Hi I am self-hosting Ory Kratos and courier in our...
# general
Hi, I am self-hosting Ory Kratos and courier in our Kubernetes cluster, and we recently moved to using secrets. As part of that I tried moving the COURIER_SMTP_CONNECTION_URI from the ConfigMap to the courier deployment, and authentication with AWS SES is now failing. I have checked the creds multiple times and can confirm they are valid. Errors seen:
{"audience":"application","level":"info","msg":"No tracer configured - skipping tracing setup","service_name":"Ory Kratos","service_version":"v1.0.0","time":"2024-08-23T10:20:35.420542208Z"}
{"audience":"application","connMaxLifetime":0,"idlePool":4,"level":"debug","msg":"Connecting to SQL Database","pool":20,"service_name":"Ory Kratos","service_version":"v1.0.0","time":"2024-08-23T10:20:35.420622987Z"}
{"audience":"application","level":"info","msg":"Courier worker started.","service_name":"Ory Kratos","service_version":"v1.0.0","time":"2024-08-23T10:20:36.008540172Z"}
{"audience":"application","error":{"message":"535 Authentication Credentials Invalid","stack_trace":"stack trace could not be recovered from error type *textproto.Error"},"level":"error","message_from":"hello@YYY.net","message_id":"6ce14c29-0115-4a10-87a2-b4e48471f00b","message_nid":"f40b1c5d-34a9-4b07-a788-5df5c52ab2ee","msg":"Unable to send email using SMTP connection.","service_name":"Ory Kratos","service_version":"v1.0.0","smtp_server":"email-smtp.us-east-1.amazonaws.com:2465","smtp_ssl_enabled":true,"time":"2024-08-23T10:29:03.495567703Z"}
Provided below is my deployment YAML file:
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    reloader.stakater.com/auto: 'true'
  labels:
    app.kubernetes.io/instance: kratos-courier
  name: kratos-courier
  namespace: quasar
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kratos-courier
  template:
    metadata:
      labels:
        app: kratos-courier
    spec:
      containers:
        - args:
            - courier
            - watch
            - '--config'
            - /etc/config/kratos.yaml
          env:
            - name: SES_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  key: SES_ACCESS_KEY_ID
                  name: mail-ses-creds
            - name: SES_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: SES_SECRET_ACCESS_KEY
                  name: mail-ses-creds
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  key: DB_USER
                  name: kratos-db-creds
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  key: DB_PASS
                  name: kratos-db-creds
            - name: DSN
              value: >-
                postgresql://$(DB_USER):$(DB_PASS)@taaja-test-db.cdy9hdhasdasd.us-east-x.rds.amazonaws.com:5432/kratosdb?sslmode=disable&max_conns=20&max_idle_conns=4
            - name: COURIER_SMTP_CONNECTION_URI
              value: >-
                smtps://$(SES_ACCESS_KEY_ID):$(SES_SECRET_ACCESS_KEY)@email-smtp.us-east-1.amazonaws.com:2465
          image: 'oryd/kratos:v1.0.0'
          imagePullPolicy: Always
          name: kratos
          ports:
            - containerPort: 4433
              name: public-port
              protocol: TCP
            - containerPort: 4434
              name: admin-port
              protocol: TCP
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /mnt/secrets-store
              name: secrets-store-inline
              readOnly: true
            - mountPath: /etc/config
              name: ory-kratos-courier-config-volume
              readOnly: true
      serviceAccountName: secrets-sa
      volumes:
        - csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: kratos-courier-deployment-aws-secrets
          name: secrets-store-inline
        - configMap:
            name: ory-kratos-courier-config-volume
          name: ory-kratos-courier-config-volume
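A check for the situation described in the post, added here as an example; it is not code from the post or from Ory Kratos. The connection URI is parsed as a URL, while Kubernetes `$(VAR)` expansion splices the Secret's value in verbatim, so an access key or password containing `/`, `+`, `=`, `@` or `%` (base64-shaped SES SMTP passwords usually do) changes what the parser sees, and a value created with `echo` instead of `echo -n` carries a trailing newline. The script builds the URI both ways and parses it back, reports such problems in a raw Secret value, and, as a separate thing to rule out, derives an SES SMTP password from an IAM secret access key with the AWS-documented HMAC chain (SES does not accept the IAM secret itself as the SMTP password). Host and port are taken from the post; the credentials are constructed placeholders.

```python
"""Added example (not from the original post or from Ory Kratos): checks for
SMTP credentials that are spliced into COURIER_SMTP_CONNECTION_URI.

The URI is parsed as a URL, so its userinfo part must be percent-encoded.
Kubernetes' $(VAR) expansion inserts a Secret value verbatim and does no such
encoding. Host and port are from the post; credentials below are constructed.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote, urlsplit

SES_HOST = "email-smtp.us-east-1.amazonaws.com"  # from the post
SES_PORT = 2465                                   # from the post

# Constructed sample credentials (not real). The password deliberately
# contains '/', '+' and '=' because base64-shaped SES SMTP passwords often do.
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE"
SMTP_PASSWORD = "BExample/abc+def=="

URL_RESERVED = set("/:@?#%+&= ")


def naive_uri(user: str, password: str) -> str:
    """What the $(SES_ACCESS_KEY_ID):$(SES_SECRET_ACCESS_KEY) expansion yields."""
    return f"smtps://{user}:{password}@{SES_HOST}:{SES_PORT}"


def encoded_uri(user: str, password: str) -> str:
    """Same URI with both userinfo parts percent-encoded; safe='' encodes '/' too."""
    return f"smtps://{quote(user, safe='')}:{quote(password, safe='')}@{SES_HOST}:{SES_PORT}"


def recover_credentials(uri: str):
    """Parse the URI the way a URL-based SMTP client does; return (user, password, host).

    urlsplit() does not decode userinfo, so unquote explicitly. Exactly how a
    parser fails on an unencoded '/' differs (Python drops the userinfo, Go's
    net/url rejects the port), but none of them recovers the intended values.
    """
    parts = urlsplit(uri)
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    return user, password, parts.hostname


def credential_problems(value: str) -> list:
    """Reasons a raw Secret value will not survive verbatim $(VAR) splicing."""
    problems = []
    if value != value.strip():
        problems.append("leading/trailing whitespace or newline "
                        "(typical of a Secret created with echo instead of echo -n)")
    bad = sorted(set(value) & URL_RESERVED)
    if bad:
        problems.append("URL-reserved characters need percent-encoding: " + "".join(bad))
    return problems


def ses_smtp_password(secret_access_key: str, region: str) -> str:
    """Derive an SES SMTP password from an IAM secret access key using the
    AWS-documented SigV4-style HMAC chain. Only relevant if the Secret holds
    the IAM secret rather than an SMTP password; SES rejects the IAM secret
    itself with 535. Result is 44 base64 chars starting with 'B' (version 0x04)."""
    def sign(key: bytes, msg: str) -> bytes:
        return hmac.new(key, msg.encode(), hashlib.sha256).digest()
    sig = sign(("AWS4" + secret_access_key).encode(), "11111111")
    for part in (region, "ses", "aws4_request", "SendRawEmail"):
        sig = sign(sig, part)
    return base64.b64encode(bytes([0x04]) + sig).decode()


if __name__ == "__main__":
    intended = (ACCESS_KEY_ID, SMTP_PASSWORD, SES_HOST)
    for label, uri in (("naive", naive_uri(ACCESS_KEY_ID, SMTP_PASSWORD)),
                       ("encoded", encoded_uri(ACCESS_KEY_ID, SMTP_PASSWORD))):
        print(f"{label:8s} credentials survive parsing: {recover_credentials(uri) == intended}")
    print("problems:", credential_problems(SMTP_PASSWORD + "\n"))
    # Placeholder IAM secret from AWS documentation, not a real credential.
    print("derived SMTP password:",
          ses_smtp_password("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1"))
```

If `credential_problems` reports anything for the raw value, store the percent-encoded form (or the complete, already-encoded URI) in the Secret instead of relying on `$(VAR)` expansion to assemble it, then print the expanded `COURIER_SMTP_CONNECTION_URI` inside the running pod and feed it to `recover_credentials` to confirm the username and password come back intact.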