studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ory): harden Kratos and Hydra production security configuration

Browse Source 
Kratos: xchacha20-poly1305 cipher for at-rest encryption, 12-char min
password with HaveIBeenPwned + similarity check, recovery/verification
switched to code (not link), anti-enumeration on unknown recipients,
15m privileged session, 24h session extend throttle, JSON structured
logging, WebAuthn passwordless enabled, additionalProperties: false on
all identity schemas, memory limits bumped to 256Mi.

Hydra: expose_internal_errors disabled, PKCE enforced for public
clients, janitor CronJob every 6h, cookie domain set explicitly,
SSRF prevention via disallow_private_ip_ranges, JSON structured
logging, Maester enabledNamespaces includes monitoring.

Also: fixed selfservice URL patch divergence (settings path, missing
allowed_return_urls), removed invalid responseTypes on Hive client.
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-24 19:40:58 +00:00
parent 4c02fe18ed
commit 50a4abf94f
5 changed files with 56 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
base/lasuite/oidc-clients.yaml
View File

@@ -4,28 +4,6 @@
# App pods reference those secrets for OIDC_RP_CLIENT_ID/SECRET env vars. # App pods reference those secrets for OIDC_RP_CLIENT_ID/SECRET env vars.
# redirectUris contain DOMAIN_SUFFIX which is replaced by sed at deploy time. # redirectUris contain DOMAIN_SUFFIX which is replaced by sed at deploy time.
# ── Docs ─────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: docs
namespace: lasuite
spec:
clientName: Docs
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
scope: openid email profile
redirectUris:
- https://docs.DOMAIN_SUFFIX/api/v1.0/callback/
postLogoutRedirectUris:
- https://docs.DOMAIN_SUFFIX/api/v1.0/logout-callback/
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-docs
skipConsent: true
---
# ── Drive ───────────────────────────────────────────────────────────────────── # ── Drive ─────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1 apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client kind: OAuth2Client
@@ -95,28 +73,6 @@ spec:
secretName: oidc-messages secretName: oidc-messages
skipConsent: true skipConsent: true
--- ---
# ── People ────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: people
namespace: lasuite
spec:
clientName: People
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
scope: openid email profile
redirectUris:
- https://people.DOMAIN_SUFFIX/api/v1.0/callback/
postLogoutRedirectUris:
- https://people.DOMAIN_SUFFIX/api/v1.0/logout-callback/
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-people
skipConsent: true
---
# ── Find ────────────────────────────────────────────────────────────────────── # ── Find ──────────────────────────────────────────────────────────────────────
apiVersion: hydra.ory.sh/v1alpha1 apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client kind: OAuth2Client
@@ -173,8 +129,6 @@ spec:
clientName: Hive clientName: Hive
grantTypes: grantTypes:
- client_credentials - client_credentials
responseTypes:
- token
scope: openid scope: openid
tokenEndpointAuthMethod: client_secret_basic tokenEndpointAuthMethod: client_secret_basic
secretName: oidc-hive secretName: oidc-hive

29
base/ory/hydra-values.yaml
View File

@@ -26,9 +26,23 @@ hydra:
# Revoking a Kratos session (sunbeam user disable) prevents refresh. # Revoking a Kratos session (sunbeam user disable) prevents refresh.
refresh_token: 720h refresh_token: 720h
oauth2:
expose_internal_errors: false
pkce:
enforced_for_public_clients: true
log:
format: json
leak_sensitive_values: false
clients:
http:
disallow_private_ip_ranges: true
serve: serve:
cookies: cookies:
same_site_mode: Lax same_site_mode: Lax
domain: DOMAIN_SUFFIX
public: public:
cors: cors:
enabled: true enabled: true
@@ -46,11 +60,22 @@ hydra-maester:
enabledNamespaces: enabledNamespaces:
- lasuite - lasuite
- matrix - matrix
- monitoring
# ServiceMonitor created as standalone resource (hydra-servicemonitor.yaml) — # ServiceMonitor created as standalone resource (hydra-servicemonitor.yaml) —
# chart's built-in ServiceMonitor requires .Capabilities.APIVersions which # chart's built-in ServiceMonitor requires .Capabilities.APIVersions which
# kustomize helm template doesn't provide. # kustomize helm template doesn't provide.
janitor:
enabled: true
cleanupGrants: true
cleanupRequests: true
cleanupTokens: true
cronjob:
janitor:
schedule: "0 */6 * * *"
deployment: deployment:
extraEnv: extraEnv:
- name: DSN - name: DSN
@@ -60,7 +85,7 @@ deployment:
key: dsn key: dsn
resources: resources:
limits: limits:
memory: 64Mi memory: 256Mi
requests: requests:
memory: 32Mi memory: 64Mi
cpu: 25m cpu: 25m

