Sienna Meridian Satterwhite
97628b0f6f
Identity permissions flow from Kratos metadata_admin.groups through Hydra ID token claims to Gitea's OIDC group-to-team mapping: - super-admin → site admin + Owners + Employees teams - employee → Owners + Employees teams - community → Contributors team (social sign-up users) Kratos: Discord + GitHub social login providers, community identity schema, OIDC method enabled with env-var credential injection via VSO. Gitea: OIDC-only login (no local registration, no password form), APP_NAME, favicon, auto-registration with account linking. Also: messages-mta-in recreate strategy + liveness probe for milter.
183 lines
13 KiB
YAML
183 lines
13 KiB
YAML
# Base Ory Kratos Helm values.
|
|
# DOMAIN_SUFFIX is replaced at apply time via sed.
|
|
# DSN and secrets come from K8s Secrets managed by VSO VaultDynamicSecret/VaultStaticSecret.
|
|
|
|
kratos:
|
|
automigration:
|
|
enabled: true
|
|
config:
|
|
version: v0.13.0
|
|
|
|
ciphers:
|
|
algorithm: xchacha20-poly1305
|
|
|
|
selfservice:
|
|
default_browser_return_url: https://auth.DOMAIN_SUFFIX/
|
|
allowed_return_urls:
|
|
- https://auth.DOMAIN_SUFFIX/
|
|
- https://docs.DOMAIN_SUFFIX/
|
|
- https://meet.DOMAIN_SUFFIX/
|
|
- https://drive.DOMAIN_SUFFIX/
|
|
- https://mail.DOMAIN_SUFFIX/
|
|
- https://messages.DOMAIN_SUFFIX/
|
|
- https://people.DOMAIN_SUFFIX/
|
|
- https://src.DOMAIN_SUFFIX/
|
|
- https://find.DOMAIN_SUFFIX/
|
|
- https://admin.DOMAIN_SUFFIX/
|
|
methods:
|
|
password:
|
|
enabled: true
|
|
config:
|
|
min_password_length: 12
|
|
haveibeenpwned_enabled: true
|
|
identifier_similarity_check_enabled: true
|
|
totp:
|
|
enabled: true
|
|
config:
|
|
issuer: Sunbeam Studios
|
|
webauthn:
|
|
enabled: true
|
|
config:
|
|
passwordless: true
|
|
rp:
|
|
display_name: Sunbeam Studios
|
|
id: DOMAIN_SUFFIX
|
|
origins:
|
|
- https://auth.DOMAIN_SUFFIX
|
|
lookup_secret:
|
|
enabled: true
|
|
oidc:
|
|
enabled: true
|
|
config:
|
|
providers:
|
|
- id: discord
|
|
provider: discord
|
|
client_id: $DISCORD_CLIENT_ID
|
|
client_secret: $DISCORD_CLIENT_SECRET
|
|
scope:
|
|
- identify
|
|
- email
|
|
mapper_url: "base64://eyJpZCI6ICJ7eyBpZiAucHJvdmlkZXJfaWQgfX17eyAucHJvdmlkZXJfaWQgfX17eyBlbHNlIH19e3sgLnByb3ZpZGVyIH19e3sgZW5kIH19Ont7IC5zdWIgfX0iLCAidHJhaXRzIjogeyJlbWFpbCI6ICJ7eyAuZW1haWwgfX0iLCAibmlja25hbWUiOiAie3sgLnVzZXJuYW1lIH19IiwgInBpY3R1cmUiOiAie3sgaWYgLmF2YXRhciB9fWh0dHBzOi8vY2RuLmRpc2NvcmRhcHAuY29tL2F2YXRhcnMve3sgLnN1YiB9fS97eyAuYXZhdGFyIH19LnBuZ3t7IGVuZCB9fSJ9LCAibWV0YWRhdGFfcHVibGljIjogeyJwcm92aWRlciI6ICJkaXNjb3JkIn19"
|
|
- id: github
|
|
provider: github
|
|
client_id: $GITHUB_CLIENT_ID
|
