feat(kratos): deploy Ory Kratos to production (Apple-only OIDC)
Backend CI / Test (push) Has been cancelled
Backend CI / Contract Tests (push) Has been cancelled
Backend CI / Lint (push) Has been cancelled
Backend CI / Secret Scanning (push) Has been cancelled
Backend CI / Build (push) Has been cancelled

Auth was structurally broken — the api's Kratos middleware was pointing
at http://kratos:4433 but Kratos wasn't deployed. The only thing keeping
users logged in was a 5-min Redis cache; once it expired the middleware
called Whoami → no DNS → 401 → forced relogin with no path back.

This commit deploys Kratos for real:

Manifests:
  - kratos.yaml + migrate-job.yaml: pin oryd/kratos:v26.2.0@sha256:92eedc...
    (CalVer current stable as of 2026-06-03)
  - configmap.yaml: drop Google OIDC provider (not in scope); fill the
    Apple provider with real Services ID / Team ID / Key ID — Apple now
    sits at providers[0]
  - kratos.yaml: drop the Google-secret env binding; rebind APPLE_PRIVATE_KEY
    to PROVIDERS_0_APPLE_PRIVATE_KEY (shifted from index 1)
  - network-policies.yaml: add a kratos egress rule to allow-egress-from-api.
    Without this, even with kratos running, the api gets "connection refused"
    on http://kratos:4433 (post-DNAT NetworkPolicy enforcement — runbook §9.2).

Operator prerequisites that were completed alongside this commit:
  - Neon kratos database created (separate from honeyDue, owner neondb_owner)
  - Cloudflare DNS for auth.myhoneydue.com (3 A records, proxied)
  - kratos: block added to config.yaml (gitignored): DSN to the Neon DIRECT
    endpoint, cookie + cipher secrets generated, Fastmail SMTPS URI,
    .p8 contents inline

Out of scope intentionally:
  - Google sign-in (additive; can append providers[] later)
  - Migrating existing auth_user rows onto Kratos identities — pre-prod;
    existing users will need to sign in fresh, which creates a new Kratos
    identity and a new local user row (per migration plan in
    manifests/kratos/README.md).

Verified end-to-end:
  - 338 schema migrations applied successfully
  - 2/2 kratos pods Ready
  - api → kratos:4433/sessions/whoami returns 401 for invalid token (was
    "connection refused" before this commit's NetworkPolicy patch)
  - auth.myhoneydue.com resolves through CF; cloudflare-only middleware
    keeps the origin protected exactly like the other hostnames

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Trey t
2026-06-03 11:08:09 -05:00
parent 64c656bde1
commit 6de90acef7
4 changed files with 46 additions and 34 deletions
+15 -18
@@ -5,9 +5,10 @@
# kratos-secrets Secret (see kratos.yaml). Kratos is configured natively via
# env vars, so this is the idiomatic split — only non-secret config here.
#
# OPERATOR: replace the GOOGLE_OAUTH_CLIENT_ID / APPLE_* client-id placeholders
# below with the real (non-secret) OAuth client identifiers once the Apple and
# Google OAuth apps exist. The matching secrets go in kratos-secrets.
# OIDC scope: Apple-only as of 2026-06-03. Google is intentionally absent;
# adding it later is additive — append a `- id: google` block under
# selfservice.methods.oidc.config.providers (it becomes index 1) and bind a
# matching CLIENT_SECRET env in kratos.yaml.
apiVersion: v1
kind: ConfigMap
metadata:
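Review bot: the ordering caveat in the added comment lines (`append a `- id: google` block under` ... `(it becomes index 1)`) understates the risk: the secret env bindings are positional (`PROVIDERS_0_...`, per the commit message and the Apple comment in the providers hunk), so inserting a new provider above Apple instead of appending would silently bind the Apple private key to the wrong provider entry. Suggest stating outright that new providers must be appended at the end of the list and that the index in the matching env name must be changed in the same commit.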
@@ -18,9 +19,9 @@ metadata:
app.kubernetes.io/part-of: honeydue
data:
kratos.yml: |
# version must track the Kratos image tag — confirm against the deployed
# Kratos release (Ory uses CalVer, e.g. v26.x). See kratos/README.md.
version: v1.3.0
# version must track the Kratos image tag — kratos.yaml + migrate-job.yaml
# both pin oryd/kratos:v26.2.0 (2026-06-03). See kratos/README.md.
version: v1.3.0 # internal config schema version; do not change unless Kratos release notes require it
serve:
public:
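Review bot: the two added comment lines contradict each other: `# version must track the Kratos image tag — kratos.yaml + migrate-job.yaml` says the value follows the image tag (v26.2.0), while the trailing comment on `version: v1.3.0 # internal config schema version; do not change unless Kratos release notes require it` says it is a schema version that is not to be changed; the value staying at v1.3.0 next to a v26.2.0 image shows the second reading is the one in force. Suggest rewording the first line to say only that the image is pinned to v26.2.0 and that `version` is the config schema version, so a later reader does not bump it to match the image tag.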
@@ -57,20 +58,16 @@ data:
enabled: true
config:
providers:
# index 0 — Google. client_secret is injected via env var
# SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_CLIENT_SECRET.
- id: google
provider: google
client_id: GOOGLE_OAUTH_CLIENT_ID
mapper_url: file:///etc/kratos/oidc.google.jsonnet
scope: [openid, email, profile]
# index 1 — Apple. apple_private_key is injected via env var
# SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_1_APPLE_PRIVATE_KEY.
# index 0 — Apple Sign In. apple_private_key (.p8 contents) is
# injected via env SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_APPLE_PRIVATE_KEY.
# client_id is the Apple Services ID (here: the bundle ID, which
# was configured as a Services ID with Sign In with Apple
# capability — see operator notes in README.md §5).
- id: apple
provider: apple
client_id: APPLE_SERVICES_ID
apple_team_id: APPLE_TEAM_ID
apple_private_key_id: APPLE_PRIVATE_KEY_ID
client_id: com.myhoneydue.honeyDue
apple_team_id: X86BR9WTLD
apple_private_key_id: HQD3NCF99C
mapper_url: file:///etc/kratos/oidc.apple.jsonnet
scope: [openid, email, name]
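Review bot: the real Apple identifiers on `client_id: com.myhoneydue.honeyDue`, `apple_team_id: X86BR9WTLD` and `apple_private_key_id: HQD3NCF99C` land in this push while the Backend CI Secret Scanning check was cancelled (see the status lines at the top of the page), so they have not been through the scanner; the file header classifies them as non-secret identifiers, but the check should be re-run before merge so the scanning baseline does not start from an unscanned commit. Two smaller points: the comment says the key is injected via `SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_APPLE_PRIVATE_KEY`, and the kratos.yaml rebind the commit message describes is not in this diff view, so confirm the env name there matches character for character, since a mismatch leaves the Apple provider without its private key; and the comment cites `README.md §5` while the previous hunk cites `kratos/README.md` and the commit message `manifests/kratos/README.md`, so settle on one path.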