RADAR-base · keyvaann · Feb 6, 2025 · Mar 25, 2025 · Mar 31, 2025 · Mar 31, 2025
diff --git a/etc/base.yaml b/etc/base.yaml
@@ -183,6 +183,8 @@ management_portal:
   _chart_version: 1.4.0
   _extra_timeout: 210
   replicaCount: 1  # should be 1
+  image:
+    tag: feature-ory-based-authorization
   postgres:
     host: postgresql
     user: postgres
@@ -201,6 +203,8 @@ management_portal:
     from: noreply@example.com
     starttls: false
     auth: true
+  authserver:
+    server_admin_url: http://hydra-admin:4445
 
 kratos:
   _install: false
@@ -209,22 +213,18 @@ kratos:
   jdbc:
     database: kratos
   kratos:
-    courier:
-      smtp:
-        from_address: radar@thehyve.nl
-
-kratos_ui:
-  _install: false
-  _chart_version: 0.43.1
-  _extra_timeout: 0
+        config:
+            courier:
+                smtp:
+                    from_address: radar@thehyve.nl
 
 radar_self_enrolment_ui:
-  _install: false
-  _chart_version: 0.2.0
+  _install: true
+  _chart_version: 0.2.3
   _extra_timeout: 0
 
 hydra:
-  _install: false
+  _install: true
   _chart_version: 0.48.0
   _extra_timeout: 0
 

diff --git a/etc/kratos/values.yaml b/etc/kratos/values.yaml
@@ -4,10 +4,11 @@ ingress:
     className: "nginx"
     annotations:
       cert-manager.io/cluster-issuer: letsencrypt-prod
+      nginx.ingress.kubernetes.io/rewrite-target: /admin/$2
     hosts:
       - host: localhost
         paths:
-          - path: "/admin/kratos/?(.*)"
+          - path: "/admin/kratos(/|$)(.*)"
             pathType: ImplementationSpecific
     tls:
       - secretName: radar-base-tls
@@ -36,11 +37,11 @@ kratos:
 
   # -- You can add multiple identity schemas here. You can pass JSON schema using `--set-file` Helm CLI argument.
   identitySchemas:
-    "identity.user.schema.json": |
+    "identity.schema.admin.json": |
       {
         "$schema": "http://json-schema.org/draft-07/schema#",
-        "$id": "user",
-        "title": "user",
+        "$id": "admin",
+        "title": "admin",
         "type": "object",
         "properties": {
           "traits": {
@@ -69,16 +70,16 @@ kratos:
                 }
               }
             },
-            "required": [ "email" ]
+            "required": ["email"]
           }
         },
         "additionalProperties": false
       }
-    "identity.default.schema.json": |
+    "identity.schema.researcher.json": |
       {
         "$schema": "http://json-schema.org/draft-07/schema#",
-        "$id": "default",
-        "title": "user",
+        "$id": "researcher",
+        "title": "researcher",
         "type": "object",
         "properties": {
           "traits": {
@@ -107,12 +108,49 @@ kratos:
                 }
               }
             },
-            "required": [ "email" ]
+            "required": ["email"]
+          }
+        },
+        "additionalProperties": false
+      }
+    "identity.schema.subject.json": |
+      {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "$id": "subject",
+        "title": "subject",
+        "type": "object",
+        "properties": {
+          "traits": {
+            "type": "object",
+            "properties": {
+              "email": {
+                "type": "string",
+                "format": "email",
+                "title": "E-Mail",
+                "minLength": 5,
+                "ory.sh/kratos": {
+                  "credentials": {
+                    "password": {
+                      "identifier": true
+                    },
+                    "totp": {
+                      "account_name": true
+                    }
+                  },
+                  "verification": {
+                    "via": "email"
+                  },
+                  "recovery": {
+                    "via": "email"
+                  }
+                }
+              }
+            },
+            "required": ["email"]
           }
         },
         "additionalProperties": false
       }
-
   config:
 
     session:
@@ -192,10 +230,18 @@ kratos:
           # our current flow necessitates that users reset their password after they activate an account in managementportal,
           # this works as verification
           ui_url: https://localhost/kratos-ui/verification
-          enabled: false
-          use: link
+          enabled: true
+          use: code
           after:
             default_browser_return_url: https://localhost/kratos-ui
+            hooks:
+              -   hook: web_hook
+                  config:
+                    method: POST
+                    url: http://management-portal:8080/managementportal/api/kratos/subjects/activate
+                    body: base64://ZnVuY3Rpb24oY3R4KSB7CiAgICBpZGVudGl0eTogaWYgc3RkLm9iamVjdEhhcyhjdHgsICJpZGVudGl0eSIpIHRoZW4gY3R4LmlkZW50aXR5IGVsc2UgbnVsbCwKICAgIHBheWxvYWQ6IGlmIHN0ZC5vYmplY3RIYXMoY3R4LCAiZmxvdyIpICYmIHN0ZC5vYmplY3RIYXMoY3R4LmZsb3csICJ0cmFuc2llbnRfcGF5bG9hZCIpIHRoZW4gY3R4LmZsb3cudHJhbnNpZW50X3BheWxvYWQgZWxzZSBudWxsLAogICAgY29va2llczogY3R4LnJlcXVlc3RfY29va2llcwp9Cg==
+                    response:
+                      ignore: true
 
