diff --git a/etc/base.yaml b/etc/base.yaml
index 6dcd1a79..3cff5386 100644
--- a/etc/base.yaml
+++ b/etc/base.yaml
@@ -217,7 +217,12 @@ kratos: kratos_ui: _install: true
- _chart_version: 0.43.1
+ _chart_version: 0.0.2
+ _extra_timeout: 0
+
+hydra:
+ _install: true
+ _chart_version: 0.48.0
_extra_timeout: 0 app_config:
diff --git a/etc/hydra/values.yaml b/etc/hydra/values.yaml
new file mode 100644
index 00000000..38781764
--- /dev/null
+++ b/etc/hydra/values.yaml
@@ -0,0 +1,62 @@
+ingress:
+ admin:
+ enabled: true
+ className: "nginx"
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/rewrite-target: /admin/$2
+ hosts:
+ - host: localhost
+ paths:
+ - path: "/admin/hydra(/|$)(.*)"
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: radar-base-tls
+ hosts:
+ - localhost
+ public:
+ enabled: true
+ className: "nginx"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /$1
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ hosts:
+ - host: localhost
+ paths:
+ - path: "/hydra/?(.*)"
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: radar-base-tls
+ hosts:
+ - localhost
+hydra:
+ automigration:
+ enabled: true
+ config:
+ urls:
+ self:
+ issuer: https://localhost/hydra/
+ login: https://localhost/login
+ consent: https://localhost/hydra-ui/consent
+
+ log:
+ level: debug
+ format: text
+ leak_sensitive_values: false
+
+ strategies:
+ access_token: jwt
+ jwt:
+ scope_claim: both
+
+ oauth2:
+ allowed_top_level_claims: [scope,roles,authorities,sources,user_name]
+ mirror_top_level_claims: false
+
+ serve:
+ public:
+ cors:
+ enabled: true
+ admin:
+ cors:
+ enabled: true
diff --git a/etc/kratos_ui/values.yaml b/etc/kratos-ui/values.yaml
similarity index 83%
rename from etc/kratos_ui/values.yaml
rename to etc/kratos-ui/values.yaml
index 9abee33d..819363dc 100644
--- a/etc/kratos_ui/values.yaml
+++ b/etc/kratos-ui/values.yaml
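Review bot: The admin ingress in the new etc/hydra/values.yaml (`ingress.admin.enabled: true`, path `"/admin/hydra(/|$)(.*)"`) routes the public host to Hydra's admin API, and none of its annotations restrict the caller; Hydra's admin API does not authenticate requests on its own, so this exposes client, consent and token management to anyone who can reach the host. The in-cluster consumers added in this same commit already address the service directly (`HYDRA_ADMIN_URL: http://hydra-admin` in etc/kratos-ui/values.yaml, `oauth2_provider.url` in etc/kratos/values.yaml), so `enabled: false` for the admin ingress looks sufficient; if operators genuinely need it from outside, gate it with `nginx.ingress.kubernetes.io/whitelist-source-range: "<ALLOWED_CIDR>"` or an auth annotation, and the pre-existing `/admin/kratos` ingress deserves the same treatment. `log.level: debug` in a base values file is presumably meant to be overridden per environment; a comment such as `# debug for development only; override in production values` next to it would make that explicit.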
@@ -10,7 +10,7 @@ ingress: hosts: - host: localhost paths: - - path: "/kratos-ui/?(.*)" + - path: "/kratos-ui(/|$)(.*)" pathType: ImplementationSpecific tls: - secretName: radar-base-tls @@ -26,9 +26,14 @@ kratosPublicUrl: "https://localhost/kratos" kratosBrowserUrl: "https://localhost/kratos" # -- The basePath -basePath: "" +basePath: "/kratos-ui" # -- The jwksUrl jwksUrl: "" projectName: "SecureApp" + +deployment: + extraEnv: + - name: HYDRA_ADMIN_URL + value: http://hydra-admin \ No newline at end of file diff --git a/etc/kratos/values.yaml b/etc/kratos/values.yaml index 52adacf5..00ee6733 100644 --- a/etc/kratos/values.yaml +++ b/etc/kratos/values.yaml @@ -4,10 +4,11 @@ ingress: className: "nginx" annotations: cert-manager.io/cluster-issuer: letsencrypt-prod + nginx.ingress.kubernetes.io/rewrite-target: /admin/$2 hosts: - host: localhost paths: - - path: "/admin/kratos/?(.*)" + - path: "/admin/kratos(/|$)(.*)" pathType: ImplementationSpecific tls: - secretName: radar-base-tls @@ -36,11 +37,11 @@ kratos: # -- You can add multiple identity schemas here. You can pass JSON schema using `--set-file` Helm CLI argument. identitySchemas: - "identity.user.schema.json": | + "identity.schema.admin.json": | { "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "user", - "title": "user", + "$id": "admin", + "title": "admin", "type": "object", "properties": { "traits": { @@ -69,16 +70,16 @@ kratos: } } }, - "required": [ "email" ] + "required": ["email"] } }, "additionalProperties": false } - "identity.default.schema.json": | + "identity.schema.researcher.json": | { "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "default", - "title": "user", + "$id": "researcher", + "title": "researcher", "type": "object", "properties": { "traits": { 
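Review bot: `HYDRA_ADMIN_URL: http://hydra-admin` in the new `deployment.extraEnv` block of etc/kratos-ui/values.yaml names the service without a port, while the helmfile hunk in this commit overrides Kratos's `oauth2_provider.url` to `http://hydra-admin:4445` and the kratos-ui release gets no such override; whichever port the hydra-admin Service actually exposes is not visible here, but the two consumers should agree, so either `value: http://hydra-admin:4445` here or a matching `set` entry in helmfile.d/10-services.yaml. The same unauthenticated admin endpoint is now reachable from the browser-facing UI pod, which is fine in-cluster but worth a comment stating that the UI uses it only for server-side login/consent handling. The file also loses its trailing newline (`\ No newline at end of file`), which is easy to restore.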
@@ -107,12 +108,49 @@ kratos: } } }, - "required": [ "email" ] + "required": ["email"] + } + }, + "additionalProperties": false + } + "identity.schema.subject.json": | + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "subject", + "title": "subject", + "type": "object", + "properties": { + "traits": { + "type": "object", + "properties": { + "email": { + "type": "string", + "format": "email", + "title": "E-Mail", + "minLength": 5, + "ory.sh/kratos": { + "credentials": { + "password": { + "identifier": true + }, + "totp": { + "account_name": true + } + }, + "verification": { + "via": "email" + }, + "recovery": { + "via": "email" + } + } + } + }, + "required": ["email"] } }, "additionalProperties": false } - config: session: @@ -196,6 +234,14 @@ kratos: use: link after: default_browser_return_url: https://localhost/kratos-ui + hooks: + - hook: web_hook + config: + method: POST + url: http://management-portal:8080/managementportal/api/kratos/subjects/activate + body: base64://ZnVuY3Rpb24oY3R4KSB7CiAgICBpZGVudGl0eTogaWYgc3RkLm9iamVjdEhhcyhjdHgsICJpZGVudGl0eSIpIHRoZW4gY3R4LmlkZW50aXR5IGVsc2UgbnVsbCwKICAgIHBheWxvYWQ6IGlmIHN0ZC5vYmplY3RIYXMoY3R4LCAiZmxvdyIpICYmIHN0ZC5vYmplY3RIYXMoY3R4LmZsb3csICJ0cmFuc2llbnRfcGF5bG9hZCIpIHRoZW4gY3R4LmZsb3cudHJhbnNpZW50X3BheWxvYWQgZWxzZSBudWxsLAogICAgY29va2llczogY3R4LnJlcXVlc3RfY29va2llcwp9Cg== + response: + ignore: true logout: after: 
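Review bot: The web_hook added under `verification.after.hooks` (and the identical one added under `registration.after.password.hooks` in the next hunk of this file, @@ -209) sets `response.ignore: true`, so a failed or unreachable management-portal call is swallowed and the flow still completes, leaving Kratos and the portal out of sync with no flow-level error; unless fire-and-forget is intended, drop `ignore: true` so the hook failure surfaces to the user and the logs. The base64 `body` decodes to a Jsonnet template that sends `identity`, the flow's `transient_payload` and `cookies: ctx.request_cookies`, i.e. the browser's cookies for the Kratos host (presumably the session and CSRF cookies) are forwarded to the portal; if those cookies are how the portal authenticates the call, say so in a comment above `body:`, otherwise forward only the fields the endpoint needs. The default `url` values are plain `http://management-portal:8080`; the helmfile hunk overrides both to https via the public host, so the plaintext default only matters for installs that skip that override, and a comment noting the override would prevent surprises.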
@@ -209,19 +255,32 @@ kratos: after: password: hooks: + - hook: web_hook + config: + method: POST + url: http://management-portal:8080/managementportal/api/kratos/subjects + body: base64://ZnVuY3Rpb24oY3R4KSB7CiAgICBpZGVudGl0eTogaWYgc3RkLm9iamVjdEhhcyhjdHgsICJpZGVudGl0eSIpIHRoZW4gY3R4LmlkZW50aXR5IGVsc2UgbnVsbCwKICAgIHBheWxvYWQ6IGlmIHN0ZC5vYmplY3RIYXMoY3R4LCAiZmxvdyIpICYmIHN0ZC5vYmplY3RIYXMoY3R4LmZsb3csICJ0cmFuc2llbnRfcGF5bG9hZCIpIHRoZW4gY3R4LmZsb3cudHJhbnNpZW50X3BheWxvYWQgZWxzZSBudWxsLAogICAgY29va2llczogY3R4LnJlcXVlc3RfY29va2llcwp9Cg== + response: + ignore: true - hook: session oidc: hooks: - hook: session identity: - default_schema_id: user + default_schema_id: subject schemas: - # identitySchemas: - - id: user - url: file:///etc/config/identity.user.schema.json + - id: subject + url: file:///etc/config/identity.schema.subject.json + - id: researcher + url: file:///etc/config/identity.schema.researcher.json + - id: admin + url: file:///etc/config/identity.schema.admin.json log: level: debug format: text leak_sensitive_values: true + + oauth2_provider: + url: http://hydra-admin \ No newline at end of file diff --git a/etc/postgresql/values.yaml b/etc/postgresql/values.yaml index c1a843e8..9c675315 100644 --- a/etc/postgresql/values.yaml +++ b/etc/postgresql/values.yaml @@ -114,7 +114,7 @@ primary: ## extraEnvVars: - name: POSTGRES_MULTIPLE_DATABASES - value: managementportal,restsourceauthorizer,appconfig,kratos + value: managementportal,restsourceauthorizer,appconfig,kratos,hydra ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary) ## podAnnotations: diff --git a/helmfile.d/10-services.yaml b/helmfile.d/10-services.yaml index 8aa2d79b..df96bb33 100644 --- a/helmfile.d/10-services.yaml +++ b/helmfile.d/10-services.yaml 
@@ -341,15 +341,22 @@ releases: - name: ingress.public.tls[0].hosts values: - {{ .Values.server_name }} + - name: kratos.config.oauth2_provider.url + value: http://hydra-admin:4445 + - name: kratos.config.selfservice.flows.registration.after.password.hooks[0].config.url + value: https://{{ .Values.server_name }}/managementportal/api/kratos/subjects + - name: kratos.config.selfservice.flows.verification.after.hooks[0].config.url + value: https://{{ .Values.server_name }}/managementportal/api/kratos/subjects/activate + - name: kratos-selfservice-ui-node - chart: radar/kratos-selfservice-ui-node + chart: radar/radar-self-enrolment-ui version: {{ .Values.kratos_ui._chart_version }} installed: {{ .Values.kratos_ui._install }} timeout: {{ add .Values.base_timeout .Values.kratos_ui._extra_timeout }} <<: *logFailedRelease values: - - "../etc/kratos_ui/values.yaml" + - "../etc/kratos-ui/values.yaml" - {{ .Values.kratos_ui | toYaml | indent 8 | trim }} set: - name: serverName 
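Review bot: The two hook overrides address `registration.after.password.hooks[0]` and `verification.after.hooks[0]` by index, which selects the web_hook only because etc/kratos/values.yaml lists it before the `session` hook; reordering either list would silently leave the in-cluster http default in place and redirect nothing. A comment such as `# hooks[0] must stay the management-portal web_hook (see etc/kratos/values.yaml)` above each entry would make the coupling visible. The release also keeps the name `kratos-selfservice-ui-node` while its chart becomes `radar/radar-self-enrolment-ui` and its values path moves to `../etc/kratos-ui/values.yaml`; if the stable release name is deliberate (to avoid a re-install), a one-line comment would save the next reader the question.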
@@ -364,6 +371,42 @@ releases: - name: kratosBrowserUrl value: https://{{ .Values.server_name }}/kratos + - name: hydra + chart: radar/hydra + version: {{ .Values.hydra._chart_version }} + installed: {{ .Values.hydra._install }} + timeout: {{ add .Values.base_timeout .Values.hydra._extra_timeout }} + values: + - "../etc/hydra/values.yaml" + - {{ .Values.hydra | toYaml | indent 8 | trim }} + set: + - name: serverName + value: {{ .Values.server_name }} + - name: hydra.config.dsn + value: postgres://{{ .Values.management_portal.postgres.user }}:{{ .Values.management_portal.postgres.password }}@{{ .Values.management_portal.postgres.host }}:{{ .Values.management_portal.postgres.port }}/{{ .Values | get "hydra.jdbc.database" "hydra" }} + - name: hydra.config.urls.self.public + value: https://{{ .Values.server_name }}/hydra/ + - name: hydra.config.urls.self.admin + value: https://{{ .Values.server_name }}/admin/hydra/ + - name: hydra.config.urls.self.issuer + value: https://{{ .Values.server_name }}/hydra/ + - name: hydra.config.urls.login + value: https://{{ .Values.server_name }}/kratos-ui/login + - name: hydra.config.urls.logout + value: https://{{ .Values.server_name }}/kratos-ui/logout + - name: hydra.config.urls.consent + value: https://{{ .Values.server_name }}/kratos-ui/consent + - name: ingress.public.hosts[0].host + value: {{ .Values.server_name }} + - name: ingress.admin.tls[0].hosts + values: + - {{ .Values.server_name }} + - name: ingress.admin.hosts[0].host + value: {{ .Values.server_name }} + - name: ingress.public.tls[0].hosts + values: + - {{ .Values.server_name }} + - name: radar-appserver-postgresql chart: radar/postgresql version: {{ .Values.radar_appserver_postgresql._chart_version }}
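Review bot: `hydra.config.dsn` reuses `management_portal.postgres.user` and `.password`, so Hydra's client and token store shares one database role with the management portal (the postgresql hunk only adds the `hydra` database, not a separate role); a dedicated role scoped to the hydra database would limit what a compromise of either service can reach, and the DSN carries no `sslmode`, so confirm whether a plaintext in-cluster connection is the intended default. Passing the password as a `set` value records it in the rendered release values that Helm persists; the other releases in this file are outside the hunk, so this may simply follow the existing pattern. Nothing in the release sets Hydra's system secret (`secrets.system`), which Hydra uses to encrypt stored key material; if the chart generates one when absent, check that it is stable across upgrades rather than re-generated per render.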