clever-ice-6330
04/13/2023, 3:48 AM
ECONNREFUSED connection error while attempting to deploy on a local Kubernetes cluster in Docker-Desktop w/ Helm and using Self Service UI Node (more details in the thread).

clever-ice-6330
04/13/2023, 3:49 AM
Docker-Desktop v4.17.0 on macOS Monterey 12.6.3. Using ingress-nginx as the ingress controller (also w/ Helm, all default values, no values.yaml), which is able to successfully route to Kratos Public API endpoints (validated w/ curl) and the Kratos SelfService UI Node welcome page (validated w/ browser). PostgreSQL is the backend (validated schema and tables w/ psql after the automigration job successfully finishes).
My kratos values.yaml is using the standard values from the Ory Kratos Helm Chart v0.11.1, kratos-0.30.0. Sections kratos.config.[default,identity,courier,automigration] are omitted here since they are the same as the aforementioned reference chart:
```yaml
kratos:
  development: true
  config:
    dsn: postgres://kratos:password@myapp-db-postgresql.default.svc.cluster.local:5432/auth
    serve:
      public:
        base_url: http://myapp.local
        cors:
          debug: true
    selfservice:
      default_browser_return_url: http://myapp.local/welcome
      flows:
        registration:
          ui_url: http://myapp.local/registration
        login:
          ui_url: http://myapp.local/login
        error:
          ui_url: http://myapp.local/error
    log:
      level: debug
      leak_sensitive_values: true
  identitySchemas:
    "identity.default.schema.json": |
      {
        "default_values_here": default_values
      }
service:
  admin:
    enabled: true
    type: NodePort
    port: 80
  public:
    enabled: true
    type: NodePort
    port: 80
ingress:
  admin:
    enabled: true
    #className: "nginx"
    annotations:
      kubernetes.io/ingress.class: nginx
    hosts:
      - host: myapp.local
        paths:
          - path: /admin
            pathType: Prefix
            #pathType: ImplementationSpecific
  public:
    enabled: true
    #className: "nginx"
    annotations:
      kubernetes.io/ingress.class: nginx
    hosts:
      - host: myapp.local
        paths:
          - path: /self-service
            pathType: Prefix
            #pathType: ImplementationSpecific
```
The UI has the following values.yaml, again, from the Ory SelfService UI Node Helm Chart v0.10.1, kratos-selfservice-ui-node-0.30.0 documentation:
```yaml
ingress:
  enabled: true
  #className: "nginx"
  annotations:
    kubernetes.io/ingress.class: nginx
  hosts:
    - host: myapp.local
      paths:
        - path: /
          pathType: Prefix
          #pathType: ImplementationSpecific
#kratosAdminUrl: "http://myapp.local/admin"
kratosPublicUrl: "http://myapp.local"
kratosBrowserUrl: "http://myapp.local"
baseUrl: "http://myapp.local"
```
The local /etc/hosts file is:
```
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
# Added by Docker Desktop
# To allow the same kube context to work on the host and the container:
127.0.0.1 kubernetes.docker.internal
127.0.0.1 myapp.local
# End of section
```
On the browser, I can successfully access http://myapp.local/welcome and land on the UI /welcome page. After hitting the Sign Up button (myapp.local/registration), the Kratos Public API returns a redirect of the form:
http://myapp.local/self-service/registration/browser?return_to=
which in turn yields a URL for the UI w/ flow id:
http://myapp.local/registration?flow=<flow_id>
This causes the UI to return a status 500 w/:
```json
{
  "message": "connect ECONNREFUSED 127.0.0.1:80",
  "name": "Error",
  "stack": "Error: connect ECONNREFUSED 127.0.0.1:80\n at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1161:16)",
  "config": {
    "url": "http://myapp.local/self-service/registration/flows?id=cac0348a-9322-4f07-aa16-284cb76d150d",
    "method": "get",
    "headers": {
      "Accept": "application/json, text/plain, */*",
      "cookie": "csrf_token_hash=hash=; csrf_token_hash=hash=",
      "User-Agent": "axios/0.21.4"
    },
    "transformRequest": [
      null
    ],
    "transformResponse": [
      null
    ],
    "timeout": 0,
    "xsrfCookieName": "XSRF-TOKEN",
    "xsrfHeaderName": "X-XSRF-TOKEN",
    "maxContentLength": -1,
    "maxBodyLength": -1,
    "transitional": {
      "silentJSONParsing": true,
      "forcedJSONParsing": true,
      "clarifyTimeoutError": false
    }
  },
  "code": "ECONNREFUSED"
}
```

clever-ice-6330
04/14/2023, 7:00 AM
```bash
#!/bin/bash
baseurl="http://myapp.local/self-service/registration"

# A cookie jar for storing the CSRF tokens
cookieJar=$(mktemp)

# Initialize a browser registration flow and read its id from the JSON response
flowId=$(curl -s -X GET \
  --cookie-jar "$cookieJar" --cookie "$cookieJar" \
  -H "Accept: application/json" \
  "$baseurl/browser" | jq -r '.id')

# The endpoint uses Ory Identities' REST API to fetch information about the request
registration_flow=$(curl -s -X GET \
  --cookie-jar "$cookieJar" --cookie "$cookieJar" \
  -H "Accept: application/json" \
  "$baseurl/flows?id=$flowId" | jq)

# Extract the CSRF token from the flow's UI nodes
csrf_token=$(echo "$registration_flow" | jq -r '.ui.nodes[] | select(.attributes.name == "csrf_token") | .attributes.value')

# Submit the registration form for the flow, sending the same cookies back
curl -s -X POST \
  --cookie-jar "$cookieJar" --cookie "$cookieJar" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{"method":"password","csrf_token":"'"$csrf_token"'","traits.email":"email@example.com","password":"3x4mpl3p55w04d!","traits.tos":"true","transient_payload.consents":"newsletter,usage_stats"}' \
  "$baseurl?flow=$flowId"
```