Skip to content
Snippets Groups Projects
Select Git revision
  • main default
  • 139-remove-part-of-the-helm-chart-that-is-moved-to-the-dashboard-helmchart
  • 122-admin-logins-should-gain-admin-privileges
  • 116-allow-password-change-without-ssl-public-endpoint-in-startup-job
  • 114-create-development-scripts-for-reverse-proxy-solution
  • 110-enable-hydra-maester
  • 82-pylint-job-broken-2
  • 93-0.2.11
  • master protected
  • update-hydra
  • spike-use-kratos-as-identity-manager
  • merge_master_into_0.2
  • 56-fix-link-in-the-readme
  • 0.2
  • 40-replace-flask-oauth-with-oauthlib-in-test-login_logout
  • 45-update-user-panel-to-fix-jobs
  • 41-make-oauth2-client-data-persistent
  • force-https
  • 42-ldap-support
  • 33-wordpress-sso-admin-login-doesn-t-work
  • 0.8.0
  • 0.7.7
  • 0.7.6
  • 0.7.4
  • 0.7.1
  • 0.5.2
  • 0.5.0
  • 0.4.3
  • 0.4.2
  • 0.4.1
  • 0.4.0
  • 0.2.11
  • 0.2.10
  • 0.2.9
  • 0.2.8
  • 0.2.7
  • 0.2.6
  • 0.2.5
  • 0.2.4
  • 0.2.3
40 results
Blame History Permalink
local_dev_remote_kratos.md 11.68 KiB

Local dev with Kratos

The main role for this repo is provide Single-Sign-On. The architecture to make this happen has a lot of moving components. A quick overview:

  • Hydra: Hydra is an Identity Provider, or IdP for short. It means connected applications connect to Hydra to start a session with a user. Hydra provides the application with the username and other roles/claims for the application. This is done using the OIDC protocol. Hydra is developed by Ory and has security as one of their top priorities. Also it is fully OpenSource.

  • Login application: If hydra hits a new session/user, it has to know if this user has access. To do so, the user has to login. Hydra does not support this, so it will redirect to a login application. This is developed by the Stackspin team (Greenhost) and part of this repository. It is a Python Flask application. Because the security decisions made by kratos (see below), a lot of the interaction is done in the web-browser, rather then server-side. This means the login application has an UI component which relies heavily on JavaScript. As this is a relatively small application, it is based on traditional Bootstrap + Jquery. This elements the requirement for yet an other build environment.

  • Kratos: This is Identity Manager and contains all the user profiles and secrets (passwords). Kratos is designed to work mostly between web-browser and kratos directly, however, it only provides an API and not UI itself. Kratos provides a Admin API, which is only used from the server-side flask app to create/delete users.

  • Postgres: All three components need to store data. This is done in a postgres database server. There is once instance, with three databases. As all databases are very small this will not lead to resource limitation problems.

Installation

The current login panel is not yet installed available in released versions of Stackspin. However, this does not prevent us from developing already on the login panel. Experience with helm and kubernetes is expected when you follow this manual.

On your provisioning machine, make sure to checkout:

git@open.greenhost.net:stackspin/single-sign-on.git

Be sure to check out the latest main branch. Or select a more modern branch if you want to test / install (optional) improvements of login panel.

Once this is all fetched, installation can be done with the following steps:

  1. Suspend the automatic updating: As we are gonna use a non-release version, the flux application management system will rollback changes to follow the released versions. However, during development we want to prevent this. We can suspend the service with:
flux suspend source chart stackspin-single-sign-on
  1. Make a backup of the current keys and configuration values. We needs those when we install the new version of the single-sign-on helmchart:
helm get values single-sign-on -n stackspin > /to/a/path/my_cluster_values.yaml

Keep this file on a safe place. It contains important passwords and also we need to add extra settings to this file once we switch to local development for the login panel.

  1. Install all helm dependencies

Before we install the dependencies, you can remove the charts folder, just to be sure there are no other conflicting helm charts in that folder which can lead to unexpected results

rm -rf charts
helm dep update
  1. Configure variables

Currently there are default passwords configured for postgresql in values.yaml.

It is not advices to change values.yaml directly, but use your my-cluster-values.yaml to make overrides of the defaults.

You can change the default passwords before installation. Please make sure it in sync with the dsn settings for Hydra and Kratos. Note that the databases are only created once, and passwords are set at creation time. If you want to change the passwords later, you have to do this manually in the Postgres database and use your variables file to modify the settings for kratos/hydra.

The database passwords are set here:

postgresql:
  initdbScripts:
    setup.sql: |
      CREATE USER hydra WITH PASSWORD 'hydra';
      CREATE USER kratos WITH PASSWORD 'kratos';
      CREATE USER stackspin WITH PASSWORD 'stackspin';
      CREATE DATABASE kratos WITH OWNER kratos;
      CREATE DATABASE hydra WITH OWNER hydra;
      CREATE DATABASE stackspin WITH OWNER stackspin;

Please make sure it is in sync with the password for kratos and hydra in you my-cluster-values.yaml file

kratos:
  kratos:
    config:
      dsn: postgres://kratos:ChangeThisPassword@single-sign-on-postgresql:5432/kratos

hydra:
  hydra:
    config:
      dsn: postgres://hydra:hydra@single-sign-on-postgresql:5432/hydra

For local development, we have to configure the endpoint of the application to be pointing to our development system. In this example, we use localhost on http.

