Merge pull request #266 from RADAR-base/ory-kratos

[kratos] Add Ory Kratos service

Author: keyvaann

etc/base.yaml

@@ -184,6 +184,8 @@ management_portal:
   replicaCount: 1  # should be 1
   postgres:
     host: postgresql
+    user: postgres
+    port: 5432
     ssl:
       enabled: false
   managementportal:
@@ -192,7 +194,25 @@ management_portal:
     oauth_checking_key_aliases_0: radarbase-managementportal-ec
     oauth_checking_key_aliases_1: selfsigned
   smtp:
+    username: secret
     password: secret
+    host: localhost
+
+kratos:
+  _install: true
+  _chart_version: 0.43.1
+  _extra_timeout: 0
+  jdbc:
+    database: kratos
+  kratos:
+    courier:
+      smtp:
+        from_address: [email protected]
+
+kratos_ui:
+  _install: true
+  _chart_version: 0.43.1
+  _extra_timeout: 0
 
 app_config:
   _install: true

etc/kratos/values.yaml

@@ -0,0 +1,227 @@
+ingress:
+  admin:
+    enabled: true
+    className: "nginx"
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - host: localhost
+        paths:
+          - path: "/admin/kratos/?(.*)"
+            pathType: ImplementationSpecific
+    tls:
+      - secretName: radar-base-tls
+        hosts:
+          - localhost
+  public:
+    enabled: true
+    className: "nginx"
+    annotations:
+      nginx.ingress.kubernetes.io/rewrite-target: /$1
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - host: localhost
+        paths:
+          - path: "/kratos/?(.*)"
+            pathType: ImplementationSpecific
+    tls:
+      - secretName: kratos-public-tls
+        hosts:
+          - localhost
+
+kratos:
+  # -- Enables database migration
+  automigration:
+    enabled: true
+
+  # -- You can add multiple identity schemas here. You can pass JSON schema using `--set-file` Helm CLI argument.
+  identitySchemas:
+    "identity.user.schema.json": |
+      {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "$id": "user",
+        "title": "user",
+        "type": "object",
+        "properties": {
+          "traits": {
+            "type": "object",
+            "properties": {
+              "email": {
+                "type": "string",
+                "format": "email",
+                "title": "E-Mail",
+                "minLength": 5,
+                "ory.sh/kratos": {
+                  "credentials": {
+                    "password": {
+                      "identifier": true
+                    },
+                    "totp": {
+                      "account_name": true
+                    }
+                  },
+                  "verification": {
+                    "via": "email"
+                  },
+                  "recovery": {
+                    "via": "email"
+                  }
+                }
+              }
+            },
+            "required": [ "email" ]
+          }
+        },
+        "additionalProperties": false
+      }
+    "identity.default.schema.json": |
+      {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "$id": "default",
+        "title": "user",
+        "type": "object",
+        "properties": {
+          "traits": {
+            "type": "object",
+            "properties": {
+              "email": {
+                "type": "string",
+                "format": "email",
+                "title": "E-Mail",
+                "minLength": 5,
+                "ory.sh/kratos": {
+                  "credentials": {
+                    "password": {
+                      "identifier": true
+                    },
+                    "totp": {
+                      "account_name": true
+                    }
+                  },
+                  "verification": {
+                    "via": "email"
+                  },
+                  "recovery": {
+                    "via": "email"
+                  }
+                }
+              }
+            },
+            "required": [ "email" ]
+          }
+        },
+        "additionalProperties": false
+      }
+
+  config:
+
+    session:
+      # Defines how long a session is active. Once that lifespan has been reached, the user needs to sign in again.
+      lifespan: 24h
+
+      cookie:
+        ##-- If false, cookie is removed when the browser is closed --##
+        persistent: false
+
+    courier:
+      smtp:
+        from_address: [email protected]
+
+    serve:
+      public:
+        base_url: https://localhost/kratos/
+        cors:
+          enabled: true
+          allowed_origins:
+            - https://localhost/kratos-ui/
+          allowed_methods:
+            - POST
+            - GET
+            - PUT
+            - PATCH
+            - DELETE
+          allowed_headers:
+            - Authorization
+            - Cookie
+            - Content-Type
+            - Accept
+          exposed_headers:
+            - Content-Type
+            - Set-Cookie
+            - Accept
+          allow_credentials: true
+      admin:
+        base_url: https://localhost/admin/kratos/
+
+    selfservice:
+      default_browser_return_url: https://localhost/managementportal
+      allowed_return_urls:
+        - "https://localhost/"
+        - "http://localhost/"
+
+      methods:
+        password:
+          config:
+            haveibeenpwned_enabled: true
+            max_breaches: 0
+            ignore_network_errors: false
+            min_password_length: 12
+            identifier_similarity_check_enabled: true
+          enabled: true
+        totp:
+          config:
+            issuer: Radar
+          enabled: true
+        link:
+          enabled: true
+
+      flows:
+        error:
+          ui_url: https://localhost/kratos-ui/error
+
+        settings:
+          ui_url: https://localhost/kratos-ui/settings
+          required_aal: highest_available
+
+        recovery:
+          enabled: true
+          ui_url: https://localhost/kratos-ui/recovery
+          use: link
+
+        verification:
+          # our current flow necessitates that users reset their password after they activate an account in managementportal,
+          # this works as verification
+          ui_url: https://localhost/kratos-ui/verification
+          enabled: false
+          use: link
+          after:
+            default_browser_return_url: https://localhost/kratos-ui
+
+        logout:
+          after:
+            default_browser_return_url: https://localhost/kratos-ui/login
+
+        login:
+          ui_url: https://localhost/kratos-ui/login
+
+        registration:
+          ui_url: https://localhost/kratos-ui/registration
+          after:
+            password:
+              hooks:
+                -   hook: session
+            oidc:
+              hooks:
+                -   hook: session
+
+    identity:
+      default_schema_id: user
+      schemas:
+        # identitySchemas:
+        -   id: user
+            url: file:///etc/config/identity.user.schema.json
+
+    log:
+      level: debug
+      format: text
+      leak_sensitive_values: true