         logout:
           after:
@@ -209,19 +255,32 @@ kratos:
           after:
             password:
               hooks:
+                -   hook: web_hook
+                    config:
+                      method: POST
+                      url: http://management-portal:8080/managementportal/api/kratos/subjects
+                      body: base64://ZnVuY3Rpb24oY3R4KSB7CiAgICBpZGVudGl0eTogaWYgc3RkLm9iamVjdEhhcyhjdHgsICJpZGVudGl0eSIpIHRoZW4gY3R4LmlkZW50aXR5IGVsc2UgbnVsbCwKICAgIHBheWxvYWQ6IGlmIHN0ZC5vYmplY3RIYXMoY3R4LCAiZmxvdyIpICYmIHN0ZC5vYmplY3RIYXMoY3R4LmZsb3csICJ0cmFuc2llbnRfcGF5bG9hZCIpIHRoZW4gY3R4LmZsb3cudHJhbnNpZW50X3BheWxvYWQgZWxzZSBudWxsLAogICAgY29va2llczogY3R4LnJlcXVlc3RfY29va2llcwp9Cg==
+                      response:
+                        ignore: true
                 -   hook: session
             oidc:
               hooks:
                 -   hook: session
 
     identity:
-      default_schema_id: user
+      default_schema_id: subject
       schemas:
-        # identitySchemas:
-        -   id: user
-            url: file:///etc/config/identity.user.schema.json
+        - id: subject
+          url: file:///etc/config/identity.schema.subject.json
+        - id: researcher
+          url: file:///etc/config/identity.schema.researcher.json
+        - id: admin
+          url: file:///etc/config/identity.schema.admin.json
 
     log:
       level: debug
       format: text
-      leak_sensitive_values: true
+      leak_sensitive_values: true
+
+    oauth2_provider:
+      url: http://hydra-admin
diff --git a/etc/kratos_ui/values.yaml b/etc/kratos_ui/values.yaml
diff --git a/etc/radar-self-enrolment-ui/values.yaml b/etc/radar-self-enrolment-ui/values.yaml
diff --git a/helmfile.d/10-services.yaml b/helmfile.d/10-services.yaml
@@ -257,6 +257,10 @@ releases:
       - name: oauth_clients.grafana_dashboard.redirect_uri
         values:
           - "https://dashboard.{{ .Values.server_name }}/login/generic_oauth"
+      - name: authserver.server_url
+        value: https:// {{ .Values.server_name }}/hydra
+      - name: authserver.login_url
+        value: https:// {{ .Values.server_name }}/hydra
 
   - name: app-config
     chart: radar/app-config
@@ -346,28 +350,12 @@ releases:
       - name: ingress.public.tls[0].hosts
         values:
           - {{ .Values.server_name }}
-
-  - name: kratos-selfservice-ui-node
-    chart: radar/kratos-selfservice-ui-node
-    version: {{ .Values.kratos_ui._chart_version }}
-    installed: {{ .Values.kratos_ui._install }}
-    timeout: {{ add .Values.base_timeout .Values.kratos_ui._extra_timeout }}
-    <<: *logFailedRelease
-    values:
-      - "../etc/kratos_ui/values.yaml"    
-      - {{ .Values.kratos_ui | toYaml | indent 8 | trim }}
-    set:
-      - name: serverName
-        value: {{ .Values.server_name }}
-      - name: ingress.hosts[0].host
-        value: {{ .Values.server_name }}        
-      - name: ingress.tls[0].hosts
-        values:
-          - {{ .Values.server_name }}
-      - name: kratosPublicUrl
-        value: https://{{ .Values.server_name }}/kratos
-      - name: kratosBrowserUrl
-        value: https://{{ .Values.server_name }}/kratos
+      - name: kratos.config.oauth2_provider.url
+        value: http://hydra-admin:4445
+      - name: kratos.config.selfservice.flows.registration.after.password.hooks[0].config.url
+        value: https://{{ .Values.server_name }}/managementportal/api/kratos/subjects
+      - name: kratos.config.selfservice.flows.verification.after.hooks[0].config.url
+        value: https://{{ .Values.server_name }}/managementportal/api/kratos/subjects/activate
 
   - name: radar-self-enrolment-ui
     chart: radar/radar-self-enrolment-ui
@@ -376,17 +364,16 @@ releases:
     timeout: {{ add .Values.base_timeout .Values.radar_self_enrolment_ui._extra_timeout }}
     <<: *logFailedRelease
     values:
-      - "../etc/radar-self-enrolment-ui/values.yaml"
       - {{ .Values.radar_self_enrolment_ui | toYaml | indent 8 | trim }}
     set:
       - name: serverName
         value: {{ .Values.server_name }}
       - name: ingress.hosts[0]
         value: {{ .Values.server_name }}
-      - name: kratosPublicUrl
-        value: https://{{ .Values.server_name }}/kratos
       - name: kratosBrowserUrl
         value: https://{{ .Values.server_name }}/kratos
+      - name: hydraPublicUrl
+        value: https://{{ .Values.server_name }}/hydra
 
   - name: hydra
     chart: radar/hydra