Because of CORS and strict configuration, all needs to end up on the same system. With modern browser, it even have to run on the same port (at least with firefox). As we want to mimic the real life setup as much as possible as well, we will do this by running a local proxy. In production this will be handled by kubernetes ingress configuration.

First we will tell kratos and hydra where to find the right endpoints. An overview of all relevant end-points:

The endpoints used by the browser are:

  • localhost/api -> kratos public API
  • localhost/login -> login flask app

The endpoint used by the login app/API are:

  • localhost:8000 -> kratos Admin API
  • localhost/api -> kratos Public API
  • localhost:4445 -> hydra Admin API
  • localhost:5432 -> PostgreSQL

To reflect those public endpoints in your cluster, we have to override the default URLs from values.yaml in our my-cluster-values.yaml file. Also we set the SMTP settings as well, as for a proper development experience it is required to be able to send out e-mails.

Configuration of the login app API endpoints is discussed in the next chapter.


kratos:
  kratos:
    config:
      courier:
        smtp:
         # Kratos enforces the use of STARTTLS. Be sure your SMTP provider
         # supports that (if not, it is time to swtich providers)
         connection_uri: smtp://stackspin@example.com:MyPassword@smtp.greenhost.nl:25/
         from_address: no-reply@example.com

      # For development, we forward all to our local server (or your dev server
      # if that is remote)
      serve:
        public:
          base_url: http://localhost/api/

      selfservice:
        default_browser_return_url: http://localhost/login/login

        flows:
          recovery:
            ui_url: http://localhost/login/recovery

          login:
            ui_url: http://localhost/login/login

          settings:
            ui_url: http://localhost/login/settings

          registration:
            ui_url: http://localhost/login/registration


hydra:
  hydra:
    config:
      urls:
        # For development we redirect to localhost (or your dev server)
        login: http://localhost/login/auth
        consent: http://localhost/login/consent
        logout: http://localhost/login/logout
  1. Install the single-sign-on helmchart

So all is configured for local development, and we are good to go to configure our modified setup on our cluster:

cd helmchart/single-sign-on
helm upgrade -f /to/a/path/my_cluster_values.yaml single-sign-on . -n stackspin --debug

Development

  1. Setup port redirects

To be able to work on the Login panel, we have to configure our development system to access all the remote services and endpoints.

A helper script is available in this directory to setup and redirect the relevant ports locally. It will open ports 8000, 8080, 4445, 5432 to get access to all APIs:

./set-ssh-tunnel.sh `stackspin.example.com`

(the tunnel goes to the kubernetes node, so not to your provisioning machine.

  1. Configure a local proxy

Because of strict CORS headers, we have to map the public kratos API and login app which we will run locally, with a local proxy.

This can be done with any proxy server, for example with NGINX. Be sure you have NGINX installed and listing on port 80 locally (sudo apt-get install nginx) should be enough.

Now configure NGINX with this configuration in /etc/nginx/sites-enabled/default


server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # Flask app
    location /login/ {
        proxy_pass http://127.0.0.1:5000/;
        proxy_redirect     default;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    }

    # Kratos Public
    location /api/  {
        proxy_pass http://127.0.0.1:8080/;
        proxy_redirect     default;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

Reload your NGINX:

sudo systemctl reload nginx.service
  1. Run FLASK app

Now it is time to start our flask app. Of course you can use a virtualenv, but it is not needed if your system has a modern package manager and as the app is designed to be compatible with those systems defaults, we can use OS based flask and python. Other requirements are still installed with PIP

Lets install the requirements:

cd projectroot/login
sudo apt-get install python3-flask python3-pip
pip3 install -r requirements.txt

Then verify if you are happy with the settings in the source_env file:

cat source_env

export FLASK_RUN_HOST=0.0.0.0
export FLASK_RUN_PORT=5000
export HYDRA_ADMIN_URL=http://localhost:4445
export KRATOS_PUBLIC_URL=http://localhost/api
export KRATOS_ADMIN_URL=http://localhost:8000
export PUBLIC_URL=http://localhost/login

export DATABASE_URL="postgresql://stackspin:stackspin@localhost/stackspin"
export APP_SETTINGS="config.DevelopmentConfig"

Normally you only need to change the database password if you did not use the default.

Assuming you did not populate the database yet, once can populate this:

. source_env
flask db upgrade

If that all looks fine, it is time to add you first user:

flask user add myemail@example.com

And now it is time to start the app:

./run.sh

If this starts smoothly, you should be ready to go.

Test you setup

Hydra and kratos are now configured to redirect to localhost when they receive a request. So to test the setup, you simple can go to one of your application (for example nextcloud), what we expect when you click the login button is the following:

At this point, we started the flow with trying to reach nextcloud. Because we did a password recovery in between, this information is lost. If you go again to nextcloud manually, you should now be logged in automatically.

If you retry this, but now with a password (for example in a privacy window or by removing you cookies), you should be redirect automatically after login.