// Caller-supplied parameters for this app. `network` is constrained by the
// #Network definition (declared outside this file); the releases below read
// its `domain`, `ingressClass` and `certificateIssuer` fields. `subdomain` is
// declared but not referenced anywhere in this file — presumably consumed by
// the deploying framework; verify before relying on it.
input: network:   #Network
input: subdomain: string

// Release identity: the app name and the Kubernetes namespace it is installed
// into. Note that the DSNs and in-cluster service URLs further down spell out
// "\(global.namespacePrefix)core-auth" literally instead of referring back to
// these fields, so the three must be kept in sync by hand.
name: "core-auth"
namespace: "core-auth"

// Ory Kratos identity schema, mounted by the auth chart as
// /etc/config/identity.schema.json (see `identitySchemas` and
// `identity.schemas[0].url` in the Kratos config below). It declares a single
// trait, `username` (at least 3 characters), which also serves as the
// password-credential identifier; `additionalProperties: false` rejects any
// other trait. The `###"""` raw string keeps the JSON free of escaping and
// leaves `\(` uninterpolated.
_userSchema: ###"""
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "User",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "type": "string",
          "format": "username",
          "title": "Username",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        }
      },
      "additionalProperties": false
    }
  }
}
"""###

// Container images for the stack. Kratos, Hydra and Postgres are pinned by
// tag; only the accounts UI floats on "latest" with pullPolicy "Always".
// NOTE(review): a floating tag is neither reproducible nor auditable — pin the
// auth-ui image to a release tag or digest once one exists.
images: kratos: {
	repository: "oryd"
	name:       "kratos"
	tag:        "v1.1.0-distroless"
	pullPolicy: "IfNotPresent"
}
images: hydra: {
	repository: "oryd"
	name:       "hydra"
	tag:        "v2.2.0-distroless"
	pullPolicy: "IfNotPresent"
}
images: ui: {
	repository: "giolekva"
	name:       "auth-ui"
	tag:        "latest"
	pullPolicy: "Always"
}
images: postgres: {
	repository: "library"
	name:       "postgres"
	tag:        "15.3"
	pullPolicy: "IfNotPresent"
}

// Helm chart sources; both come from the pcloud monorepo's main branch.
// NOTE(review): `branch: "main"` is a moving reference, so the deployed chart
// content changes with every push to that branch. Pinning to an immutable ref
// (if the deployer supports one) would make the release reproducible.
charts: auth: {
	kind:    "GitRepository"
	address: "https://github.com/giolekva/pcloud.git"
	branch:  "main"
	path:    "charts/auth"
}
charts: postgres: {
	kind:    "GitRepository"
	address: "https://github.com/giolekva/pcloud.git"
	branch:  "main"
	path:    "charts/postgresql"
}

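// Helm releases that make up the core-auth stack: a PostgreSQL instance shared
// by Kratos and Hydra, and the "auth" chart carrying Kratos, Hydra and the
// accounts UI. Image coordinates come from `images`, chart sources from
// `charts`, and domain/ingress settings from `input.network`.
helm: {
	postgres: {
		chart: charts.postgres
		values: {
			fullnameOverride: "postgres"
			// `registry` and `imageName` are not declared in `images` above;
			// presumably supplied by a shared image definition elsewhere — confirm.
			image: {
				registry:   images.postgres.registry
				repository: images.postgres.imageName
				tag:        images.postgres.tag
				pullPolicy: images.postgres.pullPolicy
			}
			service: {
				type: "ClusterIP"
				port: 5432
			}
			primary: {
				initdb: {
					scripts: {
						// NOTE(review): the database passwords are literal, equal to the
						// user names, and repeated in the Kratos/Hydra DSNs below. They
						// belong in a secret, not in this file.
						"init.sql": """
							CREATE USER kratos WITH PASSWORD 'kratos';
							CREATE USER hydra WITH PASSWORD 'hydra';
							CREATE DATABASE kratos WITH OWNER = kratos;
							CREATE DATABASE hydra WITH OWNER = hydra;
							"""
					}
				}
				persistence: {
					size: "1Gi"
				}
				// NOTE(review): Postgres runs as root (uid 0 / fsGroup 0) and so does
				// the volume-permissions helper below; prefer a non-root uid if the
				// chart and the storage class allow it.
				securityContext: {
					enabled: true
					fsGroup: 0
				}
				containerSecurityContext: {
					enabled:   true
					runAsUser: 0
				}
			}
			volumePermissions: {
				securityContext: {
					runAsUser: 0
				}
			}
		}
	}
	auth: {
		chart: charts.auth
		// The private ingress controller and the database release above must be
		// installed before this one.
		dependsOn: [{
			name:      "ingress-nginx"
			namespace: "\(global.namespacePrefix)ingress-private"
		}, {
			name:      "postgres"
			namespace: release.namespace
		}]
		values: {
			kratos: {
				fullnameOverride: "kratos"
				image: {
					repository: images.kratos.fullName
					tag:        images.kratos.tag
					pullPolicy: images.kratos.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
					public: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
				}
				// Only the public API gets an ingress; the admin API stays
				// cluster-internal (see serve.admin.base_url below).
				ingress: {
					admin: enabled: false
					public: {
						enabled:   true
						className: input.network.ingressClass
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer":             input.network.certificateIssuer
						}
						hosts: [{
							host: "accounts.\(input.network.domain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts:      ["accounts.\(input.network.domain)"]
							secretName: "cert-accounts.\(input.network.domain)"
						}]
					}
				}
				secret: {
					enabled: true
				}
				kratos: {
					automigration: {
						enabled: true
					}
					development: false
					courier: {
						enabled: false
					}
					config: {
						// NOTE(review): config version lags far behind the deployed image
						// (images.kratos.tag is v1.1.0) — confirm this is intentional.
						version: "v0.7.1-alpha.1"
						// NOTE(review): credentials match init.sql above and
						// sslmode=disable sends them in clear text inside the cluster.
						dsn: "postgres://kratos:kratos@postgres.\(global.namespacePrefix)core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							public: {
								base_url: "https://accounts.\(input.network.domain)"
								// Credentialed CORS from the apex domain and every subdomain.
								cors: {
									enabled:           true
									debug:             false
									allow_credentials: true
									allowed_origins: [
										"https://\(input.network.domain)",
										"https://*.\(input.network.domain)",
									]
								}
							}
							admin: {
								base_url: "https://kratos-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
							}
						}
						selfservice: {
							default_browser_return_url: "https://accounts-ui.\(input.network.domain)"
							allowed_return_urls: [
								"https://*.\(input.network.domain)/",
								// TODO(gio): replace with input.network.privateSubdomain
								"https://*.\(global.privateDomain)",
							]
							methods: {
								password: {
									enabled: true
								}
							}
							// All flow UIs are served by the accounts-ui app. Recovery and
							// verification are off; the courier is disabled above as well.
							flows: {
								error: {
									ui_url: "https://accounts-ui.\(input.network.domain)/error"
								}
								settings: {
									ui_url:                     "https://accounts-ui.\(input.network.domain)/settings"
									privileged_session_max_age: "15m"
								}
								recovery: {
									enabled: false
								}
								verification: {
									enabled: false
								}
								logout: {
									after: {
										default_browser_return_url: "https://accounts-ui.\(input.network.domain)/login"
									}
								}
								login: {
									ui_url:   "https://accounts-ui.\(input.network.domain)/login"
									lifespan: "10m"
									after: {
										password: {
											default_browser_return_url: "https://accounts-ui.\(input.network.domain)/"
										}
									}
								}
								registration: {
									lifespan: "10m"
									ui_url:   "https://accounts-ui.\(input.network.domain)/register"
									after: {
										password: {
											// Kratos `session` hook: a session is issued as soon as
											// registration succeeds.
											hooks: [{
												hook: "session"
											}]
											default_browser_return_url: "https://accounts-ui.\(input.network.domain)/"
										}
									}
								}
							}
						}
						log: {
							// NOTE(review): debug level on an internet-facing identity
							// service; lower it once the deployment is stable.
							level:  "debug"
							format: "text"
							// Keep this off: when enabled Kratos writes cookies, session
							// tokens and similar values into the log. The Hydra release
							// below keeps it off as well.
							leak_sensitive_values: false
						}
						// NOTE(review): SameSite=None session cookies scoped to the whole
						// domain, together with the wildcard credentialed CORS above, let
						// every subdomain act on a user's session — acceptable only if all
						// subdomains are equally trusted.
						cookies: {
							path:      "/"
							same_site: "None"
							domain:    input.network.domain
						}
						// NOTE(review): placeholder cookie secret committed to VCS; it has
						// to be replaced by a generated, per-deployment value.
						secrets: {
							cookie: ["PLEASE-CHANGE-ME-I-AM-VERY-INSECURE"]
						}
						hashers: {
							// NOTE(review): key_length 16 looks lower than the Kratos
							// default — confirm against the version deployed.
							argon2: {
								parallelism: 1
								memory:      "128MB"
								iterations:  2
								salt_length: 16
								key_length:  16
							}
						}
						identity: {
							schemas: [{
								id:  "user"
								url: "file:///etc/config/identity.schema.json"
							}]
							default_schema_id: "user"
						}
						courier: {
							smtp: {
								// NOTE(review): a mailbox user name and its URL-encoded
								// password are embedded here in plain text even though the
								// courier is disabled above; move them to a secret.
								connection_uri: "smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40\(input.network.domain):iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.\(input.network.domain)"
							}
						}
					}
					// Mounted so that identity.schemas[0].url above resolves.
					identitySchemas: {
						"identity.schema.json": _userSchema
					}
				}
			}
			hydra: {
				fullnameOverride: "hydra"
				image: {
					repository: images.hydra.fullName
					tag:        images.hydra.tag
					pullPolicy: images.hydra.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
					public: {
						enabled: true
						type:    "ClusterIP"
						port:    80
						name:    "http"
					}
				}
				// Same shape as the Kratos ingress: public API only, admin internal.
				ingress: {
					admin: enabled: false
					public: {
						enabled:   true
						className: input.network.ingressClass
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer":             input.network.certificateIssuer
						}
						hosts: [{
							host: "hydra.\(input.network.domain)"
							paths: [{
								path:     "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts:      ["hydra.\(input.network.domain)"]
							secretName: "cert-hydra.\(input.network.domain)"
						}]
					}
				}
				secret: {
					enabled: true
				}
				// The hydra-maester controller is not deployed.
				maester: {
					enabled: false
				}
				hydra: {
					automigration: {
						enabled: true
					}
					config: {
						// NOTE(review): v1.x config version against a v2.2.0 image
						// (images.hydra.tag) — confirm this is intentional.
						version: "v1.10.6"
						// NOTE(review): same clear-text credential / sslmode=disable
						// concern as the Kratos DSN above.
						dsn: "postgres://hydra:hydra@postgres.\(global.namespacePrefix)core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							cookies: {
								same_site_mode: "None"
							}
							public: {
								cors: {
									enabled:           true
									debug:             false
									allow_credentials: true
									allowed_origins: [
										"https://\(input.network.domain)",
										"https://*.\(input.network.domain)"
									]
								}
							}
							admin: {
								cors: {
									allowed_origins: [
										"https://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
									]
								}
								tls: {
									allow_termination_from: [
										"0.0.0.0/0",
										"10.42.0.0/16",
										"10.43.0.0/16",
									]
								}
							}
							// NOTE(review): "0.0.0.0/0" lets any source claim TLS
							// termination via X-Forwarded-Proto and makes the two cluster
							// CIDRs after it redundant; restrict the list to the ingress
							// controller's range (same for the admin listener above).
							tls: {
								allow_termination_from: [
									"0.0.0.0/0",
									"10.42.0.0/16",
									"10.43.0.0/16",
								]
							}
						}
						urls: {
							self: {
								public: "https://hydra.\(input.network.domain)"
								issuer: "https://hydra.\(input.network.domain)"
							}
							consent: "https://accounts-ui.\(input.network.domain)/consent"
							login:   "https://accounts-ui.\(input.network.domain)/login"
							logout:  "https://accounts-ui.\(input.network.domain)/logout"
						}
						// NOTE(review): placeholder system secret and pairwise salt
						// committed to VCS. Both need a generated per-deployment value, and
						// the salt must then never change (it determines pairwise subject
						// identifiers).
						secrets: {
							system: ["youReallyNeedToChangeThis"]
						}
						oidc: {
							subject_identifiers: {
								supported_types: [
									"pairwise",
									"public",
								]
								pairwise: {
									salt: "youReallyNeedToChangeThis"
								}
							}
						}
						log: {
							// NOTE(review): trace level; lower it once stable.
							level:                 "trace"
							leak_sensitive_values: false
						}
					}
				}
			}
			ui: {
				certificateIssuer:  input.network.certificateIssuer
				ingressClassName:   input.network.ingressClass
				domain:             input.network.domain
				hydra:              "hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
				enableRegistration: false
				image: {
					repository: images.ui.fullName
					tag:        images.ui.tag
					pullPolicy: images.ui.pullPolicy
				}
			}
		}
	}
}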