|
client_secret: $GITHUB_CLIENT_SECRET
|
|
scope:
|
|
- user:email
|
|
mapper_url: "base64://eyJpZCI6ICJ7eyBpZiAucHJvdmlkZXJfaWQgfX17eyAucHJvdmlkZXJfaWQgfX17eyBlbHNlIH19e3sgLnByb3ZpZGVyIH19e3sgZW5kIH19Ont7IC5zdWIgfX0iLCAidHJhaXRzIjogeyJlbWFpbCI6ICJ7eyAuZW1haWwgfX0iLCAibmlja25hbWUiOiAie3sgLmxvZ2luIH19IiwgImdpdmVuX25hbWUiOiAie3sgLm5hbWUgfX0iLCAicGljdHVyZSI6ICJ7eyAuYXZhdGFyX3VybCB9fSJ9LCAibWV0YWRhdGFfcHVibGljIjogeyJwcm92aWRlciI6ICJnaXRodWIifX0="
|
|
flows:
|
|
error:
|
|
ui_url: https://auth.DOMAIN_SUFFIX/error
|
|
login:
|
|
ui_url: https://auth.DOMAIN_SUFFIX/login
|
|
registration:
|
|
ui_url: https://auth.DOMAIN_SUFFIX/registration
|
|
enabled: true
|
|
recovery:
|
|
enabled: true
|
|
use: code
|
|
notify_unknown_recipients: false
|
|
ui_url: https://auth.DOMAIN_SUFFIX/recovery
|
|
verification:
|
|
enabled: true
|
|
use: code
|
|
notify_unknown_recipients: false
|
|
ui_url: https://auth.DOMAIN_SUFFIX/verification
|
|
settings:
|
|
ui_url: https://auth.DOMAIN_SUFFIX/security
|
|
privileged_session_max_age: 15m
|
|
required_aal: highest_available
|
|
|
|
identity:
|
|
default_schema_id: employee
|
|
schemas:
|
|
- id: employee
|
|
url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2VtcGxveWVlLmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiRW1wbG95ZWUiLAogICJwcm9wZXJ0aWVzIjogewogICAgInRyYWl0cyI6IHsKICAgICAgInR5cGUiOiAib2JqZWN0IiwKICAgICAgInByb3BlcnRpZXMiOiB7CiAgICAgICAgImVtYWlsIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJmb3JtYXQiOiAiZW1haWwiLAogICAgICAgICAgInRpdGxlIjogIkVtYWlsIiwKICAgICAgICAgICJvcnkuc2gva3JhdG9zIjogewogICAgICAgICAgICAiY3JlZGVudGlhbHMiOiB7CiAgICAgICAgICAgICAgInBhc3N3b3JkIjogewogICAgICAgICAgICAgICAgImlkZW50aWZpZXIiOiB0cnVlCiAgICAgICAgICAgICAgfQogICAgICAgICAgICB9LAogICAgICAgICAgICAicmVjb3ZlcnkiOiB7CiAgICAgICAgICAgICAgInZpYSI6ICJlbWFpbCIKICAgICAgICAgICAgfSwKICAgICAgICAgICAgInZlcmlmaWNhdGlvbiI6IHsKICAgICAgICAgICAgICAidmlhIjogImVtYWlsIgogICAgICAgICAgICB9CiAgICAgICAgICB9CiAgICAgICAgfSwKICAgICAgICAiZ2l2ZW5fbmFtZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAidGl0bGUiOiAiRmlyc3QgbmFtZSIKICAgICAgICB9LAogICAgICAgICJmYW1pbHlfbmFtZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAidGl0bGUiOiAiTGFzdCBuYW1lIgogICAgICAgIH0sCiAgICAgICAgIm1pZGRsZV9uYW1lIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJ0aXRsZSI6ICJNaWRkbGUgbmFtZSIKICAgICAgICB9LAogICAgICAgICJuaWNrbmFtZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAidGl0bGUiOiAiTmlja25hbWUiCiAgICAgICAgfSwKICAgICAgICAicGljdHVyZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAiZm9ybWF0IjogInVyaSIsCiAgICAgICAgICAidGl0bGUiOiAiUHJvZmlsZSBwaWN0dXJlIgogICAgICAgIH0sCiAgICAgICAgInBob25lX251bWJlciI