5
base/ory/kratos-selfservice-urls.yaml
View File

@@ -10,7 +10,7 @@ data:
selfservice.flows.login.ui_url: "https://auth.DOMAIN_SUFFIX/login" selfservice.flows.login.ui_url: "https://auth.DOMAIN_SUFFIX/login"
selfservice.flows.registration.ui_url: "https://auth.DOMAIN_SUFFIX/registration" selfservice.flows.registration.ui_url: "https://auth.DOMAIN_SUFFIX/registration"
selfservice.flows.recovery.ui_url: "https://auth.DOMAIN_SUFFIX/recovery" selfservice.flows.recovery.ui_url: "https://auth.DOMAIN_SUFFIX/recovery"
selfservice.flows.settings.ui_url: "https://auth.DOMAIN_SUFFIX/settings" selfservice.flows.settings.ui_url: "https://auth.DOMAIN_SUFFIX/security"
selfservice.allowed_return_urls: | selfservice.allowed_return_urls: |
- https://auth.DOMAIN_SUFFIX/ - https://auth.DOMAIN_SUFFIX/
- https://docs.DOMAIN_SUFFIX/ - https://docs.DOMAIN_SUFFIX/
@@ -20,4 +20,7 @@ data:
- https://messages.DOMAIN_SUFFIX/ - https://messages.DOMAIN_SUFFIX/
- https://people.DOMAIN_SUFFIX/ - https://people.DOMAIN_SUFFIX/
- https://src.DOMAIN_SUFFIX/ - https://src.DOMAIN_SUFFIX/
- https://find.DOMAIN_SUFFIX/
- https://cal.DOMAIN_SUFFIX/
- https://projects.DOMAIN_SUFFIX/
- https://admin.DOMAIN_SUFFIX/ - https://admin.DOMAIN_SUFFIX/

