narrow-kitchen-3944
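# Helm values for the ORY Kratos chart, reconstructed from a whitespace-stripped
# paste. Chat auto-link mangling (<https://x|x>) has been removed from every URL
# and annotation key; the duplicate allowed_return_urls entry was dropped.
kratos:
  # Let the chart apply Kratos' SQL migrations automatically.
  autoMigrate: true

  # Each key is mounted under /etc/config/<key> and referenced below through
  # identity.schemas[].url (file:///etc/config/identity.default.schema.json).
  # NOTE(review): traits are submitted by the end user in the registration and
  # settings flows. A "role" trait whose enum includes "admin" lets a
  # self-registering user choose their own role; keep authorization data out of
  # traits (e.g. metadata_admin) or assign it server-side.
  identitySchemas:
    "identity.default.schema.json": |
      {
        "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
        "$schema": "http://json-schema.org/draft-07/schema#",
        "title": "Person",
        "type": "object",
        "properties": {
          "traits": {
            "type": "object",
            "properties": {
              "email": {
                "type": "string",
                "format": "email",
                "title": "E-Mail",
                "minLength": 3,
                "ory.sh/kratos": {
                  "credentials": {
                    "password": {
                      "identifier": true
                    },
                    "totp": {
                      "account_name": true
                    }
                  },
                  "verification": {
                    "via": "email"
                  },
                  "recovery": {
                    "via": "email"
                  }
                }
              },
              "role": {
                "title": "Role",
                "type": "string",
                "default": "user",
                "enum": ["user", "admin"]
              }
            },
            "required": [
              "email"
            ],
            "additionalProperties": true
          }
        }
      }

  # Kratos configuration (rendered into the config file by the chart).
  config:
    version: v0.9.0-alpha.3
    serve:
      # admin:
      #   port: 80
      public:
        base_url: https://kratos.example.com
        cors:
          enabled: true
          # NOTE(review): the localhost origin/return URL entries below are for
          # local development; drop them from a shared deployment.
          allowed_origins:
            - https://example.com
            - "https://*.example.com"  # quoted: contains a wildcard
            - http://localhost:3000
          allowed_methods:
            - POST
            - GET
            - PUT
            - PATCH
            - DELETE
          allowed_headers:
            - Authorization
            - Cookie
            - Content-Type
            - X-Session-Token
          exposed_headers:
            - Content-Type
            - Set-Cookie
    # Placeholders as posted; real credentials belong in a Kubernetes Secret,
    # not in committed values.
    dsn: postgres://secretDb
    courier:
      smtp:
        connection_uri: smtps://secretSmtp
    identity:
      default_schema_id: default
      schemas:
        - id: default
          url: file:///etc/config/identity.default.schema.json
    log:
      level: debug
      format: text
      # NOTE(review): logs sensitive values (cookies, URL parameters, ...) in
      # clear text. Acceptable only while debugging locally; set to false (and
      # level to info) before this reaches a shared environment.
      leak_sensitive_values: true
    selfservice:
      default_browser_return_url: https://appLogin.example.com
      allowed_return_urls:
        - "https://*.example.com"  # quoted: contains a wildcard
        - https://appLogin.example.com
        - https://app2.example.com
        - http://localhost:3000
      methods:
        password:
          enabled: true
      flows:
        error:
          ui_url: https://appLogin.example.com/error
        settings:
          ui_url: https://appLogin.example.com/settings
          privileged_session_max_age: 15m
        # Recovery and verification are disabled even though the identity schema
        # declares both via email; enable them here when the flows are needed.
        recovery:
          enabled: false
          ui_url: https://appLogin.example.com/recovery
        verification:
          enabled: false
          ui_url: https://appLogin.example.com/verification
          after:
            default_browser_return_url: https://appLogin.example.com/
        logout:
          after:
            default_browser_return_url: https://appLogin.example.com/
        login:
          ui_url: https://appLogin.example.com/
          after:
            default_browser_return_url: https://appLogin.example.com/
          lifespan: 10m
        registration:
          lifespan: 10m
          ui_url: https://appLogin.example.com/registration
          after:
            password:
              hooks:
                # Issue a session right after a successful password registration.
                - hook: session
    ciphers:
      algorithm: xchacha20-poly1305
    hashers:
      algorithm: bcrypt
      bcrypt:
        # NOTE(review): cost 8 is low; Kratos' documented default is 12.
        cost: 8
    # NOTE(review): placeholders. The first entry of each list is the active
    # key, later entries are kept for rotation; the cipher secret for
    # xchacha20-poly1305 must be exactly 32 characters long. Source these from a
    # Kubernetes Secret rather than committed values.
    secrets:
      cookie:
        - SOME_LONG_SECRET
      cipher:
        - SOME_LONG_SECRET
    cookies:
      domain: example.com
      path: /
      same_site: Lax
    # session:
    #   cookie:
    #     domain: .example.com
    #     path: /
    #     same_site: Lax

image:
  # -- ORY KRATOS image
  repository: oryd/kratos
  # -- ORY KRATOS VERSION
  # Alternative format: image: oryd/kratos:v0.6.3-alpha.1
  tag: v0.9.0-alpha.3
  # pullPolicy: IfNotPresent
  imagePullPolicy: Always

deployment:
  # -- Configure the probes for when the deployment is considered ready and ongoing health check
  livenessProbe:
    httpGet:
      path: /health/alive
      port: http-admin
    initialDelaySeconds: 60
    periodSeconds: 10
    failureThreshold: 5
  readinessProbe:
    httpGet:
      path: /health/ready
      port: http-admin
    initialDelaySeconds: 60
    periodSeconds: 10
    failureThreshold: 5
  # -- If you want to mount external volume
  # For example, mount a secret containing Certificate root CA to verify database
  # TLS connection.

ingress:
  # NOTE(review): the Kratos admin API carries no authentication of its own and
  # must not be reachable from the public internet. This publishes it on a
  # public host with a cert-manager certificate; restrict it (IP allow-list,
  # internal ingress class, auth at the proxy) or disable the admin ingress.
  admin:
    enabled: true
    className: nginx
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      cert-manager.io/cluster-issuer: letsencrypt
    hosts:
      - host: admin-kratos.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: kratosadmin-tls
        hosts:
          - admin-kratos.example.com
  public:
    enabled: true
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      cert-manager.io/cluster-issuer: letsencrypt
    className: nginx
    hosts:
      - host: kratos.example.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: kratospublic-tls
        hosts:
          - kratos.example.com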
damp-sunset-69236
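# Kratos `cookies` section as first posted (chat link-mangling removed from the
# domain; indentation restored).
cookies:
  domain: example.com
  path: /
  same_site: Lax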
to this
cookies:
domain: <http://example.com|example.com>