sbbb/base/ory/kratos-values.yaml

# Base Ory Kratos Helm values.
# DOMAIN_SUFFIX is replaced at apply time via sed.
# DSN and secrets come from K8s Secrets managed by VSO VaultDynamicSecret/VaultStaticSecret.

kratos:
  automigration:
    enabled: true
  config:
    version: v0.13.0

    selfservice:
      default_browser_return_url: https://auth.DOMAIN_SUFFIX/
      allowed_return_urls:
        - https://auth.DOMAIN_SUFFIX/
        - https://docs.DOMAIN_SUFFIX/
        - https://meet.DOMAIN_SUFFIX/
        - https://drive.DOMAIN_SUFFIX/
        - https://mail.DOMAIN_SUFFIX/
        - https://chat.DOMAIN_SUFFIX/
        - https://people.DOMAIN_SUFFIX/
        - https://src.DOMAIN_SUFFIX/
        - https://find.DOMAIN_SUFFIX/
        - https://admin.DOMAIN_SUFFIX/
      flows:
        error:
          ui_url: https://auth.DOMAIN_SUFFIX/error
        login:
          ui_url: https://auth.DOMAIN_SUFFIX/login
        registration:
          ui_url: https://auth.DOMAIN_SUFFIX/registration
          enabled: true
        recovery:
          enabled: true
          ui_url: https://auth.DOMAIN_SUFFIX/recovery
        settings:
          ui_url: https://auth.DOMAIN_SUFFIX/settings

    identity:
      default_schema_id: default
      schemas:
        - id: default
          url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2lkZW50aXR5Lmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiUGVyc29uIiwKICAicHJvcGVydGllcyI6IHsKICAgICJ0cmFpdHMiOiB7CiAgICAgICJ0eXBlIjogIm9iamVjdCIsCiAgICAgICJwcm9wZXJ0aWVzIjogewogICAgICAgICJlbWFpbCI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAiZm9ybWF0IjogImVtYWlsIiwKICAgICAgICAgICJ0aXRsZSI6ICJFbWFpbCIsCiAgICAgICAgICAib3J5LnNoL2tyYXRvcyI6IHsKICAgICAgICAgICAgImNyZWRlbnRpYWxzIjogewogICAgICAgICAgICAgICJwYXNzd29yZCI6IHsKICAgICAgICAgICAgICAgICJpZGVudGlmaWVyIjogdHJ1ZQogICAgICAgICAgICAgIH0KICAgICAgICAgICAgfSwKICAgICAgICAgICAgInJlY292ZXJ5IjogewogICAgICAgICAgICAgICJ2aWEiOiAiZW1haWwiCiAgICAgICAgICAgIH0sCiAgICAgICAgICAgICJ2ZXJpZmljYXRpb24iOiB7CiAgICAgICAgICAgICAgInZpYSI6ICJlbWFpbCIKICAgICAgICAgICAgfQogICAgICAgICAgfQogICAgICAgIH0sCiAgICAgICAgIm5hbWUiOiB7CiAgICAgICAgICAidHlwZSI6ICJvYmplY3QiLAogICAgICAgICAgInByb3BlcnRpZXMiOiB7CiAgICAgICAgICAgICJmaXJzdCI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIkZpcnN0IG5hbWUiIH0sCiAgICAgICAgICAgICJsYXN0IjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiTGFzdCBuYW1lIiB9CiAgICAgICAgICB9CiAgICAgICAgfQogICAgICB9LAogICAgICAicmVxdWlyZWQiOiBbImVtYWlsIl0KICAgIH0KICB9Cn0K

    courier:
      smtp:
        connection_uri: "smtp://postfix.lasuite.svc.cluster.local:25/?skip_ssl_verify=true"
        from_address: no-reply@DOMAIN_SUFFIX
        from_name: Sunbeam

    oauth2_provider:
      url: http://hydra-admin.ory.svc.cluster.local:4445

    session:
      cookie:
        # Scope session cookie to parent domain so all subdomains (auth.*, admin.*, etc.)
        # receive it. Without this Kratos scopes the cookie to auth.* only, causing
        # redirect loops on admin.*.
        domain: DOMAIN_SUFFIX

    serve:
      public:
        base_url: https://auth.DOMAIN_SUFFIX/kratos/
        cors:
          enabled: true
          allowed_origins:
            - https://*.DOMAIN_SUFFIX
      admin:
        base_url: http://kratos-admin.ory.svc.cluster.local:4434/

# Chart does not manage secrets — we create them externally via VSO.
# secret.nameOverride points chart at our VaultStaticSecret-managed K8s secret so
# the chart injects SECRETS_DEFAULT/SECRETS_COOKIE from kratos-app-secrets automatically.
# DSN is not injected by the chart when secret.enabled=false — we add it via extraEnv.
secret:
  enabled: false
  nameOverride: kratos-app-secrets

deployment:
  extraEnv:
    - name: DSN
      valueFrom:
        secretKeyRef:
          name: kratos-db-creds
          key: dsn
  resources:
    limits:
      memory: 64Mi
    requests:
      memory: 32Mi
      cpu: 25m