Ory Kratos Helm Chart
The Ory Kratos Helm Chart helps you deploy Ory Kratos on Kubernetes using Helm.
Installation
Add the helm repository
$ helm repo add ory https://k8s.ory.sh/helm/charts
$ helm repo update
To install Ory Kratos, the following values must be set (documentation):
kratos.config.secrets.defaultkratos.config.dsnkratos.config.selfservice.default_browser_return_urlkratos.config.courier.smtp.connection_urikratos.config.identity.schemas
You can create a values.yaml file to set the required values, like so:
kratos:
config:
dsn: postgres://foo:bar@pg-sqlproxy-gcloud-sqlproxy:5432/db
secrets:
default:
- dolore occaecat nostrud Ut
- sit et commodoaute ut voluptate consectetur Duis
identity:
default_schema_id: default
schemas:
- id: default
url: file:///etc/config/identity.default.schema.json
courier:
smtp:
connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
selfservice:
default_browser_return_url: http://127.0.0.1:4455/
automigration:
enabled: true
identitySchemas:
"identity.default.schema.json": |
{
"$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Person",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
}
},
"recovery": {
"via": "email"
},
"verification": {
"via": "email"
}
}
}
},
"required": [
"email"
],
"additionalProperties": false
}
}
}
Install Ory Kratos by running this command:
$ helm install \
...
-f values.yaml \
ory/kratos
Ory Kratos Configuration
You can pass your
Ory Kratos configuration file
by creating a yaml file with key kratos.config
# kratos-config.yaml
kratos:
config:
# e.g.:
log:
level: trace
# ...
and passing that as a value override to helm:
$ helm install -f ./path/to/kratos-config.yaml ory/kratos
Helm Chart Configuration
For the full list of chart values, please refer to the Ory Kratos Helm Chart README, or the values.yaml directly
Additionally, the following extra settings are available:
kratos.automigration(bool): If enabled, aninitContainerrunningkratos migrate sqlwill be created.kratos.development(bool): If enabled, kratos will run with--devargument.secret.enabled(bool): Iftrue(default), a Kubernetes Secret is created (containsdsn,secretsCookieandsecretsDefault). Also generatessecretsCookieandsecretsDefaultunless already set.secret.nameOverride(string): Lets you override the name of the secret to be usedingress.admin.enabled(bool): If enabled, an ingress is created on admin endpointingress.public.enabled(bool): If enabled, an ingress is created on public endpoint Check values.yaml for more configuration options.
Custom Secrets
secret:
# -- switch to false to prevent creating the secret
enabled: false
# -- Provide custom name of existing secret, or custom name of secret to be created
nameOverride: "my-custom-secret"
Remember: In this case, you are responsible for supplying the required values, which need to be in the same format that the created secret uses. For more details please take a look here.
Identity Schemas
There are three options to provide identity schemas:
Note: You are free to name <schema-id> and <schema-name> whatever you want.
- Write json to
kratos.identitySchemas:
kratos:
identitySchemas:
<schema-name>.schema.json: |-
{
"$id": "..."
}
config:
identity:
schemas:
- id: <schema-id>
# match the name of the identitySchema
url: file:///etc/config/<schema-name>.schema.json
- Encode json schema in base64
kratos:
config:
identity:
schemas:
- id: <schema-id>
url: base64://<base64-encoded-json>
- Pass file using
--set-fileHelm CLI argument:
# values.yaml
kratos:
identitySchemas:
<schema-name>.schema.json: |-
config:
identity:
schemas:
- id: <schema-id>
# match the name of the identitySchema
url: file:///etc/config/<schema-name>.schema.json
Install Kratos using the following command:
helm install kratos ory/kratos \
-f values.yaml \
--set-file <your_key>=/path/to/<your-file>.json
Upgrade
From 0.18.0
Since this version we support only kubernetes >= v1.18 for the ingress definition.
If you enabled ingresses you need to migrate values from:
ingress:
public:
hosts:
- host: kratos.public.local.com
paths: ["/"]
admin:
hosts:
- host: kratos.admin.local.com
paths: ["/"]
to
ingress:
public:
className: ""
hosts:
- host: kratos.public.local.com
paths:
- path: /
pathType: ImplementationSpecific
admin:
className: ""
hosts:
- host: kratos.admin.local.com
paths:
- path: /
pathType: ImplementationSpecific
where changes are on:
- introduce the
classNameto specify the ingress class documentation that need to be used - change
pathsdefinition from an array of strings to an array of objects, where each object include thepathand thepathType(see path matching documentation)
Referencing other values in values file
Some values in values.yaml may contain references to other values ``. It is useful when you deploy multiple charts to multiple environments and you want to avoid creating multiple environment value files in each chart. Instead of it you may create for each chart only one value file that references values in environment specific files (that is used for all your charts) and install each chart by specifying two value files: chart value file + environment value file.
helm install kratos ory/kratos -f values-wrapper.yaml -f ../my-env-values.yaml
You can see example of referencing values here