studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7cb6bb1bd2b2d3b261d1372e892174bb3bc7c7d2
sbbb/base/ory/kratos-selfservice-urls.yaml

27 lines
1.0 KiB
YAML
Raw Normal View History

feat(infra): data, storage, devtools, and ory layer updates - data: CNPG cluster tuning, OpenBao values, OpenSearch deployment fixes, OpenSearch PVC, barman vault secret for S3 backup credentials - storage: SeaweedFS filer updates (s3.json via secret subPath), PVC for filer persistent storage - devtools: Gitea values (SSH service, custom theme), gitea-theme-cm ConfigMap - ory: add kratos-selfservice-urls.yaml for self-service flow URLs - media: LiveKit values updated (TURN config, STUN, resource limits) - vso: kustomization cleanup
2026-03-06 12:07:28 +00:00
# Kratos selfservice UI URLs — patch over the Helm-rendered kratos-config ConfigMap.
# DOMAIN_SUFFIX is substituted by sunbeam apply.
apiVersion: v1
kind: ConfigMap
metadata:
name: kratos-config
namespace: ory
data:
selfservice.default_browser_return_url: "https://auth.DOMAIN_SUFFIX/"
selfservice.flows.login.ui_url: "https://auth.DOMAIN_SUFFIX/login"
selfservice.flows.registration.ui_url: "https://auth.DOMAIN_SUFFIX/registration"
selfservice.flows.recovery.ui_url: "https://auth.DOMAIN_SUFFIX/recovery"
fix(ory): harden Kratos and Hydra production security configuration Kratos: xchacha20-poly1305 cipher for at-rest encryption, 12-char min password with HaveIBeenPwned + similarity check, recovery/verification switched to code (not link), anti-enumeration on unknown recipients, 15m privileged session, 24h session extend throttle, JSON structured logging, WebAuthn passwordless enabled, additionalProperties: false on all identity schemas, memory limits bumped to 256Mi. Hydra: expose_internal_errors disabled, PKCE enforced for public clients, janitor CronJob every 6h, cookie domain set explicitly, SSRF prevention via disallow_private_ip_ranges, JSON structured logging, Maester enabledNamespaces includes monitoring. Also: fixed selfservice URL patch divergence (settings path, missing allowed_return_urls), removed invalid responseTypes on Hive client.
2026-03-24 19:40:58 +00:00
selfservice.flows.settings.ui_url: "https://auth.DOMAIN_SUFFIX/security"
feat(infra): data, storage, devtools, and ory layer updates - data: CNPG cluster tuning, OpenBao values, OpenSearch deployment fixes, OpenSearch PVC, barman vault secret for S3 backup credentials - storage: SeaweedFS filer updates (s3.json via secret subPath), PVC for filer persistent storage - devtools: Gitea values (SSH service, custom theme), gitea-theme-cm ConfigMap - ory: add kratos-selfservice-urls.yaml for self-service flow URLs - media: LiveKit values updated (TURN config, STUN, resource limits) - vso: kustomization cleanup
2026-03-06 12:07:28 +00:00
selfservice.allowed_return_urls: |
- https://auth.DOMAIN_SUFFIX/
- https://docs.DOMAIN_SUFFIX/
- https://meet.DOMAIN_SUFFIX/
- https://drive.DOMAIN_SUFFIX/
- https://mail.DOMAIN_SUFFIX/
feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain - Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD - Update allowed_return_urls and selfservice URLs: chat→messages - Add Kratos verification flow, employee/external identity schemas - Extend session lifespan to 30 days with persistent cookies - Route messages.* to tuwunel via Pingora with WebSocket support - Replace login-ui with kratos-admin-ui as unified auth frontend - Update TLS certificate SANs: chat→messages, add monitoring subdomains - Add tuwunel + La Suite images to production overlay - Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
2026-03-10 18:52:47 +00:00
- https://messages.DOMAIN_SUFFIX/
feat(infra): data, storage, devtools, and ory layer updates - data: CNPG cluster tuning, OpenBao values, OpenSearch deployment fixes, OpenSearch PVC, barman vault secret for S3 backup credentials - storage: SeaweedFS filer updates (s3.json via secret subPath), PVC for filer persistent storage - devtools: Gitea values (SSH service, custom theme), gitea-theme-cm ConfigMap - ory: add kratos-selfservice-urls.yaml for self-service flow URLs - media: LiveKit values updated (TURN config, STUN, resource limits) - vso: kustomization cleanup
2026-03-06 12:07:28 +00:00
- https://people.DOMAIN_SUFFIX/
- https://src.DOMAIN_SUFFIX/
fix(ory): harden Kratos and Hydra production security configuration Kratos: xchacha20-poly1305 cipher for at-rest encryption, 12-char min password with HaveIBeenPwned + similarity check, recovery/verification switched to code (not link), anti-enumeration on unknown recipients, 15m privileged session, 24h session extend throttle, JSON structured logging, WebAuthn passwordless enabled, additionalProperties: false on all identity schemas, memory limits bumped to 256Mi. Hydra: expose_internal_errors disabled, PKCE enforced for public clients, janitor CronJob every 6h, cookie domain set explicitly, SSRF prevention via disallow_private_ip_ranges, JSON structured logging, Maester enabledNamespaces includes monitoring. Also: fixed selfservice URL patch divergence (settings path, missing allowed_return_urls), removed invalid responseTypes on Hive client.
2026-03-24 19:40:58 +00:00
- https://find.DOMAIN_SUFFIX/
- https://cal.DOMAIN_SUFFIX/
- https://projects.DOMAIN_SUFFIX/
feat(infra): data, storage, devtools, and ory layer updates - data: CNPG cluster tuning, OpenBao values, OpenSearch deployment fixes, OpenSearch PVC, barman vault secret for S3 backup credentials - storage: SeaweedFS filer updates (s3.json via secret subPath), PVC for filer persistent storage - devtools: Gitea values (SSH service, custom theme), gitea-theme-cm ConfigMap - ory: add kratos-selfservice-urls.yaml for self-service flow URLs - media: LiveKit values updated (TURN config, STUN, resource limits) - vso: kustomization cleanup
2026-03-06 12:07:28 +00:00
- https://admin.DOMAIN_SUFFIX/
Reference in New Issue Copy Permalink