Identity permissions flow from Kratos metadata_admin.groups through Hydra ID token claims to Gitea's OIDC group-to-team mapping: - super-admin → site admin + Owners + Employees teams - employee → Owners + Employees teams - community → Contributors team (social sign-up users) Kratos: Discord + GitHub social login providers, community identity schema, OIDC method enabled with env-var credential injection via VSO. Gitea: OIDC-only login (no local registration, no password form), APP_NAME, favicon, auto-registration with account linking. Also: messages-mta-in recreate strategy + liveness probe for milter.
---
# Kubernetes auth used by every VSO resource in this namespace (vaultAuthRef: vso-auth).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: ory
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    # NOTE(review): the namespace's `default` ServiceAccount is what gets bound to
    # the `vso` role, so any pod in `ory` started without an explicit
    # serviceAccountName holds a token that this auth mount accepts. A dedicated
    # ServiceAccount for VSO would narrow that; confirm what the role's
    # bound_service_account_names is set to on the OpenBao side before changing.
    serviceAccount: default
---
# Hydra app secrets (non-rotating). DSN comes from VaultDynamicSecret hydra-db-creds.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: hydra
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: hydra
  # KV is polled every 30s; a changed value rewrites the Secret below.
  refreshAfter: 30s
  # Env-injected secrets are only read at pod start, so a change rolls the Deployment.
  rolloutRestartTargets:
    - kind: Deployment
      name: hydra
  destination:
    name: hydra
    create: true
    overwrite: true
    transformation:
      # Drop VSO's `_raw` key so the full KV response is not copied into the Secret;
      # only the templated keys below are written.
      excludeRaw: true
      templates:
        # Secret key names are what the hydra Deployment consumes — presumably as
        # SECRETS_SYSTEM / SECRETS_COOKIE env vars; confirm against the Deployment.
        secretsSystem:
          text: "{{ index .Secrets \"system-secret\" }}"
        secretsCookie:
          text: "{{ index .Secrets \"cookie-secret\" }}"
        "pairwise-salt":
          text: "{{ index .Secrets \"pairwise-salt\" }}"
---
# Kratos non-rotating encryption keys. DSN comes from VaultDynamicSecret kratos-db-creds.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: kratos-app-secrets
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: kratos
  # KV is polled every 30s; a changed value rewrites the Secret below.
  refreshAfter: 30s
  # Both Kratos workloads read these via env and must restart to pick up a change.
  rolloutRestartTargets:
    - kind: Deployment
      name: kratos
    - kind: StatefulSet
      name: kratos-courier
  destination:
    name: kratos-app-secrets
    create: true
    overwrite: true
    transformation:
      # Drop VSO's `_raw` key so the full KV response is not copied into the Secret.
      excludeRaw: true
      templates:
        secretsDefault:
          text: "{{ index .Secrets \"secrets-default\" }}"
        secretsCookie:
          text: "{{ index .Secrets \"secrets-cookie\" }}"
        # Full SMTP URI, credentials included — treat this Secret key as sensitive
        # as the cipher keys, not just as connection config.
        smtpConnectionURI:
          text: "{{ index .Secrets \"smtp-connection-uri\" }}"
        secretsCipher:
          text: "{{ index .Secrets \"secrets-cipher\" }}"
---
# Kratos DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: kratos-db-creds
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/kratos
  # Required for a static role: the engine rotates the password itself rather
  # than issuing a leased credential.
  allowStaticCreds: true
  # Re-read every 5m so a rotated password reaches the Secret within that window.
  refreshAfter: 5m
  # A new password is only usable after the consumers restart with the new DSN.
  rolloutRestartTargets:
    - kind: Deployment
      name: kratos
    - kind: StatefulSet
      name: kratos-courier
  destination:
    name: kratos-db-creds
    create: true
    overwrite: true
    transformation:
      # Drop VSO's `_raw` key; only the composed DSN is written.
      excludeRaw: true
      templates:
        # NOTE(review): `sslmode=disable` sends the rotated password and all query
        # traffic in cleartext to postgres-rw.data.svc.cluster.local. If that
        # service serves TLS, `sslmode=require` (or `verify-full` with the cluster
        # CA) keeps the same URL shape — confirm before changing, since an
        # unsupported mode fails the connection outright.
        dsn:
          text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/kratos_db?sslmode=disable"
---
# Hydra DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: hydra-db-creds
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/hydra
  # Required for a static role: the engine rotates the password itself rather
  # than issuing a leased credential.
  allowStaticCreds: true
  # Re-read every 5m so a rotated password reaches the Secret within that window.
  refreshAfter: 5m
  # A new password is only usable after the consumer restarts with the new DSN.
  rolloutRestartTargets:
    - kind: Deployment
      name: hydra
  destination:
    name: hydra-db-creds
    create: true
    overwrite: true
    transformation:
      # Drop VSO's `_raw` key; only the composed DSN is written.
      excludeRaw: true
      templates:
        # NOTE(review): `sslmode=disable` sends the rotated password and all query
        # traffic in cleartext to postgres-rw.data.svc.cluster.local — same point
        # as kratos-db-creds. If the service serves TLS, `sslmode=require` (or
        # `verify-full` with the cluster CA) keeps the same URL shape; confirm
        # before changing, since an unsupported mode fails the connection outright.
        dsn:
          text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/hydra_db?sslmode=disable"
---
# Kratos Admin UI secrets.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: kratos-admin-ui-secrets
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: kratos-admin
  # KV is polled every 30s; a changed value rewrites the Secret below.
  refreshAfter: 30s
  # The UI reads these at start; a change rolls the Deployment.
  rolloutRestartTargets:
    - kind: Deployment
      name: kratos-admin-ui
  destination:
    name: kratos-admin-ui-secrets
    create: true
    overwrite: true
    transformation:
      # Drop VSO's `_raw` key; only the templated keys below are written.
      excludeRaw: true
      templates:
        cookie-secret:
          text: "{{ index .Secrets \"cookie-secret\" }}"
        csrf-cookie-secret:
          text: "{{ index .Secrets \"csrf-cookie-secret\" }}"
        # Which identities may use the admin UI lives in KV, not in a manifest —
        # presumably an id list the UI checks; changing it is an access-control
        # change and belongs under the same review as this file.
        admin-identity-ids:
          text: "{{ index .Secrets \"admin-identity-ids\" }}"
        s3-access-key:
          text: "{{ index .Secrets \"s3-access-key\" }}"
        s3-secret-key:
          text: "{{ index .Secrets \"s3-secret-key\" }}"
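---
# Discord OAuth2 credentials for Kratos social sign-in.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: kratos-social-discord
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: kratos-social-discord
  # KV is polled every 30s; a changed value rewrites the Secret below.
  refreshAfter: 30s
  # Kratos receives the client id/secret as env vars, which are fixed at pod
  # start. Without a restart target a rotated Discord client secret would be
  # written to the Secret but never reach the running Kratos pods, so sign-in
  # would keep failing with the stale secret. Same target as kratos-app-secrets.
  rolloutRestartTargets:
    - kind: Deployment
      name: kratos
  destination:
    name: kratos-social-discord
    create: true
    overwrite: true
    transformation:
      # Drop VSO's `_raw` key; only the two templated keys below are written.
      excludeRaw: true
      templates:
        client-id:
          text: "{{ index .Secrets \"client-id\" }}"
        client-secret:
          text: "{{ index .Secrets \"client-secret\" }}"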
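---
# GitHub OAuth2 credentials for Kratos social sign-in.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: kratos-social-github
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: kratos-social-github
  # KV is polled every 30s; a changed value rewrites the Secret below.
  refreshAfter: 30s
  # Kratos receives the client id/secret as env vars, which are fixed at pod
  # start. Without a restart target a rotated GitHub client secret would be
  # written to the Secret but never reach the running Kratos pods, so sign-in
  # would keep failing with the stale secret. Same target as kratos-app-secrets.
  rolloutRestartTargets:
    - kind: Deployment
      name: kratos
  destination:
    name: kratos-social-github
    create: true
    overwrite: true
    transformation:
      # Drop VSO's `_raw` key; only the two templated keys below are written.
      excludeRaw: true
      templates:
        client-id:
          text: "{{ index .Secrets \"client-id\" }}"
        client-secret:
          text: "{{ index .Secrets \"client-secret\" }}"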