
Commit 2e41f7b

authored
improvement: support user-auth local dev kratos (#62)
Kratos redirect URLs are driven by config and are static. This change allows spinning up another instance of user_auth (Kratos) without Oathkeeper, and allows cookies to be sent cross-site from 127.0.0.1:3000 to a backend running in the cloud (for the dev environment). It also allows the URL scheme to be changed, enabling a dev instance of Kratos served from localhost.
1 parent bdeaaab commit 2e41f7b

4 files changed

Lines changed: 36 additions & 17 deletions


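--- a/modules/user_auth/README.md
+++ b/modules/user_auth/README.md
@@ -35,9 +35,11 @@ No requirements.
 | backend\_service\_domain | Domain of the backend service | `string` | n/a | yes |
 | cookie\_signing\_secret\_key | Default secret key for signing cookies | `string` | n/a | yes |
 | create\_namespace | Whether to create the auth namespace(defaults to true), otherwise just references the namespace | `bool` | `true` | no |
+| disable\_oathkeeper | To not provision Oathkeeper, this is useful when you want multiple Kratos setup, while only 1 Oathkeeper proxy to route to them, for example sharing Oathkeeper between a Dev and Staging Kratos | `bool` | `false` | no |
 | external\_secret\_backend | The backend external-secrets will pull secret data from to create a corresponding secret in kubernetes. If empty, external-secrets will not be used. You'll need to make sure the secret is created manually. | `string` | `"secretsManager"` | no |
 | external\_secret\_name | Name of a secret in an external secrets backend that contains the content to pull into a kubernetes secret for Kratos to use | `string` | n/a | yes |
 | frontend\_service\_domain | Domain of the frontend | `string` | n/a | yes |
+| frontend\_use\_https | Whether frontend URLs should be https, unless your developing locally you should leave the default as is. | `bool` | `true` | no |
 | jwks\_content | The content of a JWKS file for Oathkeeper | `string` | n/a | yes |
 | k8s\_local\_exec\_context | Custom resource (Oathkeeper Rules are created using local-exec with kubectl), if not specified it will target your current context from kubeconfig | `string` | `""` | no |
 | kratos\_default\_redirect\_ui\_path | Setting the default path after self-service flows(login/signup/verify/settings), kratos will redirect you to frontend | `string` | `"/dashboard"` | no |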

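--- a/modules/user_auth/files/oathkeeper_kratos_proxy_rules.yaml.tpl
+++ b/modules/user_auth/files/oathkeeper_kratos_proxy_rules.yaml.tpl
@@ -6,10 +6,10 @@ apiVersion: oathkeeper.ory.sh/v1alpha1
 kind: Rule
 metadata:
 name: kratos-${name}-public
-namespace: user-auth
+namespace: ${auth_namespace}
 spec:
 upstream:
-url: http://kratos-${name}-public.user-auth
+url: http://kratos-${name}-public.${auth_namespace}
 stripPath: ${public_selfserve_endpoint}
 preserveHost: true
 match:
@@ -36,10 +36,10 @@ apiVersion: oathkeeper.ory.sh/v1alpha1
 kind: Rule
 metadata:
 name: kratos-${name}-form-data
-namespace: user-auth
+namespace: ${auth_namespace}
 spec:
 upstream:
-url: http://kratos-${name}-admin.user-auth
+url: http://kratos-${name}-admin.${auth_namespace}
 stripPath: ${admin_selfserve_endpoint}
 preserveHost: true
 match: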
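Review bot: Once two module instances (the dev/staging case from the commit description) register `kratos-${name}-public` and `kratos-${name}-form-data` Rules from different namespaces against one shared Oathkeeper, the only thing keeping them apart is the `match:` block that starts on the last line of each hunk and continues outside it; if both instances are given the same `backend_service_domain`, their match URLs would presumably be identical, and Oathkeeper refuses a request that is matched by more than one rule. That constraint is not written down anywhere in the template, so add it at the top of the file: `# When several Kratos instances share one Oathkeeper, each instance must use a distinct backend_service_domain so the rule match URLs below do not overlap.` The namespace parameterization itself looks right; the upstream service names use the short `<svc>.<namespace>` form, which relies on the cluster DNS search path, and a short comment saying so would spare the next reader the question.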

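--- a/modules/user_auth/main.tf
+++ b/modules/user_auth/main.tf
@@ -14,7 +14,8 @@ locals {
 }
 }
 
-default_flow_return_url = "https://${var.frontend_service_domain}${var.kratos_default_redirect_ui_path}"
+frontend_scheme = var.frontend_use_https ? "https" : "http"
+default_flow_return_url = "${local.frontend_scheme}://${var.frontend_service_domain}${var.kratos_default_redirect_ui_path}"
 kratos_values_override = {
 secret = {
 nameOverride = var.kratos_secret_name
@@ -32,38 +33,38 @@ locals {
 
 selfservice = {
 whitelisted_return_urls = var.whitelisted_return_urls
-default_browser_return_url = "https://${var.frontend_service_domain}/"
+default_browser_return_url = "${local.frontend_scheme}://${var.frontend_service_domain}/"
 flows = {
 settings = {
-ui_url = "https://${var.frontend_service_domain}/auth/settings"
+ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/settings"
 after = {
 default_browser_return_url = local.default_flow_return_url
 }
 }
 
 verification = {
-ui_url = "https://${var.frontend_service_domain}/auth/verify"
+ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/verify"
 after = {
 default_browser_return_url = local.default_flow_return_url
 }
 }
 
 recovery = {
-ui_url = "https://${var.frontend_service_domain}/auth/recovery"
+ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/recovery"
 after = {
 default_browser_return_url = local.default_flow_return_url
 }
 }
 
 login = {
-ui_url = "https://${var.frontend_service_domain}/auth/login"
+ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/login"
 after = {
 default_browser_return_url = local.default_flow_return_url
 }
 }
 
 registration = {
-ui_url = "https://${var.frontend_service_domain}/auth/registration"
+ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/registration"
 after = {
 default_browser_return_url = local.default_flow_return_url
 password = {
@@ -76,7 +77,7 @@ locals {
 }
 
 error = {
-ui_url = "https://${var.frontend_service_domain}/auth/errors"
+ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/errors"
 }
 
 }
@@ -95,17 +96,17 @@ locals {
 # https://github.com/ory/k8s/blob/master/helm/charts/oathkeeper/templates/ingress-proxy.yaml
 proxy = {
 hosts = [{
-host = var.backend_service_domain
+host = var.backend_service_domain
 paths = ["/"]
 }]
 
 tls = [{
-hosts = [var.backend_service_domain]
+hosts = [var.backend_service_domain]
 secretName = "oathkeeper-proxy-tls-secret"
 }]
 
 annotations = {
-"nginx.ingress.kubernetes.io/cors-allow-origin" : "https://${var.frontend_service_domain}"
+"nginx.ingress.kubernetes.io/cors-allow-origin" : "${local.frontend_scheme}://${var.frontend_service_domain}"
 }
 }
 }
@@ -131,7 +132,7 @@ locals {
 handlers = {
 redirect = {
 config = {
-to = "https://${var.frontend_service_domain}/auth/login"
+to = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/login"
 }
 }
 }
@@ -205,6 +206,7 @@ data "template_file" "oathkeeper_kratos_proxy_rules" {
 backend_service_domain = var.backend_service_domain
 public_selfserve_endpoint = "/.ory/kratos/public"
 admin_selfserve_endpoint = "/.ory/kratos"
+auth_namespace = var.auth_namespace
 }
 }
 
@@ -220,6 +222,8 @@ resource "null_resource" "oathkeeper_kratos_proxy_rules" {
 }
 
 module "oathkeeper_config" {
+count = var.disable_oathkeeper ? 0 : 1
+
 source = "cloudposse/config/yaml"
 version = "0.7.0"
 
@@ -229,6 +233,7 @@ module "oathkeeper_config" {
 }
 
 resource "helm_release" "oathkeeper" {
+count = var.disable_oathkeeper ? 0 : 1
 
 name = "oathkeeper-${var.name}"
 repository = "https://k8s.ory.sh/helm/charts"
@@ -238,7 +243,7 @@ resource "helm_release" "oathkeeper" {
 depends_on = [kubernetes_namespace.user_auth]
 
 values = [
-jsonencode(module.oathkeeper_config.map_configs)
+jsonencode(module.oathkeeper_config[0].map_configs)
 ]
 
 # Clean up and set the JWKS content. This will become a secret mounted into the pod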
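Review bot: In the `@@ -95` hunk the proxy ingress now advertises `http://<frontend_service_domain>` as its CORS allow-origin whenever `frontend_use_https` is false, while the same ingress still terminates TLS (the `tls` block two lines up), and nothing in the module ties that plaintext origin to a loopback frontend; the commit description says the point is to let a browser on 127.0.0.1:3000 send cookies to a cloud backend, so a staging deployment that is handed `frontend_use_https = false` by mistake would be trusting credentialed cross-origin requests from a spoofable origin (the allow-credentials annotation is not visible here, so that part is inferred). Guard it where the scheme is derived rather than in the description: keep `frontend_scheme = var.frontend_use_https ? "https" : "http"` and add a `precondition` on the Kratos release with `condition = var.frontend_use_https || can(regex("^(localhost|127\\.0\\.0\\.1)(:[0-9]+)?$", var.frontend_service_domain))` and an error message naming the flag, or the `file("ERROR: …")` idiom if the module's Terraform version predates preconditions. The `null_resource` that applies the proxy rules (header of the `@@ -220` hunk) is deliberately left without `count` so the rules still reach a shared Oathkeeper when `disable_oathkeeper` is set; say so next to the new `count` on `module "oathkeeper_config"`, e.g. `# The proxy rules above are still applied when Oathkeeper is disabled: they target the shared proxy in another module instance`, so nobody "fixes" it later. All `locals` hunks belong to a block that begins before the first hunk.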

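--- a/modules/user_auth/variables.tf
+++ b/modules/user_auth/variables.tf
@@ -93,3 +93,15 @@ variable "kratos_default_redirect_ui_path" {
 type = string
 default = "/dashboard"
 }
+
+variable "disable_oathkeeper" {
+description = "To not provision Oathkeeper, this is useful when you want multiple Kratos setup, while only 1 Oathkeeper proxy to route to them, for example sharing Oathkeeper between a Dev and Staging Kratos"
+type = bool
+default = false
+}
+
+variable "frontend_use_https" {
+description = "Whether frontend URLs should be https, unless your developing locally you should leave the default as is."
+type = bool
+default = true
+}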
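Review bot: `frontend_use_https` is documented as dev-only but carries no constraint, and because a `validation` block may only reference its own variable the loopback-only rule cannot live here; the description should at least state what "locally" means and what else the flag touches: `description = "Whether frontend URLs use https. Set to false only for a local (localhost/127.0.0.1) development frontend; it also changes the CORS allow-origin of the Oathkeeper proxy ingress."` (this also fixes `your developing` → `you're developing`, which the README table copies verbatim). With `disable_oathkeeper = true` the module still requires `jwks_content` (the README hunk lists it as required with no default) even though no Oathkeeper release consumes it, so a Kratos-only deployment has to supply a key set it never uses; either give `jwks_content` a default of `""` and assert it is non-empty when Oathkeeper is enabled, or note the dependency in the `disable_oathkeeper` description.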
