Add Ory Kratos service

RADAR-base · May 29, 2024 · cec14e4 · cec14e4
1 parent 9273f13
commit cec14e4
Show file tree

Hide file tree

Showing 6 changed files with 430 additions and 10 deletions.
diff --git a/etc/base.yaml b/etc/base.yaml
@@ -105,6 +105,18 @@ kafka_manager:
   _chart_version: 2.1.6
   _extra_timeout: 0
 
+# --------------------------------------------------------- 05-ory.yaml ---------------------------------------------------------
+
+kratos:
+  _install: false
+  _chart_version: 2.1.6
+  _extra_timeout: 0
+
+kratos_ui:
+    _install: false
+    _chart_version: 2.1.6
+    _extra_timeout: 0
+
 # --------------------------------------------------------- 10-base.yaml ---------------------------------------------------------
 # Use letsencrypt to retrieve SSL certificates.
 cert_manager_letsencrypt:
@@ -150,6 +162,8 @@ catalog_server:
   _install: true
   _chart_version: 0.5.2
   _extra_timeout: 90
+  image:
+    tag: 0.8.7
   replicaCount: 1
   schema_registry: http://cp-schema-registry:8081
 
@@ -319,6 +333,11 @@ radar_gateway:
   _chart_version: 1.1.2
   _extra_timeout: 0
   replicaCount: 1
+  ingress:
+    annotations:
+      # rewrite the uri to the original request, which is encoded to prevent XSS attacks. This would likely be good practice everywhere but is REQUIRED for grizzly servers
+      nginx.ingress.kubernetes.io/configuration-snippet: |
+        rewrite ^ $request_uri; 
 
 # --------------------------------------------------------- 20-kafka-analysis.yaml ---------------------------------------------------------
 

diff --git a/etc/base.yaml.gotmpl b/etc/base.yaml.gotmpl
@@ -1,7 +1,7 @@
 # Remove below Go comment to enable management_portal reading
-management_portal:
+# management_portal:
   # read unencrypted keystore
-  keystore: {{ readFile "../etc/management-portal/keystore.p12" | b64enc | quote }}
+  # {{/* keystore: {{ readFile "../etc/management-portal/keystore.p12" | b64enc | quote }} */}}
   # read encrypted keystore
   # {{/* keystore: {{ exec "sops" (list "-d" "../secrets/management-portal/keystore.sops.p12") | b64enc | quote }}  */}}
   #
@@ -12,12 +12,26 @@ management_portal:
   #    # file by setting
   #    {{/* keystore: {{ readFile "certificate.pem" | b64enc | quote }}  */}}
 
+# If radar_grafana is used, please remove the Go template comments and yaml comments.
 radar_grafana:
   dashboards:
     allprojects:
       home:
         json: {{ readFile "radar-grafana/dashboards/allprojects/home.json" | quote }}
 
