feat(ory): add kratos-admin-ui service

Deploy the custom Kratos admin UI (Deno/Hono + Cunningham React): - K8s Deployment + Service in ory namespace - VSO VaultStaticSecret for cookie/csrf/admin-identity-ids secrets - Pingora route for admin.DOMAIN_SUFFIX
2026-03-03 11:30:52 +00:00
parent 9092e2711b
commit 6cc60c66ff
4 changed files with 99 additions and 0 deletions
--- a/base/ory/kratos-admin-deployment.yaml
+++ b/base/ory/kratos-admin-deployment.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kratos-admin-ui
+  namespace: ory
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kratos-admin-ui
+  template:
+    metadata:
+      labels:
+        app: kratos-admin-ui
+    spec:
+      containers:
+        - name: kratos-admin-ui
+          image: src.DOMAIN_SUFFIX/studio/kratos-admin-ui:latest
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          env:
+            - name: KRATOS_PUBLIC_URL
+              value: "http://kratos-public.ory.svc.cluster.local:80"
+            - name: KRATOS_ADMIN_URL
+              value: "http://kratos-admin.ory.svc.cluster.local:80"
+            - name: PUBLIC_URL
+              value: "https://admin.DOMAIN_SUFFIX"
+            - name: CUNNINGHAM_THEME
+              value: "dsfr-light"
+            - name: PORT
+              value: "3000"
+            - name: ADMIN_IDENTITY_IDS
+              valueFrom:
+                secretKeyRef:
+                  name: kratos-admin-ui-secrets
+                  key: admin-identity-ids
+            - name: COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: kratos-admin-ui-secrets
+                  key: cookie-secret
+            - name: CSRF_COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: kratos-admin-ui-secrets
+                  key: csrf-cookie-secret
+          resources:
+            limits:
+              memory: 256Mi
+            requests:
+              memory: 64Mi
+              cpu: 25m
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kratos-admin-ui
+  namespace: ory
+spec:
+  selector:
+    app: kratos-admin-ui
+  ports:
+    - name: http
+      port: 3000
+      targetPort: 3000
+      protocol: TCP
--- a/base/ory/kustomization.yaml
+++ b/base/ory/kustomization.yaml
@@ -10,6 +10,7 @@ kind: Kustomization
 resources:
  - namespace.yaml
  - login-ui-deployment.yaml
+  - kratos-admin-deployment.yaml
  # Hydra chart CRDs are not rendered by helm template; apply manually.
  - hydra-oauth2client-crd.yaml
  - vault-secrets.yaml
--- a/base/ory/vault-secrets.yaml
+++ b/base/ory/vault-secrets.yaml
@@ -136,3 +136,29 @@ spec:
      templates:
        dsn:
          text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/hydra_db?sslmode=disable"
+---
+# Kratos Admin UI secrets.
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: kratos-admin-ui-secrets
+  namespace: ory
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: kratos-admin
+  refreshAfter: 30s
+  destination:
+    name: kratos-admin-ui-secrets
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        cookie-secret:
+          text: "{{ index .Secrets \"cookie-secret\" }}"
+        csrf-cookie-secret:
+          text: "{{ index .Secrets \"csrf-cookie-secret\" }}"
+        admin-identity-ids:
+          text: "{{ index .Secrets \"admin-identity-ids\" }}"