diff --git a/base/ory/kratos-values.yaml b/base/ory/kratos-values.yaml
index 0f911be..e3fc53b 100644
--- a/base/ory/kratos-values.yaml
+++ b/base/ory/kratos-values.yaml
@@ -20,13 +20,17 @@ kratos:
 - https://people.DOMAIN_SUFFIX/
 - https://src.DOMAIN_SUFFIX/
 - https://find.DOMAIN_SUFFIX/
+ - https://admin.DOMAIN_SUFFIX/
 flows:
+ error:
+ ui_url: https://auth.DOMAIN_SUFFIX/error
 login:
 ui_url: https://auth.DOMAIN_SUFFIX/login
 registration:
 ui_url: https://auth.DOMAIN_SUFFIX/registration
 enabled: true
 recovery:
+ enabled: true
 ui_url: https://auth.DOMAIN_SUFFIX/recovery
 settings:
 ui_url: https://auth.DOMAIN_SUFFIX/settings
@@ -43,6 +47,16 @@ kratos:
 from_address: no-reply@DOMAIN_SUFFIX
 from_name: Sunbeam
 
+ oauth2_provider:
+ url: http://hydra-admin.ory.svc.cluster.local:4445
+
+ session:
+ cookie:
+ # Scope session cookie to parent domain so all subdomains (auth.*, admin.*, etc.)
+ # receive it. Without this Kratos scopes the cookie to auth.* only, causing
+ # redirect loops on admin.*.
+ domain: DOMAIN_SUFFIX
+
 serve:
 public:
 base_url: https://auth.DOMAIN_SUFFIX/kratos/
diff --git a/base/ory/login-ui-deployment.yaml b/base/ory/login-ui-deployment.yaml
index 5ca097e..edaac6c 100644
--- a/base/ory/login-ui-deployment.yaml
+++ b/base/ory/login-ui-deployment.yaml
@@ -22,7 +22,7 @@ spec:
 protocol: TCP
 env:
 - name: KRATOS_PUBLIC_URL
- value: "http://kratos-public.ory.svc.cluster.local:4433"
+ value: "http://kratos-public.ory.svc.cluster.local:80"
 - name: KRATOS_BROWSER_URL
 value: "https://auth.DOMAIN_SUFFIX/kratos"
 - name: HYDRA_ADMIN_URL
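Review bot: `enabled: true` under `recovery:` switches on self-service account recovery in the same change that adds the admin.* host, while the recovery method and the code/link lifetime are left at whatever the chart or Kratos defaults are. Recovery makes control of the mailbox equivalent to control of the account, so for identities that can reach the admin host it is worth pinning the behaviour explicitly, for example `use: code` and `lifespan: 15m` (sample value) under `recovery:`, after checking both keys against the deployed Kratos version. A comment such as `# email-based recovery; applies to admin identities too` would record that the exposure is intentional. The list that gains `https://admin.DOMAIN_SUFFIX/` starts above the hunk, so its key is not visible here.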
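Review bot: Setting `session.cookie.domain` to the bare `DOMAIN_SUFFIX` sends the Kratos session cookie to every host under that domain, not only auth.* and admin.*, so people.*, src.*, find.* and any future or dangling subdomain become part of the session's trust boundary. The existing comment explains the redirect loop but not this trade-off; I would extend it with `# NOTE: every subdomain of DOMAIN_SUFFIX receives this cookie; do not delegate subdomains to untrusted or third-party hosts.` and set `same_site: Lax` next to `domain:` instead of relying on the default. Separately, `oauth2_provider.url` targets Hydra's admin API over plain HTTP; that is presumably acceptable only if in-cluster access to port 4445 is restricted by network policy, which is not visible in this diff.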
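Review bot: The new `KRATOS_PUBLIC_URL` value hard-codes port `80` with nothing to say why it differs from the 4433 on the removed line; presumably 80 is the port exposed by the `kratos-public` Service, but that definition lives in another file. A one-line comment above the entry, `# Service port of kratos-public, not the container port`, would keep the next editor from reverting it, and since 80 is the HTTP default the `:80` suffix could simply be dropped. The `env:` list continues past the end of the hunk.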