+# If data transformation of kafka topic data is needed, please remove the Go template comments and yaml comments.
+# Make sure to reference a ksql transformation file that contains the required transformation logic.
+# The files below are transform the data from the questionnaire_response and questionnaire_app_events topics to the
+# ksql_observations topic, used by the data-dashboard-backend. If using the data-dashboard-backend, please make sure
+# to uncomment the relevant ksql transformer files.
+# Note: never remove the _base_observations_stream.sql file.
+# kafka_data_transformer:
+#  ksql:
+#    queries: |
+#      {{/* - readFile "../etc/kafka-data-transformer/_base_observations_stream.sql"             | nindent 8 */}}
+#      {{/* - readFile "../etc/kafka-data-transformer/questionnaire_response_observations.sql"   | nindent 8 */}}
+#      {{/* - readFile "../etc/kafka-data-transformer/questionnaire_app_events_observations.sql" | nindent 8 */}}
+
 # If appserver is used, please remove the Go template comments and yaml comments.
 # Again, like with management_portal, if you want to store the credentials in a
 # less secure location, please encrypt the JSON file it and read it with sops,
@@ -26,10 +40,3 @@ radar_grafana:
 #radar_appserver:
 #  google_application_credentials: {{ readFile "../etc/radar-appserver/firebase-adminsdk.json" | quote }}
 #*/}}
-
-# Remove below Go comment to read the queries.sql and set the queries
-# in the ksql_server
-#ksql_server:
-#  ksql:
-#    queries: |
-#      {{/*- readFile "cp-ksql-server/queries.sql" | nindent 8 */}}
diff --git a/etc/kratos/values.yaml b/etc/kratos/values.yaml
@@ -0,0 +1,275 @@
+ingress:
+  admin:
+    enabled: true
+    className: "nginx"
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - host: localhost
+        paths:
+          - path: "/admin/kratos/?(.*)"
+            pathType: ImplementationSpecific
+    tls:
+      - secretName: kratos-admin-tls
+        hosts:
+          - localhost
+  public:
+    enabled: true
+    className: "nginx"
+    annotations:
+      nginx.ingress.kubernetes.io/rewrite-target: /$1
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - host: localhost
+        paths:
+          - path: "/kratos/?(.*)"
+            pathType: ImplementationSpecific
+    tls:
+      - secretName: kratos-public-tls
+        hosts:
+          - localhost
+
+kratos:
+  development: false
+
+  # -- Enables database migration
+  automigration:
+    enabled: true
+    # -- Configure the way to execute database migration. Possible values: job, initContainer
+    # When set to job, the migration will be executed as a job on release or upgrade.
+    # When set to initContainer, the migration will be executed when Kratos pod is created
+    # Defaults to job
+    type: job
+    # -- Ability to override the entrypoint of the automigration container
+    # (e.g. to source dynamic secrets or export environment dynamic variables)
+    customCommand: [ ]
+    # -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
+    # eg:
+    # - sleep 5;
+    #   - kratos
+    customArgs: [ ]
+    # -- resource requests and limits for the automigration initcontainer
+    resources: { }
+
+  # -- You can add multiple identity schemas here. You can pass JSON schema using `--set-file` Helm CLI argument.
+  identitySchemas:
+    "identity.user.schema.json": |
+      {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "$id": "user",
+        "title": "user",
+        "type": "object",
+        "properties": {
+          "traits": {
+            "type": "object",
+            "properties": {
+              "email": {
+                "type": "string",
+                "format": "email",
+                "title": "E-Mail",
+                "minLength": 5,
+                "ory.sh/kratos": {
+                  "credentials": {
+                    "password": {
+                      "identifier": true
+                    },
+                    "totp": {
+                      "account_name": true
+                    }
+                  },
+                  "verification": {
+                    "via": "email"
+                  },
+                  "recovery": {
+                    "via": "email"
+                  }
+                }
+              }
+            },
+            "required": [ "email" ]
+          }
+        },
+        "additionalProperties": false
+      }
+    "identity.default.schema.json": |
+      {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "$id": "default",
+        "title": "user",
+        "type": "object",
+        "properties": {
+          "traits": {
+            "type": "object",
+            "properties": {
+              "email": {
+                "type": "string",
+                "format": "email",
+                "title": "E-Mail",
+                "minLength": 5,
+                "ory.sh/kratos": {
+                  "credentials": {
+                    "password": {
+                      "identifier": true
+                    },
+                    "totp": {
+                      "account_name": true
+                    }
+                  },
+                  "verification": {
+                    "via": "email"
+                  },
+                  "recovery": {
+                    "via": "email"
+                  }
+                }
+              }
+            },
+            "required": [ "email" ]
+          }
+        },
