General-Consulting/general-mono

General Consulting Dev

This mono repo creates an SSO and ACL system with the Ory stack and Kubernetes. It uses Nix to install kustomize and set up the minikube environment.

Overview

This example uses the kratos-selfservice-ui-node, a fork of mailslurper and a react-admin app for the admin page.

schema (This is an outline and does not exactly reflect the reality of how the stack works)

Develop

Prerequisites

Initial Setup

Step 0 Get a Dev Shell

$ nix develop
### ️🔨 Welcome to the Nix devshell ###

Available commands:

## Commands

  , fmt  : format the whole repo
  , ka   : Apply the kubernetes manifests
  , kd   : A Dashboard for the minikube cluster
  , ks   : start minikube cluster
  , npd  : NextJS PDF Dev

(Run ',' to display this menu again)

Step 1 start the cluster

# Start the cluster
$ minikube start

Or, simply:

, ks

Step 2 apply the manifests

# Create all resources
$ cd k8s && ./build.sh | kubectl apply -f -

Or, simply:

, ka

Step 3 DNS Setup

For a smooth dev experience, map your cluster IP to the hostnames referenced in the examples. kubectl get ingress gives you the IP, which should be added to your hosts file.

The general idea is that we are going to map the various test.info hosts back to our local IP.

$ kubectl get ingress
NAME               CLASS    HOSTS                 ADDRESS           PORTS   AGE
admin-ui-ingress   <none>   ory-admin.test.info   192.168.XXX.XXX   80      119s
fake-smtp-server   <none>   mail.test.info        192.168.XXX.XXX   80      119s
oathkeeper         <none>   ory.test.info         192.168.XXX.XXX   80      119s

# add ingress to the hosts file
$ sudo bash -c 'cat << EOF >> /etc/hosts
# ORY Minikube SSO stack
192.168.XXX.XXX    mail.test.info
192.168.XXX.XXX    ory.test.info
192.168.XXX.XXX    ory-admin.test.info
EOF'

(optional) Step 3 Create secret for fetching containers from ghcr.io

This step is only necessary if your Docker installation has not already done a docker login, e.g. docker pull ghcr.io/hello-world fails. You can create a token (it must be "classic") in your Personal Access Token settings on GitHub (https://github.com/settings/tokens); it only needs the read:packages scope.

kubectl create secret docker-registry dpr-secret --docker-server=https://ghcr.io --docker-username=mygithubusername --docker-password=mygithubreadtoken --docker-email=mygithubemail
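
The command above puts the token in the kubectl argument list, where it lands in shell history and is visible in the process list. The following added example (not part of this repository) builds the same kind of secret with the token read from stdin; the function names are hypothetical, and dpr-secret, https://ghcr.io and mygithubusername are taken from the command above.

```bash
#!/usr/bin/env bash
# Added example (not from the repository). Function names are hypothetical;
# dpr-secret, https://ghcr.io and mygithubusername come from the step above.

# Print a .dockerconfigjson document for one registry.
#   $1 = registry, $2 = username; the token is read from stdin, never from argv.
make_dockerconfigjson() {
  local registry=$1 user=$2 token auth
  # Accept input with or without a trailing newline; fail on no input at all.
  IFS= read -r token || [ -n "$token" ] || return 1
  [ -n "$token" ] || { echo "empty token" >&2; return 1; }
  # The JSON is assembled by hand, so refuse characters that would break it.
  case "$registry$user" in
    *\"*|*\\*) echo "unsupported character in registry or user" >&2; return 1 ;;
  esac
  # Docker's "auth" field is base64("user:token"); strip any line wrapping.
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth"
}

# Create or update the pull secret from a private temp file (token on stdin).
#   $1 = secret name, $2 = registry, $3 = username
create_pull_secret() {
  local name=$1 registry=$2 user=$3 tmp rc
  tmp=$(mktemp) || return 1          # mktemp creates the file with mode 0600
  make_dockerconfigjson "$registry" "$user" > "$tmp" &&
    kubectl create secret docker-registry "$name" \
      --from-file=.dockerconfigjson="$tmp" \
      --dry-run=client -o yaml | kubectl apply -f -
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage (bash): prompt for the token without echo, then pipe it in.
#   read -rs -p 'GHCR token: ' GHCR_TOKEN; echo
#   printf '%s\n' "$GHCR_TOKEN" | create_pull_secret dpr-secret https://ghcr.io mygithubusername
#   unset GHCR_TOKEN
```

printf is a shell builtin, so the token does not appear in any process's arguments on its way into the pipe.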

Step 4 Create a test user

Open your browser and navigate to http://ory.test.info/panel/welcome and http://mail.test.info.

Go to http://ory.test.info/panel/ and create an account. You can validate your email on http://mail.test.info. When you create an account you have to add the role user or admin. Only the admin role has the right to access the admin react app.

URL                                   Description
http://ory.test.info/panel/welcome    User app for creating an account, logging in, etc.
http://ory.test.info/admin/           Admin react app; you need the admin role to access it
http://mail.test.info                 Local mail panel; you will receive confirmation mails here

Add keto relationships

After you have created a user, you can add relations to ./keto/keto-job/config/relation-tuples/admin-access.json, using the user's identity.id as the subject, and then update the Keto policies.

# waits for Keto to be ready and add policies
$ ./add-keto-policies.sh | kubectl apply -f -

Debugging

  • Bring up a dashboard for the cluster with minikube-dashboard or , kd

  • Get a db shell with ./_scripts/get_psql.sh
