// Parameters the installer asks for when this app is deployed.
// NOTE(review): `subdomain` is declared but never referenced in this file;
// every host below is built from `global.domain` / `global.privateDomain`.
// Confirm it is consumed elsewhere in the package, otherwise it is dead input.
input: {
	subdomain: string
}
// Release name and target namespace. The `dsn` strings in `helm` below address
// the database as `postgres.\(global.namespacePrefix)core-auth.svc`, so the
// effective namespace appears to be `global.namespacePrefix` + this value.
name: "core-auth"
namespace: "core-auth"
// Kratos identity schema, mounted by the auth chart as
// `identity.schema.json` (see `identitySchemas` under `helm.auth`). Hidden
// field (`_` prefix), so it is not part of the exported configuration.
// Identities carry a single trait, `username`, which is also the identifier
// for the password credential; `additionalProperties: false` rejects any other
// trait at registration or settings time.
// NOTE(review): `$id` still names Ory's email-password preset although this
// schema is username-only — harmless to Kratos but misleading to readers.
// `username` has a `minLength` but no `maxLength`; verify that the UI or
// Kratos bounds it, since the value ends up in logs and database rows.
_userSchema: ###"""
{
	"$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
	"$schema": "http://json-schema.org/draft-07/schema#",
	"title": "User",
	"type": "object",
	"properties": {
		"traits": {
			"type": "object",
			"properties": {
				"username": {
					"type": "string",
					"format": "username",
					"title": "Username",
					"minLength": 3,
					"ory.sh/kratos": {
						"credentials": {
							"password": {
								"identifier": true
							}
						}
					}
				}
			},
			"additionalProperties": false
		}
	}
}
"""###
// Container images for each component. Only repository/name/tag/pullPolicy are
// set here; `helm` below also reads `images.*.registry`, `.imageName` and
// `.fullName`, which are presumably derived in another file of this package.
images: {
	kratos: {
		repository: "oryd"
		name: "kratos"
		tag: "v1.1.0-distroless"
		pullPolicy: "IfNotPresent"
	}
	hydra: {
		repository: "oryd"
		name: "hydra"
		tag: "v2.2.0-distroless"
		pullPolicy: "IfNotPresent"
	}
	ui: {
		repository: "giolekva"
		name: "auth-ui"
		// NOTE(review): mutable tag re-pulled on every start, so the running
		// login/consent UI is whatever the registry serves at that moment and
		// cannot be audited after the fact. Pin a version tag or digest.
		tag: "latest"
		pullPolicy: "Always"
	}
	postgres: {
		repository: "library"
		name: "postgres"
		tag: "15.3"
		pullPolicy: "IfNotPresent"
	}
}
// Chart sources, both read from the pcloud repository itself.
// NOTE(review): tracking `main` means any reconcile can pick up new chart
// content for the auth stack. If the GitRepository source supports a tag or
// commit reference, pin it so the deployment changes only when this file does.
charts: {
	auth: {
		kind: "GitRepository"
		address: "https://github.com/giolekva/pcloud.git"
		branch: "main"
		path: "charts/auth"
	}
	postgres: {
		kind: "GitRepository"
		address: "https://github.com/giolekva/pcloud.git"
		branch: "main"
		path: "charts/postgresql"
	}
}
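// Helm releases that make up the core-auth app: a PostgreSQL instance and the
// `auth` chart (Kratos, Hydra and the account UI). Chart sources come from
// `charts`, image coordinates from `images`. `global`, `release`,
// `ingressPrivate`, `ingressPublic` and `issuerPublic` are supplied outside
// this file.
//
// Change in this revision: `kratos.config.log.leak_sensitive_values` is now
// `false`. It was `true` on a non-development (`development: false`) instance
// at `debug` level, which makes Kratos write credentials, session tokens and
// similar values into the logs; Hydra below already runs with it disabled.
//
// Review notes that are left as comments rather than changed, because a fix
// needs secrets or inputs this file does not have:
//   - Database passwords, the Kratos cookie secret, the Hydra system secret
//     and the pairwise salt are literals in version control, and the latter
//     three are the well-known placeholder values from the Ory examples.
//   - Both DSNs use `sslmode=disable`; in-cluster traffic to postgres is
//     cleartext unless something outside this file encrypts it.
//   - Kratos and Hydra admin APIs are exposed through the private ingress with
//     TLS but no authentication visible here.
helm: {
	postgres: {
		chart: charts.postgres
		values: {
			fullnameOverride: "postgres"
			image: {
				registry: images.postgres.registry
				repository: images.postgres.imageName
				tag: images.postgres.tag
				pullPolicy: images.postgres.pullPolicy
			}
			service: {
				type: "ClusterIP"
				port: 5432
			}
			primary: {
				initdb: {
					scripts: {
						// NOTE(review): role passwords are literal here and
						// repeated in the two `dsn` strings below. Prefer
						// generated secrets wired through the chart's
						// existing-secret support so they never land in git.
						"init.sql": """
							CREATE USER kratos WITH PASSWORD 'kratos';
							CREATE USER hydra WITH PASSWORD 'hydra';
							CREATE DATABASE kratos WITH OWNER = kratos;
							CREATE DATABASE hydra WITH OWNER = hydra;
							"""
					}
				}
				persistence: {
					size: "1Gi"
				}
				// NOTE(review): the database and the volume-permissions init
				// container both run as uid 0. Presumably needed for the
				// storage backend's ownership; if not, drop these so the chart's
				// default non-root user applies and a postgres compromise does
				// not start with root in the container.
				securityContext: {
					enabled: true
					fsGroup: 0
				}
				containerSecurityContext: {
					enabled: true
					runAsUser: 0
				}
			}
			volumePermissions: {
				securityContext: {
					runAsUser: 0
				}
			}
		}
	}
	auth: {
		chart: charts.auth
		// Wait for the private ingress controller and the database above.
		dependsOn: [{
			name: "ingress-nginx"
			namespace: "\(global.namespacePrefix)ingress-private"
		}, {
			name: "postgres"
			namespace: release.namespace
		}]
		values: {
			kratos: {
				fullnameOverride: "kratos"
				image: {
					repository: images.kratos.fullName
					tag: images.kratos.tag
					pullPolicy: images.kratos.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type: "ClusterIP"
						port: 80
						name: "http"
					}
					public: {
						enabled: true
						type: "ClusterIP"
						port: 80
						name: "http"
					}
				}
				ingress: {
					// Admin API on the private domain; public API on
					// accounts.<domain> with a cert-manager issued certificate.
					admin: {
						enabled: true
						className: ingressPrivate
						hosts: [{
							host: "kratos.\(global.privateDomain)"
							paths: [{
								path: "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: [
								"kratos.\(global.privateDomain)"
							]
						}]
					}
					public: {
						enabled: true
						className: ingressPublic
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer": issuerPublic
						}
						hosts: [{
							host: "accounts.\(global.domain)"
							paths: [{
								path: "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: ["accounts.\(global.domain)"]
							secretName: "cert-accounts.\(global.domain)"
						}]
					}
				}
				// The chart renders the config below into a Secret; the values
				// themselves are still plaintext in this file.
				secret: {
					enabled: true
				}
				kratos: {
					automigration: {
						enabled: true
					}
					development: false
					// Courier is off, so recovery/verification mail is never
					// sent; the smtp entry further down is therefore unused.
					courier: {
						enabled: false
					}
					config: {
						// NOTE(review): config schema version predates the
						// v1.1.0 image in `images.kratos`; verify it is still
						// what the chart expects.
						version: "v0.7.1-alpha.1"
						dsn: "postgres://kratos:kratos@postgres.\(global.namespacePrefix)core-auth.svc:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							public: {
								base_url: "https://accounts.\(global.domain)"
								// CORS with credentials for the apex and every
								// subdomain of the public domain.
								cors: {
									enabled: true
									debug: false
									allow_credentials: true
									allowed_origins: [
										"https://\(global.domain)",
										"https://*.\(global.domain)",
									]
								}
							}
							admin: {
								base_url: "https://kratos.\(global.privateDomain)/"
							}
						}
						selfservice: {
							default_browser_return_url: "https://accounts-ui.\(global.domain)"
							// NOTE(review): wildcard return URLs let a flow
							// redirect to any subdomain of either domain; any
							// app hosted there that reflects parameters becomes
							// a redirect target after login. Narrow to the
							// hosts that actually need it where possible.
							allowed_return_urls: [
								"https://*.\(global.domain)/",
								"https://*.\(global.privateDomain)",
							]
							methods: {
								password: {
									enabled: true
								}
							}
							flows: {
								error: {
									ui_url: "https://accounts-ui.\(global.domain)/error"
								}
								settings: {
									ui_url: "https://accounts-ui.\(global.domain)/settings"
									// Re-authentication window for changing
									// credentials in the settings flow.
									privileged_session_max_age: "15m"
								}
								recovery: {
									enabled: false
								}
								verification: {
									enabled: false
								}
								logout: {
									after: {
										default_browser_return_url: "https://accounts-ui.\(global.domain)/login"
									}
								}
								login: {
									ui_url: "https://accounts-ui.\(global.domain)/login"
									lifespan: "10m"
									after: {
										password: {
											default_browser_return_url: "https://accounts-ui.\(global.domain)/"
										}
									}
								}
								registration: {
									lifespan: "10m"
									ui_url: "https://accounts-ui.\(global.domain)/register"
									after: {
										password: {
											// Issue a session right after
											// sign-up (no verification step).
											hooks: [{
												hook: "session"
											}]
											default_browser_return_url: "https://accounts-ui.\(global.domain)/"
										}
									}
								}
							}
						}
						log: {
							// NOTE(review): `debug` on a production auth
							// service is verbose; consider `info` once the
							// deployment is stable.
							level: "debug"
							format: "text"
							// Was `true`: credentials and session tokens were
							// written to the logs. Hydra below already has this
							// disabled.
							leak_sensitive_values: false
						}
						cookies: {
							path: "/"
							// SameSite=None is needed for the cross-site OIDC
							// flows; it is only safe with the Secure attribute,
							// which Kratos presumably sets for an https
							// base_url — confirm.
							same_site: "None"
							domain: global.domain
						}
						secrets: {
							// NOTE(review): this is the public placeholder from
							// the Ory examples. It signs/encrypts session
							// cookies, so anyone can forge them until it is
							// replaced with a generated secret.
							cookie: ["PLEASE-CHANGE-ME-I-AM-VERY-INSECURE"]
						}
						hashers: {
							// Explicit argon2id parameters; verify key_length
							// and iterations against current Ory guidance for
							// the node's memory budget.
							argon2: {
								parallelism: 1
								memory: "128MB"
								iterations: 2
								salt_length: 16
								key_length: 16
							}
						}
						identity: {
							schemas: [{
								id: "user"
								url: "file:///etc/config/identity.schema.json"
							}]
							default_schema_id: "user"
						}
						courier: {
							smtp: {
								// NOTE(review): this URI embeds a mailbox
								// credential in plaintext; even with the courier
								// disabled it is committed to git. Rotate it and
								// move it to a secret.
								connection_uri: "smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40\(global.domain):iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.\(global.domain)"
							}
						}
					}
					identitySchemas: {
						"identity.schema.json": _userSchema
					}
				}
			}
			hydra: {
				fullnameOverride: "hydra"
				image: {
					repository: images.hydra.fullName
					tag: images.hydra.tag
					pullPolicy: images.hydra.pullPolicy
				}
				service: {
					admin: {
						enabled: true
						type: "ClusterIP"
						port: 80
						name: "http"
					}
					public: {
						enabled: true
						type: "ClusterIP"
						port: 80
						name: "http"
					}
				}
				ingress: {
					admin: {
						enabled: true
						className: ingressPrivate
						hosts: [{
							host: "hydra.\(global.privateDomain)"
							paths: [{
								path: "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: ["hydra.\(global.privateDomain)"]
						}]
					}
					public: {
						enabled: true
						className: ingressPublic
						annotations: {
							"acme.cert-manager.io/http01-edit-in-place": "true"
							"cert-manager.io/cluster-issuer": issuerPublic
						}
						hosts: [{
							host: "hydra.\(global.domain)"
							paths: [{
								path: "/"
								pathType: "Prefix"
							}]
						}]
						tls: [{
							hosts: ["hydra.\(global.domain)"]
							secretName: "cert-hydra.\(global.domain)"
						}]
					}
				}
				secret: {
					enabled: true
				}
				// Hydra Maester (OAuth2Client CRD controller) is not deployed.
				maester: {
					enabled: false
				}
				hydra: {
					automigration: {
						enabled: true
					}
					config: {
						// NOTE(review): config version predates the v2.2.0
						// image in `images.hydra`; verify against the chart.
						version: "v1.10.6"
						dsn: "postgres://hydra:hydra@postgres.\(global.namespacePrefix)core-auth.svc:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4"
						serve: {
							cookies: {
								same_site_mode: "None"
							}
							public: {
								cors: {
									enabled: true
									debug: false
									allow_credentials: true
									allowed_origins: [
										"https://\(global.domain)",
										"https://*.\(global.domain)"
									]
								}
							}
							admin: {
								cors: {
									allowed_origins: [
										"https://hydra.\(global.privateDomain)"
									]
								}
								// NOTE(review): `0.0.0.0/0` makes the other two
								// entries redundant — any peer may claim TLS was
								// terminated upstream. Restrict to the ingress
								// pod/service CIDRs if the network allows it.
								tls: {
									allow_termination_from: [
										"0.0.0.0/0",
										"10.42.0.0/16",
										"10.43.0.0/16",
									]
								}
							}
							tls: {
								allow_termination_from: [
									"0.0.0.0/0",
									"10.42.0.0/16",
									"10.43.0.0/16",
								]
							}
						}
						urls: {
							self: {
								public: "https://hydra.\(global.domain)"
								issuer: "https://hydra.\(global.domain)"
							}
							consent: "https://accounts-ui.\(global.domain)/consent"
							login: "https://accounts-ui.\(global.domain)/login"
							logout: "https://accounts-ui.\(global.domain)/logout"
						}
						secrets: {
							// NOTE(review): placeholder value; this key
							// encrypts stored data and signs tokens, so it must
							// be a generated secret before any client is
							// registered (rotating later re-encrypts data).
							system: ["youReallyNeedToChangeThis"]
						}
						oidc: {
							subject_identifiers: {
								supported_types: [
									"pairwise",
									"public",
								]
								// NOTE(review): same placeholder as above; the
								// pairwise salt derives per-client subject IDs,
								// and a guessable salt lets clients correlate
								// users.
								pairwise: {
									salt: "youReallyNeedToChangeThis"
								}
							}
						}
						log: {
							level: "trace"
							leak_sensitive_values: false
						}
					}
				}
			}
			ui: {
				certificateIssuer: issuerPublic
				ingressClassName: ingressPublic
				domain: global.domain
				internalDomain: global.privateDomain
				// Hydra admin API reached in-cluster, not via the ingress.
				hydra: "hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
				enableRegistration: false
				image: {
					repository: images.ui.fullName
					tag: images.ui.tag
					pullPolicy: images.ui.pullPolicy
				}
			}
		}
	}
}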