---
# Base Helm values for Ory Kratos.
# Every occurrence of DOMAIN_SUFFIX is substituted with sed when the manifests
# are applied. The DSN and the application secrets are never stored here: they
# live in Kubernetes Secrets that VSO (VaultDynamicSecret / VaultStaticSecret)
# keeps in sync from Vault.
kratos:
  automigration:
    enabled: true

  config:
    version: v0.13.0

    ciphers:
      algorithm: xchacha20-poly1305

    selfservice:
      default_browser_return_url: https://auth.DOMAIN_SUFFIX/
      # Only these origins may be used as post-flow redirect targets; anything
      # else is rejected, which is what stops open-redirect style abuse of the
      # return_to parameter. Extend this list when a new first-party app appears.
      allowed_return_urls:
        - https://auth.DOMAIN_SUFFIX/
        - https://docs.DOMAIN_SUFFIX/
        - https://meet.DOMAIN_SUFFIX/
        - https://drive.DOMAIN_SUFFIX/
        - https://mail.DOMAIN_SUFFIX/
        - https://messages.DOMAIN_SUFFIX/
        - https://people.DOMAIN_SUFFIX/
        - https://src.DOMAIN_SUFFIX/
        - https://find.DOMAIN_SUFFIX/
        - https://admin.DOMAIN_SUFFIX/

      methods:
        password:
          enabled: true
          config:
            min_password_length: 12
            # Checks candidate passwords against the Have I Been Pwned range API;
            # the pod therefore needs outbound HTTPS egress for this to work.
            haveibeenpwned_enabled: true
            identifier_similarity_check_enabled: true
        totp:
          enabled: true
          config:
            issuer: Sunbeam Studios
        webauthn:
          enabled: true
          config:
            passwordless: true
            rp:
              display_name: Sunbeam Studios
              # The RP id is the parent domain so credentials registered on
              # auth.* remain valid if the auth UI ever moves to another subdomain.
              id: DOMAIN_SUFFIX
              origins:
                - https://auth.DOMAIN_SUFFIX
        lookup_secret:
          enabled: true

      flows:
        error:
          ui_url: https://auth.DOMAIN_SUFFIX/error
        login:
          ui_url: https://auth.DOMAIN_SUFFIX/login
        registration:
          ui_url: https://auth.DOMAIN_SUFFIX/registration
          enabled: true
        recovery:
          enabled: true
          use: code
          # Do not email unknown addresses: it would otherwise turn the recovery
          # form into an account-existence oracle.
          notify_unknown_recipients: false
          ui_url: https://auth.DOMAIN_SUFFIX/recovery
        verification:
          enabled: true
          use: code
          notify_unknown_recipients: false
          ui_url: https://auth.DOMAIN_SUFFIX/verification
        settings:
          ui_url: https://auth.DOMAIN_SUFFIX/security
          # Window after (re)authentication during which sensitive settings
          # changes (password, MFA) are allowed without a fresh login.
          privileged_session_max_age: 15m
          required_aal: highest_available

    identity:
      default_schema_id: employee
      schemas:
        - id: employee
          url: base64: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
        - id: default
          url: base64: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
        - id: external
          url: base64: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

    courier:
      smtp:
        # Plain SMTP to the in-cluster Postfix relay with certificate
        # verification turned off. The relay's identity is therefore not
        # checked; this is tolerable only while the hop stays inside the
        # cluster network — revisit if the relay ever moves off-cluster.
        connection_uri: 'smtp://postfix.lasuite.svc.cluster.local:25/?skip_ssl_verify=true'
        from_address: no-reply@DOMAIN_SUFFIX
        from_name: Sunbeam Studios

    oauth2_provider:
      # Hydra admin API, plain HTTP inside the cluster; it carries no
      # authentication of its own, so reachability must be limited at the
      # network level.
      url: http://hydra-admin.ory.svc.cluster.local:4445

    log:
      format: json
      # Keeps credentials, tokens and similar values out of the JSON logs.
      leak_sensitive_values: false

    session:
      cookie:
        # The session cookie is scoped to the parent domain so that every
        # subdomain (auth.*, admin.*, ...) receives it. Scoped to auth.* only,
        # admin.* would never see a session and loop on redirects. The flip
        # side is that every host under DOMAIN_SUFFIX can read this cookie,
        # so nothing untrusted may be served from that domain.
        domain: DOMAIN_SUFFIX
        persistent: true
      earliest_possible_extend: 24h
      lifespan: 720h
      whoami:
        required_aal: highest_available

    serve:
      public:
        base_url: https://auth.DOMAIN_SUFFIX/kratos/
        cors:
          enabled: true
          # Wildcard subdomain origin: any host under DOMAIN_SUFFIX may make
          # credentialed cross-origin calls to the public API. Narrow this to
          # explicit hosts if a subdomain is ever delegated to a third party.
          allowed_origins:
            - 'https://*.DOMAIN_SUFFIX'
      admin:
        # Admin API is plain HTTP and unauthenticated; keep it cluster-internal.
        base_url: http://kratos-admin.ory.svc.cluster.local:4434/

# Secrets are not managed by the chart; they are created externally through VSO.
# secret.nameOverride points the chart at the VaultStaticSecret-managed Kubernetes
# Secret, so SECRETS_DEFAULT / SECRETS_COOKIE are injected from kratos-app-secrets
# without further wiring. With secret.enabled=false the chart does not inject the
# DSN, which is why it is added below via deployment.extraEnv.
secret:
  enabled: false
  nameOverride: kratos-app-secrets

# The ServiceMonitor is a standalone resource (kratos-servicemonitor.yaml): the
# chart's built-in one depends on .Capabilities.APIVersions, which
# `kustomize helm template` does not supply.
deployment:
  extraEnv:
    # Database DSN from the VaultDynamicSecret-managed Secret (dynamic DB creds).
    - name: DSN
      valueFrom:
        secretKeyRef:
          name: kratos-db-creds
          key: dsn
  resources:
    limits:
      memory: 256Mi
    requests:
      memory: 64Mi
      cpu: 25m