30
base/ory/kratos-values.yaml
View File

@@ -8,6 +8,9 @@ kratos:
config: config:
version: v0.13.0 version: v0.13.0
ciphers:
algorithm: xchacha20-poly1305
selfservice: selfservice:
default_browser_return_url: https://auth.DOMAIN_SUFFIX/ default_browser_return_url: https://auth.DOMAIN_SUFFIX/
allowed_return_urls: allowed_return_urls:
@@ -24,6 +27,10 @@ kratos:
methods: methods:
password: password:
enabled: true enabled: true
config:
min_password_length: 12
haveibeenpwned_enabled: true
identifier_similarity_check_enabled: true
totp: totp:
enabled: true enabled: true
config: config:
@@ -31,7 +38,7 @@ kratos:
webauthn: webauthn:
enabled: true enabled: true
config: config:
passwordless: false passwordless: true
rp: rp:
display_name: Sunbeam Studios display_name: Sunbeam Studios
id: DOMAIN_SUFFIX id: DOMAIN_SUFFIX
@@ -49,24 +56,28 @@ kratos:
enabled: true enabled: true
recovery: recovery:
enabled: true enabled: true
use: code
notify_unknown_recipients: false
ui_url: https://auth.DOMAIN_SUFFIX/recovery ui_url: https://auth.DOMAIN_SUFFIX/recovery
verification: verification:
enabled: true enabled: true
use: code
notify_unknown_recipients: false
ui_url: https://auth.DOMAIN_SUFFIX/verification ui_url: https://auth.DOMAIN_SUFFIX/verification
settings: settings:
ui_url: https://auth.DOMAIN_SUFFIX/security ui_url: https://auth.DOMAIN_SUFFIX/security
privileged_session_max_age: 5m privileged_session_max_age: 15m
required_aal: highest_available required_aal: highest_available
identity: identity:
default_schema_id: employee default_schema_id: employee
schemas: schemas:
- id: employee - id: employee
url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2VtcGxveWVlLmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiRW1wbG95ZWUiLAogICJwcm9wZXJ0aWVzIjogewogICAgInRyYWl0cyI6IHsKICAgICAgInR5cGUiOiAib2JqZWN0IiwKICAgICAgInByb3BlcnRpZXMiOiB7CiAgICAgICAgImVtYWlsIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJmb3JtYXQiOiAiZW1haWwiLAogICAgICAgICAgInRpdGxlIjogIkVtYWlsIiwKICAgICAgICAgICJvcnkuc2gva3JhdG9zIjogewogICAgICAgICAgICAiY3JlZGVudGlhbHMiOiB7ICJwYXNzd29yZCI6IHsgImlkZW50aWZpZXIiOiB0cnVlIH0gfSwKICAgICAgICAgICAgInJlY292ZXJ5IjogeyAidmlhIjogImVtYWlsIiB9LAogICAgICAgICAgICAidmVyaWZpY2F0aW9uIjogeyAidmlhIjogImVtYWlsIiB9CiAgICAgICAgICB9CiAgICAgICAgfSwKICAgICAgICAiZ2l2ZW5fbmFtZSI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIkZpcnN0IG5hbWUiIH0sCiAgICAgICAgImZhbWlseV9uYW1lIjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiTGFzdCBuYW1lIiB9LAogICAgICAgICJtaWRkbGVfbmFtZSI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIk1pZGRsZSBuYW1lIiB9LAogICAgICAgICJuaWNrbmFtZSI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIk5pY2tuYW1lIiB9LAogICAgICAgICJwaWN0dXJlIjogeyAidHlwZSI6ICJzdHJpbmciLCAiZm9ybWF0IjogInVyaSIsICJ0aXRsZSI6ICJQcm9maWxlIHBpY3R1cmUiIH0sCiAgICAgICAgInBob25lX251bWJlciI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIlBob25lIG51bWJlciIgfSwKICAgICAgICAiam9iX3RpdGxlIjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiSm9iIHRpdGxlIiB9LAogICAgICAgICJkZXBhcnRtZW50IjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiRGVwYXJ0bWVudCIgfSwKICAgICAgICAib2ZmaWNlX2xvY2F0aW9uIjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiT2ZmaWNlIGxvY2F0aW9uIiB9LAogICAgICAgICJlbXBsb3llZV9pZCI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIkVtcGxveWVlIElEIiB9LAogICAgICAgICJoaXJlX2RhdGUiOiB7ICJ0eXBlIjogInN0cmluZyIsICJmb3JtYXQiOiAiZGF0ZSIsICJ0aXRsZSI6ICJIaXJlIGRhdGUiIH0sCiAgICAgICAgIm1hbmFnZXIiOiB7ICJ0eXBlIjogInN0cmluZyIsICJ0aXRsZSI6ICJNYW5hZ2VyIiB9CiAgICAgIH0sCiAgICAgICJyZXF1aXJlZCI6IFsiZW1haWwiXQogICAgfQogIH0KfQo= url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2VtcGxveWVlLmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiRW1wbG95ZWUiLAogICJwcm9wZXJ0aWVzIjogewogICAgInRyYWl0cyI6IHsKICAgICAgInR5cGUiOiAib2JqZWN0IiwKICAgICAgInByb3BlcnRpZXMiOiB7CiAgICAgICAgImVtYWlsIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJmb3JtYXQiOiAiZW1haWwiLAogICAgICAgICAgInRpdGxlIjogIkVtYWlsIiwKICAgICAgICAgICJvcnkuc2gva3JhdG9zIjogewogICAgICAgICAgICAiY3JlZGVudGlhbHMiOiB7CiAgICAgICAgICAgICAgInBhc3N3b3JkIjogewogICAgICAgICAgICAgICAgImlkZW50aWZpZXIiOiB0cnVlCiAgICAgICAgICAgICAgfQogICAgICAgICAgICB9LAogICAgICAgICAgICAicmVjb3ZlcnkiOiB7CiAgICAgICAgICAgICAgInZpYSI6ICJlbWFpbCIKICAgICAgICAgICAgfSwKICAgICAgICAgICAgInZlcmlmaWNhdGlvbiI6IHsKICAgICAgICAgICAgICAidmlhIjogImVtYWlsIgogICAgICAgICAgICB9CiAgICAgICAgICB9CiAgICAgICAgfSwKICAgICAgICAiZ2l2ZW5fbmFtZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAidGl0bGUiOiAiRmlyc3QgbmFtZSIKICAgICAgICB9LAogICAgICAgICJmYW1pbHlfbmFtZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAidGl0bGUiOiAiTGFzdCBuYW1lIgogICAgICAgIH0sCiAgICAgICAgIm1pZGRsZV9uYW1lIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJ0aXRsZSI6ICJNaWRkbGUgbmFtZSIKICAgICAgICB9LAogICAgICAgICJuaWNrbmFtZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAidGl0bGUiOiAiTmlja25hbWUiCiAgICAgICAgfSwKICAgICAgICAicGljdHVyZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAiZm9ybWF0IjogInVyaSIsCiAgICAgICAgICAidGl0bGUiOiAiUHJvZmlsZSBwaWN0dXJlIgogICAgICAgIH0sCiAgICAgICAgInBob25lX251bWJlciI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAidGl0bGUiOiAiUGhvbmUgbnVtYmVyIgogICAgICAgIH0sCiAgICAgICAgImpvYl90aXRsZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAidGl0bGUiOiAiSm9iIHRpdGxlIgogICAgICAgIH0sCiAgICAgICAgImRlcGFydG1lbnQiOiB7CiAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgInRpdGxlIjogIkRlcGFydG1lbnQiCiAgICAgICAgfSwKICAgICAgICAib2ZmaWNlX2xvY2F0aW9uIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJ0aXRsZSI6ICJPZmZpY2UgbG9jYXRpb24iCiAgICAgICAgfSwKICAgICAgICAiZW1wbG95ZWVfaWQiOiB7CiAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgInRpdGxlIjogIkVtcGxveWVlIElEIgogICAgICAgIH0sCiAgICAgICAgImhpcmVfZGF0ZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAiZm9ybWF0IjogImRhdGUiLAogICAgICAgICAgInRpdGxlIjogIkhpcmUgZGF0ZSIKICAgICAgICB9LAogICAgICAgICJtYW5hZ2VyIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJ0aXRsZSI6ICJNYW5hZ2VyIgogICAgICAgIH0KICAgICAgfSwKICAgICAgInJlcXVpcmVkIjogWwogICAgICAgICJlbWFpbCIKICAgICAgXSwKICAgICAgImFkZGl0aW9uYWxQcm9wZXJ0aWVzIjogZmFsc2UKICAgIH0KICB9Cn0K
- id: default - id: default
