feat: basic kubernetes manifests and quickstart overlay including pos…

…tgres pod

README.md

@@ -9,23 +9,42 @@
 ## About Hanko
 Hanko is the open-source alternative for passwordless authentication, powered by a combination of magic links and WebAuthn-based biometrics, aka passkeys.
 
-Passwordless logins have been promised to us for quite some time. But it's only recently that the ecosystem of devices, browsers, and operating systems is finally ready. With most devices now supporting WebAuthn out of the box and shipping with biometric sensors like Touch ID, Face ID, and Windows Hello, it's enabling a truly fascinating login experience that will replace passwords for good.
+Passwordless logins have been promised to us for quite some time. But it's only recently that the ecosystem of devices, browsers, and operating systems is finally ready. 
+With most devices now supporting WebAuthn out of the box and shipping with biometric sensors like Touch ID, Face ID, and Windows Hello, it's enabling a truly fascinating login experience that will replace passwords for good.
 
-That's where Hanko comes in. Hanko enables a polished, end-to-end passwordless user experience on the web. Self-hosted or as a lean SaaS hosted by us (coming soon). API-first, small footprint, for developers.
+That's where Hanko comes in. Hanko enables a polished, end-to-end passwordless user experience on the web. Self-hosted or as a lean SaaS hosted by us (coming soon). 
+API-first, small footprint, for developers.
 
 **Try it now and never look back.**
 
 Integrate Hanko in your web apps in just 5 minutes – with a single line of code.
 
-With Hanko, your users will be able to login to your web app with biometrics instead of passwords. On devices that do not support WebAuthn, or for the first-time login on a new device, a magic link (we call them passlinks) is automatically sent. If possible, the user is then guided to enroll their biometrics.
+With Hanko, your users will be able to login to your web app with biometrics instead of passwords. 
+On devices that do not support WebAuthn, or for the first-time login on a new device, a magic link (we call them passlinks) is automatically sent. 
+If possible, the user is then guided to enroll their biometrics.
 
-For us, this project is the sum of six years of experience implementing FIDO and WebAuthn-based authentication in many different applications and platforms. And we are happy to share this with you.
+For us, this project is the sum of six years of experience implementing FIDO and WebAuthn-based authentication in many different applications and platforms. 
+And we are happy to share this with you.
 
 ## Community
 Join our [Slack community](https://www.hanko.io/community) if you have any questions about Hanko or just want to chat about authentication, identity, or life in general.
 
 # Quickstart
-TODO
-
+To try out hanko you can use either docker-compose or kubernetes manifests. For either way you have to first clone this repository with:
+```
+git clone https://github.com/teamhanko/hanko.git
+```
+
+## With docker-compose
+Just run:
+```
+docker-compose -f deploy/docker-compose/quickstart.yaml -p "hanko-quickstart" up --force-recreate
+```
+TODO describe setup.
+## With kubernetes
+```
+kubectl apply -k deploy/k8s/overlays/quickstart
+```
+TODO describe setup.
 # Develop
 TODO

deploy/docker-compose/quickstart.yaml

@@ -28,7 +28,7 @@ services:
     networks:
       - intranet
   postgresd:
-    image: postgres:12
+    image: postgres:12-alpine
     ports:
       - "5432:5432"
     environment:

deploy/k8s/base/deployment.yaml

@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hanko
+  namespace: hanko
+  labels:
+    app: hanko
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hanko
+  template:
+    metadata:
+      labels:
+        app: hanko
+    spec:
+      containers:
+        - name: hanko
+          image: ghcr.io/teamhanko/hanko:main
+          imagePullPolicy: IfNotPresent
+          args:
+            - serve
+          ports:
+            - containerPort: 8000
+              name: public
+            - containerPort: 8001
+              name: private
+          volumeMounts:
+            - mountPath: /etc/config
+              name: hanko-config
+      initContainers:
+        - name: hanko-migrate
+          image: ghcr.io/teamhanko/hanko:main
+          imagePullPolicy: IfNotPresent
+          args:
+            - migrate
+            - up
+          volumeMounts:
+            - mountPath: /etc/config
+              name: hanko-config
+      volumes:
+        - name: hanko-config
+          configMap:
+            name: hanko-config

deploy/k8s/base/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+  - deployment.yaml
+  - services.yaml

deploy/k8s/base/services.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: hanko
+  namespace: hanko
+spec:
+  selector:
+    app: hanko
+  ports:
+    - port: 80
+      targetPort: public
+      protocol: TCP
+      name: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hanko-private
+  namespace: hanko
+spec:
+  selector:
+    app: hanko
+  ports:
+    - port: 80
+      targetPort: private
+      protocol: TCP
+      name: http

deploy/k8s/overlays/quickstart/hanko-config.yaml

@@ -0,0 +1,4 @@
+database:
+  user: hanko
+  password: hanko
+  host: postgres.hanko

deploy/k8s/overlays/quickstart/ingress.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: hanko
+  name: hanko
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  tls:
+    - hosts:
+        - hanko.test
+      secretName: hanko-tls
+  rules:
+    - host: hanko.test
+      http:
+        paths:
+          - path: /api
+            pathType: Prefix
+            backend:
+              service:
+                name: hanko
+                port:
+                  name: http

deploy/k8s/overlays/quickstart/kustomization.yaml

@@ -0,0 +1,10 @@
+namespace: hanko
+resources:
+  - namespace.yaml
+  - ingress.yaml
+  - ../../base
+  - ../../postgres
+configMapGenerator:
+  - files:
+      - hanko-config.yaml
+    name: hanko-config

deploy/k8s/overlays/quickstart/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: hanko

deploy/k8s/postgres/deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: postgres
+  namespace: hanko
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      containers:
+        - name: postgres
+          image: postgres:12-alpine
+          ports:
+            - containerPort: 5432
+              name: postgres-hanko
+          env:
+            - name: POSTGRES_DB
+              value: hanko
+            - name: POSTGRES_USER
+              value: hanko
+            - name: POSTGRES_PASSWORD
+              value: hanko
+          volumeMounts:
+            - mountPath: /docker-entrypoint-initdb.d
+              name: initdb
+            - mountPath: /var/lib/postgresql/data
+              name: postgres-pv-claim
+      volumes:
+        - name: initdb
+          configMap:
+            name: initdb
+        - name: postgres-pv-claim
+          persistentVolumeClaim:
+            claimName: postgres-pv-claim
+  selector:
+    matchLabels:
+      app: postgres

deploy/k8s/postgres/initdbscript.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+CREATE DATABASE hanko;
+GRANT ALL PRIVILEGES ON DATABASE hanko TO $POSTGRES_USER;
+EOSQL

deploy/k8s/postgres/kustomization.yaml

@@ -0,0 +1,8 @@
+resources:
+  - deployment.yaml
+  - service.yaml
+  - persistent-volume.yaml
+configMapGenerator:
+  - name: initdb
+    files:
+      - initdbscript.sh

deploy/k8s/postgres/persistent-volume.yaml

@@ -0,0 +1,31 @@
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: postgres-pv
+  namespace: hanko
+  labels:
+    type: local
+spec:
+  storageClassName: standard
+  capacity:
+    storage: 100M
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/mnt/data"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app: postgres
+  name: postgres-pv-claim
+  namespace: hanko
+spec:
+  storageClassName: standard
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100M

deploy/k8s/postgres/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  namespace: hanko
+spec:
+  ports:
+    - port: 5432
+  selector:
+    app: postgres