From 455f496de1b0769fa0b2232851d7fa3169fe1675 Mon Sep 17 00:00:00 2001 From: David Cheung Date: Wed, 8 Sep 2021 17:55:24 -0400 Subject: [PATCH 1/2] improvement: support user-auth local dev kratos kratos redirect URLs are driven by config and are static, this will allow spinning up another instance of user_auth(kratos) without oathkeeper, and allow the cookies to be sent cross-site 127.0.0.1:3000 -> backend on the cloud (for dev-env) allow modifying scheme allowing dev-instance of kratos with localhost --- modules/user_auth/README.md | 2 ++ .../oathkeeper_kratos_proxy_rules.yaml.tpl | 8 ++--- modules/user_auth/main.tf | 31 +++++++++++-------- modules/user_auth/variables.tf | 12 +++++++ 4 files changed, 36 insertions(+), 17 deletions(-) diff --git a/modules/user_auth/README.md b/modules/user_auth/README.md index 02bbcc0..4801c0a 100644 --- a/modules/user_auth/README.md +++ b/modules/user_auth/README.md 
@@ -35,6 +35,8 @@ No requirements.
 | backend\_service\_domain | Domain of the backend service | `string` | n/a | yes |
 | cookie\_signing\_secret\_key | Default secret key for signing cookies | `string` | n/a | yes |
 | create\_namespace | Whether to create the auth namespace(defaults to true), otherwise just references the namespace | `bool` | `true` | no |
+| disable\_frontend\_https | Whether frontend URLs should be https, unless your developing locally you should leave the default as is. | `bool` | `false` | no |
+| disable\_oathkeeper | To not provision Oathkeeper, this is useful when you want multiple Kratos setup, while only 1 Oathkeeper proxy to route to them, for example sharing Oathkeeper between a Dev and Staging Kratos | `bool` | `false` | no |
 | external\_secret\_backend | The backend external-secrets will pull secret data from to create a corresponding secret in kubernetes. If empty, external-secrets will not be used. You'll need to make sure the secret is created manually. | `string` | `"secretsManager"` | no |
 | external\_secret\_name | Name of a secret in an external secrets backend that contains the content to pull into a kubernetes secret for Kratos to use | `string` | n/a | yes |
 | frontend\_service\_domain | Domain of the frontend | `string` | n/a | yes |
diff --git a/modules/user_auth/files/oathkeeper_kratos_proxy_rules.yaml.tpl b/modules/user_auth/files/oathkeeper_kratos_proxy_rules.yaml.tpl
index 6f8dfdc..926c478 100644
--- a/modules/user_auth/files/oathkeeper_kratos_proxy_rules.yaml.tpl
+++ b/modules/user_auth/files/oathkeeper_kratos_proxy_rules.yaml.tpl
@@ -6,10 +6,10 @@ apiVersion: oathkeeper.ory.sh/v1alpha1
 kind: Rule
 metadata:
 name: kratos-${name}-public
- namespace: user-auth
+ namespace: ${auth_namespace}
 spec:
 upstream:
- url: http://kratos-${name}-public.user-auth
+ url: http://kratos-${name}-public.${auth_namespace}
 stripPath: ${public_selfserve_endpoint}
 preserveHost: true
 match:
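Review bot: `${auth_namespace}` is spliced into both `metadata.namespace` and the upstream `url` without any validation, so a value that is not a valid DNS-1123 label (uppercase, dots, a trailing dash) yields a Rule the API server rejects or an upstream hostname that resolves somewhere other than the intended Kratos service; the same applies to the second hunk of this file at @@ -36. The template only receives `var.auth_namespace` from main.tf, so the cheapest guard is a `validation` block on that variable in variables.tf, e.g. `condition = can(regex("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", var.auth_namespace))` with an `error_message` naming the requirement (validation blocks need Terraform 0.13+, which the `count` on a module elsewhere in this patch already requires). Both Rules are cut at `match:`, so the matcher itself is outside the hunk.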
@@ -36,10 +36,10 @@ apiVersion: oathkeeper.ory.sh/v1alpha1
 kind: Rule
 metadata:
 name: kratos-${name}-form-data
- namespace: user-auth
+ namespace: ${auth_namespace}
 spec:
 upstream:
- url: http://kratos-${name}-admin.user-auth
+ url: http://kratos-${name}-admin.${auth_namespace}
 stripPath: ${admin_selfserve_endpoint}
 preserveHost: true
 match:
diff --git a/modules/user_auth/main.tf b/modules/user_auth/main.tf
index 53b0217..22ac2b4 100644
--- a/modules/user_auth/main.tf
+++ b/modules/user_auth/main.tf
@@ -14,7 +14,8 @@ locals {
 }
 }
- default_flow_return_url = "https://${var.frontend_service_domain}${var.kratos_default_redirect_ui_path}"
+ frontend_scheme = var.disable_frontend_https ? "http" : "https"
+ default_flow_return_url = "${local.frontend_scheme}://${var.frontend_service_domain}${var.kratos_default_redirect_ui_path}"
 kratos_values_override = {
 secret = {
 nameOverride = var.kratos_secret_name
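Review bot: `frontend_scheme` downgrades every Kratos UI/return URL, the login redirect and the ingress CORS allow-origin (the @@ -32, @@ -95 and @@ -131 hunks that follow) to plain `http://` whenever `var.disable_frontend_https` is true, but nothing ties that choice to a loopback host, so a mis-set variable on a shared environment silently produces plaintext redirects and a plaintext CORS origin for the session-bearing backend. Consider refusing the combination rather than trusting the flag alone, e.g. a `precondition` on the Kratos release (Terraform 1.2+) such as `condition = !var.disable_frontend_https || can(regex("^(localhost|127\\.0\\.0\\.1)(:[0-9]+)?$", var.frontend_service_domain))`, or at minimum stating that constraint in the variable description. The commit message also expects cookies to flow cross-site from `127.0.0.1:3000` to the cloud backend, yet this hunk does not touch the Kratos cookie `same_site`/secure settings; if they are not overridden elsewhere in this file, the session and CSRF cookies will need `SameSite=None`, which browsers only honour together with the Secure attribute, i.e. an https backend. The `locals` block starts before this hunk and continues past it.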
@@ -32,38 +33,38 @@ locals {
 selfservice = {
 whitelisted_return_urls = var.whitelisted_return_urls
- default_browser_return_url = "https://${var.frontend_service_domain}/"
+ default_browser_return_url = "${local.frontend_scheme}://${var.frontend_service_domain}/"
 flows = {
 settings = {
- ui_url = "https://${var.frontend_service_domain}/auth/settings"
+ ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/settings"
 after = {
 default_browser_return_url = local.default_flow_return_url
 }
 }
 verification = {
- ui_url = "https://${var.frontend_service_domain}/auth/verify"
+ ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/verify"
 after = {
 default_browser_return_url = local.default_flow_return_url
 }
 }
 recovery = {
- ui_url = "https://${var.frontend_service_domain}/auth/recovery"
+ ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/recovery"
 after = {
 default_browser_return_url = local.default_flow_return_url
 }
 }
 login = {
- ui_url = "https://${var.frontend_service_domain}/auth/login"
+ ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/login"
 after = {
 default_browser_return_url = local.default_flow_return_url
 }
 }
 registration = {
- ui_url = "https://${var.frontend_service_domain}/auth/registration"
+ ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/registration"
 after = {
 default_browser_return_url = local.default_flow_return_url
 password = {
@@ -76,7 +77,7 @@ locals {
 }
 error = {
- ui_url = "https://${var.frontend_service_domain}/auth/errors"
+ ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/errors"
 }
 }
@@ -95,17 +96,17 @@ locals {
 # https://github.com/ory/k8s/blob/master/helm/charts/oathkeeper/templates/ingress-proxy.yaml
 proxy = {
 hosts = [{
- host = var.backend_service_domain
+ host = var.backend_service_domain
 paths = ["/"]
 }]
 tls = [{
- hosts = [var.backend_service_domain]
+ hosts = [var.backend_service_domain]
 secretName = "oathkeeper-proxy-tls-secret"
 }]
 annotations = {
- "nginx.ingress.kubernetes.io/cors-allow-origin" : "https://${var.frontend_service_domain}"
+ "nginx.ingress.kubernetes.io/cors-allow-origin" : "${local.frontend_scheme}://${var.frontend_service_domain}"
 }
 }
 }
@@ -131,7 +132,7 @@ locals {
 handlers = {
 redirect = {
 config = {
- to = "https://${var.frontend_service_domain}/auth/login"
+ to = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/login"
 }
 }
 }
@@ -205,6 +206,7 @@ data "template_file" "oathkeeper_kratos_proxy_rules" {
 backend_service_domain = var.backend_service_domain
 public_selfserve_endpoint = "/.ory/kratos/public"
 admin_selfserve_endpoint = "/.ory/kratos"
+ auth_namespace = var.auth_namespace
 }
 }
@@ -220,6 +222,8 @@ resource "null_resource" "oathkeeper_kratos_proxy_rules" {
 }
 module "oathkeeper_config" {
+ count = var.disable_oathkeeper ? 0 : 1
+
 source = "cloudposse/config/yaml"
 version = "0.7.0"
@@ -229,6 +233,7 @@ module "oathkeeper_config" {
 }
 resource "helm_release" "oathkeeper" {
+ count = var.disable_oathkeeper ? 0 : 1
 name = "oathkeeper-${var.name}"
 repository = "https://k8s.ory.sh/helm/charts"
@@ -238,7 +243,7 @@ resource "helm_release" "oathkeeper" {
 depends_on = [kubernetes_namespace.user_auth]
 values = [
- jsonencode(module.oathkeeper_config.map_configs)
+ jsonencode(module.oathkeeper_config[0].map_configs)
 ]
 # Clean up and set the JWKS content. This will become a secret mounted into the pod
diff --git a/modules/user_auth/variables.tf b/modules/user_auth/variables.tf
index d5561a9..c179466 100644
--- a/modules/user_auth/variables.tf
+++ b/modules/user_auth/variables.tf
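Review bot: Adding `count` to `module "oathkeeper_config"` and `resource "helm_release" "oathkeeper"` (the @@ -220 and @@ -229 hunks) changes their state addresses to the `[0]` form, so an existing deployment will plan a destroy-and-recreate of the Oathkeeper release on the next apply, an outage of the auth proxy, unless the addresses are migrated first. Add `moved { from = helm_release.oathkeeper  to = helm_release.oathkeeper[0] }` and the equivalent `moved` block for `module.oathkeeper_config` (Terraform 1.1+), or document a `terraform state mv` step in the README. `data "template_file" "oathkeeper_kratos_proxy_rules"` and the `null_resource` that applies the Rules via kubectl are not gated by `disable_oathkeeper`, so the Rule objects are still created when Oathkeeper is skipped; if that is intentional for the shared-Oathkeeper case the variable description should say so, and any reference to `helm_release.oathkeeper` outside these hunks (a `depends_on`, for instance) will now need the `[0]` index as well.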
@@ -93,3 +93,15 @@ variable "kratos_default_redirect_ui_path" {
 type = string
 default = "/dashboard"
 }
+
+variable "disable_oathkeeper" {
+ description = "To not provision Oathkeeper, this is useful when you want multiple Kratos setup, while only 1 Oathkeeper proxy to route to them, for example sharing Oathkeeper between a Dev and Staging Kratos"
+ type = bool
+ default = false
+}
+
+variable "disable_frontend_https" {
+ description = "Whether frontend URLs should be https, unless your developing locally you should leave the default as is."
+ type = bool
+ default = false
+}
From 80ab88ec5c1e673d2c28ca8393d9258d9a509f93 Mon Sep 17 00:00:00 2001
From: David Cheung
Date: Thu, 9 Sep 2021 16:40:42 -0400
Subject: [PATCH 2/2] fixup! improvement: support user-auth local dev kratos
---
 modules/user_auth/README.md | 2 +-
 modules/user_auth/main.tf | 2 +-
 modules/user_auth/variables.tf | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/user_auth/README.md b/modules/user_auth/README.md
index 4801c0a..a23cff2 100644
--- a/modules/user_auth/README.md
+++ b/modules/user_auth/README.md
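Review bot: The description of `disable_frontend_https` only says to leave it alone outside local development and never states what the flag does, which is the one thing an operator needs before flipping it: every Kratos UI/return URL, the login redirect and the ingress CORS origin become plain `http://`. Suggest `description = "Serve frontend URLs (Kratos UI/return URLs, login redirect, CORS allow-origin) over http instead of https. Only for local development against a loopback frontend; never enable on a shared environment."`, and fix the typo `your developing` → `you're developing`, which PATCH 2/2 carries over unchanged into `frontend_use_https`. The `disable_oathkeeper` description would likewise benefit from saying that this module still applies its Oathkeeper Rules (the `null_resource` in main.tf is not gated), so the shared Oathkeeper must watch this namespace for the setup it describes to work.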
@@ -35,11 +35,11 @@ No requirements.
 | backend\_service\_domain | Domain of the backend service | `string` | n/a | yes |
 | cookie\_signing\_secret\_key | Default secret key for signing cookies | `string` | n/a | yes |
 | create\_namespace | Whether to create the auth namespace(defaults to true), otherwise just references the namespace | `bool` | `true` | no |
-| disable\_frontend\_https | Whether frontend URLs should be https, unless your developing locally you should leave the default as is. | `bool` | `false` | no |
 | disable\_oathkeeper | To not provision Oathkeeper, this is useful when you want multiple Kratos setup, while only 1 Oathkeeper proxy to route to them, for example sharing Oathkeeper between a Dev and Staging Kratos | `bool` | `false` | no |
 | external\_secret\_backend | The backend external-secrets will pull secret data from to create a corresponding secret in kubernetes. If empty, external-secrets will not be used. You'll need to make sure the secret is created manually. | `string` | `"secretsManager"` | no |
 | external\_secret\_name | Name of a secret in an external secrets backend that contains the content to pull into a kubernetes secret for Kratos to use | `string` | n/a | yes |
 | frontend\_service\_domain | Domain of the frontend | `string` | n/a | yes |
+| frontend\_use\_https | Whether frontend URLs should be https, unless your developing locally you should leave the default as is. | `bool` | `true` | no |
 | jwks\_content | The content of a JWKS file for Oathkeeper | `string` | n/a | yes |
 | k8s\_local\_exec\_context | Custom resource (Oathkeeper Rules are created using local-exec with kubectl), if not specified it will target your current context from kubeconfig | `string` | `""` | no |
 | kratos\_default\_redirect\_ui\_path | Setting the default path after self-service flows(login/signup/verify/settings), kratos will redirect you to frontend | `string` | `"/dashboard"` | no |
diff --git a/modules/user_auth/main.tf b/modules/user_auth/main.tf
index 22ac2b4..d7c68d4 100644
--- a/modules/user_auth/main.tf
+++ b/modules/user_auth/main.tf
@@ -14,7 +14,7 @@ locals {
 }
 }
- frontend_scheme = var.disable_frontend_https ? "http" : "https"
+ frontend_scheme = var.frontend_use_https ? "https" : "http"
 default_flow_return_url = "${local.frontend_scheme}://${var.frontend_service_domain}${var.kratos_default_redirect_ui_path}"
 kratos_values_override = {
 secret = {
diff --git a/modules/user_auth/variables.tf b/modules/user_auth/variables.tf
index c179466..6175495 100644
--- a/modules/user_auth/variables.tf
+++ b/modules/user_auth/variables.tf
@@ -100,8 +100,8 @@ variable "disable_oathkeeper" {
 default = false
 }
-variable "disable_frontend_https" {
+variable "frontend_use_https" {
 description = "Whether frontend URLs should be https, unless your developing locally you should leave the default as is."
 type = bool
- default = false
+ default = true
 }