url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2lkZW50aXR5Lmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiUGVyc29uIChsZWdhY3kpIiwKICAicHJvcGVydGllcyI6IHsKICAgICJ0cmFpdHMiOiB7CiAgICAgICJ0eXBlIjogIm9iamVjdCIsCiAgICAgICJwcm9wZXJ0aWVzIjogewogICAgICAgICJlbWFpbCI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAiZm9ybWF0IjogImVtYWlsIiwKICAgICAgICAgICJ0aXRsZSI6ICJFbWFpbCIsCiAgICAgICAgICAib3J5LnNoL2tyYXRvcyI6IHsKICAgICAgICAgICAgImNyZWRlbnRpYWxzIjogeyAicGFzc3dvcmQiOiB7ICJpZGVudGlmaWVyIjogdHJ1ZSB9IH0sCiAgICAgICAgICAgICJyZWNvdmVyeSI6IHsgInZpYSI6ICJlbWFpbCIgfSwKICAgICAgICAgICAgInZlcmlmaWNhdGlvbiI6IHsgInZpYSI6ICJlbWFpbCIgfQogICAgICAgICAgfQogICAgICAgIH0sCiAgICAgICAgIm5hbWUiOiB7CiAgICAgICAgICAidHlwZSI6ICJvYmplY3QiLAogICAgICAgICAgInByb3BlcnRpZXMiOiB7CiAgICAgICAgICAgICJmaXJzdCI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIkZpcnN0IG5hbWUiIH0sCiAgICAgICAgICAgICJsYXN0IjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiTGFzdCBuYW1lIiB9CiAgICAgICAgICB9CiAgICAgICAgfQogICAgICB9LAogICAgICAicmVxdWlyZWQiOiBbImVtYWlsIl0KICAgIH0KICB9Cn0K url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2lkZW50aXR5Lmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiUGVyc29uIChsZWdhY3kpIiwKICAicHJvcGVydGllcyI6IHsKICAgICJ0cmFpdHMiOiB7CiAgICAgICJ0eXBlIjogIm9iamVjdCIsCiAgICAgICJwcm9wZXJ0aWVzIjogewogICAgICAgICJlbWFpbCI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAiZm9ybWF0IjogImVtYWlsIiwKICAgICAgICAgICJ0aXRsZSI6ICJFbWFpbCIsCiAgICAgICAgICAib3J5LnNoL2tyYXRvcyI6IHsKICAgICAgICAgICAgImNyZWRlbnRpYWxzIjogewogICAgICAgICAgICAgICJwYXNzd29yZCI6IHsKICAgICAgICAgICAgICAgICJpZGVudGlmaWVyIjogdHJ1ZQogICAgICAgICAgICAgIH0KICAgICAgICAgICAgfSwKICAgICAgICAgICAgInJlY292ZXJ5IjogewogICAgICAgICAgICAgICJ2aWEiOiAiZW1haWwiCiAgICAgICAgICAgIH0sCiAgICAgICAgICAgICJ2ZXJpZmljYXRpb24iOiB7CiAgICAgICAgICAgICAgInZpYSI6ICJlbWFpbCIKICAgICAgICAgICAgfQogICAgICAgICAgfQogICAgICAgIH0sCiAgICAgICAgIm5hbWUiOiB7CiAgICAgICAgICAidHlwZSI6ICJvYmplY3QiLAogICAgICAgICAgInByb3BlcnRpZXMiOiB7CiAgICAgICAgICAgICJmaXJzdCI6IHsKICAgICAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgICAgICJ0aXRsZSI6ICJGaXJzdCBuYW1lIgogICAgICAgICAgICB9LAogICAgICAgICAgICAibGFzdCI6IHsKICAgICAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgICAgICJ0aXRsZSI6ICJMYXN0IG5hbWUiCiAgICAgICAgICAgIH0KICAgICAgICAgIH0KICAgICAgICB9CiAgICAgIH0sCiAgICAgICJyZXF1aXJlZCI6IFsKICAgICAgICAiZW1haWwiCiAgICAgIF0sCiAgICAgICJhZGRpdGlvbmFsUHJvcGVydGllcyI6IGZhbHNlCiAgICB9CiAgfQp9Cg==
- id: external - id: external
url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2V4dGVybmFsLmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiRXh0ZXJuYWwgVXNlciIsCiAgInByb3BlcnRpZXMiOiB7CiAgICAidHJhaXRzIjogewogICAgICAidHlwZSI6ICJvYmplY3QiLAogICAgICAicHJvcGVydGllcyI6IHsKICAgICAgICAiZW1haWwiOiB7CiAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgImZvcm1hdCI6ICJlbWFpbCIsCiAgICAgICAgICAidGl0bGUiOiAiRW1haWwiLAogICAgICAgICAgIm9yeS5zaC9rcmF0b3MiOiB7CiAgICAgICAgICAgICJjcmVkZW50aWFscyI6IHsgInBhc3N3b3JkIjogeyAiaWRlbnRpZmllciI6IHRydWUgfSB9LAogICAgICAgICAgICAicmVjb3ZlcnkiOiB7ICJ2aWEiOiAiZW1haWwiIH0sCiAgICAgICAgICAgICJ2ZXJpZmljYXRpb24iOiB7ICJ2aWEiOiAiZW1haWwiIH0KICAgICAgICAgIH0KICAgICAgICB9LAogICAgICAgICJnaXZlbl9uYW1lIjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiRmlyc3QgbmFtZSIgfSwKICAgICAgICAiZmFtaWx5X25hbWUiOiB7ICJ0eXBlIjogInN0cmluZyIsICJ0aXRsZSI6ICJMYXN0IG5hbWUiIH0sCiAgICAgICAgIm5pY2tuYW1lIjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiTmlja25hbWUiIH0sCiAgICAgICAgInBpY3R1cmUiOiB7ICJ0eXBlIjogInN0cmluZyIsICJmb3JtYXQiOiAidXJpIiwgInRpdGxlIjogIlByb2ZpbGUgcGljdHVyZSIgfQogICAgICB9LAogICAgICAicmVxdWlyZWQiOiBbImVtYWlsIl0KICAgIH0KICB9Cn0K