// Parameters supplied by whoever instantiates this module.
// NOTE(review): nothing in this file reads input.subdomain — every public
// host below is derived from global.domain / global.privateDomain instead.
// Presumably a sibling file consumes it; confirm before relying on it.
Giorgi Lekveishvilie009a5d2024-01-05 14:10:11 +04001input: {
2 subdomain: string
3}
4
// Kratos identity schema (JSON Schema draft-07), kept as a raw CUE string and
// mounted by the auth chart under identitySchemas["identity.schema.json"].
// Comments cannot live inside the string, so the review notes are here:
//   - "$id" still points at Ory's quickstart email-password preset URL although
//     this body is a customised schema (a "username" trait, no e-mail trait);
//     a project-owned "$id" would keep the two from being confused.
//   - "format": "username" is not a JSON Schema built-in and "format" is
//     annotation-only unless the validator recognises the name, so confirm
//     Kratos actually enforces it rather than silently ignoring it.
//   - "minLength": 3 bounds the username from below only; there is no
//     "maxLength" — TODO confirm an upper bound is not wanted.
//   - traits is closed ("additionalProperties": false), so registration
//     rejects any trait other than "username".
//   - "ory.sh/kratos".credentials.password.identifier: true marks the username
//     as the login identifier for the password method (Kratos extension).
5userSchema: ###"""
6{
7 "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
8 "$schema": "http://json-schema.org/draft-07/schema#",
9 "title": "User",
10 "type": "object",
11 "properties": {
12 "traits": {
13 "type": "object",
14 "properties": {
15 "username": {
16 "type": "string",
17 "format": "username",
18 "title": "Username",
19 "minLength": 3,
20 "ory.sh/kratos": {
21 "credentials": {
22 "password": {
23 "identifier": true
24 }
25 }
26 }
27 }
28 },
29 "additionalProperties": false
30 }
31 }
32}
33"""###
34
// Container images used by the helm releases below. Each entry is a plain
// {repository, name, tag, pullPolicy} record.
// NOTE(review): the consumers read derived fields (images.*.fullName,
// images.postgres.registry / .imageName) that are not declared here —
// presumably unified in from a sibling file; confirm before renaming anything.
35images: {
36 kratos: {
37 repository: "oryd"
38 name: "kratos"
39 tag: "v0.13.0"
40 pullPolicy: "IfNotPresent"
41 }
42 hydra: {
43 repository: "oryd"
44 name: "hydra"
45 tag: "v2.1.2"
46 pullPolicy: "IfNotPresent"
47 }
// NOTE(review): "latest" + "Always" means every pod restart may pull a
// different, unreviewed build of this image; the Ory and postgres images are
// pinned to explicit tags. Consider pinning this one (and ui) as well.
48 "hydra-maester": {
49 repository: "giolekva"
50 name: "ory-hydra-maester"
51 tag: "latest"
52 pullPolicy: "Always"
53 }
// NOTE(review): same "latest"/"Always" concern as hydra-maester above.
54 ui: {
55 repository: "giolekva"
56 name: "auth-ui"
57 tag: "latest"
58 pullPolicy: "Always"
59 }
60 postgres: {
61 repository: "library"
62 name: "postgres"
63 tag: "15.3"
64 pullPolicy: "IfNotPresent"
65 }
66}
67
// Helm chart sources for the two releases. Both charts are pulled from the
// "pcloud" GitRepository in the namespace named by global.id (defined outside
// this file) rather than from a remote chart registry.
68charts: {
69 auth: {
70 chart: "charts/auth"
71 sourceRef: {
72 kind: "GitRepository"
73 name: "pcloud"
74 namespace: global.id
75 }
76 }
77 postgres: {
78 chart: "charts/postgresql"
79 sourceRef: {
80 kind: "GitRepository"
81 name: "pcloud"
82 namespace: global.id
83 }
84 }
85}
86
87helm: {
// PostgreSQL release backing both Kratos and Hydra. Reachable in-cluster only
// (ClusterIP on 5432); the auth release declares a dependsOn on it.
88 postgres: {
89 chart: charts.postgres
90 values: {
91 fullnameOverride: "postgres"
92 image: {
// NOTE(review): images.postgres declares repository/name/tag/pullPolicy, but
// this reads .registry and .imageName — presumably derived fields unified in
// from another file; if not, these evaluate to an error in CUE. Confirm.
93 registry: images.postgres.registry
94 repository: images.postgres.imageName
95 tag: images.postgres.tag
96 pullPolicy: images.postgres.pullPolicy
97 }
98 service: {
99 type: "ClusterIP"
100 port: 5432
101 }
102 primary: {
103 initdb: {
104 scripts: {
// Bootstrap SQL run once on first start: one role and one database per
// Ory service, each role owning its own database.
// NOTE(review): both role passwords are fixed literals equal to the role
// name and are committed here in clear text; the auth release embeds the
// same values in its DSNs (also with sslmode=disable). Treat these as
// hard-coded credentials: source them from a Secret and have the init
// script / DSNs read them, and enable TLS on the DB connection if the
// network between namespaces is not otherwise protected.
105 "init.sql": """
106 CREATE USER kratos WITH PASSWORD 'kratos';
107 CREATE USER hydra WITH PASSWORD 'hydra';
108 CREATE DATABASE kratos WITH OWNER = kratos;
109 CREATE DATABASE hydra WITH OWNER = hydra;
110 """
111 }
112 }
113 persistence: {
114 size: "1Gi"
115 }
// NOTE(review): fsGroup 0 and runAsUser 0 run the database container as root
// (the volumePermissions init container too). Presumably this works around
// volume ownership on the host path; confirm, because a root DB process
// widens the blast radius of any container escape — a non-root uid with
// fsGroup set to the same value is the usual alternative.
116 securityContext: {
117 enabled: true
118 fsGroup: 0
119 }
120 containerSecurityContext: {
121 enabled: true
122 runAsUser: 0
123 }
124 }
125 volumePermissions: {
126 securityContext: {
127 runAsUser: 0
128 }
129 }
130 }
131 }
132 auth: {
133 chart: charts.auth
134 dependsOn: [postgres]
135 dependsOnExternal: [{
136 name: "ingress-nginx"
137 namespace: "\(global.namespacePrefix)ingress-private"
138 }]
139 values: {
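// Kratos (identity/login) values for the auth chart.
// Public API and UI live on the public domain, the admin API on the private
// domain behind the private ingress class. Only the password method is enabled;
// recovery, verification and the courier (mail) are all off.
// Change in this revision: log.leak_sensitive_values is now false (see note
// on that field).
140 kratos: {
141 fullnameOverride: "kratos"
142 image: {
// NOTE(review): images.kratos.fullName is not declared in this file's images
// block — presumably a derived field from a sibling file; confirm.
143 repository: images.kratos.fullName
144 tag: images.kratos.tag
145 pullPolicy: images.kratos.pullPolicy
146 }
147 service: {
148 admin: {
149 enabled: true
150 type: "ClusterIP"
151 port: 80
152 name: "http"
153 }
154 public: {
155 enabled: true
156 type: "ClusterIP"
157 port: 80
158 name: "http"
159 }
160 }
161 ingress: {
// Admin API: exposed only through the private ingress class on the private
// domain. NOTE(review): nothing here adds authentication in front of it, so
// the private class must be unreachable from outside the trusted network —
// confirm. Its tls entry also names no secretName (the public one does), so
// the controller's default certificate is what clients will see unless the
// private class provides one — confirm that is intended.
162 admin: {
163 enabled: true
164 className: _ingressPrivate
165 hosts: [{
166 host: "kratos.\(global.privateDomain)"
167 paths: [{
168 path: "/"
169 pathType: "Prefix"
170 }]
171 }]
172 tls: [{
173 hosts: [
174 "kratos.\(global.privateDomain)"
175 ]
176 }]
177 }
// Public API on accounts.<domain>, certificate issued by cert-manager
// (cluster issuer _issuerPublic, HTTP-01 edited in place on this ingress).
178 public: {
179 enabled: true
180 className: _ingressPublic
181 annotations: {
182 "acme.cert-manager.io/http01-edit-in-place": "true"
183 "cert-manager.io/cluster-issuer": _issuerPublic
184 }
185 hosts: [{
186 host: "accounts.\(global.domain)"
187 paths: [{
188 path: "/"
189 pathType: "Prefix"
190 }]
191 }]
192 tls: [{
193 hosts: ["accounts.\(global.domain)"]
194 secretName: "cert-accounts.\(global.domain)"
195 }]
196 }
197 }
198 secret: {
199 enabled: true
200 }
201 kratos: {
202 automigration: {
203 enabled: true
204 }
205 development: false
206 courier: {
207 enabled: false
208 }
209 config: {
// NOTE(review): this config-schema version does not match the deployed image
// tag (images.kratos.tag is v0.13.0); confirm the newer binary still accepts
// a v0.7.x config document or bump the version alongside the image.
210 version: "v0.7.1-alpha.1"
// NOTE(review): the DB password is inline in the DSN (it is the same literal
// the postgres init.sql creates) and sslmode=disable sends it and all
// identity data in clear text between namespaces. Source the DSN from a
// Secret and prefer an sslmode that verifies the server.
211 dsn: "postgres://kratos:kratos@postgres.\(global.namespacePrefix)core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4"
212 serve: {
213 public: {
214 base_url: "https://accounts.\(global.domain)"
// CORS: credentialed requests are allowed from the apex and from every
// subdomain of global.domain. Any host under that domain can therefore call
// the public API with the user's cookies — acceptable only while every such
// subdomain is first-party; worth narrowing if third parties ever get one.
215 cors: {
216 enabled: true
217 debug: false
218 allow_credentials: true
219 allowed_origins: [
220 "https://\(global.domain)",
221 "https://*.\(global.domain)",
222 ]
223 }
224 }
225 admin: {
226 base_url: "https://kratos.\(global.privateDomain)/"
227 }
228 }
// Self-service flows all redirect to the separate accounts-ui host.
229 selfservice: {
230 default_browser_return_url: "https://accounts-ui.\(global.domain)"
231 methods: {
232 password: {
233 enabled: true
234 }
235 }
236 flows: {
237 error: {
238 ui_url: "https://accounts-ui.\(global.domain)/error"
239 }
240 settings: {
241 ui_url: "https://accounts-ui.\(global.domain)/settings"
// Window after login during which privileged settings (e.g. password change)
// may be made without re-authenticating.
242 privileged_session_max_age: "15m"
243 }
// Recovery and verification are off, consistent with courier.enabled: false
// (no mail can be sent). Account recovery is therefore an operator task.
244 recovery: {
245 enabled: false
246 }
247 verification: {
248 enabled: false
249 }
250 logout: {
251 after: {
252 default_browser_return_url: "https://accounts-ui.\(global.domain)/login"
253 }
254 }
255 login: {
256 ui_url: "https://accounts-ui.\(global.domain)/login"
257 lifespan: "10m"
258 after: {
259 password: {
260 default_browser_return_url: "https://accounts-ui.\(global.domain)/"
261 }
262 }
263 }
264 registration: {
265 lifespan: "10m"
266 ui_url: "https://accounts-ui.\(global.domain)/register"
267 after: {
268 password: {
// The "session" hook logs the user in right after registration (no
// verification step, which is consistent with verification being disabled).
269 hooks: [{
270 hook: "session"
271 }]
272 default_browser_return_url: "https://accounts-ui.\(global.domain)/"
273 }
274 }
275 }
276 }
277 }
278 log: {
// NOTE(review): debug level is verbose for an identity provider; "info" is
// the usual choice outside troubleshooting. Left as-is.
279 level: "debug"
280 format: "text"
// Was true. With leak_sensitive_values enabled Kratos writes credentials,
// session tokens and similar values into its logs, and at debug level those
// lines reach the pod log store. Kept off; flip temporarily for local
// debugging only.
281 leak_sensitive_values: false
282 }
283 cookies: {
284 path: "/"
// SameSite=None: the session cookie is sent on cross-site requests (needed
// for the separate accounts-ui host / Hydra flows). This forgoes the
// browser's SameSite CSRF protection; Kratos's own CSRF tokens are relied on.
285 same_site: "None"
286 domain: global.domain
287 }
// NOTE(review): this is Kratos's well-known placeholder cookie secret,
// committed in clear text. It is a hard-coded credential: replace it with a
// value sourced from a Secret before this config reaches any reachable
// environment. The Hydra block below has the same problem.
288 secrets: {
289 cookie: ["PLEASE-CHANGE-ME-I-AM-VERY-INSECURE"]
290 }
291 hashers: {
// NOTE(review): key_length 16 bytes is below the 32-byte default Kratos
// ships with, as far as I recall; confirm against the Kratos docs and
// consider raising it (existing hashes keep working, new ones use the new
// length).
292 argon2: {
293 parallelism: 1
294 memory: "128MB"
295 iterations: 2
296 salt_length: 16
297 key_length: 16
298 }
299 }
// Identity schema is read from the file mounted via identitySchemas below.
300 identity: {
301 schemas: [{
302 id: "user"
303 url: "file:///etc/config/identity.schema.json"
304 }]
305 default_schema_id: "user"
306 }
// NOTE(review): the courier is disabled (kratos.courier.enabled: false), yet
// this URI embeds what looks like a mailbox username and password. Even
// unused, a credential committed in config should be rotated and moved to a
// Secret; the config can reference it once mail is actually enabled.
307 courier: {
308 smtp: {
309 connection_uri: "smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40\(global.domain):iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.\(global.domain)"
310 }
311 }
312 }
313 identitySchemas: {
314 "identity.schema.json": userSchema
315 }
316 }
317 }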
// Hydra (OAuth2/OIDC) values for the auth chart, plus the hydra-maester
// controller that manages OAuth2 clients. Public endpoints on hydra.<domain>,
// admin API on the private domain; login/consent/logout are delegated to the
// accounts-ui host.
318 hydra: {
319 fullnameOverride: "hydra"
320 image: {
// NOTE(review): images.hydra.fullName is not declared in this file's images
// block — presumably a derived field from a sibling file; confirm.
321 repository: images.hydra.fullName
322 tag: images.hydra.tag
323 pullPolicy: images.hydra.pullPolicy
324 }
325 service: {
326 admin: {
327 enabled: true
328 type: "ClusterIP"
329 port: 80
330 name: "http"
331 }
332 public: {
333 enabled: true
334 type: "ClusterIP"
335 port: 80
336 name: "http"
337 }
338 }
339 ingress: {
// Admin API behind the private ingress class. NOTE(review): same as for
// Kratos — no authentication is added here, and the tls entry names no
// secretName; confirm the private class is unreachable from outside and
// provides its own certificate.
340 admin: {
341 enabled: true
342 className: _ingressPrivate
343 hosts: [{
344 host: "hydra.\(global.privateDomain)"
345 paths: [{
346 path: "/"
347 pathType: "Prefix"
348 }]
349 }]
350 tls: [{
351 hosts: ["hydra.\(global.privateDomain)"]
352 }]
353 }
// Public endpoints, certificate from cert-manager via _issuerPublic.
354 public: {
355 enabled: true
356 className: _ingressPublic
357 annotations: {
358 "acme.cert-manager.io/http01-edit-in-place": "true"
359 "cert-manager.io/cluster-issuer": _issuerPublic
360 }
361 hosts: [{
362 host: "hydra.\(global.domain)"
363 paths: [{
364 path: "/"
365 pathType: "Prefix"
366 }]
367 }]
368 tls: [{
369 hosts: ["hydra.\(global.domain)"]
370 secretName: "cert-hydra.\(global.domain)"
371 }]
372 }
373 }
374 secret: {
375 enabled: true
376 }
377 maester: {
378 enabled: true
379 }
// hydra-maester talks to the admin API over plain HTTP inside the cluster
// (service hydra-admin, port 80). Runs the "latest" tag — see images.
380 "hydra-maester": {
381 adminService: {
382 name: "hydra-admin"
383 port: 80
384 }
385 image: {
386 repository: images["hydra-maester"].fullName
387 tag: images["hydra-maester"].tag
388 pullPolicy: images["hydra-maester"].pullPolicy
389 }
390 }
391 hydra: {
392 automigration: {
393 enabled: true
394 }
395 config: {
// NOTE(review): config-schema version v1.10.6 vs deployed image v2.1.2
// (images.hydra.tag); confirm the v2 binary accepts this document.
396 version: "v1.10.6"
// NOTE(review): DB password inline and sslmode=disable — same concern as the
// Kratos DSN and the postgres init.sql; source from a Secret, enable TLS.
397 dsn: "postgres://hydra:hydra@postgres.\(global.namespacePrefix)core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4"
398 serve: {
399 cookies: {
// Cross-site cookies, needed for the redirect-based login/consent flow.
400 same_site_mode: "None"
401 }
402 public: {
// Credentialed CORS from the apex and every subdomain of global.domain —
// same first-party assumption as the Kratos public CORS block.
403 cors: {
404 enabled: true
405 debug: false
406 allow_credentials: true
407 allowed_origins: [
408 "https://\(global.domain)",
409 "https://*.\(global.domain)"
410 ]
411 }
412 }
413 admin: {
414 cors: {
415 allowed_origins: [
416 "https://hydra.\(global.privateDomain)"
417 ]
418 }
// NOTE(review): allow_termination_from lists the sources Hydra trusts to
// have terminated TLS for it (requests from them carrying an
// X-Forwarded-Proto: https header are treated as secure). "0.0.0.0/0" is a
// superset of the two /16 entries, so effectively every source is trusted
// and the narrower entries are dead. Since the admin and public services are
// ClusterIP behind ingress-nginx, the intended list is presumably just the
// cluster ranges — 10.42.0.0/16 and 10.43.0.0/16 look like k3s pod/service
// CIDRs, confirm — and "0.0.0.0/0" should be dropped from both this block
// and the serve.tls block below.
419 tls: {
420 allow_termination_from: [
421 "0.0.0.0/0",
422 "10.42.0.0/16",
423 "10.43.0.0/16",
424 ]
425 }
426 }
// Same list for the public listener; see the note on serve.admin.tls.
427 tls: {
428 allow_termination_from: [
429 "0.0.0.0/0",
430 "10.42.0.0/16",
431 "10.43.0.0/16",
432 ]
433 }
434 }
435 urls: {
436 self: {
437 public: "https://hydra.\(global.domain)"
438 issuer: "https://hydra.\(global.domain)"
439 }
440 consent: "https://accounts-ui.\(global.domain)/consent"
441 login: "https://accounts-ui.\(global.domain)/login"
442 logout: "https://accounts-ui.\(global.domain)/logout"
443 }
// NOTE(review): this is Hydra's documentation placeholder, committed in clear
// text; the pairwise salt below reuses the same literal. The system secret
// protects Hydra's stored data and the salt determines pairwise subject ids,
// so both are hard-coded credentials: generate real values and source them
// from a Secret (rotating the salt changes every pairwise subject — decide
// before any client depends on them).
444 secrets: {
445 system: ["youReallyNeedToChangeThis"]
446 }
447 oidc: {
448 subject_identifiers: {
449 supported_types: [
450 "pairwise",
451 "public",
452 ]
453 pairwise: {
454 salt: "youReallyNeedToChangeThis"
455 }
456 }
457 }
// Trace-level logging with sensitive-value leaking off (unlike the Kratos
// block, which had it on).
458 log: {
459 level: "trace"
460 leak_sensitive_values: false
461 }
462 }
463 }
464 }
// accounts-ui values: the web front-end for the Kratos/Hydra flows. It is
// handed the Hydra admin service FQDN, so it drives login/consent through the
// admin API in-cluster. Registration is switched off; runs the "latest" tag
// (see images).
465 ui: {
466 certificateIssuer: _issuerPublic
467 ingressClassName: _ingressPublic
468 domain: global.domain
469 internalDomain: global.privateDomain
470 hydra: "hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
471 enableRegistration: false
472 image: {
// NOTE(review): images.ui.fullName is not declared in this file's images
// block — presumably derived elsewhere; confirm.
473 repository: images.ui.fullName
474 tag: images.ui.tag
475 pullPolicy: images.ui.pullPolicy
476 }
477 }
478 }
479 }
480}