From 6cc60c66fffa0489304c4ccd2dae39a4726be61b Mon Sep 17 00:00:00 2001 From: Sienna Meridian Satterwhite Date: Tue, 3 Mar 2026 11:30:52 +0000 Subject: [PATCH] feat(ory): add kratos-admin-ui service Deploy the custom Kratos admin UI (Deno/Hono + Cunningham React): - K8s Deployment + Service in ory namespace - VSO VaultStaticSecret for cookie/csrf/admin-identity-ids secrets - Pingora route for admin.DOMAIN_SUFFIX --- base/ingress/pingora-config.yaml | 4 ++ base/ory/kratos-admin-deployment.yaml | 68 +++++++++++++++++++++++++++ base/ory/kustomization.yaml | 1 + base/ory/vault-secrets.yaml | 26 ++++++++++ 4 files changed, 99 insertions(+) create mode 100644 base/ory/kratos-admin-deployment.yaml diff --git a/base/ingress/pingora-config.yaml b/base/ingress/pingora-config.yaml index 43a0a19..e02ab64 100644 --- a/base/ingress/pingora-config.yaml +++ b/base/ingress/pingora-config.yaml @@ -109,6 +109,10 @@ data: backend = "http://kratos-public.ory.svc.cluster.local:80" strip_prefix = true + [[routes]] + host_prefix = "admin" + backend = "http://kratos-admin-ui.ory.svc.cluster.local:3000" + [[routes]] host_prefix = "s3" backend = "http://seaweedfs-filer.storage.svc.cluster.local:8333" diff --git a/base/ory/kratos-admin-deployment.yaml b/base/ory/kratos-admin-deployment.yaml new file mode 100644 index 0000000..47a82a4 --- /dev/null +++ b/base/ory/kratos-admin-deployment.yaml 
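Review bot: The new `admin` route publishes kratos-admin-ui on a public host prefix with no access restriction visible in this hunk, and that service fronts the Kratos admin API (its Deployment in base/ory/kratos-admin-deployment.yaml sets `KRATOS_ADMIN_URL`), so the only authorization gate between this ingress and identity administration is the UI's own `ADMIN_IDENTITY_IDS` check. If this proxy is Internet-facing, consider restricting the host at the proxy layer as well (trusted source addresses or an additional authentication step, where the Pingora config supports it) so that a defect in the UI does not become a path to the admin API; if the exposure is deliberate, a comment on the route saying so would save the next reviewer the same question. The neighbouring kratos-public route sets `strip_prefix = true` and the new one does not; if that is intended, record it with `# no strip_prefix: the UI serves from /`. The route table continues outside the hunk.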
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kratos-admin-ui
+ namespace: ory
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: kratos-admin-ui
+ template:
+ metadata:
+ labels:
+ app: kratos-admin-ui
+ spec:
+ containers:
+ - name: kratos-admin-ui
+ image: src.DOMAIN_SUFFIX/studio/kratos-admin-ui:latest
+ ports:
+ - name: http
+ containerPort: 3000
+ protocol: TCP
+ env:
+ - name: KRATOS_PUBLIC_URL
+ value: "http://kratos-public.ory.svc.cluster.local:80"
+ - name: KRATOS_ADMIN_URL
+ value: "http://kratos-admin.ory.svc.cluster.local:80"
+ - name: PUBLIC_URL
+ value: "https://admin.DOMAIN_SUFFIX"
+ - name: CUNNINGHAM_THEME
+ value: "dsfr-light"
+ - name: PORT
+ value: "3000"
+ - name: ADMIN_IDENTITY_IDS
+ valueFrom:
+ secretKeyRef:
+ name: kratos-admin-ui-secrets
+ key: admin-identity-ids
+ - name: COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: kratos-admin-ui-secrets
+ key: cookie-secret
+ - name: CSRF_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: kratos-admin-ui-secrets
+ key: csrf-cookie-secret
+ resources:
+ limits:
+ memory: 256Mi
+ requests:
+ memory: 64Mi
+ cpu: 25m
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kratos-admin-ui
+ namespace: ory
+spec:
+ selector:
+ app: kratos-admin-ui
+ ports:
+ - name: http
+ port: 3000
+ targetPort: 3000
+ protocol: TCP
diff --git a/base/ory/kustomization.yaml b/base/ory/kustomization.yaml
index 59aa6bc..0a7f243 100644
--- a/base/ory/kustomization.yaml
+++ b/base/ory/kustomization.yaml
@@ -10,6 +10,7 @@ kind: Kustomization
 resources:
 - namespace.yaml
 - login-ui-deployment.yaml
+ - kratos-admin-deployment.yaml
 # Hydra chart CRDs are not rendered by helm template; apply manually.
 - hydra-oauth2client-crd.yaml
 - vault-secrets.yaml
diff --git a/base/ory/vault-secrets.yaml b/base/ory/vault-secrets.yaml
index defe01d..4ab996a 100644
--- a/base/ory/vault-secrets.yaml
+++ b/base/ory/vault-secrets.yaml
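Review bot: The kratos-admin-ui container has no securityContext, keeps the default service-account token mounted, and is pulled from the mutable `:latest` tag, even though it receives the Kratos admin API URL (`KRATOS_ADMIN_URL`) plus the cookie and CSRF signing secrets and can therefore create or alter identities. It should run as non-root with privilege escalation and all capabilities dropped, set `automountServiceAccountToken: false` (nothing in the manifest suggests it needs the Kubernetes API), and reference the image by digest or an immutable tag so the scheduled image is the one that was reviewed; `readOnlyRootFilesystem: true` is worth enabling too, with an `emptyDir` for the Deno cache if the runtime turns out to need one. The Deployment also has no readiness or liveness probe, so a crashed or hung UI keeps receiving traffic from the Service and from the ingress route. A short header comment stating which repository builds the image and that `ADMIN_IDENTITY_IDS` is the UI's sole authorization gate would help the next maintainer.
```yaml
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kratos-admin-ui
          # pin to the digest of the reviewed build; <IMAGE_DIGEST> is a placeholder
          image: src.DOMAIN_SUFFIX/studio/kratos-admin-ui@sha256:<IMAGE_DIGEST>
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, env, resources …
          readinessProbe:
            httpGet:
              path: /  # confirm the UI's actual health path
              port: http
            initialDelaySeconds: 5
```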
@@ -136,3 +136,29 @@ spec:
 templates:
 dsn:
 text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/hydra_db?sslmode=disable"
+---
+# Kratos Admin UI secrets.
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: kratos-admin-ui-secrets
+ namespace: ory
+spec:
+ vaultAuthRef: vso-auth
+ mount: secret
+ type: kv-v2
+ path: kratos-admin
+ refreshAfter: 30s
+ destination:
+ name: kratos-admin-ui-secrets
+ create: true
+ overwrite: true
+ transformation:
+ excludeRaw: true
+ templates:
+ cookie-secret:
+ text: "{{ index .Secrets \"cookie-secret\" }}"
+ csrf-cookie-secret:
+ text: "{{ index .Secrets \"csrf-cookie-secret\" }}"
+ admin-identity-ids:
+ text: "{{ index .Secrets \"admin-identity-ids\" }}"
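Review bot: Rotating `cookie-secret` or `csrf-cookie-secret` in Vault will refresh the Kubernetes Secret within the 30 s `refreshAfter` window but never reach the running UI, because base/ory/kratos-admin-deployment.yaml injects these keys through `env.valueFrom.secretKeyRef`, which is read only at container start. Add `rolloutRestartTargets:` / `- kind: Deployment` / `name: kratos-admin-ui` under `spec` so VSO restarts the Deployment on change, or, if an automatic restart is undesirable, lengthen `refreshAfter` and document that rotation requires a manual rollout. `admin-identity-ids` is an authorization allowlist rather than a credential, so the header comment should say what the resource carries, e.g. `# Kratos Admin UI: session/CSRF signing secrets plus the allowlist of Kratos identity IDs permitted to use the UI (synced to Secret kratos-admin-ui-secrets).` The preceding hydra document begins outside the hunk.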