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAidGl0bGUiOiAiUGhvbmUgbnVtYmVyIgogICAgICAgIH0sCiAgICAgICAgImpvYl90aXRsZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAidGl0bGUiOiAiSm9iIHRpdGxlIgogICAgICAgIH0sCiAgICAgICAgImRlcGFydG1lbnQiOiB7CiAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgInRpdGxlIjogIkRlcGFydG1lbnQiCiAgICAgICAgfSwKICAgICAgICAib2ZmaWNlX2xvY2F0aW9uIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJ0aXRsZSI6ICJPZmZpY2UgbG9jYXRpb24iCiAgICAgICAgfSwKICAgICAgICAiZW1wbG95ZWVfaWQiOiB7CiAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgInRpdGxlIjogIkVtcGxveWVlIElEIgogICAgICAgIH0sCiAgICAgICAgImhpcmVfZGF0ZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAiZm9ybWF0IjogImRhdGUiLAogICAgICAgICAgInRpdGxlIjogIkhpcmUgZGF0ZSIKICAgICAgICB9LAogICAgICAgICJtYW5hZ2VyIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJ0aXRsZSI6ICJNYW5hZ2VyIgogICAgICAgIH0KICAgICAgfSwKICAgICAgInJlcXVpcmVkIjogWwogICAgICAgICJlbWFpbCIKICAgICAgXSwKICAgICAgImFkZGl0aW9uYWxQcm9wZXJ0aWVzIjogZmFsc2UKICAgIH0KICB9Cn0K
|
|
- id: default
|
|
url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2lkZW50aXR5Lmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiUGVyc29uIChsZWdhY3kpIiwKICAicHJvcGVydGllcyI6IHsKICAgICJ0cmFpdHMiOiB7CiAgICAgICJ0eXBlIjogIm9iamVjdCIsCiAgICAgICJwcm9wZXJ0aWVzIjogewogICAgICAgICJlbWFpbCI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAiZm9ybWF0IjogImVtYWlsIiwKICAgICAgICAgICJ0aXRsZSI6ICJFbWFpbCIsCiAgICAgICAgICAib3J5LnNoL2tyYXRvcyI6IHsKICAgICAgICAgICAgImNyZWRlbnRpYWxzIjogewogICAgICAgICAgICAgICJwYXNzd29yZCI6IHsKICAgICAgICAgICAgICAgICJpZGVudGlmaWVyIjogdHJ1ZQogICAgICAgICAgICAgIH0KICAgICAgICAgICAgfSwKICAgICAgICAgICAgInJlY292ZXJ5IjogewogICAgICAgICAgICAgICJ2aWEiOiAiZW1haWwiCiAgICAgICAgICAgIH0sCiAgICAgICAgICAgICJ2ZXJpZmljYXRpb24iOiB7CiAgICAgICAgICAgICAgInZpYSI6ICJlbWFpbCIKICAgICAgICAgICAgfQogICAgICAgICAgfQogICAgICAgIH0sCiAgICAgICAgIm5hbWUiOiB7CiAgICAgICAgICAidHlwZSI6ICJvYmplY3QiLAogICAgICAgICAgInByb3BlcnRpZXMiOiB7CiAgICAgICAgICAgICJmaXJzdCI6IHsKICAgICAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgICAgICJ0aXRsZSI6ICJGaXJzdCBuYW1lIgogICAgICAgICAgICB9LAogICAgICAgICAgICAibGFzdCI6IHsKICAgICAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgICAgICJ0aXRsZSI6ICJMYXN0IG5hbWUiCiAgICAgICAgICAgIH0KICAgICAgICAgIH0KICAgICAgICB9CiAgICAgIH0sCiAgICAgICJyZXF1aXJlZCI6IFsKICAgICAgICAiZW1haWwiCiAgICAgIF0sCiAgICAgICJhZGRpdGlvbmFsUHJvcGVydGllcyI6IGZhbHNlCiAgICB9CiAgfQp9Cg==
|
|
- id: external
|
|
