This repository hosts the Kubernetes Python Operator for Ory Kratos - an API-first identity and user management system. For more details, visit https://www.ory.sh/docs/kratos/ory-kratos-intro
The Kratos Operator may be deployed using the Juju command line as follows:
juju deploy postgresql-k8s --channel edge --trust
juju deploy kratos
juju integrate kratos postgresql-k8s
To set the smtp connection uri, do:
juju config kratos smtp_connection_uri={smtp_connection_uri}
Below are two examples of the API. Visit Ory to see full API specification.
curl <kratos-service-ip>:4434/identities \
--request POST -sL \
--header "Content-Type: application/json" \
--data '{
"schema_id": "default",
"traits": {
"email": "test@example.org"
}
}'
curl <kratos-service-ip>:4434/admin/identities
You should be able to see the identity created earlier.
This charm requires a relation with postgresql-k8s-operator.
The Kratos Operator offers integration with the traefik-k8s-operator for ingress. Kratos has two APIs which can be exposed through ingress, the public API and the admin API.
If you have a traefik deployed and configured in your kratos model, to provide ingress to the admin API run:
juju integrate traefik-admin kratos:admin-ingress
To provide ingress to the public API run:
juju integrate traefik-public kratos:public-ingress
Kratos can be used as an identity broker. To connect Kratos with an external identity provider you can use the external provider relation. All you need to do is deploy the kratos-external-idp-integrator, configure it and relate it to Kratos:
juju deploy kratos-external-provider-integrator
juju config kratos-external-provider-integrator \
client_id={client_id} \
client_secret={client_secret} \
provider={provider}
juju integrate kratos-external-provider-integrator kratos
Once kratos has registered the provider, you will be able to retrieve the redirect_uri from the integrator by running:
juju run {external_provider_integrator_unit_name} get-redirect-uri --wait
This charm offers integration with hydra-operator.
In order to integrate kratos with hydra, it needs to be able to access hydra's admin API endpoint. To enable that, relate the two charms:
juju integrate kratos hydra
For further guidance on integration on hydra side, visit the hydra-operator repository.
The following instructions assume that you have deployed traefik-admin
and traefik-public
charms and related them to Kratos. Note that the UI charm should run behind a proxy.
This charm offers integration with identity-platform-login-ui-operator. In order to integrate them, run:
juju integrate kratos:ui-endpoint-info identity-platform-login-ui-operator:ui-endpoint-info
juju integrate identity-platform-login-ui-operator:kratos-endpoint-info kratos:kratos-endpoint-info
The kratos charm offers the following actions:
This action can be used to create an admin account:
juju run kratos/0 create-admin-account username=admin123 password=abc123456 email=admin@example.com
NOTE: The email registered for an admin account must not be used for any other user (admin or not).
This action can be used to get information about an existing identity by email or id:
By id:
juju run kratos/0 get-identity identity-id={identity_id}
By email:
juju run kratos/0 get-identity email={email}
This action can be used to delete an existing identity:
An identity_id can be used to specify the identity:
juju run kratos/0 delete-identity identity-id={identity_id}
An email can be used to specify the identity as well:
juju run kratos/0 delete-identity email={email}
This action can be used to trigger a database migration:
juju run kratos/0 run-migration
The image used by this charm is hosted on Docker Hub and maintained by Ory.
Security issues in IAM stack can be reported through LaunchPad. Please do not file GitHub issues about security issues.
Please see the Juju SDK docs for guidelines on enhancements to this charm following best practice guidelines, and CONTRIBUTING.md for developer guidance.
The Charmed Kratos Operator is free software, distributed under the Apache Software License, version 2.0. See LICENSE for more information.