# Ory Kratos — honeyDue identity service (Phase 1: infrastructure) This directory deploys [Ory Kratos](https://www.ory.sh/kratos/) into the `honeydue` namespace as the identity provider — replacing the hand-rolled auth in `internal/services/auth_service.go` etc. **Phase 1 is infrastructure only.** Once deployed, Kratos runs but nothing uses it yet — the honeyDue Go API still does its own auth. Phase 2 (backend swap) and Phase 3 (KMP/web clients) follow. Migrating onto Kratos can lose all existing user data — honeyDue is pre-production, so no user import is done. The deploy is **gated**: `03-deploy.sh` applies Kratos only when the `kratos-secrets` Secret exists, and `02-setup-secrets.sh` creates that Secret only when `config.yaml` has a `kratos:` block. Until then the existing stack deploys completely unaffected. ## Files | File | What | |---|---| | `configmap.yaml` | `kratos.yml`, identity schema, Google/Apple OIDC claim mappers (no secrets) | | `migrate-job.yaml` | `kratos migrate sql` — schema migration, run before the Deployment | | `kratos.yaml` | Deployment (×2), Service, NetworkPolicies | | `ingress.yaml` | `auth.myhoneydue.com` → Kratos public API :4433 | ## Operator prerequisites (must be done before deploying) 1. **Kratos version** — Ory uses CalVer (`v25.x` / `v26.x`). Pick the current stable, then replace `REPLACE_WITH_CURRENT_STABLE_TAG` in `kratos.yaml` and `migrate-job.yaml` with `oryd/kratos:vXX.Y@sha256:`, and set the matching `version:` in `configmap.yaml`. 2. **Kratos database** — create a separate Neon database named `kratos` (do not share honeyDue's). Capture its connection string as the DSN. 3. **DNS** — add `auth.myhoneydue.com` in Cloudflare (proxied), pointing at the cluster ingress like the other honeyDue hosts. Confirm the `cloudflare-origin-cert` TLS secret covers `auth.myhoneydue.com`. 4. **Google OAuth client** — Google Cloud Console → create an OAuth 2.0 client. Redirect URI: `https://auth.myhoneydue.com/self-service/methods/oidc/callback/google`. Put the **client ID** into `configmap.yaml` (`GOOGLE_OAUTH_CLIENT_ID`); the **client secret** goes in `config.yaml`. 5. **Apple Sign In** — Apple Developer → a Services ID + a Sign in with Apple key. Return URL: `https://auth.myhoneydue.com/self-service/methods/oidc/callback/apple`. Put the **Services ID / Team ID / Key ID** into `configmap.yaml` (`APPLE_SERVICES_ID` / `APPLE_TEAM_ID` / `APPLE_PRIVATE_KEY_ID`); the **.p8 private key** goes in `config.yaml`. 6. **`config.yaml`** — add a `kratos:` block: ```yaml kratos: dsn: "postgres://USER:PASS@HOST/kratos?sslmode=require" secrets_cookie: "" # generate ONCE, keep stable secrets_cipher: "" # must be exactly 32 chars smtp_connection_uri: "smtps://USER:PASS@smtp.fastmail.com:465/" google_client_secret: "" apple_private_key: | -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- ``` `secrets_cookie` / `secrets_cipher` must stay stable forever — rotating them invalidates every session and makes encrypted data unreadable. ## Deploy ```bash cd honeyDueAPI-go export KUBECONFIG="$(pwd)/deploy-k3s/kubeconfig" ./deploy-k3s/scripts/02-setup-secrets.sh # creates kratos-secrets from config.yaml ./deploy-k3s/scripts/03-deploy.sh # applies kratos manifests, runs migrate, rolls ``` `03-deploy.sh` applies `configmap.yaml` → runs `migrate-job.yaml` → waits → applies `kratos.yaml` + `ingress.yaml`. ## Verify - `kubectl -n honeydue get pods -l app.kubernetes.io/name=kratos` — 2/2 Running - `kubectl -n honeydue logs job/kratos-migrate` — migration succeeded - `curl https://auth.myhoneydue.com/health/ready` — `{"status":"ok"}` - `curl https://auth.myhoneydue.com/self-service/registration/api` — returns a flow ## Not yet done (later phases) - **Phase 2** — honeyDue Go backend: swap `middleware/auth.go` for Kratos session validation, drop the hand-rolled auth code, rebuild the `users` table keyed on the Kratos identity ID. - **Phase 3** — KMP mobile + Next.js web clients point at Kratos flows. - Admin-panel auth stays on its own JWT (out of scope).