diff --git a/etc/base.yaml b/etc/base.yaml index ff088c322..b407c5589 100644 --- a/etc/base.yaml +++ b/etc/base.yaml @@ -183,6 +183,8 @@ management_portal: _chart_version: 1.4.0 _extra_timeout: 210 replicaCount: 1 # should be 1 + image: + tag: feature-ory-based-authorization postgres: host: postgresql user: postgres @@ -201,6 +203,8 @@ management_portal: from: noreply@example.com starttls: false auth: true + authserver: + server_admin_url: http://hydra-admin:4445 kratos: _install: false @@ -209,24 +213,23 @@ kratos: jdbc: database: kratos kratos: - courier: - smtp: - from_address: radar@thehyve.nl - -kratos_ui: - _install: false - _chart_version: 0.43.1 - _extra_timeout: 0 + config: + courier: + smtp: + from_address: radar@thehyve.nl radar_self_enrolment_ui: - _install: false - _chart_version: 0.2.0 + _install: true + _chart_version: 0.2.3 _extra_timeout: 0 hydra: - _install: false + _install: true _chart_version: 0.48.0 _extra_timeout: 0 + image: + # Remove when chart v0.52.1 is available + tag: v2.3.0 app_config: _install: true diff --git a/etc/hydra/values.yaml b/etc/hydra/values.yaml index 857cbe3a8..395f491cf 100644 --- a/etc/hydra/values.yaml +++ b/etc/hydra/values.yaml @@ -1,6 +1,6 @@ ingress: admin: - enabled: true + enabled: false className: "nginx" annotations: cert-manager.io/cluster-issuer: letsencrypt-prod @@ -42,7 +42,7 @@ hydra: log: level: debug format: text - leak_sensitive_values: false + leak_sensitive_values: true strategies: access_token: jwt @@ -50,11 +50,14 @@ hydra: scope_claim: both oauth2: - allowed_top_level_claims: [scope,roles,authorities,sources,user_name] + allowed_top_level_claims: [scope, roles, authorities, sources, user_name, email] mirror_top_level_claims: false client_credentials: default_grant_allowed_scope: true - + grant: + refresh_token: + rotation_grace_period: 60s # Set grace period. Omit this line to disable. + serve: public: cors: 
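Review bot: The new `image.tag: feature-ory-based-authorization` pins management_portal to a branch tag that moves with every push, so two deployments from the same commit of this repo can pull different images and a rollback cannot be reproduced. The hydra override further down in this file carries a comment explaining that its tag is temporary; the same is worth doing here, e.g. `# Temporary: feature-branch build, replace with a released tag (or a digest) before this lands in a release`. If the tag has to stay for a while, a digest pin keeps it immutable.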
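Review bot: `authserver.server_admin_url: http://hydra-admin:4445` points the management portal at the Hydra admin API, which performs no authentication of its own, so the only protection is that the hostname stays cluster-internal. That matches this commit disabling `ingress.admin` in etc/hydra/values.yaml, but nothing here restricts which pods may reach port 4445; a NetworkPolicy admitting only management-portal and kratos would be the matching control. A comment such as `# Hydra admin API: cluster-internal only, must never be exposed through an ingress` records the assumption next to the value.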
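Review bot: `leak_sensitive_values: true` under `log:` combined with `level: debug` makes Hydra write tokens, client secrets and similar credential material into its log stream, which then reaches whatever log aggregation the cluster has. This is a shared base values file rather than a local-dev override, so the safer default is the previous `leak_sensitive_values: false`, enabled per environment only while a debugging session needs it. etc/kratos/values.yaml in this commit has the same flag set to true; that line is pre-existing there, but the same consideration applies.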
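Review bot: Adding `email` to `allowed_top_level_claims` puts a personal identifier into every JWT access token, which is presented to all resource servers rather than only to the party that needs it; if only the management portal needs the address, reading it from the ID token or userinfo keeps it out of the other services' request logs. `rotation_grace_period: 60s` means a refresh token that has already been rotated is still accepted for another minute, which is exactly the window in which a replayed old token cannot be told apart from a legitimate retry. The inline comment explains how to disable it but not why it is on; something like `# 60s grace lets clients that lost the rotation response retry; a replayed old token is accepted within this window` documents the trade-off.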
diff --git a/etc/kratos/values.yaml b/etc/kratos/values.yaml index 821231ce0..a44916038 100644 --- a/etc/kratos/values.yaml +++ b/etc/kratos/values.yaml @@ -4,10 +4,11 @@ ingress: className: "nginx" annotations: cert-manager.io/cluster-issuer: letsencrypt-prod + nginx.ingress.kubernetes.io/rewrite-target: /admin/$2 hosts: - host: localhost paths: - - path: "/admin/kratos/?(.*)" + - path: "/admin/kratos(/|$)(.*)" pathType: ImplementationSpecific tls: - secretName: radar-base-tls @@ -36,11 +37,11 @@ kratos: # -- You can add multiple identity schemas here. You can pass JSON schema using `--set-file` Helm CLI argument. identitySchemas: - "identity.user.schema.json": | + "identity.schema.admin.json": | { "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "user", - "title": "user", + "$id": "admin", + "title": "admin", "type": "object", "properties": { "traits": { @@ -69,16 +70,16 @@ kratos: } } }, - "required": [ "email" ] + "required": ["email"] } }, "additionalProperties": false } - "identity.default.schema.json": | + "identity.schema.researcher.json": | { "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "default", - "title": "user", + "$id": "researcher", + "title": "researcher", "type": "object", "properties": { "traits": { 
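Review bot: The new `rewrite-target: /admin/$2` together with `path: "/admin/kratos(/|$)(.*)"` routes external requests to Kratos' admin API, which accepts calls without authentication, and unlike the Hydra change in this commit (`ingress.admin.enabled: false`) nothing here turns that ingress off. The key above `className` is outside the hunk, so if this is `ingress.admin`, the admin surface is reachable at `/admin/kratos/...` on the public host protected only by whatever sits in front of the ingress; confirm that is intended, or disable it and keep admin traffic on the in-cluster service as hunk `@@ -209,19` does for `oauth2_provider.url`. The tightened regex itself is an improvement over `/admin/kratos/?(.*)`, which also matched prefixes such as `/admin/kratosfoo`.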
@@ -107,12 +108,49 @@ kratos: } } }, - "required": [ "email" ] + "required": ["email"] + } + }, + "additionalProperties": false + } + "identity.schema.subject.json": | + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "subject", + "title": "subject", + "type": "object", + "properties": { + "traits": { + "type": "object", + "properties": { + "email": { + "type": "string", + "format": "email", + "title": "E-Mail", + "minLength": 5, + "ory.sh/kratos": { + "credentials": { + "password": { + "identifier": true + }, + "totp": { + "account_name": true + } + }, + "verification": { + "via": "email" + }, + "recovery": { + "via": "email" + } + } + } + }, + "required": ["email"] } }, "additionalProperties": false } - config: session: @@ -126,6 +164,13 @@ kratos: courier: smtp: from_address: radar@thehyve.nl + templates: + verification_code: + valid: + email: + body: + html: base64://SGksPGJyPjxicj5QbGVhc2XCoHZlcmlmecKgeW91csKgYWNjb3VudMKgYnnCoGVudGVyaW5nwqB0aGXCoGZvbGxvd2luZ8KgY29kZTo8YnI+PGgyPnt7IC5WZXJpZmljYXRpb25Db2RlIH19PC9oMj4= + plaintext: base64://SGksIFBsZWFzZcKgdmVyaWZ5wqB5b3VywqBhY2NvdW50wqBiecKgZW50ZXJpbmfCoHRoZcKgZm9sbG93aW5nwqBjb2RlOiB7eyAuVmVyaWZpY2F0aW9uQ29kZSB9fQ== serve: public: 
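Review bot: The new `identity.schema.subject.json` repeats the email trait definition (password identifier, totp `account_name`, verification and recovery via email, `"required": ["email"]`, `"additionalProperties": false`) that the admin and researcher schemas also carry; from the visible parts the three differ only in `$id` and `title`. Since `default_schema_id: subject` later in this file makes the schema id the property that separates self-registered subjects from researchers and admins, a comment above `identitySchemas:` such as `# The three schemas are intentionally identical; the schema id alone distinguishes subject/researcher/admin identities` would stop a later edit from changing one body and not the others. The enclosing `identitySchemas` mapping starts outside the hunk.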
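Review bot: Both base64 templates under `courier.smtp.templates.verification_code.valid.email.body` encode U+00A0 between the words (the repeated `wqA` groups decode to the bytes `C2 A0`), so the decoded text reads `Please verify your account by entering the following code` with non-breaking spaces instead of ordinary spaces; in the plaintext variant this shows up as odd spacing or `Â` artefacts in clients that guess the charset. Re-encode both from a source with plain spaces, and add a comment with the decoded text so the template is reviewable in a diff, e.g. `# decodes to: Hi, Please verify your account by entering the following code: {{ .VerificationCode }}`.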
@@ -192,10 +237,18 @@ kratos: # our current flow necessitates that users reset their password after they activate an account in managementportal, # this works as verification ui_url: https://localhost/kratos-ui/verification - enabled: false - use: link + enabled: true + use: code after: default_browser_return_url: https://localhost/kratos-ui + hooks: + - hook: web_hook + config: + method: POST + url: http://management-portal:8080/managementportal/api/kratos/subjects/activate + body: base64://ZnVuY3Rpb24oY3R4KSB7CiAgICBpZGVudGl0eTogaWYgc3RkLm9iamVjdEhhcyhjdHgsICJpZGVudGl0eSIpIHRoZW4gY3R4LmlkZW50aXR5IGVsc2UgbnVsbCwKICAgIHBheWxvYWQ6IGlmIHN0ZC5vYmplY3RIYXMoY3R4LCAiZmxvdyIpICYmIHN0ZC5vYmplY3RIYXMoY3R4LmZsb3csICJ0cmFuc2llbnRfcGF5bG9hZCIpIHRoZW4gY3R4LmZsb3cudHJhbnNpZW50X3BheWxvYWQgZWxzZSBudWxsLAogICAgY29va2llczogY3R4LnJlcXVlc3RfY29va2llcwp9Cg== + response: + ignore: true logout: after: 
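Review bot: The verification `web_hook` body (the base64 decodes to a jsonnet function returning `identity`, the flow's `transient_payload` and `cookies: ctx.request_cookies`) forwards every cookie of the browser request to the management portal, and `response.ignore: true` then discards whatever the portal answers, so the portal receives the user's full cookie jar while Kratos never learns whether activation succeeded. Forwarding only the cookie the portal actually needs, or none, limits what a compromise of that endpoint yields, and `ignore: false` lets a failed activation surface in the flow instead of the verification completing silently. There is also no `auth` block on the hook, so the portal endpoint has to authenticate the caller by other means; confirm it does. The registration hook in the `@@ -209,19` hunk below carries the same body and the same `ignore: true`, and this note covers both. The enclosing `selfservice.flows.verification` block starts outside the hunk.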
@@ -209,19 +262,32 @@ kratos: after: password: hooks: + - hook: web_hook + config: + method: POST + url: http://management-portal:8080/managementportal/api/kratos/subjects + body: base64://ZnVuY3Rpb24oY3R4KSB7CiAgICBpZGVudGl0eTogaWYgc3RkLm9iamVjdEhhcyhjdHgsICJpZGVudGl0eSIpIHRoZW4gY3R4LmlkZW50aXR5IGVsc2UgbnVsbCwKICAgIHBheWxvYWQ6IGlmIHN0ZC5vYmplY3RIYXMoY3R4LCAiZmxvdyIpICYmIHN0ZC5vYmplY3RIYXMoY3R4LmZsb3csICJ0cmFuc2llbnRfcGF5bG9hZCIpIHRoZW4gY3R4LmZsb3cudHJhbnNpZW50X3BheWxvYWQgZWxzZSBudWxsLAogICAgY29va2llczogY3R4LnJlcXVlc3RfY29va2llcwp9Cg== + response: + ignore: true - hook: session oidc: hooks: - hook: session identity: - default_schema_id: user + default_schema_id: subject schemas: - # identitySchemas: - - id: user - url: file:///etc/config/identity.user.schema.json + - id: subject + url: file:///etc/config/identity.schema.subject.json + - id: researcher + url: file:///etc/config/identity.schema.researcher.json + - id: admin + url: file:///etc/config/identity.schema.admin.json log: level: debug format: text - leak_sensitive_values: true \ No newline at end of file + leak_sensitive_values: true + + oauth2_provider: + url: http://hydra-admin \ No newline at end of file diff --git a/etc/kratos_ui/values.yaml b/etc/kratos_ui/values.yaml deleted file mode 100644 index 61a603501..000000000 --- a/etc/kratos_ui/values.yaml +++ /dev/null 
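Review bot: `oauth2_provider.url: http://hydra-admin` omits the port that every other reference in this commit uses (`http://hydra-admin:4445` in etc/base.yaml and in helmfile.d/10-services.yaml), so the file-level default only works if the hydra-admin service happens to map port 80 to the admin API; writing `url: http://hydra-admin:4445` here removes the dependency on the helmfile override. The registration web_hook also repeats the base64 body of the verification hook byte for byte; keeping it in one place (a `file://` reference, or a YAML anchor if the tooling tolerates it) avoids the two drifting apart when the jsonnet changes. The enclosing `selfservice.flows.registration` block starts outside the hunk.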
@@ -1,34 +0,0 @@ -config: - csrfCookieName: "radar_csrf" - -ingress: - enabled: true - className: "nginx" - annotations: - nginx.ingress.kubernetes.io/rewrite-target: /$1 - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: localhost - paths: - - path: "/kratos-ui/?(.*)" - pathType: ImplementationSpecific - tls: - - secretName: radar-base-tls - hosts: - - localhost -# -- Set this to ORY Kratos's Admin URL -kratosAdminUrl: "kratos-admin" - -# -- Set this to ORY Kratos's public URL -kratosPublicUrl: "https://localhost/kratos" - -# -- Set this to ORY Kratos's public URL accessible from the outside world. -kratosBrowserUrl: "https://localhost/kratos" - -# -- The basePath -basePath: "" - -# -- The jwksUrl -jwksUrl: "" - -projectName: "SecureApp" \ No newline at end of file diff --git a/etc/radar-self-enrolment-ui/values.yaml b/etc/radar-self-enrolment-ui/values.yaml deleted file mode 100644 index 402cddebb..000000000 --- a/etc/radar-self-enrolment-ui/values.yaml +++ /dev/null @@ -1,34 +0,0 @@ -config: - csrfCookieName: "radar_csrf" - -ingress: - enabled: true - path: "/kratos-ui(/|$)(.*)" - -# -- Set this to ORY Kratos's Admin URL -kratosAdminUrl: "kratos-admin" - -# -- Set this to ORY Kratos's public URL -kratosPublicUrl: "https://localhost/kratos" - -# -- Set this to ORY Kratos's public URL accessible from the outside world. -kratosBrowserUrl: "https://localhost/kratos" - -# -- The basePath -basePath: "/kratos-ui" - -# -- The jwksUrl -jwksUrl: "" - -projectName: "SecureApp" - -deployment: - extraEnv: - - name: HYDRA_ADMIN_URL - value: http://hydra-admin - -livenessProbe: - enabled: false - -readinessProbe: - enabled: false \ No newline at end of file diff --git a/helmfile.d/10-services.yaml b/helmfile.d/10-services.yaml index e908e7b78..3438c9ba5 100644 --- a/helmfile.d/10-services.yaml +++ b/helmfile.d/10-services.yaml 
@@ -257,6 +257,12 @@ releases: - name: oauth_clients.grafana_dashboard.redirect_uri values: - "https://dashboard.{{ .Values.server_name }}/login/generic_oauth" + - name: identity_server.server_url + value: https://{{ .Values.server_name }}/kratos + - name: authserver.server_url + value: https://{{ .Values.server_name }}/hydra + - name: authserver.login_url + value: https://{{ .Values.server_name }}/hydra - name: app-config chart: radar/app-config @@ -346,28 +352,12 @@ releases: - name: ingress.public.tls[0].hosts values: - {{ .Values.server_name }} - - - name: kratos-selfservice-ui-node - chart: radar/kratos-selfservice-ui-node - version: {{ .Values.kratos_ui._chart_version }} - installed: {{ .Values.kratos_ui._install }} - timeout: {{ add .Values.base_timeout .Values.kratos_ui._extra_timeout }} - <<: *logFailedRelease - values: - - "../etc/kratos_ui/values.yaml" - - {{ .Values.kratos_ui | toYaml | indent 8 | trim }} - set: - - name: serverName - value: {{ .Values.server_name }} - - name: ingress.hosts[0].host - value: {{ .Values.server_name }} - - name: ingress.tls[0].hosts - values: - - {{ .Values.server_name }} - - name: kratosPublicUrl - value: https://{{ .Values.server_name }}/kratos - - name: kratosBrowserUrl - value: https://{{ .Values.server_name }}/kratos + - name: kratos.config.oauth2_provider.url + value: http://hydra-admin:4445 + - name: kratos.config.selfservice.flows.registration.after.password.hooks[0].config.url + value: https://{{ .Values.server_name }}/managementportal/api/kratos/subjects + - name: kratos.config.selfservice.flows.verification.after.hooks[0].config.url + value: https://{{ .Values.server_name }}/managementportal/api/kratos/subjects/activate - name: radar-self-enrolment-ui chart: radar/radar-self-enrolment-ui 
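Review bot: The three new `value:` entries leave the templated URL unquoted (`value: https://{{ .Values.server_name }}/kratos`) while the neighbouring `redirect_uri` entry and the `server_name` entry added in the `@@ -376,17` hunk quote theirs; a `server_name` containing `: ` or ` #` would change how the rendered YAML parses, so `value: "https://{{ .Values.server_name }}/kratos"` is the safer form to use uniformly. `authserver.server_url` and `authserver.login_url` receive the identical `/hydra` URL; if they are meant to differ, that is not visible here, so a short comment on why both point at the public Hydra URL would help the next reader.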
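Review bot: The two `hooks[0].config.url` overrides hard-code the list index, so they land on the web_hook only as long as it stays the first entry in etc/kratos/values.yaml; if the hooks are reordered the override silently rewrites the `session` hook's config instead. A comment above them, `# index 0 must remain the web_hook entry in etc/kratos/values.yaml`, records the coupling. These overrides also send Kratos-to-portal calls through the public `https://{{ .Values.server_name }}/managementportal/...` ingress rather than the in-cluster `http://management-portal:8080` default, which means `/managementportal/api/kratos/subjects` is reachable from outside and the portal must authenticate the webhook itself; confirm that check exists.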
@@ -376,17 +366,18 @@ releases: timeout: {{ add .Values.base_timeout .Values.radar_self_enrolment_ui._extra_timeout }} <<: *logFailedRelease values: - - "../etc/radar-self-enrolment-ui/values.yaml" - {{ .Values.radar_self_enrolment_ui | toYaml | indent 8 | trim }} set: - name: serverName value: {{ .Values.server_name }} - name: ingress.hosts[0] value: {{ .Values.server_name }} - - name: kratosPublicUrl - value: https://{{ .Values.server_name }}/kratos - name: kratosBrowserUrl value: https://{{ .Values.server_name }}/kratos + - name: hydraPublicUrl + value: https://{{ .Values.server_name }}/hydra + - name: server_name + value: "{{ .Values.server_name }}" - name: hydra chart: radar/hydra
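Review bot: Dropping `../etc/radar-self-enrolment-ui/values.yaml` removes settings that the `set:` list does not replace — `config.csrfCookieName`, `ingress.path`, `basePath: "/kratos-ui"`, the `HYDRA_ADMIN_URL` extraEnv and the disabled liveness/readiness probes — and the `radar_self_enrolment_ui` block in etc/base.yaml only carries `_install`, `_chart_version` and `_extra_timeout`. If chart 0.2.3 now defaults all of these, a one-line comment saying so saves the next reader the check; otherwise they need to come back through base.yaml. `server_name: "{{ .Values.server_name }}"` is quoted while the sibling entries in this hunk are not; pick one form for the block.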