url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2V4dGVybmFsLmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiRXh0ZXJuYWwgVXNlciIsCiAgInByb3BlcnRpZXMiOiB7CiAgICAidHJhaXRzIjogewogICAgICAidHlwZSI6ICJvYmplY3QiLAogICAgICAicHJvcGVydGllcyI6IHsKICAgICAgICAiZW1haWwiOiB7CiAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgImZvcm1hdCI6ICJlbWFpbCIsCiAgICAgICAgICAidGl0bGUiOiAiRW1haWwiLAogICAgICAgICAgIm9yeS5zaC9rcmF0b3MiOiB7CiAgICAgICAgICAgICJjcmVkZW50aWFscyI6IHsKICAgICAgICAgICAgICAicGFzc3dvcmQiOiB7CiAgICAgICAgICAgICAgICAiaWRlbnRpZmllciI6IHRydWUKICAgICAgICAgICAgICB9CiAgICAgICAgICAgIH0sCiAgICAgICAgICAgICJyZWNvdmVyeSI6IHsKICAgICAgICAgICAgICAidmlhIjogImVtYWlsIgogICAgICAgICAgICB9LAogICAgICAgICAgICAidmVyaWZpY2F0aW9uIjogewogICAgICAgICAgICAgICJ2aWEiOiAiZW1haWwiCiAgICAgICAgICAgIH0KICAgICAgICAgIH0KICAgICAgICB9LAogICAgICAgICJnaXZlbl9uYW1lIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJ0aXRsZSI6ICJGaXJzdCBuYW1lIgogICAgICAgIH0sCiAgICAgICAgImZhbWlseV9uYW1lIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJ0aXRsZSI6ICJMYXN0IG5hbWUiCiAgICAgICAgfSwKICAgICAgICAibmlja25hbWUiOiB7CiAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgInRpdGxlIjogIk5pY2tuYW1lIgogICAgICAgIH0sCiAgICAgICAgInBpY3R1cmUiOiB7CiAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgImZvcm1hdCI6ICJ1cmkiLAogICAgICAgICAgInRpdGxlIjogIlByb2ZpbGUgcGljdHVyZSIKICAgICAgICB9CiAgICAgIH0sCiAgICAgICJyZXF1aXJlZCI6IFsKICAgICAgICAiZW1haWwiCiAgICAgIF0sCiAgICAgICJhZGRpdGlvbmFsUHJvcGVydGllcyI6IGZhbHNlCiAgICB9CiAgfQp9Cg==
|
|
- id: community
|
|
url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2NvbW11bml0eS5qc29uIiwKICAiJHNjaGVtYSI6ICJodHRwOi8vanNvbi1zY2hlbWEub3JnL2RyYWZ0LTA3L3NjaGVtYSMiLAogICJ0eXBlIjogIm9iamVjdCIsCiAgInRpdGxlIjogIkNvbW11bml0eSBNZW1iZXIiLAogICJwcm9wZXJ0aWVzIjogewogICAgInRyYWl0cyI6IHsKICAgICAgInR5cGUiOiAib2JqZWN0IiwKICAgICAgInByb3BlcnRpZXMiOiB7CiAgICAgICAgImVtYWlsIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJmb3JtYXQiOiAiZW1haWwiLAogICAgICAgICAgInRpdGxlIjogIkVtYWlsIiwKICAgICAgICAgICJvcnkuc2gva3JhdG9zIjogewogICAgICAgICAgICAiY3JlZGVudGlhbHMiOiB7CiAgICAgICAgICAgICAgInBhc3N3b3JkIjogewogICAgICAgICAgICAgICAgImlkZW50aWZpZXIiOiB0cnVlCiAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAidG90cCI6IHsKICAgICAgICAgICAgICAgICJhY2NvdW50X25hbWUiOiB0cnVlCiAgICAgICAgICAgICAgfQogICAgICAgICAgICB9LAogICAgICAgICAgICAicmVjb3ZlcnkiOiB7CiAgICAgICAgICAgICAgInZpYSI6ICJlbWFpbCIKICAgICAgICAgICAgfSwKICAgICAgICAgICAgInZlcmlmaWNhdGlvbiI6IHsKICAgICAgICAgICAgICAidmlhIjogImVtYWlsIgogICAgICAgICAgICB9CiAgICAgICAgICB9CiAgICAgICAgfSwKICAgICAgICAiZ2l2ZW5fbmFtZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAidGl0bGUiOiAiRmlyc3QgbmFtZSIKICAgICAgICB9LAogICAgICAgICJmYW1pbHlfbmFtZSI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAidGl0bGUiOiAiTGFzdCBuYW1lIgogICAgICAgIH0sCiAgICAgICAgIm5pY2tuYW1lIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJ0aXRsZSI6ICJOaWNrbmFtZSIKICAgICAgICB9LAogICAgICAgICJwaWN0dXJlIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJmb3JtYXQiOiAidXJpIiwKICAgICAgICAgICJ0aXRsZSI6ICJQcm9maWxlIHBpY3R1cmUiCiAgICAgICAgfQogICAgICB9LAogICAgICAicmVxdWlyZWQiOiBbCiAgICAgICAgImVtYWlsIgogICAgICBdLAogICAgICAiYWRkaXRpb25hbFByb3BlcnRpZXMiOiBmYWxzZQogICAgfQogIH0KfQo=