etc/kratos_ui/values.yaml

@@ -0,0 +1,34 @@
+config:
+  csrfCookieName: "radar_csrf"
+
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /$1
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  hosts:
+    - host: localhost
+      paths:
+        - path: "/kratos-ui/?(.*)"
+          pathType: ImplementationSpecific
+  tls:
+    - secretName: radar-base-tls
+      hosts:
+        - localhost
+# -- Set this to ORY Kratos's Admin URL
+kratosAdminUrl: "kratos-admin"
+
+# -- Set this to ORY Kratos's public URL
+kratosPublicUrl: "https://localhost/kratos"
+
+# -- Set this to ORY Kratos's public URL accessible from the outside world.
+kratosBrowserUrl: "https://localhost/kratos"
+
+# -- The basePath
+basePath: ""
+
+# -- The jwksUrl
+jwksUrl: ""
+
+projectName: "SecureApp"

etc/postgresql/values.yaml

@@ -114,7 +114,7 @@ primary:
   ##
   extraEnvVars:
     - name: POSTGRES_MULTIPLE_DATABASES
-      value: managementportal,restsourceauthorizer,appconfig
+      value: managementportal,restsourceauthorizer,appconfig,kratos
   ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary)
   ##
   podAnnotations:

helmfile.d/10-managementportal.yaml

@@ -86,3 +86,85 @@ releases:
         value: https://{{ .Values.server_name }}/managementportal/oauth
       - name: authCallbackUrl
         value: https://{{ .Values.server_name }}/appconfig/login
+
+  - name: kratos
+    chart: radar/kratos
+    version: {{ .Values.kratos._chart_version }}
+    installed: {{ .Values.kratos._install }}
+    timeout: {{ add .Values.base_timeout .Values.kratos._extra_timeout }}
+    <<: *logFailedRelease
+    values:
+      - "../etc/kratos/values.yaml"
+      - {{ .Values.kratos | toYaml | indent 8 | trim }}
+    set:
+      - name: serverName
+        value: {{ .Values.server_name }}
+      - name: kratos.config.dsn
+        value: postgres://{{ .Values.management_portal.postgres.user }}:{{ .Values.management_portal.postgres.password }}@{{ .Values.management_portal.postgres.host }}:{{ .Values.management_portal.postgres.port }}/{{ .Values | get "kratos.jdbc.database" "kratos" }}
+      - name: kratos.config.courier.smtp.connection_uri
+        #  Note: encoding of "/" in password is necessary for the smtp connection_uri because kratos is not able to handle this.
+        value: smtp://{{ .Values.management_portal.smtp.username }}:{{ replace "/" "%2F" .Values.management_portal.smtp.password }}@{{ .Values.management_portal.smtp.host }}:{{ .Values | get "management_portal.smtp.port" 587 }}
+      - name: kratos.config.serve.public.base_url
+        value: https://{{ .Values.server_name }}/kratos/
+      - name: kratos.config.serve.admin.base_url
+        value: https://{{ .Values.server_name }}/admin/kratos/
+      - name: kratos.config.serve.public.cors.allowed_origins
+        values:
+        - https://{{ .Values.server_name }}/kratos-ui/
