admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
81e454d86d08f3cf8f09a6f0c721363ffca6bbde
honeyDueAPI/deploy-k3s/manifests/kratos
T
History
Trey t 81e454d86d
Backend CI / Test (push) Has been cancelled
Details
Backend CI / Contract Tests (push) Has been cancelled
Details
Backend CI / Lint (push) Has been cancelled
Details
Backend CI / Secret Scanning (push) Has been cancelled
Details
Backend CI / Build (push) Has been cancelled
Details
Add admin-create registration + live email-verified flag 
Registration now goes through POST /api/auth/register, which admin-creates the
Kratos identity (unverified email, NO auto-sent code). Kratos self-service
registration never returns the verification flow id, so the client could never
submit the user's code to the right flow; admin creation lets the client own a
single verification flow instead. Also surface the live Kratos verified flag
and fix Apple audience + team IDs.

- kratos.Client.CreateIdentity via admin API; ErrIdentityExists / ErrInvalidCredentials
- AuthService.Register + AuthHandler.Register + public POST /api/auth/register/
- CurrentUser overrides stale user_profile.verified with the live Kratos flag;
  UserRepository.MarkVerified mirrors it back
- configmap: additional_id_token_audiences allows the .dev bundle id_token
- fix Apple/APNs team id V3PF3M6B6U -> X86BR9WTLD in .env.example + dev init

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 17:46:30 -05:00
..
configmap.yaml
Add admin-create registration + live email-verified flag
2026-06-03 17:46:30 -05:00
ingress.yaml
fix(kratos): drop cloudflare-only middleware on auth ingress
2026-06-03 11:14:35 -05:00
kratos.yaml
feat(kratos): deploy Ory Kratos to production (Apple-only OIDC)
2026-06-03 11:08:09 -05:00
migrate-job.yaml
feat(kratos): deploy Ory Kratos to production (Apple-only OIDC)
2026-06-03 11:08:09 -05:00
README.md
feat(auth): scaffold Ory Kratos identity service — phase 1 (infrastructure)
2026-05-18 16:24:38 -05:00

README.md

Ory Kratos — honeyDue identity service (Phase 1: infrastructure)

This directory deploys Ory Kratos into the honeydue namespace as the identity provider — replacing the hand-rolled auth in internal/services/auth_service.go etc.

Phase 1 is infrastructure only. Once deployed, Kratos runs but nothing uses it yet — the honeyDue Go API still does its own auth. Phase 2 (backend swap) and Phase 3 (KMP/web clients) follow. Migrating onto Kratos can lose all existing user data — honeyDue is pre-production, so no user import is done.

The deploy is gated: 03-deploy.sh applies Kratos only when the kratos-secrets Secret exists, and 02-setup-secrets.sh creates that Secret only when config.yaml has a kratos: block. Until then the existing stack deploys completely unaffected.

Files

File What
configmap.yaml kratos.yml, identity schema, Google/Apple OIDC claim mappers (no secrets)
migrate-job.yaml kratos migrate sql — schema migration, run before the Deployment
kratos.yaml Deployment (×2), Service, NetworkPolicies
ingress.yaml auth.myhoneydue.com → Kratos public API :4433

Operator prerequisites (must be done before deploying)

  1. Kratos version — Ory uses CalVer (v25.x / v26.x). Pick the current stable, then replace REPLACE_WITH_CURRENT_STABLE_TAG in kratos.yaml and migrate-job.yaml with oryd/kratos:vXX.Y@sha256:<digest>, and set the matching version: in configmap.yaml.

  2. Kratos database — create a separate Neon database named kratos (do not share honeyDue's). Capture its connection string as the DSN.

  3. DNS — add auth.myhoneydue.com in Cloudflare (proxied), pointing at the cluster ingress like the other honeyDue hosts. Confirm the cloudflare-origin-cert TLS secret covers auth.myhoneydue.com.

  4. Google OAuth client — Google Cloud Console → create an OAuth 2.0 client. Redirect URI: https://auth.myhoneydue.com/self-service/methods/oidc/callback/google. Put the client ID into configmap.yaml (GOOGLE_OAUTH_CLIENT_ID); the client secret goes in config.yaml.

  5. Apple Sign In — Apple Developer → a Services ID + a Sign in with Apple key. Return URL: https://auth.myhoneydue.com/self-service/methods/oidc/callback/apple. Put the Services ID / Team ID / Key ID into configmap.yaml (APPLE_SERVICES_ID / APPLE_TEAM_ID / APPLE_PRIVATE_KEY_ID); the .p8 private key goes in config.yaml.

  6. config.yaml — add a kratos: block:

    kratos:
  dsn: "postgres://USER:PASS@HOST/kratos?sslmode=require"
  secrets_cookie: "<openssl rand -hex 16>"   # generate ONCE, keep stable
  secrets_cipher: "<openssl rand -hex 16>"   # must be exactly 32 chars
  smtp_connection_uri: "smtps://USER:PASS@smtp.fastmail.com:465/"
  google_client_secret: "<from Google Cloud Console>"
  apple_private_key: |
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----

    secrets_cookie / secrets_cipher must stay stable forever — rotating them invalidates every session and makes encrypted data unreadable.

Deploy

cd honeyDueAPI-go
export KUBECONFIG="$(pwd)/deploy-k3s/kubeconfig"
./deploy-k3s/scripts/02-setup-secrets.sh   # creates kratos-secrets from config.yaml
./deploy-k3s/scripts/03-deploy.sh          # applies kratos manifests, runs migrate, rolls

03-deploy.sh applies configmap.yaml → runs migrate-job.yaml → waits → applies kratos.yaml + ingress.yaml.

Verify

  • kubectl -n honeydue get pods -l app.kubernetes.io/name=kratos — 2/2 Running
  • kubectl -n honeydue logs job/kratos-migrate — migration succeeded
  • curl https://auth.myhoneydue.com/health/ready{"status":"ok"}
  • curl https://auth.myhoneydue.com/self-service/registration/api — returns a flow

Not yet done (later phases)

  • Phase 2 — honeyDue Go backend: swap middleware/auth.go for Kratos session validation, drop the hand-rolled auth code, rebuild the users table keyed on the Kratos identity ID.
  • Phase 3 — KMP mobile + Next.js web clients point at Kratos flows.
  • Admin-panel auth stays on its own JWT (out of scope).
Reference in New Issue View Git Blame Copy Permalink