url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2V4dGVybmFsLmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiRXh0ZXJuYWwgVXNlciIsCiAgInByb3BlcnRpZXMiOiB7CiAgICAidHJhaXRzIjogewogICAgICAidHlwZSI6ICJvYmplY3QiLAogICAgICAicHJvcGVydGllcyI6IHsKICAgICAgICAiZW1haWwiOiB7CiAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgImZvcm1hdCI6ICJlbWFpbCIsCiAgICAgICAgICAidGl0bGUiOiAiRW1haWwiLAogICAgICAgICAgIm9yeS5zaC9rcmF0b3MiOiB7CiAgICAgICAgICAgICJjcmVkZW50aWFscyI6IHsKICAgICAgICAgICAgICAicGFzc3dvcmQiOiB7CiAgICAgICAgICAgICAgICAiaWRlbnRpZmllciI6IHRydWUKICAgICAgICAgICAgICB9CiAgICAgICAgICAgIH0sCiAgICAgICAgICAgICJyZWNvdmVyeSI6IHsKICAgICAgICAgICAgICAidmlhIjogImVtYWlsIgogICAgICAgICAgICB9LAogICAgICAgICAgICAidmVyaWZpY2F0aW9uIjogewogICAgICAgICAgICAgICJ2aWEiOiAiZW1haWwiCiAgICAgICAgICAgIH0KICAgICAgICAgIH0KICAgICAgICB9LAogICAgICAgICJnaXZlbl9uYW1lIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJ0aXRsZSI6ICJGaXJzdCBuYW1lIgogICAgICAgIH0sCiAgICAgICAgImZhbWlseV9uYW1lIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJ0aXRsZSI6ICJMYXN0IG5hbWUiCiAgICAgICAgfSwKICAgICAgICAibmlja25hbWUiOiB7CiAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgInRpdGxlIjogIk5pY2tuYW1lIgogICAgICAgIH0sCiAgICAgICAgInBpY3R1cmUiOiB7CiAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgImZvcm1hdCI6ICJ1cmkiLAogICAgICAgICAgInRpdGxlIjogIlByb2ZpbGUgcGljdHVyZSIKICAgICAgICB9CiAgICAgIH0sCiAgICAgICJyZXF1aXJlZCI6IFsKICAgICAgICAiZW1haWwiCiAgICAgIF0sCiAgICAgICJhZGRpdGlvbmFsUHJvcGVydGllcyI6IGZhbHNlCiAgICB9CiAgfQp9Cg==
courier: courier:
smtp: smtp:
@@ -77,6 +88,10 @@ kratos:
oauth2_provider: oauth2_provider:
url: http://hydra-admin.ory.svc.cluster.local:4445 url: http://hydra-admin.ory.svc.cluster.local:4445
log:
format: json
leak_sensitive_values: false
session: session:
cookie: cookie:
# Scope session cookie to parent domain so all subdomains (auth.*, admin.*, etc.) # Scope session cookie to parent domain so all subdomains (auth.*, admin.*, etc.)
@@ -84,6 +99,7 @@ kratos:
# redirect loops on admin.*. # redirect loops on admin.*.
domain: DOMAIN_SUFFIX domain: DOMAIN_SUFFIX
persistent: true persistent: true
earliest_possible_extend: 24h
lifespan: 720h lifespan: 720h
whoami: whoami:
required_aal: highest_available required_aal: highest_available
@@ -119,7 +135,7 @@ deployment:
key: dsn key: dsn
resources: resources:
limits: limits:
memory: 64Mi memory: 256Mi
requests: requests:
memory: 32Mi memory: 64Mi
cpu: 25m cpu: 25m

2
base/ory/vault-secrets.yaml
View File

@@ -70,6 +70,8 @@ spec:
text: "{{ index .Secrets \"secrets-cookie\" }}" text: "{{ index .Secrets \"secrets-cookie\" }}"
smtpConnectionURI: smtpConnectionURI:
text: "{{ index .Secrets \"smtp-connection-uri\" }}" text: "{{ index .Secrets \"smtp-connection-uri\" }}"
secretsCipher:
text: "{{ index .Secrets \"secrets-cipher\" }}"
--- ---
# Kratos DB credentials from OpenBao database secrets engine (static role, 24h rotation). # Kratos DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1 apiVersion: secrets.hashicorp.com/v1beta1