+        "additionalProperties": false
+      }
+
+  # -- You can customize the emails Kratos is sending (also uncomment config.courier.template_override_path below)
+  emailTemplates: { }
+  # emailTemplates:
+  #   recovery:
+  #     valid:
+  #       subject: Recover access to your account
+  #       body: |-
+  #         Hi, please recover access to your account by clicking the following link:
+  #         <a href="{{ .RecoveryURL }}">{{ .RecoveryURL }}</a>
+  #       plainBody: |-
+  #         Hi, please recover access to your account by clicking the following link: {{ .RecoveryURL }}
+  #     invalid:
+  #       subject: Account access attempted
+  #       body: |-
+  #         Hi, you (or someone else) entered this email address when trying to recover access to an account.
+  #         However, this email address is not on our database of registered users and therefore the attempt has failed. If this was you, check if you signed up using a different address. If this was not you, please ignore this email.
+  #       plainBody: |-
+  #         Hi, you (or someone else) entered this email address when trying to recover access to an account.
+  #   verification:
+  #     valid:
+  #       subject: Please verify your email address
+  #       body: |-
+  #         Hi, please verify your account by clicking the following link:
+  #         <a href="{{ .VerificationURL }}">{{ .VerificationURL }}</a>
+  #       plainBody: |-
+  #         Hi, please verify your account by clicking the following link: {{ .VerificationURL }}
+  #     invalid:
+  #       subject:
+  #       body:
+  #       plainBody:
+
+  config:
+
+    session:
+      # Defines how long a session is active. Once that lifespan has been reached, the user needs to sign in again.
+      lifespan: 24h
+
+      cookie:
+        ##-- If false, cookie is removed when the browser is closed --##
+        persistent: false
+
+    courier:
+      smtp:
+        from_address: radar@thehyve.nl
+
+    serve:
+      public:
+        base_url: https://localhost/kratos/
+        cors:
+          enabled: true
+          allowed_origins:
+            - https://localhost/kratos-ui/
+          allowed_methods:
+            - POST
+            - GET
+            - PUT
+            - PATCH
+            - DELETE
+          allowed_headers:
+            - Authorization
+            - Cookie
+            - Content-Type
+            - Accept
+          exposed_headers:
+            - Content-Type
+            - Set-Cookie
+            - Accept
+          allow_credentials: true
+      admin:
+        base_url: https://localhost/admin/kratos/
+
+    selfservice:
+      default_browser_return_url: https://localhost/managementportal
+      allowed_return_urls:
+        - "https://localhost/"
+        - "http://localhost/"
+
+      methods:
+        password:
+          config:
+            haveibeenpwned_enabled: true
+            max_breaches: 0
+            ignore_network_errors: false
+            min_password_length: 12
+            identifier_similarity_check_enabled: true
+          enabled: true
+        totp:
+          config:
+            issuer: Radar
+          enabled: true
+        link:
+          enabled: true
+
+      flows:
+        error:
+          ui_url: https://localhost/kratos-ui/error
+
+        settings:
+          ui_url: https://localhost/kratos-ui/settings
+          required_aal: highest_available
+
+        recovery:
+          enabled: true
+          ui_url: https://localhost/kratos-ui/recovery
+          use: link
+
+        verification:
+          # our current flow necessitates that users reset their password after they activate an account in managementportal,
+          # this works as verification
+          ui_url: https://localhost/kratos-ui/verification
+          enabled: false
+          use: link
+          after:
+            default_browser_return_url: https://localhost/kratos-ui
+
+        logout:
+          after:
+            default_browser_return_url: https://localhost/kratos-ui/login
+
+        login:
+          ui_url: https://localhost/kratos-ui/login
+
+        registration:
+          ui_url: https://localhost/kratos-ui/registration
+          after:
+            password:
+              hooks:
+                -   hook: session
+            oidc:
+              hooks:
+                -   hook: session
+
+    identity:
+      default_schema_id: user
+      schemas:
+        # identitySchemas:
+        -   id: user
+            url: file:///etc/config/identity.user.schema.json
+
+    log:
+      level: debug
+      format: text
+      leak_sensitive_values: true
diff --git a/etc/kratos_ui/values.yaml b/etc/kratos_ui/values.yaml
@@ -0,0 +1,34 @@
+config:
+  csrfCookieName: "radar_csrf"
+
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /$1
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  hosts:
+    - host: localhost
+      paths:
+        - path: "/kratos-ui/?(.*)"
+          pathType: ImplementationSpecific
+  tls:
+    - secretName: radar-kratos-tls
+      hosts:
+        - localhost
+        # -- Set this to ORY Kratos's Admin URL
+kratosAdminUrl: "kratos-admin"
+
+# -- Set this to ORY Kratos's public URL
+kratosPublicUrl: "https://localhost/kratos"
+
+# -- Set this to ORY Kratos's public URL accessible from the outside world.
+kratosBrowserUrl: "https://localhost/kratos"
+
+# -- The basePath
+basePath: ""
+
+# -- The jwksUrl
+jwksUrl: ""
+
+projectName: "SecureApp"