admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): scaffold Ory Kratos identity service — phase 1 (infrastructure)
Backend CI / Test (push) Has been cancelled
Details
Backend CI / Contract Tests (push) Has been cancelled
Details
Backend CI / Lint (push) Has been cancelled
Details
Backend CI / Secret Scanning (push) Has been cancelled
Details
Backend CI / Build (push) Has been cancelled
Details

Browse Source 
First phase of replacing the hand-rolled auth (internal/services/auth_service.go
et al.) with Ory Kratos. This commit is infrastructure only — Kratos will run
but nothing consumes it yet; the Go API still does its own auth until phase 2.

Adds deploy-k3s/manifests/kratos/:
- configmap.yaml  — kratos.yml, identity schema, Google/Apple OIDC claim
                     mappers (no secrets in the ConfigMap)
- migrate-job.yaml — `kratos migrate sql`, run before the Deployment
- kratos.yaml     — Deployment (x2), Service, NetworkPolicies
- ingress.yaml    — auth.myhoneydue.com -> Kratos public API :4433
- README.md       — operator prerequisites + deploy runbook

Wiring:
- 02-setup-secrets.sh creates kratos-secrets, gated on a config.yaml `kratos:`
  block (DSN, cookie/cipher, SMTP URI, OIDC client secret, Apple key).
- 03-deploy.sh applies the Kratos manifests + runs the migrate Job, gated on
  the kratos-secrets Secret existing.

Both gates mean the existing stack deploys completely unaffected until the
operator completes the prerequisites (Neon `kratos` DB, auth.myhoneydue.com
DNS, Apple/Google OAuth apps, Kratos image version). Pre-production, so no
user-data migration — see manifests/kratos/README.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Trey t
2026-05-18 16:24:38 -05:00
parent c845771946
commit b66151ddd9
7 changed files with 636 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy-k3s/scripts/02-setup-secrets.sh
+29
View File
@@ -164,6 +164,35 @@ else
warn "Admin panel will NOT have basic auth protection."
fi
# --- Create Kratos secrets (Ory Kratos identity service) ---
# Created only when config.yaml has a kratos.dsn. Until then 03-deploy.sh skips
# the Kratos deploy entirely, so the existing stack is unaffected.
KRATOS_DSN="$(cfg kratos.dsn 2>/dev/null || true)"
if [[ -n "${KRATOS_DSN}" ]]; then
log "Creating kratos-secrets..."
KR_COOKIE="$(cfg kratos.secrets_cookie 2>/dev/null || true)"
KR_CIPHER="$(cfg kratos.secrets_cipher 2>/dev/null || true)"
KR_SMTP="$(cfg kratos.smtp_connection_uri 2>/dev/null || true)"
KR_GOOGLE="$(cfg kratos.google_client_secret 2>/dev/null || true)"
KR_APPLE="$(cfg kratos.apple_private_key 2>/dev/null || true)"
[[ -n "${KR_COOKIE}" && -n "${KR_CIPHER}" ]] \
|| die "kratos.secrets_cookie / secrets_cipher must be set (generate once: openssl rand -hex 16)"
[[ ${#KR_CIPHER} -eq 32 ]] \
|| die "kratos.secrets_cipher must be exactly 32 characters (openssl rand -hex 16)"
kubectl create secret generic kratos-secrets \
--namespace="${NAMESPACE}" \
--from-literal="dsn=${KRATOS_DSN}" \
--from-literal="secrets_cookie=${KR_COOKIE}" \
--from-literal="secrets_cipher=${KR_CIPHER}" \
--from-literal="smtp_connection_uri=${KR_SMTP}" \
--from-literal="google_client_secret=${KR_GOOGLE}" \
--from-literal="apple_private_key=${KR_APPLE}" \
--dry-run=client -o yaml | kubectl apply -f -
else
warn "config.yaml has no kratos.dsn — skipping kratos-secrets (Kratos not yet configured)."
fi
# --- Done ---
log ""
deploy-k3s/scripts/03-deploy.sh
+24
View File
@@ -264,6 +264,27 @@ if [[ -d "${MANIFESTS}/observability" ]]; then
fi
fi
# --- Ory Kratos (identity service) ---
# Applied only when kratos-secrets exists — i.e. the operator has completed the
# Kratos prerequisites in deploy-k3s/manifests/kratos/README.md. Otherwise
# skipped, so the existing stack deploys unaffected.
if kubectl -n "${NAMESPACE}" get secret kratos-secrets >/dev/null 2>&1; then
log "Deploying Ory Kratos..."
kubectl apply -f "${MANIFESTS}/kratos/configmap.yaml"
# The migrate Job is immutable — delete any prior run, then apply + wait.
kubectl delete job kratos-migrate -n "${NAMESPACE}" --ignore-not-found --wait=true >/dev/null
kubectl apply -f "${MANIFESTS}/kratos/migrate-job.yaml"
if ! kubectl wait --namespace="${NAMESPACE}" --for=condition=complete --timeout=5m job/kratos-migrate; then
warn "Kratos migration Job failed — logs:"
kubectl logs -n "${NAMESPACE}" job/kratos-migrate --tail=100 || true
die "aborting: Kratos schema migration failed"
fi
kubectl apply -f "${MANIFESTS}/kratos/kratos.yaml"
kubectl apply -f "${MANIFESTS}/kratos/ingress.yaml"
else
log "kratos-secrets not present — skipping Kratos deploy (see manifests/kratos/README.md)."
fi
# --- Wait for rollouts ---
log "Waiting for rollouts..."
@@ -281,6 +302,9 @@ fi
if kubectl -n "${NAMESPACE}" get daemonset alloy-logs >/dev/null 2>&1; then
kubectl rollout status daemonset/alloy-logs -n "${NAMESPACE}" --timeout=120s
fi
if kubectl -n "${NAMESPACE}" get deployment kratos >/dev/null 2>&1; then
kubectl rollout status deployment/kratos -n "${NAMESPACE}" --timeout=180s
fi
# --- Done ---