+      - name: kratos.config.selfservice.default_browser_return_url
+        value: https://{{ .Values.server_name }}/managementportal
+      - name: kratos.config.selfservice.allowed_return_urls
+        values:
+          - https://{{ .Values.server_name }}/
+          # FIXME: http://localhost/ is not a valid return URL for production
+          - http://{{ .Values.server_name }}/
+      - name: kratos.config.selfservice.flows.error.ui_url
+        value: https://{{ .Values.server_name }}/kratos-ui/error
+      - name: kratos.config.selfservice.flows.settings.ui_url
+        value: https://{{ .Values.server_name }}/kratos-ui/settings
+      - name: kratos.config.selfservice.flows.recovery.ui_url
+        value: https://{{ .Values.server_name }}/kratos-ui/recovery
+      - name: kratos.config.selfservice.flows.registration.ui_url
+        value: https://{{ .Values.server_name }}/kratos-ui/registration
+      - name: kratos.config.selfservice.flows.login.ui_url
+        value: https://{{ .Values.server_name }}/kratos-ui/login
+      - name: kratos.config.selfservice.flows.logout.after.default_browser_return_url
+        value: https://{{ .Values.server_name }}/kratos-ui/login
+      - name: kratos.config.selfservice.flows.verification.ui_url
+        value: https://{{ .Values.server_name }}/kratos-ui/verification
+      - name: kratos.config.selfservice.flows.verification.after.default_browser_return_url
+        value: https://{{ .Values.server_name }}/kratos-ui
+      - name: kratos.config.selfservice.flows.settings.ui_url
+        value: https://{{ .Values.server_name }}/kratos-ui/settings
+      - name: ingress.public.hosts[0].host
+        value: {{ .Values.server_name }}
+      - name: ingress.admin.tls[0].hosts
+        values:
+          - {{ .Values.server_name }}
+      - name: ingress.admin.hosts[0].host
+        value: {{ .Values.server_name }}
+      - name: ingress.public.tls[0].hosts
+        values:
+          - {{ .Values.server_name }}
+
+  - name: kratos-selfservice-ui-node
+    chart: radar/kratos-selfservice-ui-node
+    version: {{ .Values.kratos_ui._chart_version }}
+    installed: {{ .Values.kratos_ui._install }}
+    timeout: {{ add .Values.base_timeout .Values.kratos_ui._extra_timeout }}
+    <<: *logFailedRelease
+    values:
+      - "../etc/kratos_ui/values.yaml"
+      - {{ .Values.kratos_ui | toYaml | indent 8 | trim }}
+    set:
+      - name: serverName
+        value: {{ .Values.server_name }}
+      - name: ingress.hosts[0].host
+        value: {{ .Values.server_name }}
+      - name: ingress.tls[0].hosts
+        values:
+          - {{ .Values.server_name }}
+      - name: kratosPublicUrl
+        value: https://{{ .Values.server_name }}/kratos
+      - name: kratosBrowserUrl
+        value: https://{{ .Values.server_name }}/kratos