth
  namespace: {{ .Release.Namespace }}
spec:
  dependsOn:
  - name: core-auth-storage
    namespace: {{ .Release.Namespace }}
  - name: ingress-private # TODO(giolekva): is this needed?
    namespace: {{ .Global.Id }}-ingress-private
  chart:
    spec:
      chart: charts/auth
      sourceRef:
        kind: GitRepository
        name: pcloud
        namespace: {{ .Global.Id }}
  interval: 1m0s
  values:
    kratos:
      fullnameOverride: kratos
      image:
        repository: oryd/kratos
        tag: v0.13.0
        pullPolicy: IfNotPresent
      service:
        admin:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
        public:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
      ingress:
        admin:
          enabled: true
          className: {{ .Global.Id }}-ingress-private
          hosts:
          - host: kratos.p.{{ .Global.Domain }}
            paths:
            - path: /
              pathType: Prefix
          tls:
          - hosts:
            - kratos.p.{{ .Global.Domain }}
        public:
          enabled: true
          className: {{ .Global.PCloudEnvName }}-ingress-public
          annotations:
            acme.cert-manager.io/http01-edit-in-place: "true"
            cert-manager.io/cluster-issuer: {{ .Global.Id }}-public
          hosts:
          - host: accounts.{{ .Global.Domain }}
            paths:
            - path: /
              pathType: Prefix
          tls:
          - hosts:
            - accounts.{{ .Global.Domain }}
            secretName: cert-accounts.{{ .Global.Domain }}
      secret:
        enabled: true
      kratos:
        automigration:
          enabled: true
        development: false
        courier:
          enabled: false
        config:
          version: v0.7.1-alpha.1
          dsn: postgres://kratos:kratos@postgres.{{ .Global.Id }}-core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
          serve:
            public:
              base_url: https://accounts.{{ .Global.Domain }}
              cors:
                enabled: true
                debug: false
                allow_credentials: true
                allowed_origins:
                - https://{{ .Global.Domain }}
                - https://*.{{ .Global.Domain }}
            admin:
              base_url: https://kratos.p.{{ .Global.Domain }}/
          selfservice:
            default_browser_return_url: https://accounts-ui.{{ .Global.Domain }}
            # whitelisted_return_urls:
            #   - https://accounts-ui.{{ .Global.Domain }}
            methods:
              password:
                enabled: true
            flows:
              error:
                ui_url: https://accounts-ui.{{ .Global.Domain }}/error
              settings:
                ui_url: https://accounts-ui.{{ .Global.Domain }}/settings
                privileged_session_max_age: 15m
              recovery:
                enabled: false
              verification:
                enabled: false
              logout:
                after:
                  default_browser_return_url: https://accounts-ui.{{ .Global.Domain }}/login
              login:
                ui_url: https://accounts-ui.{{ .Global.Domain }}/login
                lifespan: 10m
                after:
                  password:
                    default_browser_return_url: https://accounts-ui.{{ .Global.Domain }}/
              registration:
                lifespan: 10m
                ui_url: https://accounts-ui.{{ .Global.Domain }}/register
                after:
                  password:
                    hooks:
                      -
                        hook: session
                    default_browser_return_url: https://accounts-ui.{{ .Global.Domain }}/
          log:
            level: debug
            format: text
            leak_sensitive_values: true
          cookies:
            path: /
            same_site: None
            domain: {{ .Global.Domain }}
          secrets:
            cookie:
              - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
            # cipher:
            #   - 32-LONG-SECRET-NOT-SECURE-AT-ALL
          # ciphers:
          #   algorithm: xchacha20-poly1305
          hashers:
            argon2:
              parallelism: 1
              memory: 128MB
              iterations: 2
              salt_length: 16
              key_length: 16
          identity:
            schemas:
            - id: user
              url: file:///etc/config/identity.schema.json
            default_schema_id: user
          courier:
            smtp:
              connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Global.Domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Global.Domain }}
        identitySchemas:
          "identity.schema.json": |
            {
              "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
              "$schema": "http://json-schema.org/draft-07/schema#",
              "title": "User",
              "type": "object",
              "properties": {
                "traits": {
                  "type": "object",
                  "properties": {
                    "username": {
                      "type": "string",
                      "format": "username",
                      "title": "Username",
                      "minLength": 3,
                      "ory.sh/kratos": {
                        "credentials": {
                          "password": {
                            "identifier": true
                          }
                        }
                      }
                    }
                  },
                  "additionalProperties": false
                }
              }
            }
    hydra:
      fullnameOverride: hydra
      image:
        repository: oryd/hydra
        tag: v2.1.2
        pullPolicy: IfNotPresent
        # repository: giolekva/ory-hydra
        # tag: latest
        # pullPolicy: Always
      service:
        admin:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
        public:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
      ingress:
        admin:
          enabled: true
          className: {{ .Global.Id }}-ingress-private
          hosts:
          - host: hydra.p.{{ .Global.Domain }}
            paths:
            - path: /
              pathType: Prefix
          tls:
          - hosts:
            - hydra.p.{{ .Global.Domain }}
        public:
          enabled: true
          className: {{ .Global.PCloudEnvName }}-ingress-public
          annotations:
            acme.cert-manager.io/http01-edit-in-place: "true"
            cert-manager.io/cluster-issuer: {{ .Global.Id }}-public
          hosts:
          - host: hydra.{{ .Global.Domain }}
            paths:
            - path: /
              pathType: Prefix
          tls:
          - hosts:
            - hydra.{{ .Global.Domain }}
            secretName: cert-hydra.{{ .Global.Domain }}
      secret:
        enabled: true
      maester:
        enabled: true
      hydra-maester:
        adminService:
          name: hydra-admin
          port: 80
        image:
          repository: giolekva/ory-hydra-maester
          tag: latest
          pullPolicy: IfNotPresent
      hydra:
        automigration:
          enabled: true
        config:
          version: v1.10.6
          dsn: postgres://hydra:hydra@postgres.{{ .Global.Id }}-core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
          serve:
            cookies:
              same_site_mode: None
            public:
              cors:
                enabled: true
                debug: false
                allow_credentials: true
                allowed_origins:
                  - https://{{ .Global.Domain }}
                  - https://*.{{ .Global.Domain }}
            admin:
              # host: localhost
              cors:
                allowed_origins:
                  - https://hydra.p.{{ .Global.Domain }}
              tls:
                allow_termination_from:
                  - 0.0.0.0/0
                  - 10.42.0.0/16
                  - 10.43.0.0/16
            tls:
              allow_termination_from:
                - 0.0.0.0/0
                - 10.42.0.0/16
                - 10.43.0.0/16
          urls:
            self:
              public: https://hydra.{{ .Global.Domain }}
              issuer: https://hydra.{{ .Global.Domain }}
            consent: https://accounts-ui.{{ .Global.Domain }}/consent
            login: https://accounts-ui.{{ .Global.Domain }}/login
            logout: https://accounts-ui.{{ .Global.Domain }}/logout
          secrets:
            system:
              - youReallyNeedToChangeThis
          oidc:
            subject_identifiers:
              supported_types:
                - pairwise
                - public
              pairwise:
                salt: youReallyNeedToChangeThis
          log:
            level: trace
            leak_sensitive_values: false
    ui:
      certificateIssuer: {{ .Global.Id }}-public
      ingressClassName: {{ .Global.PCloudEnvName }}-ingress-public
      domain: {{ .Global.Domain }}
      internalDomain: p.{{ .Global.Domain }}
      hydra: hydra-admin.{{ .Global.Id }}-core-auth.svc.cluster.local
      enableRegistration: false