|
|
|
|
courier:
|
|
smtp:
|
|
connection_uri: "smtp://postfix.lasuite.svc.cluster.local:25/?skip_ssl_verify=true"
|
|
from_address: no-reply@DOMAIN_SUFFIX
|
|
from_name: Sunbeam Studios
|
|
|
|
oauth2_provider:
|
|
url: http://hydra-admin.ory.svc.cluster.local:4445
|
|
|
|
log:
|
|
format: json
|
|
leak_sensitive_values: false
|
|
|
|
session:
|
|
cookie:
|
|
# Scope session cookie to parent domain so all subdomains (auth.*, admin.*, etc.)
|
|
# receive it. Without this Kratos scopes the cookie to auth.* only, causing
|
|
# redirect loops on admin.*.
|
|
domain: DOMAIN_SUFFIX
|
|
persistent: true
|
|
earliest_possible_extend: 24h
|
|
lifespan: 720h
|
|
whoami:
|
|
required_aal: highest_available
|
|
|
|
serve:
|
|
public:
|
|
base_url: https://auth.DOMAIN_SUFFIX/kratos/
|
|
cors:
|
|
enabled: true
|
|
allowed_origins:
|
|
- https://*.DOMAIN_SUFFIX
|
|
admin:
|
|
base_url: http://kratos-admin.ory.svc.cluster.local:4434/
|
|
|
|
# Chart does not manage secrets — we create them externally via VSO.
|
|
# secret.nameOverride points chart at our VaultStaticSecret-managed K8s secret so
|
|
# the chart injects SECRETS_DEFAULT/SECRETS_COOKIE from kratos-app-secrets automatically.
|
|
# DSN is not injected by the chart when secret.enabled=false — we add it via extraEnv.
|
|
secret:
|
|
enabled: false
|
|
nameOverride: kratos-app-secrets
|
|
|
|
# ServiceMonitor created as standalone resource (kratos-servicemonitor.yaml) —
|
|
# chart's built-in ServiceMonitor requires .Capabilities.APIVersions which
|
|
# kustomize helm template doesn't provide.
|
|
|
|
deployment:
|
|
extraEnv:
|
|
- name: DSN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: kratos-db-creds
|
|
key: dsn
|
|
- name: DISCORD_CLIENT_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: kratos-social-discord
|
|
key: client-id
|
|
- name: DISCORD_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: kratos-social-discord
|
|
key: client-secret
|
|
- name: GITHUB_CLIENT_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: kratos-social-github
|
|
key: client-id
|
|
- name: GITHUB_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: kratos-social-github
|
|
key: client-secret
|
|
resources:
|
|
limits:
|
|
memory: 256Mi
|
|
requests:
|
|
memory: 64Mi
|
|
cpu: 25m
|