From 36f6e088d85c65bf4b4478b6e757c62fde204088 Mon Sep 17 00:00:00 2001
From: Trevor Foster
Date: Mon, 30 Sep 2024 13:33:55 -0400
Subject: [PATCH 1/5] feat: add hydra option to create separate admin and public deploys
---
 helm/charts/hydra/README.md | 3 +
 .../hydra/templates/deployment-admin.yaml | 247 ++++++++++++++++++
 .../hydra/templates/deployment-public.yaml | 246 +++++++++++++++++
 helm/charts/hydra/templates/deployment.yaml | 2 +
 .../charts/hydra/templates/hpa-separated.yaml | 43 +++
 helm/charts/hydra/templates/hpa.yaml | 2 +
 .../charts/hydra/templates/service-admin.yaml | 3 +
 .../hydra/templates/service-public.yaml | 4 +
 helm/charts/hydra/values.yaml | 7 +
 9 files changed, 557 insertions(+)
 create mode 100644 helm/charts/hydra/templates/deployment-admin.yaml
 create mode 100644 helm/charts/hydra/templates/deployment-public.yaml
 create mode 100644 helm/charts/hydra/templates/hpa-separated.yaml
diff --git a/helm/charts/hydra/README.md b/helm/charts/hydra/README.md
index 23e6383cb6..8a9593b417 100644
--- a/helm/charts/hydra/README.md
+++ b/helm/charts/hydra/README.md
@@ -54,6 +54,9 @@ A Helm chart for deploying ORY Hydra in Kubernetes | cronjob.janitor.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | cronjob.janitor.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | cronjob.janitor.tolerations | list | `[]` | Configure node tolerations | +| separateAdminAndPublicDeploys | bool | `false` | When `true` separate deploys will be created for admin and public components. Use `deployment.admin` and `deployment.public` to configure component specific options. | +| deployment.admin | object | `{}` | When separateAdminAndPublicDeploys is enabled, this field acts as overrides only for the `hydra-admin` deployment object. | +| deployment.public | object | `{}` | When separateAdminAndPublicDeploys is enabled, this field acts as overrides only for the `hydra-public` deployment object. | | deployment.annotations | object | `{}` | Set custom deployment level annotations | | deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer | | deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR | diff --git a/helm/charts/hydra/templates/deployment-admin.yaml b/helm/charts/hydra/templates/deployment-admin.yaml new file mode 100644 index 0000000000..ec9e2e06c0 --- /dev/null +++ b/helm/charts/hydra/templates/deployment-admin.yaml 
@@ -0,0 +1,247 @@
+{{- if .Values.separateAdminAndPublicDeploys -}}
+{{- include "hydra.automigration.typeVerification" . -}}
+{{- $deployValues := merge .Values.deployment.admin (omit .Values.deployment "admin" "public") -}}
+{{- $migrationExtraEnv := ternary $deployValues.automigration.extraEnv $deployValues.extraEnv (not (empty $deployValues.automigration.extraEnv )) -}}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "hydra.fullname" . }}-admin
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ {{- include "hydra.labels" . | nindent 4 }}
+ {{- with $deployValues.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/component: admin
+ annotations:
+ {{- with $deployValues.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+{{- if not $deployValues.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+{{- end }}
+ revisionHistoryLimit: {{ $deployValues.revisionHistoryLimit }}
+ strategy:
+ {{- toYaml $deployValues.strategy | nindent 4 }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "hydra.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: admin
+ template:
+ metadata:
+ labels:
+ {{- include "hydra.labels" . | nindent 8 }}
+ {{- with $deployValues.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.podMetadata.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ app.kubernetes.io/component: admin
+ annotations:
+ {{- include "hydra.annotations.checksum" . | nindent 8 -}}
+ {{- with $deployValues.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.podMetadata.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: {{ include "hydra.name" . }}-config-volume
+ configMap:
+ name: {{ include "hydra.fullname" .
}}
+ {{- if $deployValues.extraVolumes }}
+ {{- toYaml $deployValues.extraVolumes | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "hydra.serviceAccountName" . }}
+ automountServiceAccountToken: {{ $deployValues.automountServiceAccountToken }}
+ terminationGracePeriodSeconds: {{ $deployValues.terminationGracePeriodSeconds }}
+ containers:
+ - name: {{ .Chart.Name }}-admin
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command: {{- toYaml .Values.hydra.command | nindent 12 }}
+ {{- if .Values.hydra.customArgs }}
+ args: {{- toYaml .Values.hydra.customArgs | nindent 12 }}
+ {{- else }}
+ args:
+ - serve
+ - admin
+ {{- if .Values.hydra.dev }}
+ - "--dev"
+ {{- end }}
+ - --config
+ - /etc/config/hydra.yaml
+ {{- end }}
+ volumeMounts:
+ - name: {{ include "hydra.name" . }}-config-volume
+ mountPath: /etc/config
+ readOnly: true
+ {{- if $deployValues.extraVolumeMounts }}
+ {{- toYaml $deployValues.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: http-admin
+ containerPort: {{ .Values.hydra.config.serve.admin.port }}
+ protocol: TCP
+ livenessProbe:
+ {{- if $deployValues.customLivenessProbe }}
+ {{- toYaml $deployValues.customLivenessProbe | nindent 12 }}
+ {{- else }}
+ httpGet:
+ path: /health/alive
+ port: {{ .Values.hydra.config.serve.admin.port }}
+ httpHeaders:
+ - name: Host
+ value: '127.0.0.1'
+ {{- toYaml $deployValues.livenessProbe | nindent 12 }}
+ {{- end }}
+ readinessProbe:
+ {{- if $deployValues.customReadinessProbe }}
+ {{- toYaml $deployValues.customReadinessProbe | nindent 12 }}
+ {{- else }}
+ httpGet:
+ path: /health/ready
+ port: {{ .Values.hydra.config.serve.admin.port }}
+ httpHeaders:
+ - name: Host
+ value: '127.0.0.1'
+ {{- toYaml $deployValues.readinessProbe | nindent 12 }}
+ {{- end }}
+ startupProbe:
+ {{- if $deployValues.customStartupProbe }}
+ {{- toYaml $deployValues.customStartupProbe | nindent 12 }}
+ {{-
else }}
+ httpGet:
+ path: /health/ready
+ port: {{ .Values.hydra.config.serve.admin.port }}
+ httpHeaders:
+ - name: Host
+ value: '127.0.0.1'
+ {{- toYaml $deployValues.startupProbe | nindent 12 }}
+ {{- end }}
+ env:
+ {{- $issuer := include "hydra.config.urls.issuer" . -}}
+ {{- if $issuer }}
+ - name: URLS_SELF_ISSUER
+ value: {{ $issuer | quote }}
+ {{- end }}
+ {{- if not (empty ( include "hydra.dsn" . )) }}
+ {{- if not (include "ory.extraEnvContainsEnvName" (list $deployValues.extraEnv "DSN")) }}
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "hydra.secretname" . }}
+ key: dsn
+ {{- end }}
+ {{- end }}
+ - name: SECRETS_SYSTEM
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "hydra.secretname" . }}
+ key: secretsSystem
+ - name: SECRETS_COOKIE
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "hydra.secretname" . }}
+ key: secretsCookie
+ {{- if $deployValues.extraEnv }}
+ {{- tpl (toYaml $deployValues.extraEnv) . | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- toYaml $deployValues.resources | nindent 12 }}
+ {{- if $deployValues.securityContext }}
+ securityContext:
+ {{- toYaml $deployValues.securityContext | nindent 12 }}
+ {{- end }}
+ lifecycle:
+ {{- toYaml $deployValues.lifecycle | nindent 12 }}
+ {{- if $deployValues.extraContainers }}
+ {{- tpl $deployValues.extraContainers . | nindent 8 }}
+ {{- end }}
+ initContainers:
+ {{- if $deployValues.extraInitContainers }}
+ {{- tpl $deployValues.extraInitContainers .
| nindent 8 }}
+ {{- end }}
+ {{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "initContainer" ) }}
+ - name: {{ .Chart.Name }}-automigrate
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.hydra.automigration.customCommand }}
+ command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 12 }}
+ {{- else }}
+ command: ["hydra"]
+ {{- end }}
+ {{- if .Values.hydra.automigration.customArgs }}
+ args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 12 }}
+ {{- else }}
+ args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"]
+ {{- end }}
+ volumeMounts:
+ - name: {{ include "hydra.name" . }}-config-volume
+ mountPath: /etc/config
+ readOnly: true
+ {{- with $deployValues.extraVolumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ env:
+ {{- if not (empty ( include "hydra.dsn" . )) }}
+ {{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "hydra.secretname" . }}
+ key: dsn
+ {{- end }}
+ {{- end }}
+ {{- if $migrationExtraEnv }}
+ {{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }}
+ {{- end }}
+ {{- if .Values.hydra.automigration.resources }}
+ resources:
+ {{- toYaml .Values.hydra.automigration.resources | nindent 12 }}
+ {{- end }}
+ {{- with $deployValues.initContainerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+ {{- end }}
+ {{- with $deployValues.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml .
| nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.dnsConfig }}
+ dnsConfig:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end -}}
diff --git a/helm/charts/hydra/templates/deployment-public.yaml b/helm/charts/hydra/templates/deployment-public.yaml
new file mode 100644
index 0000000000..9bd34fb51b
--- /dev/null
+++ b/helm/charts/hydra/templates/deployment-public.yaml
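Review bot: `{{- $deployValues := merge .Values.deployment.admin (omit .Values.deployment "admin" "public") -}}` on the third added line writes the merged map back into `.Values.deployment.admin`, because Sprig's `merge` mutates its first argument, and — as far as I recall mergo's default behaviour — keys that are zero-valued in that first map (`false`, `0`, `""`, `{}`) are filled from the second, so a per-component override such as `deployment.admin.automountServiceAccountToken: false` or `deployment.admin.autoscaling.enabled: false` would silently revert to the chart-wide value even though the README rows in this patch call these keys overrides; worth confirming with `helm template` before merging. hpa-separated.yaml already wraps the same expression in `deepCopy`, so for consistency, and so that rendering one template does not change what the next one reads from `.Values`, use `{{- $deployValues := merge (deepCopy .Values.deployment.admin) (omit .Values.deployment "admin" "public") -}}` here and the equivalent in deployment-public.yaml. If the zero-value behaviour is confirmed, resolve boolean keys explicitly (`hasKey`) or document in values.yaml that `false`/`0`/`""` overrides are not honoured. Separately, `replicas: {{ .Values.replicaCount }}` and `{{- with .Values.affinity }}` read the top-level values, so those two settings cannot differ between the admin and public deployments.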
@@ -0,0 +1,246 @@
+{{- if .Values.separateAdminAndPublicDeploys -}}
+{{- $deployValues := merge .Values.deployment.public (omit .Values.deployment "admin" "public") -}}
+{{- $migrationExtraEnv := ternary $deployValues.automigration.extraEnv $deployValues.extraEnv (not (empty $deployValues.automigration.extraEnv )) -}}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "hydra.fullname" . }}-public
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ {{- include "hydra.labels" . | nindent 4 }}
+ {{- with $deployValues.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/component: public
+ annotations:
+ {{- with $deployValues.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+{{- if not $deployValues.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+{{- end }}
+ revisionHistoryLimit: {{ $deployValues.revisionHistoryLimit }}
+ strategy:
+ {{- toYaml $deployValues.strategy | nindent 4 }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "hydra.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: public
+ template:
+ metadata:
+ labels:
+ {{- include "hydra.labels" . | nindent 8 }}
+ {{- with $deployValues.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.podMetadata.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ app.kubernetes.io/component: public
+ annotations:
+ {{- include "hydra.annotations.checksum" . | nindent 8 -}}
+ {{- with $deployValues.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.podMetadata.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: {{ include "hydra.name" . }}-config-volume
+ configMap:
+ name: {{ include "hydra.fullname" .
}}
+ {{- if $deployValues.extraVolumes }}
+ {{- toYaml $deployValues.extraVolumes | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "hydra.serviceAccountName" . }}
+ automountServiceAccountToken: {{ $deployValues.automountServiceAccountToken }}
+ terminationGracePeriodSeconds: {{ $deployValues.terminationGracePeriodSeconds }}
+ containers:
+ - name: {{ .Chart.Name }}-public
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command: {{- toYaml .Values.hydra.command | nindent 12 }}
+ {{- if .Values.hydra.customArgs }}
+ args: {{- toYaml .Values.hydra.customArgs | nindent 12 }}
+ {{- else }}
+ args:
+ - serve
+ - public
+ {{- if .Values.hydra.dev }}
+ - "--dev"
+ {{- end }}
+ - --config
+ - /etc/config/hydra.yaml
+ {{- end }}
+ volumeMounts:
+ - name: {{ include "hydra.name" . }}-config-volume
+ mountPath: /etc/config
+ readOnly: true
+ {{- if $deployValues.extraVolumeMounts }}
+ {{- toYaml $deployValues.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: http-public
+ containerPort: {{ .Values.hydra.config.serve.public.port }}
+ protocol: TCP
+ livenessProbe:
+ {{- if $deployValues.customLivenessProbe }}
+ {{- toYaml $deployValues.customLivenessProbe | nindent 12 }}
+ {{- else }}
+ httpGet:
+ path: /health/alive
+ port: {{ .Values.hydra.config.serve.public.port }}
+ httpHeaders:
+ - name: Host
+ value: '127.0.0.1'
+ {{- toYaml $deployValues.livenessProbe | nindent 12 }}
+ {{- end }}
+ readinessProbe:
+ {{- if $deployValues.customReadinessProbe }}
+ {{- toYaml $deployValues.customReadinessProbe | nindent 12 }}
+ {{- else }}
+ httpGet:
+ path: /health/ready
+ port: {{ .Values.hydra.config.serve.public.port }}
+ httpHeaders:
+ - name: Host
+ value: '127.0.0.1'
+ {{- toYaml $deployValues.readinessProbe | nindent 12 }}
+ {{- end }}
+ startupProbe:
+ {{- if $deployValues.customStartupProbe }}
+ {{- toYaml $deployValues.customStartupProbe | nindent 12 }}
+ {{- else }}
+ httpGet:
+ path: /health/ready
+ port: {{ .Values.hydra.config.serve.public.port }}
+ httpHeaders:
+ - name: Host
+ value: '127.0.0.1'
+ {{- toYaml $deployValues.startupProbe | nindent 12 }}
+ {{- end }}
+ env:
+ {{- $issuer := include "hydra.config.urls.issuer" . -}}
+ {{- if $issuer }}
+ - name: URLS_SELF_ISSUER
+ value: {{ $issuer | quote }}
+ {{- end }}
+ {{- if not (empty ( include "hydra.dsn" . )) }}
+ {{- if not (include "ory.extraEnvContainsEnvName" (list $deployValues.extraEnv "DSN")) }}
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "hydra.secretname" . }}
+ key: dsn
+ {{- end }}
+ {{- end }}
+ - name: SECRETS_SYSTEM
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "hydra.secretname" . }}
+ key: secretsSystem
+ - name: SECRETS_COOKIE
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "hydra.secretname" . }}
+ key: secretsCookie
+ {{- if $deployValues.extraEnv }}
+ {{- tpl (toYaml $deployValues.extraEnv) . | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- toYaml $deployValues.resources | nindent 12 }}
+ {{- if $deployValues.securityContext }}
+ securityContext:
+ {{- toYaml $deployValues.securityContext | nindent 12 }}
+ {{- end }}
+ lifecycle:
+ {{- toYaml $deployValues.lifecycle | nindent 12 }}
+ {{- if $deployValues.extraContainers }}
+ {{- tpl $deployValues.extraContainers . | nindent 8 }}
+ {{- end }}
+ initContainers:
+ {{- if $deployValues.extraInitContainers }}
+ {{- tpl $deployValues.extraInitContainers .
| nindent 8 }}
+ {{- end }}
+ {{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "initContainer" ) }}
+ - name: {{ .Chart.Name }}-automigrate
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.hydra.automigration.customCommand }}
+ command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 12 }}
+ {{- else }}
+ command: ["hydra"]
+ {{- end }}
+ {{- if .Values.hydra.automigration.customArgs }}
+ args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 12 }}
+ {{- else }}
+ args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"]
+ {{- end }}
+ volumeMounts:
+ - name: {{ include "hydra.name" . }}-config-volume
+ mountPath: /etc/config
+ readOnly: true
+ {{- with $deployValues.extraVolumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ env:
+ {{- if not (empty ( include "hydra.dsn" . )) }}
+ {{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "hydra.secretname" . }}
+ key: dsn
+ {{- end }}
+ {{- end }}
+ {{- if $migrationExtraEnv }}
+ {{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }}
+ {{- end }}
+ {{- if .Values.hydra.automigration.resources }}
+ resources:
+ {{- toYaml .Values.hydra.automigration.resources | nindent 12 }}
+ {{- end }}
+ {{- with $deployValues.initContainerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+ {{- end }}
+ {{- with $deployValues.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml .
| nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.dnsConfig }}
+ dnsConfig:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end -}}
diff --git a/helm/charts/hydra/templates/deployment.yaml b/helm/charts/hydra/templates/deployment.yaml
index fa266bd43a..7426edc745 100644
--- a/helm/charts/hydra/templates/deployment.yaml
+++ b/helm/charts/hydra/templates/deployment.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.separateAdminAndPublicDeploys | not -}}
 {{- include "hydra.automigration.typeVerification" . -}}
 {{- $migrationExtraEnv := ternary .Values.deployment.automigration.extraEnv .Values.deployment.extraEnv (not (empty .Values.deployment.automigration.extraEnv )) -}}
@@ -234,3 +235,4 @@ spec:
 dnsConfig:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+{{- end -}}
diff --git a/helm/charts/hydra/templates/hpa-separated.yaml b/helm/charts/hydra/templates/hpa-separated.yaml
new file mode 100644
index 0000000000..63c27ef648
--- /dev/null
+++ b/helm/charts/hydra/templates/hpa-separated.yaml
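Review bot: The `{{ .Chart.Name }}-automigrate` initContainer is emitted in this deployment as well as in deployment-admin.yaml, so when `hydra.automigration.enabled` is set with `type: initContainer` every pod of both deployments runs `hydra migrate sql -e --yes --config /etc/config/hydra.yaml` and the two rollouts can run the migration at the same time. Whether Hydra's migrator is safe to run concurrently is not something this patch shows; consider emitting the initContainer from only one of the two templates (the admin one, which already carries the `hydra.automigration.typeVerification` include) or documenting the behaviour in values.yaml. The `{{- include "hydra.automigration.typeVerification" . -}}` line at the top of deployment-admin.yaml also has no counterpart here; harmless while both templates are gated on the same flag, but worth adding for symmetry.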
@@ -0,0 +1,43 @@
+{{- if .Values.separateAdminAndPublicDeploys }}
+{{- range list "admin" "public" }}
+{{- $deployValues := merge (deepCopy (get $.Values.deployment .)) (omit $.Values.deployment "admin" "public") }}
+{{- if $deployValues.autoscaling.enabled }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ {{- if $.Release.Namespace }}
+ namespace: {{ $.Release.Namespace }}
+ {{- end }}
+ name: {{ include "hydra.fullname" $ }}-{{.}}
+ labels:
+ {{- include "hydra.labels" $ | nindent 4 }}
+ app.kubernetes.io/component: {{. | quote}}
+spec:
+ {{- with $deployValues.autoscaling.behavior }}
+ behavior: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "hydra.fullname" $ }}-{{.}}
+ minReplicas: {{ $deployValues.autoscaling.minReplicas }}
+ maxReplicas: {{ $deployValues.autoscaling.maxReplicas }}
+ metrics:
+ {{- with $deployValues.autoscaling.targetMemory }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.autoscaling.targetCPU}}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/charts/hydra/templates/hpa.yaml b/helm/charts/hydra/templates/hpa.yaml
index 5c4f5df1b3..7829a3ce36 100644
--- a/helm/charts/hydra/templates/hpa.yaml
+++ b/helm/charts/hydra/templates/hpa.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.separateAdminAndPublicDeploys | not }}
 {{- if .Values.deployment.autoscaling.enabled }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
@@ -34,3 +35,4 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/charts/hydra/templates/service-admin.yaml b/helm/charts/hydra/templates/service-admin.yaml
index 100d9581d2..1da45cb40e 100644
--- a/helm/charts/hydra/templates/service-admin.yaml
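Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), and the hpa.yaml hunk in this patch appears to drop the newline that file previously had; both should end with a newline so the next change to the last line does not show up as a rewrite of it. Style: `{{.}}` and `{{. | quote}}` differ from the `{{ . }}` spacing used elsewhere in this hunk; `name: {{ include "hydra.fullname" $ }}-{{ . }}` and `app.kubernetes.io/component: {{ . | quote }}` would match.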
+++ b/helm/charts/hydra/templates/service-admin.yaml
@@ -32,6 +32,9 @@ spec:
 selector:
 app.kubernetes.io/name: {{ include "hydra.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- if .Values.separateAdminAndPublicDeploys }}
+ app.kubernetes.io/component: admin
+ {{- end }}
 {{- if .Values.serviceMonitor.enabled }}
 ---
 apiVersion: monitoring.coreos.com/v1
diff --git a/helm/charts/hydra/templates/service-public.yaml b/helm/charts/hydra/templates/service-public.yaml
index 570aad2381..fdef3729d8 100644
--- a/helm/charts/hydra/templates/service-public.yaml
+++ b/helm/charts/hydra/templates/service-public.yaml
@@ -11,6 +11,7 @@ metadata:
 {{- with .Values.service.public.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
+ app.kubernetes.io/component: public
 annotations:
 {{- with .Values.service.public.annotations }}
 {{- toYaml . | nindent 4 }}
@@ -30,4 +31,7 @@ spec:
 selector:
 app.kubernetes.io/name: {{ include "hydra.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- if .Values.separateAdminAndPublicDeploys }}
+ app.kubernetes.io/component: public
+ {{- end }}
 {{- end }}
diff --git a/helm/charts/hydra/values.yaml b/helm/charts/hydra/values.yaml
index 9600c16b7f..e2e1b3d469 100644
--- a/helm/charts/hydra/values.yaml
+++ b/helm/charts/hydra/values.yaml
@@ -180,8 +180,15 @@ hydra:
 # -- Enable dev mode, not secure in production environments
 dev: false
+# When `true` separate deploys will be created for admin and public components. Use `deployment.admin` and `deployment.public` to configure component specific options.
+separateAdminAndPublicDeploys: false
+
 ## -- Deployment specific config
 deployment:
+ # When separateAdminAndPublicDeploys is enabled, the admin/public fields act as overrides for the individual deploys.
+ admin: {}
+ public: {}
+
 strategy:
 type: RollingUpdate
 rollingUpdate:
From 2a56edf7d070517a7c25ff821616a4e9d2071e05 Mon Sep 17 00:00:00 2001
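Review bot: In the first service-public.yaml hunk, `app.kubernetes.io/component: public` is added to the Service's metadata labels unconditionally and after the `{{- with .Values.service.public.labels }}` block, so a user who already sets that label key gets a duplicate YAML key in the rendered manifest, while the service-admin.yaml hunk in this patch adds no metadata label at all. Either guard the label with the same `{{- if .Values.separateAdminAndPublicDeploys }}` the selector uses, or add it to both Services so they are labelled symmetrically, and note in values.yaml that `service.public.labels` must not set that key.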
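Review bot: The comment above `admin: {}` / `public: {}` should say what the split changes operationally, since that is what an operator needs in order to reason about exposure: with the flag on, the admin pods run `serve admin` and expose only `http-admin`, the public pods run `serve public` and expose only `http-public` (per the two new deployment templates), and each Service selects only its own pods by `app.kubernetes.io/component`, so network policies can be scoped per component. It should also state that `replicaCount` and `affinity` stay chart-wide — both templates read them from the top level — and that the `hydra.automigration` initContainer runs in both deployments. Suggested wording: `# When separateAdminAndPublicDeploys is enabled, each map is merged over the other deployment.* keys for that component only; replicaCount and affinity remain chart-wide.`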
From: Trevor Foster
Date: Mon, 9 Dec 2024 00:46:12 -0500
Subject: [PATCH 2/5] Separate distributed chart
---
 helm/charts/hydra-distributed/.helmignore | 23 +
 helm/charts/hydra-distributed/Chart.lock | 9 +
 helm/charts/hydra-distributed/Chart.yaml | 33 +
 helm/charts/hydra-distributed/README.md | 209 ++++
 .../charts/hydra-maester-0.50.3.tgz | Bin 0 -> 7881 bytes
 .../charts/ory-commons-0.1.0.tgz | Bin 0 -> 687 bytes
 helm/charts/hydra-distributed/files/watch.sh | 17 +
 .../hydra-distributed/templates/NOTES.txt | 97 +++
 .../hydra-distributed/templates/_helpers.tpl | 229 ++++++
 .../templates/configmap-automigrate.yaml | 18 +
 .../templates/configmap.yaml | 12 +
 .../templates/deployment-admin.yaml | 245 +++++++
 .../templates/deployment-public.yaml | 244 +++++++
 .../templates/deployment-watcher.yaml | 77 ++
 .../hydra-distributed/templates/hpa.yaml | 41 ++
 .../templates/ingress-admin.yaml | 54 ++
 .../templates/ingress-public.yaml | 54 ++
 .../templates/janitor-cron-job-rbac.yaml | 17 +
 .../templates/janitor-cron-job.yaml | 137 ++++
 .../templates/job-migration.yaml | 125 ++++
 .../hydra-distributed/templates/job-rbac.yaml | 17 +
 .../hydra-distributed/templates/pdb.yaml | 18 +
 .../templates/rbac-watcher.yaml | 53 ++
 .../hydra-distributed/templates/rbac.yaml | 17 +
 .../hydra-distributed/templates/secrets.yaml | 21 +
 .../templates/service-admin.yaml | 72 ++
 .../templates/service-public.yaml | 35 +
 .../templates/tests/test-connection.yaml | 20 +
 helm/charts/hydra-distributed/values.yaml | 674 ++++++++++++++++++
 29 files changed, 2568 insertions(+)
 create mode 100644 helm/charts/hydra-distributed/.helmignore
 create mode 100644 helm/charts/hydra-distributed/Chart.lock
 create mode 100644 helm/charts/hydra-distributed/Chart.yaml
 create mode 100644 helm/charts/hydra-distributed/README.md
 create mode 100644 helm/charts/hydra-distributed/charts/hydra-maester-0.50.3.tgz
 create mode 100644 helm/charts/hydra-distributed/charts/ory-commons-0.1.0.tgz
 create mode 100644
helm/charts/hydra-distributed/files/watch.sh
 create mode 100644 helm/charts/hydra-distributed/templates/NOTES.txt
 create mode 100644 helm/charts/hydra-distributed/templates/_helpers.tpl
 create mode 100644 helm/charts/hydra-distributed/templates/configmap-automigrate.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/configmap.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/deployment-admin.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/deployment-public.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/deployment-watcher.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/hpa.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/ingress-admin.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/ingress-public.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/janitor-cron-job-rbac.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/janitor-cron-job.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/job-migration.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/job-rbac.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/pdb.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/rbac-watcher.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/rbac.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/secrets.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/service-admin.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/service-public.yaml
 create mode 100644 helm/charts/hydra-distributed/templates/tests/test-connection.yaml
 create mode 100644 helm/charts/hydra-distributed/values.yaml
diff --git a/helm/charts/hydra-distributed/.helmignore b/helm/charts/hydra-distributed/.helmignore
new file mode 100644
index 0000000000..b066297f1e
--- /dev/null
+++ b/helm/charts/hydra-distributed/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+*.txt
\ No newline at end of file
diff --git a/helm/charts/hydra-distributed/Chart.lock b/helm/charts/hydra-distributed/Chart.lock
new file mode 100644
index 0000000000..dc277bf772
--- /dev/null
+++ b/helm/charts/hydra-distributed/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: ory-commons
+ repository: file://../ory-commons
+ version: 0.1.0
+- name: hydra-maester
+ repository: file://../hydra-maester
+ version: 0.50.3
+digest: sha256:18facc7a0739ed1f51746992bbeced44d84b8e0727b89b33f48dad914f4ecebb
+generated: "2024-12-04T11:40:27.919030591Z"
diff --git a/helm/charts/hydra-distributed/Chart.yaml b/helm/charts/hydra-distributed/Chart.yaml
new file mode 100644
index 0000000000..7e4b48e69e
--- /dev/null
+++ b/helm/charts/hydra-distributed/Chart.yaml
@@ -0,0 +1,33 @@
+apiVersion: v2
+appVersion: "v2.2.0"
+description: A Helm chart for deploying ORY Hydra in Kubernetes with a distributed layout.
+name: hydra
+icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
+version: 0.50.3
+keywords:
+ - oauth2
+ - openid-connect
+ - openid
+ - oidc
+ - op
+ - api-security
+ - security
+home: https://www.ory.sh/
+sources:
+ - https://github.com/ory/hydra
+ - https://github.com/ory/k8s
+maintainers: # (optional)
+ - name: ORY Team
+ email: hi@ory.sh
+ url: https://www.ory.sh/
+type: application
+dependencies:
+ - name: ory-commons
+ version: 0.1.0
+ repository: file://../ory-commons
+ alias: ory
+ - name: hydra-maester
+ version: 0.50.3
+ condition: maester.enabled
+ alias: hydra-maester
+ repository: file://../hydra-maester
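Review bot: The last pattern, `*.txt`, has no path component, and as far as I recall Helm matches such patterns against the basename at any depth, so it would also exclude `templates/NOTES.txt` — which this same patch adds, per the diffstat — from the packaged chart; unless that is intended, drop the pattern or narrow it to the files it is meant to keep out. The file also ends without a trailing newline.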
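Review bot: `name: hydra` on the fourth line gives this chart the same name as the existing `helm/charts/hydra` chart, while the directory, the README title and the description all call it `hydra-distributed`; two charts sharing a name and `version: 0.50.3` cannot both be published to one chart repository index, and if the `hydra.fullname` helper derives resource names from `.Chart.Name` (likely, given the copied templates), installing both charts into one namespace would produce colliding resource names. `name: hydra-distributed` looks like the intent. The README in this patch also still shows `Version: 0.49.0` and `hydra-maester ... 0.49.0` against `version: 0.50.3` here, which suggests helm-docs was not re-run after the version bump.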
diff --git a/helm/charts/hydra-distributed/README.md b/helm/charts/hydra-distributed/README.md
new file mode 100644
index 0000000000..2048a2a17b
--- /dev/null
+++ b/helm/charts/hydra-distributed/README.md
@@ -0,0 +1,209 @@ +# hydra-distributed + +![Version: 0.49.0](https://img.shields.io/badge/Version-0.49.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.2.0](https://img.shields.io/badge/AppVersion-v2.2.0-informational?style=flat-square) + +A Helm chart for deploying ORY Hydra in Kubernetes with a distributed layout. Essentially the same as the Hydra chart +but the admin and public components are created as separate deployments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| ORY Team | | | + +## Source Code + +* +* + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://../hydra-maester | hydra-maester(hydra-maester) | 0.49.0 | +| file://../ory-commons | ory(ory-commons) | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| affinity | object | `{}` | | +| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods | +| cronjob.janitor.affinity | object | `{}` | Configure node affinity | +| cronjob.janitor.annotations | object | `{}` | Set custom cron job level annotations | +| cronjob.janitor.automountServiceAccountToken | bool | `true` | Set automounting of the SA token | +| cronjob.janitor.customArgs | list | `[]` | Configure the arguments of the entrypoint, overriding the default value | +| cronjob.janitor.customCommand | list | `[]` | Configure a 
custom entrypoint, overriding the default value | +| cronjob.janitor.extraContainers | string | `""` | If you want to add extra sidecar containers. | +| cronjob.janitor.extraEnv | list | `[]` | Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR | +| cronjob.janitor.extraInitContainers | string | `""` | If you want to add extra init containers. These are processed before the migration init container. | +| cronjob.janitor.extraVolumeMounts | list | `[]` | | +| cronjob.janitor.extraVolumes | list | `[]` | If you want to mount external volume | +| cronjob.janitor.labels | object | `{}` | Set custom cron job level labels | +| cronjob.janitor.nodeSelector | object | `{}` | Configure node labels for pod assignment | +| cronjob.janitor.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects | +| cronjob.janitor.podMetadata.annotations | object | `{}` | Extra pod level annotations | +| cronjob.janitor.podMetadata.labels | object | `{}` | Extra pod level labels | +| cronjob.janitor.podSecurityContext | object | `{}` | | +| cronjob.janitor.resources | object | `{"limits":{},"requests":{}}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi | +| cronjob.janitor.schedule | string | `"0 */1 * * *"` | Configure how often the cron job is ran | +| cronjob.janitor.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100}` | Configure the containers' SecurityContext for the janitor cronjob | +| cronjob.janitor.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. | +| cronjob.janitor.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account | +| cronjob.janitor.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| cronjob.janitor.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| cronjob.janitor.tolerations | list | `[]` | Configure node tolerations | +| deployment.admin | object | `{}` | This field acts as overrides only for the `hydra-admin` deployment object. | +| deployment.public | object | `{}` | This field acts as overrides only for the `hydra-public` deployment object. 
| +| deployment.annotations | object | `{}` | Set custom deployment level annotations | +| deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer | +| deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR | +| deployment.automountServiceAccountToken | bool | `false` | | +| deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":3,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Configure HPA | +| deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior | +| deployment.customLivenessProbe | object | `{}` | Configure a custom livenessProbe. This overwrites the default object | +| deployment.customReadinessProbe | object | `{}` | Configure a custom readinessProbe. This overwrites the default object | +| deployment.customStartupProbe | object | `{}` | Configure a custom startupProbe. This overwrites the default object | +| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. | +| deployment.extraContainers | string | `""` | If you want to add extra sidecar containers. | +| deployment.extraEnv | list | `[]` | Array of extra envs to be passed to the deployment. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR | +| deployment.extraInitContainers | string | `""` | If you want to add extra init containers. These are processed before the migration init container. 
| +| deployment.extraVolumeMounts | list | `[]` | | +| deployment.extraVolumes | list | `[]` | If you want to mount external volume | +| deployment.initContainerSecurityContext | object | `{}` | | +| deployment.labels | object | `{}` | Set custom deployment level labels | +| deployment.lifecycle | object | `{}` | | +| deployment.livenessProbe | object | `{"failureThreshold":5,"initialDelaySeconds":5,"periodSeconds":10}` | Default probe timers | +| deployment.nodeSelector | object | `{}` | Node labels for pod assignment. | +| deployment.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects | +| deployment.podMetadata.annotations | object | `{}` | Extra pod level annotations | +| deployment.podMetadata.labels | object | `{}` | Extra pod level labels | +| deployment.podSecurityContext.fsGroup | int | `65534` | | +| deployment.podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | | +| deployment.podSecurityContext.runAsGroup | int | `65534` | | +| deployment.podSecurityContext.runAsNonRoot | bool | `true` | | +| deployment.podSecurityContext.runAsUser | int | `65534` | | +| deployment.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | +| deployment.readinessProbe | object | `{"failureThreshold":5,"initialDelaySeconds":5,"periodSeconds":10}` | Default probe timers | +| deployment.resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi | +| deployment.revisionHistoryLimit | int | `5` | Number of revisions kept in history | +| deployment.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.securityContext.privileged | bool | `false` | | +| deployment.securityContext.readOnlyRootFilesystem | bool | `true` | | +| deployment.securityContext.runAsGroup | int | `65534` | | +| deployment.securityContext.runAsNonRoot | bool | `true` | | +| deployment.securityContext.runAsUser | int | `65534` | | +| deployment.securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` | | +| deployment.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | +| deployment.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. | +| deployment.serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| deployment.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| deployment.serviceAccount.name | string | `""` | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | +| deployment.startupProbe | object | `{"failureThreshold":60,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":1}` | Default probe timers | +| deployment.strategy.rollingUpdate.maxSurge | string | `"25%"` | | +| deployment.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | | +| deployment.strategy.type | string | `"RollingUpdate"` | | +| deployment.terminationGracePeriodSeconds | int | `60` | | +| deployment.tolerations | list | `[]` | Configure node tolerations. | +| deployment.topologySpreadConstraints | list | `[]` | Configure pod topologySpreadConstraints. | +| fullnameOverride | string | `""` | Full chart name override | +| hydra-maester.adminService.name | string | `""` | The service name value may need to be set if you use `fullnameOverride` for the parent chart | +| hydra.automigration.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand eg: - sleep 5; - kratos | +| hydra.automigration.customCommand | list | `[]` | Ability to override the entrypoint of the automigration container (e.g. to source dynamic secrets or export environment dynamic variables) | +| hydra.automigration.enabled | bool | `false` | | +| hydra.automigration.resources | object | `{}` | resource requests and limits for the automigration initcontainer | +| hydra.automigration.type | string | `"job"` | Configure the way to execute database migration. Possible values: job, initContainer When set to job, the migration will be executed as a job on release or upgrade. When set to initContainer, the migration will be executed when kratos pod is created Defaults to job | +| hydra.command | list | `["hydra"]` | Ability to override the entrypoint of hydra container (e.g. 
to source dynamic secrets or export environment dynamic variables) | +| hydra.config | object | `{"secrets":{},"serve":{"admin":{"port":4445},"public":{"port":4444},"tls":{"allow_termination_from":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]}},"urls":{"self":{}}}` | The ORY Hydra configuration. For a full list of available settings, check: https://www.ory.sh/docs/hydra/reference/configuration | +| hydra.config.secrets | object | `{}` | The secrets have to be provided as a string slice, example: system: - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa" - "foo bar 123 456 lorem" - "foo bar 123 456 lorem 1" - "foo bar 123 456 lorem 2" - "foo bar 123 456 lorem 3" | +| hydra.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand | +| hydra.dev | bool | `false` | Enable dev mode, not secure in production environments | +| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| image.repository | string | `"oryd/hydra"` | ORY Hydra image | +| image.tag | string | `"v2.2.0"` | ORY Hydra version | +| imagePullSecrets | list | `[]` | Image pull secrets | +| ingress.admin.annotations | object | `{}` | | +| ingress.admin.className | string | `""` | | +| ingress.admin.enabled | bool | `false` | En-/Disable the api ingress. | +| ingress.admin.hosts[0].host | string | `"admin.hydra.localhost"` | | +| ingress.admin.hosts[0].paths[0].path | string | `"/"` | | +| ingress.admin.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | +| ingress.public | object | `{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"public.hydra.localhost","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}]}` | Configure ingress for the proxy port. | +| ingress.public.enabled | bool | `false` | En-/Disable the proxy ingress. 
| +| janitor.batchSize | int | `100` | Configure how many records are deleted with each iteration | +| janitor.cleanupGrants | bool | `false` | Configure if the trust relationships must be cleaned up | +| janitor.cleanupRequests | bool | `false` | Configure if the consent and authentication requests must be cleaned up | +| janitor.cleanupTokens | bool | `false` | Configure if the access and refresh tokens must be cleaned up | +| janitor.enabled | bool | `false` | Enable cleanup of stale database rows by periodically running the janitor command | +| janitor.limit | int | `10000` | Configure how many records are retrieved from database for deletion | +| job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. | +| job.automountServiceAccountToken | bool | `true` | Set automounting of the SA token | +| job.extraContainers | string | `""` | If you want to add extra sidecar containers. | +| job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR | +| job.extraInitContainers | string | `""` | If you want to add extra init containers. extraInitContainers: | - name: ... image: ... | +| job.labels | object | `{}` | Set custom deployment level labels | +| job.lifecycle | string | `""` | If you want to add lifecycle hooks. | +| job.nodeSelector | object | `{}` | Node labels for pod assignment. 
| +| job.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects | +| job.podMetadata.annotations | object | `{}` | Extra pod level annotations | +| job.podMetadata.labels | object | `{}` | Extra pod level labels | +| job.resources | object | `{}` | resource requests and limits for the automigration job | +| job.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. | +| job.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account | +| job.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| job.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| job.shareProcessNamespace | bool | `false` | Set sharing process namespace | +| job.spec.backoffLimit | int | `10` | Set job back off limit | +| job.tolerations | list | `[]` | Configure node tolerations. 
| +| maester.enabled | bool | `true` | | +| nameOverride | string | `""` | | +| pdb.enabled | bool | `false` | | +| pdb.spec.maxUnavailable | string | `""` | | +| pdb.spec.minAvailable | string | `""` | | +| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ | +| replicaCount | int | `1` | Number of ORY Hydra members | +| secret.enabled | bool | `true` | switch to false to prevent creating the secret | +| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods | +| secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created | +| secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. | +| service.admin | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","metricsPath":"/admin/metrics/prometheus","name":"http","port":4445,"type":"ClusterIP"}` | Configures the Kubernetes service for the api port. | +| service.admin.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. | +| service.admin.enabled | bool | `true` | En-/disable the service | +| service.admin.loadBalancerIP | string | `""` | The load balancer IP | +| service.admin.metricsPath | string | `"/admin/metrics/prometheus"` | Path to the metrics endpoint | +| service.admin.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. 
Istio) | +| service.admin.port | int | `4445` | The service port | +| service.admin.type | string | `"ClusterIP"` | The service type | +| service.public | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","name":"http","port":4444,"type":"ClusterIP"}` | Configures the Kubernetes service for the proxy port. | +| service.public.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. | +| service.public.enabled | bool | `true` | En-/disable the service | +| service.public.loadBalancerIP | string | `""` | The load balancer IP | +| service.public.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) | +| service.public.port | int | `4444` | The service port | +| service.public.type | string | `"ClusterIP"` | The service type | +| serviceMonitor.enabled | bool | `false` | switch to true to enable creating the ServiceMonitor | +| serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata | +| serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. | +| serviceMonitor.scrapeInterval | string | `"60s"` | Interval at which metrics should be scraped | +| serviceMonitor.scrapeTimeout | string | `"30s"` | Timeout after which the scrape is ended | +| serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint | +| test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository | +| test.labels | object | `{}` | Provide additional labels to the test pod | +| watcher.automountServiceAccountToken | bool | `true` | | +| watcher.enabled | bool | `false` | | +| watcher.image | string | `"oryd/k8s-toolbox:0.0.5"` | | +| watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. 
eg: /etc/secrets/my-secret/foo | +| watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects | +| watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations | +| watcher.podMetadata.labels | object | `{}` | Extra pod level labels | +| watcher.podSecurityContext | object | `{}` | pod securityContext for watcher deployment | +| watcher.resources | object | `{}` | | +| watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history | +| watcher.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100,"seccompProfile":{"type":"RuntimeDefault"}}` | container securityContext for watcher deployment | +| watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) 
diff --git a/helm/charts/hydra-distributed/charts/hydra-maester-0.50.3.tgz b/helm/charts/hydra-distributed/charts/hydra-maester-0.50.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..ed2026dc3e6a226c27e0414d5a08d65132ac5af1 GIT binary patch literal 7881 zcmV;)9yZ}0iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBhciXnIXg~8;%$CntP12B({7Sd(%IflV(r%yT;bkY?>)bRu zfk;R~O#&0l#M;_e`KiDD(3j-pYtvl}E>#GK?(KRkec;xvO;F$&BWho6fn z<`hdT0urkd3n_Ck84fwRh~`8tifJJ*j~SJi$|z>pkn!a(VX+uyNOPV3EhLg89+GT6 zOxc`;nlU4BJ`X6$@C0g%8pvgiCxG%iB{5Q%1?LX!QM5OTc7o4M*gwftm;ZB=7FgW2 z0$45o8l+oS!j^8YEWEeJz+R%BDmfz5zpEl~mpg#_m*TV|Nbz&<`?1(g#R z2d!G?LObm|1|ecNJiuY_6&d*3k-*hO3u<0b6B8r42LI=4_-V5 zL=!l9eDDZR9AhCsGC*kxr#R+VYV70!gVGElM==(V5+QK{Q=GDkD8Lj=Q=B|2-%sGx z>%g>nO6WZG>O#g69Kq2HY%L8suJF1bX$lue#tW_RI2Nqns!c}ICCoU>JYYlu5tei~ z0YdKsnN!9Iodc5#%tatH0wr!wS%N1pL#e<)Kr%GPlK?=Y`kXJ}pT2;Cejk7uCnks@ z=>!;GCd0aV?5%ILWB?%1+^P8e5M{~!uB&yV+JL-BQ^;9L;$;B(?pWVU;Ar-Y$zzU% z;*6kKMVKKnJvlDY)Q*`q0>>$z9jd3pZj~SU4Tr2xw z&XUkU2y>2crl+T2;2s{PNQh^8;us79)kqjBUZXfx1tCEaX{JgtLP21DPGYQBS(7W! 
zk5A3hay0C{9_#@0zt+2)ajD3~xSYW5?(SYyKpMVE38qp2rb*5SmG?m`Sdl8ug||cd z_N`_#jS7sTcS;&GoVP=bSXZ&_=v@FM)Ctr}mRQ6KoM9-05*5oE7NxRo1W(aYp)*k9 zG62TSFEI!Jga%+Hc?a~xlT(OM7-KFWN76{i!UL_iEfp_#A>^rK93LaO(BtB;IwQG; z=ujb4;JDyeu`8Lm86L{#s=_bo)v^?v8RHj-CpbCgOtOg^@<*i(1Circ0RzKIL8aa% zTA-{{s~dp#AN0R1fPX1+6(~)Yz;Vp74ATTClZtx`$R#9rhKf{rszK>5$sol_r^y8o zfCM1bw1^2Sgo7S0m|`16F~uFqQi|Y(E}sepgvJ~rfrT=-Xl(v-DS#Ig7zIqv31>9Z zEOkNT0#YJniXHe8q5B|;c%hJZN+?l+rZwJ@6_7BvK(y8$uUbJ(pAGlUSemj6Lg%i5 zlu%U)CBGFy7s*r`6f32T`0~Cc1jiZEWWW#?JYB++Yn_c|N+o?;k^bAr!cEmYVTWQ1 z0OGuuz<4yu$|o7lwDQ{-Jtg)b$G;a?Y*uYsRVx*qA%vqsre-<7?-x+PDs~bH4*)l8(s)mdjoY*^e|IC#&w{@UTRlDmUYxIl=4Y7=eR^bkPsHz;t zD0xoPC_j=Ei=~h_ zYm#R}s&$hHDUm$p5J$IHpPw_cUComAB zNj%=(xgYQD?GH*>dBze9DVpL`XsxBV2?;^wS_vunr7XdxIK{DKd}0*o)(TxiD}bxC z&DO1`8bm3R$aGgL8zm?+#wIXDyzJwlwKcFoPO=mmyF;id-fbnTwV6g!&`36TEjnpG z@Q`ry=?7p)1?~qX;IU-bA)O%ifN+(0_PS5a#vhodi zT&16}QYH2#s@rORFzVFP#RAipR3J&jj3|400*}};CY9-t6saqwyH&DDsV22Pv7Ia* zf?DV|TJ)R(E6Wioq?$Qh*>0*ORG0^fO65&CIsmMaku9qc38RYSn;}1SgOXj$@fFm5?Yt&RJr3TNxb-GGC}Q*Yr0WYqKtA z$x{o$&3j=8k2UM4<_s&9Ok@e~7_X;zooT_puUOAn?Z(HW9Xl22{hvgL0*m3^gZCODQ@L-1(%Q;67p~i9-wQZ6KC)8%dqFrBh8~z_L2 z%?Kq~k-6D|GLEs zGCkLmoKFf5OHcEd#ZTF>Hjs`{?^2FvHX~H6=)pN6sZl1DG8uaJlA_w<&+SV2Q(krdpTt?7A|_w>1=Hm$N{A7+Xy@d8ia-tfbR zK$Qv}zsvQq);ivR&5WI;_lyEtE>w$QLNN?#oE51W0|=`!dcho-4JWlMg6J3Hd{!l& zpJUERg5grBa2mt@j{Zrq(_%Iw?_dyCz|?|V{We%0a*QMfRJJiI)Y|>`0;Oa|aH3`% zjeivU3mfRVyi{$dz6hA&7!?A8U>WxIH%zZ*1gDA7-+GnmCI=$m&UC3M^61&ADof~G zYq7gga5MvsQ?-&eKyrj!BIXTQIH4}`{Pk@V<`2tIrW7C6l!u^8&Euc~8dqbsdi3A}&b7=2G*4ABnC zZP0F5MHsD+!OLAzWVIH$~%7Z z-QYF*zvJ!EsA2y-810Y0+JB$ovhuHHr#rNosC`8dnN1(NA9Q!Ka$<1TiWbZeNnt?f zIZ8=V?jR`(Q`tIt--mJIP8c+GUKoafAEJWtTnx|0!5N{+#B-SindbyqH@8%#lAbC` zpNQG{Q3UC(=Vr7BE`bu7U@BqPKrr?64vZs>CqbU;&J{NmB>P{KrTqZy)Zx~`Zg<{H z7q%ULZ{F1H-gK{3X%{e6h3AoLdE>ON-0X{od5S2Wc-!Qmnay~x+GBTxQCa8E>zc*^ zoC>o&sQJd~BYlmmtwh{HlfJKM^B(*DtWVi( zbc^j)ey)!8n?V#6oK|>6usIH`o}b%I%^D2PDs0l-Zi4preNDYhM`VrL*3)QSODii? 
zu*+RS;cxSmGVQOVYTYyuIxz4W*N>tqBnLixn6zF?G=~o#22DuEUSLhDP8D@i$024} zhG;VJ9x3F9O`YYtsjFgPm|@9Dtc>J@KOApAh(^&U8c)6-eLrfIH9D=}>BIN$og+Sh zft~A#D4z{h8U-IdOol_RgS9et@$EbZcltDHefbi>-8xx(gmcDa9b@&Rv^oTqc29+d zILqa-2YX$q(MU^5Yc*ULO&4nJokA??0^86>9imu|bLncNED`3a$U~3lt1EAYKu7di z7Zzni+{5OaX5!?o)wU<)im{_=bEFFe^)}4)>xbQ{VhxbZkgAP-J3^@oGgm4UXCx1G zkkj&EpKz=PY4N-QnyqlGE-Ym#La9oH%1Xq&2(AUzNyl?P=4Hb{Zw1RVTe`w5WC2uD z(Rh0!yc>aHo3&f*`}Mcy&09~g5Nd8PK|TpSA9^ptl+9OHv(w3s#0G+`BWoilrjAx; z#LQ;BZo=*FdyCTbEzDnD0!cx74S5#~frWRe( zXEu60@yj=Dtt(lH?OD%m_yVRN*QgqrrAupf997s^JRle{TQRU;XOy|K`c`){X(K+5aDpMh_bP-@VvCbLt=XXQ4bgH7P>RwcjTr#Db(M;9) zu%@b40QF*|EXZ2aR3|{s(f+yF@ay%Nu0H+GrzpOy31E%>-`j1S|K8i*{<{D7Nv@`X zFEx98<#Pk2?k&ekr_cmiYSVKI-F!Q4l|@@$TDE=pt*waF8+8qRN@hAvdyThDQQeUF zFfCMPPFRX-`Bi`9ot9oqca&PsTSH46YjDMQZ#PA)uV-6D48-uT0H|@ns|y zgV*NFN$Ku@R|BRH+O}s32lt`=Kp){Rgspgv`BYb$W2uU!MCkuI6k7d=b%>PuRpg2N zmAjV-PO-!qR0GE@yzCLEX3Kp|zV4>~KL||-oqw`n2&c9|QJ8RkGa{Yhr45_tnrtOx&YP_Y&;Y!IJ3?COpy$Pt}a5l5}m4!5oZ zOlSJ#{L_eaB~Kqmcxt^|As^QfhZ6R!a=gbdx5w%A!T#$xChP0JXo1sA=PSXt*v7j2 zUwh-dX8xb?{^;xa?^9e`aEzqH+?)tBL$A;9!n7c%(g~2G_zcalh=MJ1Zc`L_&bSmH z7C22|p0cU&(Gfbo4;-gRl5=cwfmF{CO@b|;c&_CV?&KWL$UB^vh1%clM(~`bOJG#j zR474?xjyzC1<|9^H+p|L*aCYB;g`cxNC+1}G$(SX{~GjzX!-{q>c8&6Vm?%V+^smL z!wS$8#b-sX&pwIZUL-E^;9fLEXTiNlW_fV${{>s{3*v+o0*)R%7D1GAru1PDkp!cm zDaYAwe@2~Am;aN;2aldUjy|cI5%>TDD{wn{UX%w3z3ta` z+(~be%_FhU=iiiNF-6H74{hnt6b=cUF`j7=N9hkjE>rw)mLeI7-wVX?UHIFp7tP## zYg$m{L$CNIZ5*`o7_Mohsu9`>YugEeRoM`OEu}V;%^C!k@H1Y*C8(~zCD;rh`d67- z5iWzvP+jJ)`&av=?}AI{jySsnA$6j$OL#k|Cx9Bfh07b~pjwlE3R;+Tgf3mel(AG{ zs1JH;v^Glr)P`=O2CF_(lA3N-2cp`wbVT1J7<#?k-QC^u>zKFAIyQ!}MqhmxLRY;} zPOWxh?Qp7EySmM_DYpz*7ol-!6GkWi?>{I2J*W6}wMKwkz4o9Amm5q50}X7WoC#f^ z{n)#XPTnl1LaV`5F+CMqN?u^o`fX&WXd+R?Z>$=VdPmovwaQiCUcFY}R@7)0-XuF$6JRassokA5NsOA%ywLxKFn9zVOx}OEKd^fe zllLEVLmw;g%L)u@8yfAduSoT>3TWEL8Qqy?IzTm|h$5Q;tWw1~qg5Ao^jG$?lGPPR zBSG1QV5ej)#!D-GY3zeboQVLsmgwK9Xz^IxNR`JEkIY{uFlGvvsP#I4f(2B zx1J_0GICxUh+3++%|PCqPwV@*s}*x&er;qsS`B%PLfts0QnQuS=ai~p8g+HvkA`hd 
zm@CrPwZZhoxAp^Fon=n9(Du&-O z;W7xqD_y}sA=w;LrI~PIS~Omi(k?Dk=i$`?r&*}R63)lbc-Qwwd6@?(;}?u2zYWXc zLz{3(3~jx;e@6H0N5AU+-+ z0w;{VAQ=`CW%&eXk*4LoZJj&)XqPgAd~P;`YwzrivO&sp==p(ybm-F5gPtRQZoPU! zgn6B(1xINE19Og_(0P#}UVo=k=Cd46pj6^X0B)kTsJLV2=VO%S3p94eYvKjYP<5(? z<(M8EAN{g(+IRs_`$UhAxYFE8_nRtZp7|R3aBzI&!OA(yG52#}yBPSAOB!b`{ni_= z00s(WYnPa$R0bnU0&FwFAd^l|pC`|a(dDxK*Dp2$M6DGbX}_(SfUE;MX7n6$sl9-6 zO8zLJJEvU>oQ`%@^RDwJp|rrp?UJD-aICHUf_f0`M{?jP<863^&RClW-i+mBDrQ+$ zP$HK@EgocANXEr5QLC$=AoCFMctIqNWx??f+d?t_OgioTGOFT{URZl#`tN^$yx%~>H&vEIBn zv8hA4iKQJ={?`<)NX>t&X%+s#Sc(y~D%XB4p}TiF>%Llv8D)IzZ$}}iv^PoMjxY_t z(WAR?m?DzFv0;rX!%D^kA|#beX= zH>n2xrr<0_TCcR(l=%AJ4z*X6(U zB=*B(IE?Py?WItU@E8$(X1{iIWwIQW)txQ6C^AGtj!~lhK-RLTrIha18g_@-XxeI% z8Pg;z1m=(w8d^OD^r~IfQR{?Jn@Qt3-9DlTiIr`svnv{iIH}v_v0hD8c9St;d*&il z-!MLsXo>^|&Mts)piD+4&;-ViVMIlVKd@Q9JZelVsqb4c+O`1BFwV7^&GUu&r`7W?*-;d$Pq^w zmRM&auM~2>^6f^C$VE%}YRdO(-zzK7_DEh=gSH3fR#hm+G{M|VYls4wDH2yoG=c-F z#;g-oIgX9t(c{`Nzv^N=mY%En^x%JMgIi*vI%OQURWCbX>5Qt#>IG*(*-y_U*laLi z8!ls1Yd1sz{nwi|C^juSKd-K?+AxcJlQo0uit?Wv+9%Tp4Q?%7)v;CRNdSiI4e z{&j5m481$j6olQbw}jfa<14NMw6E|W$w()ItmU77merl1V?G*%()t%~EMw?Zp-xuO zH@U1{K&@J219+bT?HPy-R<{6;od?GDsPxFVC9R1$bjdJ4EdrFb=>;g6PQ6&x| zUYZG4Yk21J$7@HSdfp2#=j@!=sqt-yVR4pUO3XjfX!wDGcYse{Cjpz zV6z$EbF605UPxVS6XCwc+M_)iL^kunC7aEzO=|s3-kT8knDJ5&be!-SA+XHe3-6-| zL6rgZZBLa9y(3wXna@b>t)yt50k3<&(;HD#*>#qn>gQ(kgd$%lznjyuq}wWW_0~&) zyMmlgFrCZA1ope;B)F=b1DkrZI{d!s`t9OOyyWCs^Vt8Gy70(+LBtKt#R7A4_dlo4 zpTWQIRG(=$#j-j*(5>RIiPP3@eQk*6n9mr`oXarhmf z+mN5*u%Ks@UC_{cqpAmX&V)3ptI~VT$@NU;<2I<1qn7z>^rets7Mq=re1Cc67j_E4 zo09+XE_{B|L0dOey+hIKO8PoH)y1*M85Q{Y>(CP)Le~IQ%Rkpx{|eCb!8)Y8wQG#1 zUWC}Ewe{V~<-`rvv%Mo+^|yDSTkEOo)iu_38$XC6)c;nK_eq2$wv4mJrlA15o|EJ-<>3$?B7t@_fDZP|S%1_W* zv#MJM>RHE`1y>avUHb`{VUeTtAwcEn6N4+7vcg7+K(zaXsjrOR&F^b#F ztZ!TsH*$5nSl|*@XUO@}1LzH=#O`1Bf@x#y?E&;T^GXdlc%^jRcXz0`EW~9dF2!Yb zxwzYmL37tyms&6VoK^DiXh)L&M7q`XMm`?#Y%_mi3byyIzI4fLWBfVk=XUA75UQ=) zHH0sSR-a3^ebF@f?LxkpV#G23LO7}yOoi#^q*qS0-JYq?^Vb9$B4JW9U;kK#u3kIX!KQle=;kLoVn!3v 
z_!L)l-ONYqqjc!nsoYRy)8M6S>)o<|(zV>($@N_|SNB*{*J^))8vnryUf@1HwMBkJ zsaR9yrP=oDEwffr*do^l&@UMdM?274w5XN>BwhU%1Tm&P+}t-~=oLkw02Yq+dvL}T`t^XlV) zSE9v98%|@(2J2_qOU&Z9;C!{>HLB3nnRZK3g<>0I@CKwrY8oZ**xm($xSd`A+0^HIvyJdsYNdc$+-UPw*Rb{ nc6^J~DrI>8m&xG$_4;~!y}n-8yZ(Ow00960L}H;S0IUE2{u5Fm literal 0 HcmV?d00001 diff --git a/helm/charts/hydra-distributed/charts/ory-commons-0.1.0.tgz b/helm/charts/hydra-distributed/charts/ory-commons-0.1.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..91570363f55eb7ed5afabb5ac6d62a8466c45661 GIT binary patch literal 687 zcmV;g0#N-QiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI#@Yui2)&9gqm{WXF97Ft>P4}m?Uh3#b>bo8~z_O-1>mNZFr z>xJyI58F%Yg+U({T1s;sB;BhcUD;RXB5kYlNawj$E?8yUdRp;Z_6`ch7@JS0P0twH z@7Z`V>5Zm~@sv##^Vzh=Mw97$)&q9fWBeV3^W65>KgZhtxHkfB#0^>}v|2(rCft}u zlTk()iP1$?7~i-~S6WJpY6Elv8A^i|l0vnvL|gC~!j-My6UrP=mBMP3qw;V{6wh%9 zof}7dWpD{ngqGWiluwaIl#$o|HSYpl{d>%f}6FA>)2|!IB>^KgVA3>-XAAkb;gVC<)&W}3tma7zDus(x9S#vr&wxpIO62R{; zC}~|_o;KZ401{oO_>qn(?!?$x-SKNDD0td9is<3b9Bl+cUo z+iR~al0K}O>k2okYlww)gr>p=P1_!y(C~*1ns(>N(x7g3rYlwOv{A^TbzvY85*-;* zcW=m$hI~zi)aUhBTal9CPtu1QZiOx!e7?AJgc_@x0!c-TJZR}w-w|56NXHnwr#f=P V5l6f|{0aa7|Nq)3{=fhb003cWMz8 $path$file modified" + rollOut "${LABEL_SELECTOR}" + done +done diff --git a/helm/charts/hydra-distributed/templates/NOTES.txt b/helm/charts/hydra-distributed/templates/NOTES.txt new file mode 100644 index 0000000000..473a86dddc --- /dev/null +++ b/helm/charts/hydra-distributed/templates/NOTES.txt 
@@ -0,0 +1,97 @@ +{{ include "hydra.check.override.consistency" . }} +The ORY Hydra HTTP Public API is available via: +{{- if .Values.ingress.public.enabled }} +{{- range $host := .Values.ingress.public.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.public.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.public.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "hydra.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export HYDRA_PUBLIC_URL=http://$NODE_IP:$NODE_PORT + curl $HYDRA_PUBLIC_URL/.well-known/openid-configuration + +If you have the ORY Hydra CLI installed locally, you can run commands +against this endpoint: + + hydra token client \ + --endpoint $HYDRA_PUBLIC_URL \ + # ... + +{{- else if contains "LoadBalancer" .Values.service.public.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "hydra.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "hydra.fullname" . }}-public -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + export HYDRA_PUBLIC_URL=http://$SERVICE_IP:{{ .Values.service.public.port }} + curl $HYDRA_PUBLIC_URL/.well-known/openid-configuration + +If you have the ORY Hydra CLI installed locally, you can run commands +against this endpoint: + + hydra token client \ + --endpoint $HYDRA_PUBLIC_URL \ + # ... + +{{- else if contains "ClusterIP" .Values.service.public.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "hydra.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:{{ .Values.service.public.port }} to use your application" + kubectl port-forward $POD_NAME {{ .Values.service.public.port }}:{{ .Values.hydra.config.serve.public.port }} + export HYDRA_PUBLIC_URL=http://127.0.0.1:{{ .Values.service.public.port }}/ + curl $HYDRA_PUBLIC_URL/.well-known/openid-configuration + +If you have the ORY Hydra CLI installed locally, you can run commands +against this endpoint: + + hydra token client \ + --endpoint $HYDRA_PUBLIC_URL \ + # ... + +{{- end }} + +The ORY Hydra HTTP Admin API is available via: +{{- if .Values.ingress.admin.enabled }} +{{- range $host := .Values.ingress.admin.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.admin.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.admin.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "hydra.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export HYDRA_ADMIN_URL=http://$NODE_IP:$NODE_PORT + curl $HYDRA_ADMIN_URL/clients + +If you have the ORY Hydra CLI installed locally, you can run commands +against this endpoint: + + hydra clients list \ + --endpoint $HYDRA_ADMIN_URL + +{{- else if contains "LoadBalancer" .Values.service.admin.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "hydra.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "hydra.fullname" . 
}}-admin -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + export HYDRA_ADMIN_URL=http://$SERVICE_IP:{{ .Values.service.admin.port }} + curl $HYDRA_ADMIN_URL/clients + +If you have the ORY Hydra CLI installed locally, you can run commands +against this endpoint: + + hydra clients list \ + --endpoint $HYDRA_ADMIN_URL + +{{- else if contains "ClusterIP" .Values.service.admin.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "hydra.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:{{ .Values.service.admin.port }} to use your application" + kubectl port-forward $POD_NAME {{ .Values.service.admin.port }}:{{ .Values.hydra.config.serve.admin.port }} + export HYDRA_ADMIN_URL=http://127.0.0.1:{{ .Values.service.admin.port }}/ + curl $HYDRA_ADMIN_URL/clients + +If you have the ORY Hydra CLI installed locally, you can run commands +against this endpoint: + + hydra clients list \ + --endpoint $HYDRA_ADMIN_URL + +{{- end }} diff --git a/helm/charts/hydra-distributed/templates/_helpers.tpl b/helm/charts/hydra-distributed/templates/_helpers.tpl new file mode 100644 index 0000000000..5b9b24655c --- /dev/null +++ b/helm/charts/hydra-distributed/templates/_helpers.tpl 
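Review bot: The NodePort branches of both sections query `services {{ include "hydra.fullname" . }}`, while the LoadBalancer branches use `{{ include "hydra.fullname" . }}-public` / `-admin` and the deployment and hpa templates in this commit suffix their resources the same way, so the NodePort instructions appear to name a service this chart does not create; `services {{ include "hydra.fullname" . }}-public` (and `-admin` in the admin section) would match the rest of the chart. The ClusterIP branches select a pod with only the name and instance labels, which now matches admin and public pods alike because they are separate deployments, so the public port-forward can land on an admin pod whose container does not listen on the public port. Adding `app.kubernetes.io/component=public` (respectively `admin`) to the `-l` selector pins each command to the intended component.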
@@ -0,0 +1,229 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "hydra.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "hydra.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "hydra.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Ensure there is always a way to track down source of the deployment. +It is unlikely AppVersion will be missing, but we will fallback on the +chart's version in that case. +*/}} +{{- define "hydra.version" -}} +{{- if .Chart.AppVersion }} +{{- .Chart.AppVersion -}} +{{- else -}} +{{- printf "v%s" .Chart.Version -}} +{{- end -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "hydra.labels" -}} +"app.kubernetes.io/name": {{ include "hydra.name" . | quote }} +"app.kubernetes.io/instance": {{ .Release.Name | quote }} +"app.kubernetes.io/version": {{ include "hydra.version" . | quote }} +"app.kubernetes.io/managed-by": {{ .Release.Service | quote }} +"helm.sh/chart": {{ include "hydra.chart" . | quote }} +{{- if $.Values.watcher.enabled }} +{{ printf "\"%s\": \"%s\"" $.Values.watcher.watchLabelKey (include "hydra.name" .) 
}} +{{- end }} +{{- end -}} + +{{/* +Generate the dsn value +*/}} +{{- define "hydra.dsn" -}} +{{- if .Values.demo -}} +memory +{{- else if and .Values.secret.nameOverride (not .Values.secret.enabled) -}} +dsn-loaded-from-env +{{- else if not (empty (.Values.hydra.config.dsn)) -}} +{{- .Values.hydra.config.dsn }} +{{- end -}} +{{- end -}} + +{{/* +Generate the name of the secret resource containing secrets +*/}} +{{- define "hydra.secretname" -}} +{{- if .Values.secret.nameOverride -}} +{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{ include "hydra.fullname" . }} +{{- end -}} +{{- end -}} + +{{/* +Generate the secrets.system value +*/}} +{{- define "hydra.secrets.system" -}} + {{- if (.Values.hydra.config.secrets).system -}} + {{- if kindIs "slice" .Values.hydra.config.secrets.system -}} + {{- if gt (len .Values.hydra.config.secrets.system) 1 -}} + "{{- join "\",\"" .Values.hydra.config.secrets.system -}}" + {{- else -}} + {{- join "" .Values.hydra.config.secrets.system -}} + {{- end -}} + {{- else -}} + {{- fail "Expected hydra.config.secrets.system to be a list of strings" -}} + {{- end -}} + {{- else if .Values.demo -}} + a-very-insecure-secret-for-checking-out-the-demo + {{- end -}} +{{- end -}} + +{{/* +Generate the secrets.cookie value +*/}} +{{- define "hydra.secrets.cookie" -}} + {{- if (.Values.hydra.config.secrets).cookie -}} + {{- if kindIs "slice" .Values.hydra.config.secrets.cookie -}} + {{- if gt (len .Values.hydra.config.secrets.cookie) 1 -}} + "{{- join "\",\"" .Values.hydra.config.secrets.cookie -}}" + {{- else -}} + {{- join "" .Values.hydra.config.secrets.cookie -}} + {{- end -}} + {{- else -}} + {{- fail "Expected hydra.config.secrets.cookie to be a list of strings" -}} + {{- end -}} + {{- else -}} + {{- include "hydra.secrets.system" . 
}} + {{- end -}} +{{- end -}} + +{{/* +Generate the configmap data, redacting secrets +*/}} +{{- define "hydra.configmap" -}} +{{- $config := omit .Values.hydra.config "dsn" "secrets" -}} +{{- tpl (toYaml $config) . -}} +{{- end -}} + +{{/* +Generate the urls.issuer value +*/}} +{{- define "hydra.config.urls.issuer" -}} +{{- if .Values.hydra.config.urls.self.issuer -}} +{{- .Values.hydra.config.urls.self.issuer }} +{{- else if .Values.ingress.public.enabled -}} +{{- $host := index .Values.ingress.public.hosts 0 -}} +http{{ if $.Values.ingress.public.tls }}s{{ end }}://{{ $host.host }} +{{- else if contains "ClusterIP" .Values.service.public.type -}} +http://127.0.0.1:{{ .Values.service.public.port }}/ +{{- end -}} +{{- end -}} + +{{/* +Check overrides consistency +*/}} +{{- define "hydra.check.override.consistency" -}} +{{- if and .Values.maester.enabled .Values.fullnameOverride -}} +{{- if not .Values.maester.hydraFullnameOverride -}} +{{ fail "hydra fullname has been overridden, but the new value has not been provided to maester. Set maester.hydraFullnameOverride" }} +{{- else if not (eq .Values.maester.hydraFullnameOverride .Values.fullnameOverride) -}} +{{ fail (tpl "hydra fullname has been overridden, but a different value was provided to maester. {{ .Values.maester.hydraFullnameOverride }} different of {{ .Values.fullnameOverride }}" . ) }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "hydra.utils.joinListWithComma" -}} +{{- $local := dict "first" true -}} +{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "hydra.serviceAccountName" -}} +{{- if .Values.deployment.serviceAccount.create }} +{{- default (include "hydra.fullname" .) 
.Values.deployment.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.deployment.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the service account for the Job to use +*/}} +{{- define "hydra.job.serviceAccountName" -}} +{{- if .Values.job.serviceAccount.create }} +{{- printf "%s-job" (default (include "hydra.fullname" .) .Values.job.serviceAccount.name) }} +{{- else }} +{{- include "hydra.serviceAccountName" . }} +{{- end }} +{{- end }} + +{{/* +Create the name of the service account for the Job to use +*/}} +{{- define "hydra.cronjob.janitor.serviceAccountName" -}} +{{- if .Values.cronjob.janitor.serviceAccount.create }} +{{- printf "%s-cronjob-janitor" (default (include "hydra.fullname" .) .Values.cronjob.janitor.serviceAccount.name) }} +{{- else }} +{{- include "hydra.serviceAccountName" . }} +{{- end }} +{{- end }} + +{{/* +Checksum annotations generated from configmaps and secrets +*/}} +{{- define "hydra.annotations.checksum" -}} +{{- if .Values.configmap.hashSumEnabled }} +checksum/hydra-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} +{{- end }} +{{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }} +checksum/hydra-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} +{{- end }} +{{- end }} + +{{/* +Check the migration type value and fail if unexpected +*/}} +{{- define "hydra.automigration.typeVerification" -}} +{{- if and .Values.hydra.automigration.enabled .Values.hydra.automigration.type }} + {{- if and (ne .Values.hydra.automigration.type "initContainer") (ne .Values.hydra.automigration.type "job") }} + {{- fail "hydra.automigration.type must be either 'initContainer' or 'job'" -}} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Common labels for the janitor cron job +*/}} +{{- define "hydra.janitor.labels" -}} +"app.kubernetes.io/name": {{ printf "%s-janitor" (include "hydra.name" .) 
| quote }} +"app.kubernetes.io/instance": {{ .Release.Name | quote }} +"app.kubernetes.io/version": {{ include "hydra.version" . | quote }} +"app.kubernetes.io/managed-by": {{ .Release.Service | quote }} +"app.kubernetes.io/component": janitor +"helm.sh/chart": {{ include "hydra.chart" . | quote }} +{{- end -}} diff --git a/helm/charts/hydra-distributed/templates/configmap-automigrate.yaml b/helm/charts/hydra-distributed/templates/configmap-automigrate.yaml new file mode 100644 index 0000000000..6dbcc8854b --- /dev/null +++ b/helm/charts/hydra-distributed/templates/configmap-automigrate.yaml @@ -0,0 +1,18 @@ +{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "job" ) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "hydra.fullname" . }}-migrate + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.labels" . | nindent 4 }} + annotations: + helm.sh/hook-weight: "0" + helm.sh/hook: "pre-install, pre-upgrade" + helm.sh/hook-delete-policy: "before-hook-creation" +data: + "hydra.yaml": | + {{- include "hydra.configmap" . | nindent 4 }} +{{- end }} diff --git a/helm/charts/hydra-distributed/templates/configmap.yaml b/helm/charts/hydra-distributed/templates/configmap.yaml new file mode 100644 index 0000000000..0f84335ecb --- /dev/null +++ b/helm/charts/hydra-distributed/templates/configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "hydra.fullname" . }} + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.labels" . | nindent 4 }} +data: + "hydra.yaml": | + {{- include "hydra.configmap" . | nindent 4 }} diff --git a/helm/charts/hydra-distributed/templates/deployment-admin.yaml b/helm/charts/hydra-distributed/templates/deployment-admin.yaml new file mode 100644 index 0000000000..b6c120b92e --- /dev/null 
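Review bot: `hydra.cronjob.janitor.serviceAccountName` carries the copy-pasted header "Create the name of the service account for the Job to use"; it should read "Create the name of the service account for the janitor CronJob to use" so the two helpers are distinguishable when grepping. The demo branch of `hydra.secrets.system` emits a fixed, publicly known string as the system secret, and `hydra.secrets.cookie` falls back to that same helper when no cookie secret is set, so a comment above that branch such as `{{/* demo mode only: this value is public, never enable demo outside local evaluation */}}` would make the trade-off visible to whoever next edits the helper. `hydra.check.override.consistency` reads `.Values.maester.*`; whether this new chart ships a maester dependency is not visible in this diff, so that reference is worth confirming against values.yaml.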
+++ b/helm/charts/hydra-distributed/templates/deployment-admin.yaml 
@@ -0,0 +1,245 @@ +{{- include "hydra.automigration.typeVerification" . -}} +{{- $deployValues := merge .Values.deployment.admin (omit .Values.deployment "admin" "public") -}} +{{- $migrationExtraEnv := ternary $deployValues.automigration.extraEnv $deployValues.extraEnv (not (empty $deployValues.automigration.extraEnv )) -}} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "hydra.fullname" . }}-admin + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.labels" . | nindent 4 }} + {{- with $deployValues.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/component: admin + annotations: + {{- with $deployValues.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if not $deployValues.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} +{{- end }} + revisionHistoryLimit: {{ $deployValues.revisionHistoryLimit }} + strategy: + {{- toYaml $deployValues.strategy | nindent 4 }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "hydra.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: admin + template: + metadata: + labels: + {{- include "hydra.labels" . | nindent 8 }} + {{- with $deployValues.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $deployValues.podMetadata.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + app.kubernetes.io/component: admin + annotations: + {{- include "hydra.annotations.checksum" . | nindent 8 -}} + {{- with $deployValues.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $deployValues.podMetadata.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: {{ include "hydra.name" . }}-config-volume + configMap: + name: {{ include "hydra.fullname" . 
}} + {{- if $deployValues.extraVolumes }} + {{- toYaml $deployValues.extraVolumes | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "hydra.serviceAccountName" . }} + automountServiceAccountToken: {{ $deployValues.automountServiceAccountToken }} + terminationGracePeriodSeconds: {{ $deployValues.terminationGracePeriodSeconds }} + containers: + - name: {{ .Chart.Name }}-admin + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: {{- toYaml .Values.hydra.command | nindent 12 }} + {{- if .Values.hydra.customArgs }} + args: {{- toYaml .Values.hydra.customArgs | nindent 12 }} + {{- else }} + args: + - serve + - admin + {{- if .Values.hydra.dev }} + - "--dev" + {{- end }} + - --config + - /etc/config/hydra.yaml + {{- end }} + volumeMounts: + - name: {{ include "hydra.name" . }}-config-volume + mountPath: /etc/config + readOnly: true + {{- if $deployValues.extraVolumeMounts }} + {{- toYaml $deployValues.extraVolumeMounts | nindent 12 }} + {{- end }} + ports: + - name: http-admin + containerPort: {{ .Values.hydra.config.serve.admin.port }} + protocol: TCP + livenessProbe: + {{- if $deployValues.customLivenessProbe }} + {{- toYaml $deployValues.customLivenessProbe | nindent 12 }} + {{- else }} + httpGet: + path: /health/alive + port: {{ .Values.hydra.config.serve.admin.port }} + httpHeaders: + - name: Host + value: '127.0.0.1' + {{- toYaml $deployValues.livenessProbe | nindent 12 }} + {{- end }} + readinessProbe: + {{- if $deployValues.customReadinessProbe }} + {{- toYaml $deployValues.customReadinessProbe | nindent 12 }} + {{- else }} + httpGet: + path: /health/ready + port: {{ .Values.hydra.config.serve.admin.port }} + httpHeaders: + - name: Host + value: '127.0.0.1' + {{- toYaml $deployValues.readinessProbe | nindent 12 }} + {{- end }} + startupProbe: + {{- if $deployValues.customStartupProbe }} + {{- toYaml $deployValues.customStartupProbe | nindent 12 }} + {{- 
else }} + httpGet: + path: /health/ready + port: {{ .Values.hydra.config.serve.admin.port }} + httpHeaders: + - name: Host + value: '127.0.0.1' + {{- toYaml $deployValues.startupProbe | nindent 12 }} + {{- end }} + env: + {{- $issuer := include "hydra.config.urls.issuer" . -}} + {{- if $issuer }} + - name: URLS_SELF_ISSUER + value: {{ $issuer | quote }} + {{- end }} + {{- if not (empty ( include "hydra.dsn" . )) }} + {{- if not (include "ory.extraEnvContainsEnvName" (list $deployValues.extraEnv "DSN")) }} + - name: DSN + valueFrom: + secretKeyRef: + name: {{ include "hydra.secretname" . }} + key: dsn + {{- end }} + {{- end }} + - name: SECRETS_SYSTEM + valueFrom: + secretKeyRef: + name: {{ include "hydra.secretname" . }} + key: secretsSystem + - name: SECRETS_COOKIE + valueFrom: + secretKeyRef: + name: {{ include "hydra.secretname" . }} + key: secretsCookie + {{- if $deployValues.extraEnv }} + {{- tpl (toYaml $deployValues.extraEnv) . | nindent 12 }} + {{- end }} + resources: + {{- toYaml $deployValues.resources | nindent 12 }} + {{- if $deployValues.securityContext }} + securityContext: + {{- toYaml $deployValues.securityContext | nindent 12 }} + {{- end }} + lifecycle: + {{- toYaml $deployValues.lifecycle | nindent 12 }} + {{- if $deployValues.extraContainers }} + {{- tpl $deployValues.extraContainers . | nindent 8 }} + {{- end }} + initContainers: + {{- if $deployValues.extraInitContainers }} + {{- tpl $deployValues.extraInitContainers . 
| nindent 8 }} + {{- end }} + {{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "initContainer" ) }} + - name: {{ .Chart.Name }}-automigrate + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.hydra.automigration.customCommand }} + command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 12 }} + {{- else }} + command: ["hydra"] + {{- end }} + {{- if .Values.hydra.automigration.customArgs }} + args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 12 }} + {{- else }} + args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"] + {{- end }} + volumeMounts: + - name: {{ include "hydra.name" . }}-config-volume + mountPath: /etc/config + readOnly: true + {{- with $deployValues.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + env: + {{- if not (empty ( include "hydra.dsn" . )) }} + {{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }} + - name: DSN + valueFrom: + secretKeyRef: + name: {{ include "hydra.secretname" . }} + key: dsn + {{- end }} + {{- end }} + {{- if $migrationExtraEnv }} + {{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }} + {{- end }} + {{- if .Values.hydra.automigration.resources }} + resources: + {{- toYaml .Values.hydra.automigration.resources | nindent 12 }} + {{- end }} + {{- with $deployValues.initContainerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- with $deployValues.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $deployValues.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with $deployValues.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $deployValues.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $deployValues.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/helm/charts/hydra-distributed/templates/deployment-public.yaml b/helm/charts/hydra-distributed/templates/deployment-public.yaml new file mode 100644 index 0000000000..d952911110 --- /dev/null +++ b/helm/charts/hydra-distributed/templates/deployment-public.yaml 
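Review bot: `$deployValues := merge .Values.deployment.admin (omit .Values.deployment "admin" "public")` mutates `.Values.deployment.admin` in place, because Sprig's `merge` writes into its first argument; hpa.yaml in this same commit wraps the component map in `deepCopy` before merging, and using `merge (deepCopy .Values.deployment.admin) (omit .Values.deployment "admin" "public")` here (and the `public` equivalent in deployment-public.yaml) keeps the three templates consistent and leaves `.Values` untouched for templates rendered later. `replicas: {{ .Values.replicaCount }}` and `{{- with .Values.affinity }}` are the only knobs still read from the top level rather than `$deployValues`, so admin and public cannot be sized or placed independently without autoscaling, while nodeSelector, tolerations and topologySpreadConstraints already come from `$deployValues`; if that asymmetry is intended, a comment on the `replicas:` line would help. As a point of style, deployment-admin.yaml and deployment-public.yaml differ only in the component name, the port value and the `serve` argument, so a single template ranging over `list "admin" "public"` as hpa.yaml does would keep the two ~240-line copies from drifting apart.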
@@ -0,0 +1,244 @@ +{{- $deployValues := merge .Values.deployment.public (omit .Values.deployment "admin" "public") -}} +{{- $migrationExtraEnv := ternary $deployValues.automigration.extraEnv $deployValues.extraEnv (not (empty $deployValues.automigration.extraEnv )) -}} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "hydra.fullname" . }}-public + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.labels" . | nindent 4 }} + {{- with $deployValues.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/component: public + annotations: + {{- with $deployValues.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if not $deployValues.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} +{{- end }} + revisionHistoryLimit: {{ $deployValues.revisionHistoryLimit }} + strategy: + {{- toYaml $deployValues.strategy | nindent 4 }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "hydra.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: public + template: + metadata: + labels: + {{- include "hydra.labels" . | nindent 8 }} + {{- with $deployValues.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $deployValues.podMetadata.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + app.kubernetes.io/component: public + annotations: + {{- include "hydra.annotations.checksum" . | nindent 8 -}} + {{- with $deployValues.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $deployValues.podMetadata.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: {{ include "hydra.name" . }}-config-volume + configMap: + name: {{ include "hydra.fullname" . 
}} + {{- if $deployValues.extraVolumes }} + {{- toYaml $deployValues.extraVolumes | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "hydra.serviceAccountName" . }} + automountServiceAccountToken: {{ $deployValues.automountServiceAccountToken }} + terminationGracePeriodSeconds: {{ $deployValues.terminationGracePeriodSeconds }} + containers: + - name: {{ .Chart.Name }}-public + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: {{- toYaml .Values.hydra.command | nindent 12 }} + {{- if .Values.hydra.customArgs }} + args: {{- toYaml .Values.hydra.customArgs | nindent 12 }} + {{- else }} + args: + - serve + - public + {{- if .Values.hydra.dev }} + - "--dev" + {{- end }} + - --config + - /etc/config/hydra.yaml + {{- end }} + volumeMounts: + - name: {{ include "hydra.name" . }}-config-volume + mountPath: /etc/config + readOnly: true + {{- if $deployValues.extraVolumeMounts }} + {{- toYaml $deployValues.extraVolumeMounts | nindent 12 }} + {{- end }} + ports: + - name: http-public + containerPort: {{ .Values.hydra.config.serve.public.port }} + protocol: TCP + livenessProbe: + {{- if $deployValues.customLivenessProbe }} + {{- toYaml $deployValues.customLivenessProbe | nindent 12 }} + {{- else }} + httpGet: + path: /health/alive + port: {{ .Values.hydra.config.serve.public.port }} + httpHeaders: + - name: Host + value: '127.0.0.1' + {{- toYaml $deployValues.livenessProbe | nindent 12 }} + {{- end }} + readinessProbe: + {{- if $deployValues.customReadinessProbe }} + {{- toYaml $deployValues.customReadinessProbe | nindent 12 }} + {{- else }} + httpGet: + path: /health/ready + port: {{ .Values.hydra.config.serve.public.port }} + httpHeaders: + - name: Host + value: '127.0.0.1' + {{- toYaml $deployValues.readinessProbe | nindent 12 }} + {{- end }} + startupProbe: + {{- if $deployValues.customStartupProbe }} + {{- toYaml $deployValues.customStartupProbe | nindent 12 }} 
+ {{- else }} + httpGet: + path: /health/ready + port: {{ .Values.hydra.config.serve.public.port }} + httpHeaders: + - name: Host + value: '127.0.0.1' + {{- toYaml $deployValues.startupProbe | nindent 12 }} + {{- end }} + env: + {{- $issuer := include "hydra.config.urls.issuer" . -}} + {{- if $issuer }} + - name: URLS_SELF_ISSUER + value: {{ $issuer | quote }} + {{- end }} + {{- if not (empty ( include "hydra.dsn" . )) }} + {{- if not (include "ory.extraEnvContainsEnvName" (list $deployValues.extraEnv "DSN")) }} + - name: DSN + valueFrom: + secretKeyRef: + name: {{ include "hydra.secretname" . }} + key: dsn + {{- end }} + {{- end }} + - name: SECRETS_SYSTEM + valueFrom: + secretKeyRef: + name: {{ include "hydra.secretname" . }} + key: secretsSystem + - name: SECRETS_COOKIE + valueFrom: + secretKeyRef: + name: {{ include "hydra.secretname" . }} + key: secretsCookie + {{- if $deployValues.extraEnv }} + {{- tpl (toYaml $deployValues.extraEnv) . | nindent 12 }} + {{- end }} + resources: + {{- toYaml $deployValues.resources | nindent 12 }} + {{- if $deployValues.securityContext }} + securityContext: + {{- toYaml $deployValues.securityContext | nindent 12 }} + {{- end }} + lifecycle: + {{- toYaml $deployValues.lifecycle | nindent 12 }} + {{- if $deployValues.extraContainers }} + {{- tpl $deployValues.extraContainers . | nindent 8 }} + {{- end }} + initContainers: + {{- if $deployValues.extraInitContainers }} + {{- tpl $deployValues.extraInitContainers . 
| nindent 8 }} + {{- end }} + {{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "initContainer" ) }} + - name: {{ .Chart.Name }}-automigrate + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.hydra.automigration.customCommand }} + command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 12 }} + {{- else }} + command: ["hydra"] + {{- end }} + {{- if .Values.hydra.automigration.customArgs }} + args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 12 }} + {{- else }} + args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"] + {{- end }} + volumeMounts: + - name: {{ include "hydra.name" . }}-config-volume + mountPath: /etc/config + readOnly: true + {{- with $deployValues.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + env: + {{- if not (empty ( include "hydra.dsn" . )) }} + {{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }} + - name: DSN + valueFrom: + secretKeyRef: + name: {{ include "hydra.secretname" . }} + key: dsn + {{- end }} + {{- end }} + {{- if $migrationExtraEnv }} + {{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }} + {{- end }} + {{- if .Values.hydra.automigration.resources }} + resources: + {{- toYaml .Values.hydra.automigration.resources | nindent 12 }} + {{- end }} + {{- with $deployValues.initContainerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- with $deployValues.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $deployValues.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with $deployValues.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $deployValues.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $deployValues.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/helm/charts/hydra-distributed/templates/deployment-watcher.yaml b/helm/charts/hydra-distributed/templates/deployment-watcher.yaml new file mode 100644 index 0000000000..a0393806f2 --- /dev/null +++ b/helm/charts/hydra-distributed/templates/deployment-watcher.yaml 
@@ -0,0 +1,77 @@
+{{- if .Values.watcher.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "hydra.fullname" . }}-watcher
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- with .Values.deployment.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- with .Values.deployment.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ revisionHistoryLimit: {{ .Values.watcher.revisionHistoryLimit }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- with .Values.deployment.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.watcher.podMetadata.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ annotations:
+ {{- with .Values.watcher.podMetadata.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
+ serviceAccountName: {{ include "hydra.serviceAccountName" . }}-watcher
+ terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
+ containers:
+ - name: watcher
+ {{- with .Values.watcher.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ image: {{ .Values.watcher.image }}
+ command:
+ - /bin/bash
+ - -c
+ - |
+ {{- .Files.Get "files/watch.sh" | printf "%s" | nindent 14 }}
+ env:
+ - name: NAMESPACE
+ value: {{ .Release.Namespace | quote }}
+ - name: WATCH_FILE
+ value: {{ .Values.watcher.mountFile | quote }}
+ - name: LABEL_SELECTOR
+ value: '{{ $.Values.watcher.watchLabelKey }}={{ include "hydra.name" . }}'
+ resources:
+ {{- toYaml .Values.watcher.resources | nindent 12 }}
+ volumeMounts:
+ {{- with .Values.deployment.extraVolumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.watcher.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ {{- if .Values.deployment.extraVolumes }}
+ {{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/charts/hydra-distributed/templates/hpa.yaml b/helm/charts/hydra-distributed/templates/hpa.yaml
new file mode 100644
index 0000000000..c84d251297
--- /dev/null
+++ b/helm/charts/hydra-distributed/templates/hpa.yaml
@@ -0,0 +1,41 @@
+{{- range list "admin" "public" }}
+{{- $deployValues := merge (deepCopy (get $.Values.deployment .)) (omit $.Values.deployment "admin" "public") }}
+{{- if $deployValues.autoscaling.enabled }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ {{- if $.Release.Namespace }}
+ namespace: {{ $.Release.Namespace }}
+ {{- end }}
+ name: {{ include "hydra.fullname" $ }}-{{.}}
+ labels:
+ {{- include "hydra.labels" $ | nindent 4 }}
+ app.kubernetes.io/component: {{. | quote}}
+spec:
+ {{- with $deployValues.autoscaling.behavior }}
+ behavior: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "hydra.fullname" $ }}-{{.}}
+ minReplicas: {{ $deployValues.autoscaling.minReplicas }}
+ maxReplicas: {{ $deployValues.autoscaling.maxReplicas }}
+ metrics:
+ {{- with $deployValues.autoscaling.targetMemory }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $deployValues.autoscaling.targetCPU}}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
+{{- end }}
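Review bot: `volumeMounts:` and `volumes:` are emitted unconditionally but their bodies are wrapped in `with`/`if`, so with no `deployment.extraVolumeMounts`/`extraVolumes` the rendered pod spec carries bare `volumeMounts:` and `volumes:` keys (null values); move each key inside its guard, e.g. `{{- with .Values.deployment.extraVolumeMounts }}` / `volumeMounts:` / `{{- toYaml . | nindent 12 }}`. `image: {{ .Values.watcher.image }}` is the only unquoted image reference among the new templates and has no `imagePullPolicy`, unlike the hydra containers at L54; quoting it and adding a pull policy keeps the templates consistent. The container runs `files/watch.sh` under a service account that (per rbac-watcher.yaml) can patch deployments, so a comment above `command:` stating what the script is expected to do and why it needs write access would help reviewers of future changes to that script.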
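Review bot: The per-component override on the second line relies on sprig's `merge`, which (as far as I recall, it is mergo-based) only fills keys that are empty or zero-valued in the destination, so a falsy component value such as `deployment.admin.autoscaling.enabled: false` or a `minReplicas: 0` is silently replaced by the chart-wide `deployment.autoscaling.*` value; if the intent is "component wins", `mergeOverwrite` with the arguments reversed, or explicit `default`/`hasKey` lookups, gives that semantics. `$deployValues.autoscaling.enabled` also assumes `deployment.autoscaling` exists after the merge; if neither the component map nor `deployment` defines it the template fails with a nil-pointer error rather than skipping the HPA. A one-line comment above the `merge` spelling out the precedence rule would make the override contract explicit for values authors.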
diff --git a/helm/charts/hydra-distributed/templates/ingress-admin.yaml b/helm/charts/hydra-distributed/templates/ingress-admin.yaml new file mode 100644 index 0000000000..129ea28cce --- /dev/null +++ b/helm/charts/hydra-distributed/templates/ingress-admin.yaml @@ -0,0 +1,54 @@ +{{- if .Values.ingress.admin.enabled -}} +{{- $fullName := include "hydra.fullname" . -}} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else -}} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }}-admin + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.labels" . | nindent 4 }} + {{- with .Values.ingress.admin.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.admin.className }} + {{- if .Values.ingress.admin.tls }} + tls: + {{- range .Values.ingress.admin.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.admin.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if .pathType }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }}-admin + port: + name: {{ $.Values.service.admin.name }} + {{- else }} + serviceName: {{ $fullName }}-admin + servicePort: {{ $.Values.service.admin.name }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/helm/charts/hydra-distributed/templates/ingress-public.yaml b/helm/charts/hydra-distributed/templates/ingress-public.yaml new file mode 100644 index 0000000000..45d3f2a0e8 --- /dev/null +++ b/helm/charts/hydra-distributed/templates/ingress-public.yaml 
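Review bot: `ingressClassName: {{ .Values.ingress.admin.className }}` renders an explicit `ingressClassName:` with no value when `className` is left at its default `""`, which some ingress controllers and admission policies treat differently from an absent field; wrap it as `{{- with .Values.ingress.admin.className }}` / `ingressClassName: {{ . }}` / `{{- end }}`. The same pattern is in ingress-public.yaml (L59). Since this resource exposes Hydra's admin API, which is privileged (client management, consent handling), a comment at the top of the template, or on `ingress.admin.enabled` in values.yaml, should state that it is expected to sit behind authentication or network restrictions and is off by default.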
@@ -0,0 +1,54 @@ +{{- if or .Values.ingress.public.enabled .Values.demo -}} +{{- $fullName := include "hydra.fullname" . -}} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else -}} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }}-public + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.labels" . | nindent 4 }} + {{- with .Values.ingress.public.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.public.className }} + {{- if .Values.ingress.public.tls }} + tls: + {{- range .Values.ingress.public.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.public.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if .pathType }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }}-public + port: + name: {{ $.Values.service.public.name }} + {{- else }} + serviceName: {{ $fullName }}-public + servicePort: {{ $.Values.service.public.name }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/helm/charts/hydra-distributed/templates/janitor-cron-job-rbac.yaml b/helm/charts/hydra-distributed/templates/janitor-cron-job-rbac.yaml new file mode 100644 index 0000000000..8a1d92d097 --- /dev/null +++ b/helm/charts/hydra-distributed/templates/janitor-cron-job-rbac.yaml 
@@ -0,0 +1,17 @@
+{{- if .Values.cronjob.janitor.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "hydra.cronjob.janitor.serviceAccountName" . }}
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ {{- include "hydra.labels" . | nindent 4 }}
+ {{- with .Values.cronjob.janitor.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: false
+{{- end -}}
\ No newline at end of file
diff --git a/helm/charts/hydra-distributed/templates/janitor-cron-job.yaml b/helm/charts/hydra-distributed/templates/janitor-cron-job.yaml
new file mode 100644
index 0000000000..aa52036fd7
--- /dev/null
+++ b/helm/charts/hydra-distributed/templates/janitor-cron-job.yaml
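Review bot: The file ends without a trailing newline (`\ No newline at end of file`), as do job-rbac.yaml (L66) and pdb.yaml (L67), while the sibling rbac.yaml (L68) ends with one; the rendered output is unaffected because of `{{- end -}}`, but yamllint and most editors flag it, so add the newline for consistency. `automountServiceAccountToken: false` on the service account is the right default here since the pod template sets its own value.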
@@ -0,0 +1,137 @@ +{{- if .Values.janitor.enabled -}} +{{- $janitorExtraEnv := ternary .Values.cronjob.janitor.extraEnv .Values.deployment.extraEnv (not (empty .Values.cronjob.janitor.extraEnv )) -}} +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ include "hydra.fullname" . }}-janitor + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.janitor.labels" . | nindent 4 }} + {{- with .Values.cronjob.janitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.cronjob.janitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + concurrencyPolicy: Forbid + schedule: {{ .Values.cronjob.janitor.schedule | quote }} + jobTemplate: + spec: + template: + metadata: + labels: + {{- include "hydra.janitor.labels" . | nindent 12 }} + {{- with .Values.cronjob.janitor.labels }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cronjob.janitor.podMetadata.labels }} + {{- toYaml . | nindent 12 }} + {{- end }} + annotations: + {{- include "hydra.annotations.checksum" . | nindent 12 -}} + {{- with .Values.cronjob.janitor.annotations }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with $.Values.cronjob.janitor.podMetadata.annotations }} + {{- toYaml . | nindent 12 }} + {{- end }} + spec: + restartPolicy: OnFailure + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 12 }} + {{- end }} + serviceAccountName: {{ include "hydra.cronjob.janitor.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.cronjob.janitor.automountServiceAccountToken }} + volumes: + - name: {{ include "hydra.name" . }}-config-volume + configMap: + name: {{ include "hydra.fullname" . 
}} + {{- if .Values.cronjob.janitor.extraVolumes }} + {{- toYaml .Values.cronjob.janitor.extraVolumes | nindent 12 }} + {{- end }} + containers: + - name: janitor + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.cronjob.janitor.securityContext }} + securityContext: + {{- toYaml . | nindent 16 }} + {{- end }} + {{- if .Values.cronjob.janitor.customCommand }} + command: {{- toYaml .Values.cronjob.janitor.customCommand | nindent 14 }} + {{- else }} + command: ["hydra"] + {{- end }} + {{- if .Values.cronjob.janitor.customArgs }} + args: {{- toYaml .Values.cronjob.janitor.customArgs | nindent 14 }} + {{- else }} + args: + - janitor + {{- if .Values.janitor.cleanupGrants }} + - --grants + {{- end }} + {{- if .Values.janitor.cleanupRequests }} + - --requests + {{- end }} + {{- if .Values.janitor.cleanupTokens }} + - --tokens + {{- end }} + - --batch-size + - {{ .Values.janitor.batchSize | quote }} + - --limit + - {{ .Values.janitor.limit | quote }} + - --config + - /etc/config/hydra.yaml + {{- end }} + env: + {{- if not (empty ( include "hydra.dsn" . )) }} + {{- if not (include "ory.extraEnvContainsEnvName" (list $janitorExtraEnv "DSN")) }} + - name: DSN + valueFrom: + secretKeyRef: + name: {{ include "hydra.secretname" . }} + key: dsn + {{- end }} + {{- end }} + {{- with $janitorExtraEnv }} + {{- toYaml . | nindent 16 }} + {{- end }} + resources: + {{- toYaml .Values.cronjob.janitor.resources | nindent 16 }} + volumeMounts: + - name: {{ include "hydra.name" . }}-config-volume + mountPath: /etc/config + readOnly: true + {{- if .Values.cronjob.janitor.extraVolumeMounts }} + {{- toYaml .Values.cronjob.janitor.extraVolumeMounts | nindent 16 }} + {{- end }} + {{- if .Values.cronjob.janitor.extraContainers }} + {{- tpl .Values.cronjob.janitor.extraContainers . 
| nindent 12 }} + {{- end }} + {{- if .Values.cronjob.janitor.extraInitContainers }} + initContainers: + {{- tpl .Values.cronjob.janitor.extraInitContainers . | nindent 10 }} + {{- end }} + {{- with .Values.cronjob.janitor.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cronjob.janitor.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cronjob.janitor.tolerations }} + tolerations: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cronjob.janitor.affinity }} + affinity: + {{- toYaml . | nindent 12 }} + {{- end }} +{{- end }} diff --git a/helm/charts/hydra-distributed/templates/job-migration.yaml b/helm/charts/hydra-distributed/templates/job-migration.yaml new file mode 100644 index 0000000000..56cf3e812d --- /dev/null +++ b/helm/charts/hydra-distributed/templates/job-migration.yaml 
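Review bot: `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"` on the janitor container has no fallback, so an empty `image.tag` renders `oryd/hydra:`, whereas the hydra containers at L54 use `{{ .Values.image.tag | default .Chart.AppVersion }}`; the same applies to the migration container in job-migration.yaml (L65). The extra env block `{{- with $janitorExtraEnv }}` / `{{- toYaml . | nindent 16 }}` emits the values verbatim, while the deployment at L54 runs them through `tpl (toYaml $migrationExtraEnv)`, so templated env entries (which the README in HEAD says are processed with `tpl`) behave differently between the cron job and the deployments; use `{{- tpl (toYaml .) $ | nindent 16 }}` here. The container also has no `securityContext` fallback when `cronjob.janitor.securityContext` is empty, which is worth a comment if that is intended.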
@@ -0,0 +1,125 @@ +{{- include "hydra.automigration.typeVerification" . -}} +{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "job" ) }} +{{- $nodeSelector := ternary .Values.job.nodeSelector .Values.deployment.nodeSelector (not (empty .Values.job.nodeSelector )) -}} +{{- $migrationExtraEnv := ternary .Values.job.extraEnv .Values.deployment.extraEnv (not (empty .Values.job.extraEnv )) -}} +{{- $resources := ternary .Values.job.resources .Values.hydra.automigration.resources (not (empty .Values.job.resources)) -}} + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "hydra.fullname" . }}-automigrate + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.labels" . | nindent 4 }} + {{- with .Values.job.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.job.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + template: + metadata: + annotations: + {{- with .Values.job.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.job.podMetadata.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "hydra.fullname" . }}-automigrate + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.job.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.job.podMetadata.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "hydra.job.serviceAccountName" . 
}} + automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }} + containers: + - name: {{ .Chart.Name }}-automigrate + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.hydra.automigration.customCommand }} + command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 10 }} + {{- else }} + command: ["hydra"] + {{- end }} + {{- if .Values.hydra.automigration.customArgs }} + args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 10 }} + {{- else }} + args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"] + {{- end }} + env: + {{- if not (empty ( include "hydra.dsn" . )) }} + {{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }} + - name: DSN + valueFrom: + secretKeyRef: + name: {{ include "hydra.secretname" . }} + key: dsn + {{- end }} + {{- end }} + {{- with $migrationExtraEnv }} + {{- toYaml . | nindent 10 }} + {{- end }} + lifecycle: + {{- if .Values.job.lifecycle }} + {{- tpl .Values.job.lifecycle . | nindent 10 }} + {{- end }} + {{- with .Values.deployment.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with $resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + volumeMounts: + - name: {{ include "hydra.name" . }}-config-volume + mountPath: /etc/config + readOnly: true + {{- if .Values.deployment.extraVolumeMounts }} + {{- toYaml .Values.deployment.extraVolumeMounts | nindent 10 }} + {{- end }} + {{- if .Values.job.extraContainers }} + {{- tpl .Values.job.extraContainers . | nindent 6 }} + {{- end }} + {{- if .Values.job.extraInitContainers }} + initContainers: + {{- tpl .Values.job.extraInitContainers . | nindent 8 }} + {{- end }} + restartPolicy: Never + {{- with .Values.deployment.podSecurityContext }} + securityContext: + {{- toYaml . 
| nindent 8 }} + {{- end }} + shareProcessNamespace: {{ .Values.job.shareProcessNamespace }} + volumes: + - name: {{ include "hydra.name" . }}-config-volume + configMap: + name: {{ include "hydra.fullname" . }}-migrate + {{- if .Values.deployment.extraVolumes }} + {{- toYaml .Values.deployment.extraVolumes | nindent 8 }} + {{- end }} + {{- with $nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.job.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + backoffLimit: {{ .Values.job.spec.backoffLimit }} +{{- end }} diff --git a/helm/charts/hydra-distributed/templates/job-rbac.yaml b/helm/charts/hydra-distributed/templates/job-rbac.yaml new file mode 100644 index 0000000000..96998d8ca0 --- /dev/null +++ b/helm/charts/hydra-distributed/templates/job-rbac.yaml @@ -0,0 +1,17 @@ +{{- if .Values.job.serviceAccount.create -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "hydra.job.serviceAccountName" . }} + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.labels" . | nindent 4 }} + {{- with .Values.job.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: false +{{- end -}} \ No newline at end of file diff --git a/helm/charts/hydra-distributed/templates/pdb.yaml b/helm/charts/hydra-distributed/templates/pdb.yaml new file mode 100644 index 0000000000..32c5df5314 --- /dev/null +++ b/helm/charts/hydra-distributed/templates/pdb.yaml 
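Review bot: `lifecycle:` is emitted unconditionally while its body sits inside `{{- if .Values.job.lifecycle }}`, so with no lifecycle configured the migration container gets a bare `lifecycle:` (null) key; move the key inside the guard: `{{- if .Values.job.lifecycle }}` / `lifecycle:` / `{{- tpl .Values.job.lifecycle . | nindent 10 }}`. The `$migrationExtraEnv` block is again rendered with plain `toYaml` rather than `tpl (toYaml ...)`, diverging from the deployment template at L54. A short header comment explaining the `ternary` precedence for `$nodeSelector`, `$migrationExtraEnv` and `$resources` (job-level value wins when non-empty, else the deployment/automigration value) would save readers from re-deriving it.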
@@ -0,0 +1,18 @@
+{{- if .Values.pdb.enabled -}}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "hydra.fullname" . }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "hydra.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- with .Values.pdb.spec.maxUnavailable }}
+ maxUnavailable: {{ . }}
+ {{- end }}
+ {{- with .Values.pdb.spec.minAvailable }}
+ minAvailable: {{ . }}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/helm/charts/hydra-distributed/templates/rbac-watcher.yaml b/helm/charts/hydra-distributed/templates/rbac-watcher.yaml
new file mode 100644
index 0000000000..d684993082
--- /dev/null
+++ b/helm/charts/hydra-distributed/templates/rbac-watcher.yaml
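Review bot: The selector omits `app.kubernetes.io/component`, so this single budget spans both the admin and the public pods that the services (L70–L71) and HPAs (L57) treat as separate components; a `minAvailable: 1` is then satisfied by one public pod while every admin pod is evicted, which defeats the purpose of splitting the deployments. It also never sets `metadata.namespace`, unlike every other resource in the chart. Rendering one PDB per component, as hpa.yaml does with `range list "admin" "public"`, fixes both.
```yaml
{{- if .Values.pdb.enabled -}}
{{- range list "admin" "public" }}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: {{ include "hydra.fullname" $ }}-{{ . }}
  {{- if $.Release.Namespace }}
  namespace: {{ $.Release.Namespace }}
  {{- end }}
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "hydra.name" $ }}
      app.kubernetes.io/instance: {{ $.Release.Name }}
      app.kubernetes.io/component: {{ . }}
  {{- with $.Values.pdb.spec.maxUnavailable }}
  maxUnavailable: {{ . }}
  {{- end }}
  {{- with $.Values.pdb.spec.minAvailable }}
  minAvailable: {{ . }}
  {{- end }}
{{- end }}
{{- end -}}
```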
@@ -0,0 +1,53 @@
+{{- if .Values.watcher.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "hydra.serviceAccountName" . }}-watcher
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
+ app.kubernetes.io/instance: {{ .Release.Name }}
+automountServiceAccountToken: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "hydra.fullname" . }}-watcher
+ namespace: {{ .Release.Namespace }}
+rules:
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs:
+ - list
+ - watch
+ - get
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ resourceNames:
+ - {{ include "hydra.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "hydra.fullname" . }}-watcher
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "hydra.fullname" . }}-watcher
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "hydra.fullname" . }}-watcher
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/charts/hydra-distributed/templates/rbac.yaml b/helm/charts/hydra-distributed/templates/rbac.yaml
new file mode 100644
index 0000000000..3194899785
--- /dev/null
+++ b/helm/charts/hydra-distributed/templates/rbac.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.deployment.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "hydra.serviceAccountName" . }}
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ {{- include "hydra.labels" . | nindent 4 }}
+ {{- with .Values.deployment.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: false
+{{- end }}
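Review bot: The RoleBinding subject is `{{ include "hydra.fullname" . }}-watcher` but the ServiceAccount created above, and the one the watcher pod uses (deployment-watcher.yaml, L56), is `{{ include "hydra.serviceAccountName" . }}-watcher`; whenever those two helpers resolve differently (a custom `serviceAccount.name`, for instance) the binding points at a non-existent account and the watcher silently loses its permissions, so the subject should read `name: {{ include "hydra.serviceAccountName" . }}-watcher`. The `patch`/`update` rule is restricted to `resourceNames: [{{ include "hydra.fullname" . }}]`, yet the deployments this chart renders elsewhere are named `{{ include "hydra.fullname" . }}-admin` and `-public` (see the HPA `scaleTargetRef` at L57); unless a plain-named deployment exists outside this view, the write grant never matches and the watcher's patches will be denied, so the list should name the `-admin` and `-public` deployments. Scoping the write verbs by name is the right least-privilege shape; a comment on the first rule explaining that `list`/`watch` cannot be name-restricted would tell readers why it is broader.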
diff --git a/helm/charts/hydra-distributed/templates/secrets.yaml b/helm/charts/hydra-distributed/templates/secrets.yaml
new file mode 100644
index 0000000000..4220c649db
--- /dev/null
+++ b/helm/charts/hydra-distributed/templates/secrets.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.secret.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "hydra.secretname" . }}
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ {{- include "hydra.labels" . | nindent 4 }}
+ annotations:
+ {{- with .Values.secret.secretAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ # Generate a random secret if the user doesn't give one. User given password has priority
+ secretsSystem: {{ ( include "hydra.secrets.system" . | default ( randAlphaNum 32 )) | required "Value secrets.system can not be empty!" | b64enc | quote }}
+ secretsCookie: {{ ( include "hydra.secrets.cookie" . | default ( randAlphaNum 32 )) | required "Value secrets.cookie can not be empty!" | b64enc | quote }}
+ dsn: {{ include "hydra.dsn" . | b64enc | quote }}
+{{- end -}}
diff --git a/helm/charts/hydra-distributed/templates/service-admin.yaml b/helm/charts/hydra-distributed/templates/service-admin.yaml
new file mode 100644
index 0000000000..c14d19f1ae
--- /dev/null
+++ b/helm/charts/hydra-distributed/templates/service-admin.yaml
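Review bot: `randAlphaNum 32` on the `secretsSystem` and `secretsCookie` lines runs on every render, so whether the generated values survive an upgrade depends entirely on the hook annotations supplied in values.yaml (L74: `pre-install, pre-upgrade` with `before-hook-creation`), and an operator who changes those annotations, or runs `helm template`/`helm diff`, gets a fresh secret each time; since rotating `secretsSystem` invalidates existing tokens and cookies, guarding the default with a `lookup "v1" "Secret" .Release.Namespace (include "hydra.secretname" .)` of the existing value, when `lookup` is available, makes the preservation explicit instead of incidental. The inline comment should also state that dependency: `# Generated only when the user supplies no value; preserved across upgrades only via the hook annotations in values.yaml`. `annotations:` is emitted as a bare key when `secret.secretAnnotations` is empty; wrap the key in the `with` as the ingress templates do.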
@@ -0,0 +1,72 @@ +{{- if .Values.service.admin.enabled -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "hydra.fullname" . }}-admin + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.labels" . | nindent 4 }} + {{- with .Values.service.admin.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/component: admin + annotations: + {{- with .Values.service.admin.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.admin.type }} + {{- if eq .Values.service.admin.type "LoadBalancer" }} + {{- with .Values.service.admin.loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + {{- end }} + ports: + - port: {{ .Values.service.admin.port }} + targetPort: http-admin + protocol: TCP + name: {{ .Values.service.admin.name }} + selector: + app.kubernetes.io/name: {{ include "hydra.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: admin +{{- if .Values.serviceMonitor.enabled }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "hydra.fullname" . }}-admin + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app.kubernetes.io/component: admin + {{- include "hydra.labels" . | nindent 4 }} +{{- with .Values.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} +{{- end }} + {{- with .Values.service.admin.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + - path: {{ .Values.service.admin.metricsPath }} + port: {{ .Values.service.admin.name }} + scheme: {{ .Values.serviceMonitor.scheme }} + interval: {{ .Values.serviceMonitor.scrapeInterval }} + scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }} + {{- with .Values.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml . 
| nindent 6 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "hydra.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: admin +{{- end -}} +{{- end }} diff --git a/helm/charts/hydra-distributed/templates/service-public.yaml b/helm/charts/hydra-distributed/templates/service-public.yaml new file mode 100644 index 0000000000..ffd96e48ab --- /dev/null +++ b/helm/charts/hydra-distributed/templates/service-public.yaml @@ -0,0 +1,35 @@ +{{- if .Values.service.public.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "hydra.fullname" . }}-public + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.labels" . | nindent 4 }} + {{- with .Values.service.public.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/component: public + annotations: + {{- with .Values.service.public.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.public.type }} + {{- if eq .Values.service.public.type "LoadBalancer" }} + {{- with .Values.service.public.loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + {{- end }} + ports: + - port: {{ .Values.service.public.port }} + targetPort: http-public + protocol: TCP + name: {{ .Values.service.public.name }} + selector: + app.kubernetes.io/name: {{ include "hydra.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: public +{{- end }} diff --git a/helm/charts/hydra-distributed/templates/tests/test-connection.yaml b/helm/charts/hydra-distributed/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..db08330a69 --- /dev/null +++ b/helm/charts/hydra-distributed/templates/tests/test-connection.yaml 
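Review bot: The Service and ServiceMonitor selectors add `app.kubernetes.io/component: admin` (and service-public.yaml on this line uses `public`), so the pod templates of the admin and public deployments, which are outside this view, must carry exactly that label or the services select no endpoints; a comment on the selector naming that contract, or a shared `hydra.selectorLabels`-style helper used by both the services and the deployments, would prevent drift. The ServiceMonitor's `annotations` are taken from `.Values.service.admin.annotations`, which is the Service's annotation set; if that is deliberate it deserves a comment, otherwise a dedicated serviceMonitor annotations value is the usual shape. Style: `{{- with .Values.serviceMonitor.labels }}` and its `{{- end }}` sit at column 0 inside the indented `labels:` block, unlike every other guard in the file.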
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "hydra.fullname" . }}-test-connection"
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels: {{- include "hydra.labels" . | nindent 4 }}
+ {{- with .Values.test.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test-success
+spec:
+ containers:
+ - name: healthcheck-ready
+ image: "{{ .Values.test.busybox.repository }}:{{ .Values.test.busybox.tag }}"
+ command: ['wget']
+ args: ['{{ include "hydra.fullname" . }}-admin:{{ .Values.service.admin.port }}/health/ready']
+ restartPolicy: Never
diff --git a/helm/charts/hydra-distributed/values.yaml b/helm/charts/hydra-distributed/values.yaml
new file mode 100644
index 0000000000..658a168098
--- /dev/null
+++ b/helm/charts/hydra-distributed/values.yaml
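Review bot: The test pod targets `{{ include "hydra.fullname" . }}-admin` unconditionally, but that Service only exists when `service.admin.enabled` is true (service-admin.yaml, L70), so `helm test` fails on a release that disables the admin service; wrap the whole template in `{{- if .Values.service.admin.enabled }}` … `{{- end }}`. The test pod also has no `securityContext` or `resources`, unlike the hydra containers; if the chart's values expose a test-specific security context it should be applied here for consistency.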
@@ -0,0 +1,674 @@
+# -- Number of ORY Hydra members
+replicaCount: 1
+
+image:
+ # -- ORY Hydra image
+ repository: oryd/hydra
+ # -- ORY Hydra version
+ tag: v2.2.0
+ # -- Image pull policy
+ pullPolicy: IfNotPresent
+
+# -- Image pull secrets
+imagePullSecrets: []
+# Chart name override
+nameOverride: ""
+# -- Full chart name override
+fullnameOverride: ""
+
+# -- Pod priority
+# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+priorityClassName: ""
+
+## -- Configures the Kubernetes service
+service:
+ # -- Configures the Kubernetes service for the proxy port.
+ public:
+ # -- En-/disable the service
+ enabled: true
+ # -- The service type
+ type: ClusterIP
+ # -- The load balancer IP
+ loadBalancerIP: ""
+ # -- The service port
+ port: 4444
+ # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
+ name: http
+ # -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ labels: {}
+ # If you do want to specify additional labels, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'labels:'.
+ # e.g. app: hydra
+ # -- Configures the Kubernetes service for the api port.
+ admin:
+ # -- En-/disable the service
+ enabled: true
+ # -- The service type
+ type: ClusterIP
+ # -- The load balancer IP
+ loadBalancerIP: ""
+ # -- The service port
+ port: 4445
+ # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
+ name: http
+ # -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ labels: {}
+ # If you do want to specify additional labels, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'labels:'.
+ # e.g. app: hydra
+ # -- Path to the metrics endpoint
+ metricsPath: /admin/metrics/prometheus
+
+## -- Secret management
+secret:
+ # -- switch to false to prevent creating the secret
+ enabled: true
+ # -- Provide custom name of existing secret, or custom name of secret to be created
+ nameOverride: ""
+ # nameOverride: "myCustomSecret"
+ # -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
+ secretAnnotations:
+ # Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
+ # pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards.
+ helm.sh/hook-weight: "0"
+ helm.sh/hook: "pre-install, pre-upgrade"
+ helm.sh/hook-delete-policy: "before-hook-creation"
+ helm.sh/resource-policy: "keep"
+ # -- switch to false to prevent checksum annotations being maintained and propogated to the pods
+ hashSumEnabled: true
+
+## -- Configure ingress
+ingress:
+ # -- Configure ingress for the proxy port.
+ public:
+ # -- En-/Disable the proxy ingress.
+ enabled: false
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: public.hydra.localhost
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ # tls: []
+ # hosts:
+ # - proxy.hydra.local
+ # - secretName: hydra-proxy-example-tls
+
+ admin:
+ # -- En-/Disable the api ingress.
+ enabled: false
+ className: ""
+ annotations: {}
+ # If you do want to specify annotations, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: admin.hydra.localhost
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+# tls: []
+# hosts:
+# - api.hydra.local
+# - secretName: hydra-api-example-tls
+
+## -- Configure ORY Hydra itself
+hydra:
+ # -- Ability to override the entrypoint of hydra container
+ # (e.g. to source dynamic secrets or export environment dynamic variables)
+ command: ["hydra"]
+ # -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
+ customArgs: []
+ # -- The ORY Hydra configuration. For a full list of available settings, check:
+ # https://www.ory.sh/docs/hydra/reference/configuration
+ config:
+ serve:
+ public:
+ port: 4444
+ admin:
+ port: 4445
+ tls:
+ allow_termination_from:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ # -- The secrets have to be provided as a string slice, example:
+ # system:
+ # - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa"
+ # - "foo bar 123 456 lorem"
+ # - "foo bar 123 456 lorem 1"
+ # - "foo bar 123 456 lorem 2"
+ # - "foo bar 123 456 lorem 3"
+ secrets: {}
+
+ urls:
+ self: {}
+
+ # -- Enables database migration
+ automigration:
+ enabled: false
+ # -- Configure the way to execute database migration. Possible values: job, initContainer
+ # When set to job, the migration will be executed as a job on release or upgrade.
+ # When set to initContainer, the migration will be executed when kratos pod is created
+ # Defaults to job
+ type: job
+ # -- Ability to override the entrypoint of the automigration container
+ # (e.g. to source dynamic secrets or export environment dynamic variables)
+ customCommand: []
+ # -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
+ # eg:
+ # - sleep 5;
+ # - kratos
+ customArgs: []
+ # -- resource requests and limits for the automigration initcontainer
+ resources: {}
+
+ # -- Enable dev mode, not secure in production environments
+ dev: false
+
+## -- Deployment specific config
+deployment:
+ # The admin/public fields act as overrides for the individual deploys.
+ admin: {}
+ public: {}
+
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: "25%"
+ maxUnavailable: "25%"
+
+ # -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
+ # This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ resources: {}
+
+ ## -- initContainer securityContext for hydra & migration init
+ initContainerSecurityContext: {}
+
+ ## -- pod securityContext for hydra & migration init
+ podSecurityContext:
+ fsGroupChangePolicy: "OnRootMismatch"
+ runAsNonRoot: true
+ runAsUser: 65534
+ fsGroup: 65534
+ runAsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
+
+ ## -- container securityContext for hydra & migration init
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ allowPrivilegeEscalation: false
+ privileged: false
+ seLinuxOptions:
+ level: "s0:c123,c456"
+
+ lifecycle: {}
+
+ # -- Set custom deployment level labels
+ labels: {}
+
+ # -- Set custom deployment level annotations
+ annotations: {}
+
+ # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
+ podMetadata:
+ # -- Extra pod level labels
+ labels: {}
+ # -- Extra pod level annotations
+ annotations: {}
+
+ # -- Node labels for pod assignment.
+ nodeSelector: {}
+ # If you do want to specify node labels, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
+ # foo: bar
+
+ # -- Array of extra envs to be passed to the deployment. Kubernetes format is expected. Value is processed with Helm
+ # `tpl`
+ # - name: FOO
+ # value: BAR
+ extraEnv: []
+
+ # -- Parameters for the automigration initContainer
+ automigration:
+ # -- Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with
+ # Helm `tpl`
+ # - name: FOO
+ # value: BAR
+ extraEnv: []
+
+ # -- Configure node tolerations.
+ tolerations: []
+
+ # -- Configure pod topologySpreadConstraints.
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+ # labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: hydra
+ # app.kubernetes.io/instance: hydra
+
+ # -- Configure pod dnsConfig.
+ dnsConfig: {}
+ # options:
+ # - name: "ndots"
+ # value: "1"
+
+ # -- Specify the serviceAccountName value.
+ # In some situations it is needed to provides specific permissions to Hydra deployments
+ # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
+ # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
+ # -- Specify the serviceAccountName value.
+ # In some situations it is needed to provides specific permissions to Hydra deployments
+ # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
+ # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
+ serviceAccount:
+ # -- Specifies whether a service account should be created
+ create: true
+ # -- Annotations to add to the service account
+ annotations: {}
+ # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+ # -- If you want to mount external volume
+ extraVolumes: []
+ # - name: my-volume
+ # secret:
+ # secretName: my-secret
+ extraVolumeMounts: []
+ # - name: my-volume
+ # mountPath: /etc/secrets/my-secret
+ # readOnly: true
+
+ # For example, mount a secret containing Certificate root CA to verify database
+ # TLS connection.
+ # extraVolumes:
+ # - name: postgresql-tls
+ # secret:
+ # secretName: postgresql-root-ca
+ # extraVolumeMounts:
+ # - name: postgresql-tls
+ # mountPath: "/etc/postgresql-tls"
+ # readOnly: true
+
+ # -- Configure HPA
+ autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 3
+ targetCPU: {}
+ # type: Utilization
+ # averageUtilization: 80
+ targetMemory: {}
+ # type: Utilization
+ # averageUtilization: 80
+ # -- Set custom behavior
+ # https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
+ behavior: {}
+
+ # -- Default probe timers
+ livenessProbe:
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ # -- Default probe timers
+ readinessProbe:
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ # -- Default probe timers
+ startupProbe:
+ failureThreshold: 60
+ successThreshold: 1
+ periodSeconds: 1
+ timeoutSeconds: 1
+
+ automountServiceAccountToken: false
+
+ terminationGracePeriodSeconds: 60
+
+ # -- If you want to add extra init containers. These are processed before the migration init container.
+ extraInitContainers: ""
+ # extraInitContainers: |
+ # - name: ...
+ # image: ...
+
+ # -- If you want to add extra sidecar containers.
+ extraContainers: ""
+ # extraContainers: |
+ # - name: ...
+ # image: ...
+
+ # -- Configure a custom livenessProbe. This overwrites the default object
+ customLivenessProbe: {}
+ # -- Configure a custom readinessProbe. This overwrites the default object
+ customReadinessProbe: {}
+ # -- Configure a custom startupProbe. This overwrites the default object
+ customStartupProbe: {}
+ # -- Number of revisions kept in history
+ revisionHistoryLimit: 5
+
+## -- Values for initialization job
+job:
+ # -- If you do want to specify annotations, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
+ annotations:
+ helm.sh/hook-weight: "1"
+ helm.sh/hook: "pre-install, pre-upgrade"
+ helm.sh/hook-delete-policy: "before-hook-creation"
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+
+ # -- Set custom deployment level labels
+ labels: {}
+
+ # -- If you want to add extra sidecar containers.
+ extraContainers: ""
+ # extraContainers: |
+ # - name: ...
+ # image: ...
+
+ # -- Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format
+ # is expected. Value is processed with Helm `tpl`
+ # - name: FOO
+ # value: BAR
+ extraEnv: []
+
+ # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
+ podMetadata:
+ # -- Extra pod level labels
+ labels: {}
+ # -- Extra pod level annotations
+ annotations: {}
+
+ # -- If you want to add extra init containers.
+ # extraInitContainers: |
+ # - name: ...
+ # image: ...
+ extraInitContainers: ""
+
+ # -- Node labels for pod assignment.
+ nodeSelector: {}
+ # If you do want to specify node labels, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
+ # foo: bar
+
+ # -- resource requests and limits for the automigration job
+ resources: {}
+
+ # -- Configure node tolerations.
+ tolerations: []
+
+ # -- If you want to add lifecycle hooks.
+ lifecycle: ""
+ # lifecycle: |
+ # preStop:
+ # exec:
+ # command: [...]
+
+ # -- Set automounting of the SA token
+ automountServiceAccountToken: true
+
+ # -- Set sharing process namespace
+ shareProcessNamespace: false
+
+ # -- Specify the serviceAccountName value.
+ # In some situations it is needed to provides specific permissions to Hydra deployments
+ # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
+ # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
+ serviceAccount:
+ # -- Specifies whether a service account should be created
+ create: true
+ # -- Annotations to add to the service account
+ annotations:
+ helm.sh/hook-weight: "0"
+ helm.sh/hook: "pre-install, pre-upgrade"
+ helm.sh/hook-delete-policy: "before-hook-creation"
+ # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+ spec:
+ # -- Set job back off limit
+ backoffLimit: 10
+
+## -- Configure node affinity
+affinity: {}
+
+## -- Configures controller setup
+maester:
+ enabled: true
+
+## -- Values for the hydra admin service arguments to hydra-maester
+hydra-maester:
+ adminService:
+ # -- The service name value may need to be set if you use `fullnameOverride` for the parent chart
+ name: ""
+ # -- You only need to set this port if you change the value for `service.admin.port` in the parent chart
+ # port:
+
+## -- Sidecar watcher configuration
+watcher:
+ enabled: false
+ image: oryd/k8s-toolbox:0.0.5
+ # -- Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo
+ mountFile: ""
+ # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
+ podMetadata:
+ # -- Extra pod level labels
+ labels: {}
+ # -- Extra pod level annotations
+ annotations: {}
+ # -- Label key used for managing applications
+ watchLabelKey: "ory.sh/watcher"
+ # -- Number of revisions kept in history
+ revisionHistoryLimit: 5
+
+ # -- pod securityContext for watcher deployment
+ podSecurityContext: {}
+ resources: {}
+ automountServiceAccountToken: true
+
+ # -- container securityContext for watcher deployment
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 100
+ allowPrivilegeEscalation: false
+ privileged: false
+
+## -- Janitor cron job configuration
+janitor:
+ # -- Enable cleanup of stale database rows by periodically running the janitor command
+ enabled: false
+
+ # -- Configure if the trust relationships must be cleaned up
+ cleanupGrants: false
+
+ # -- Configure if the consent and authentication requests must be cleaned up
+ cleanupRequests: false
+
+ # -- Configure if the access and refresh tokens must be cleaned up
+ cleanupTokens: false
+
+ # -- Configure how many records are deleted with each iteration
+ batchSize: 100
+
+ # -- Configure how many records are retrieved from database for deletion
+ limit: 10000
+
+## -- CronJob configuration
+cronjob:
+ janitor:
+ # -- Configure how often the cron job is ran
+ schedule: "0 */1 * * *"
+ # -- Configure a custom entrypoint, overriding the default value
+ customCommand: []
+
+ # -- Configure the arguments of the entrypoint, overriding the default value
+ customArgs: []
+
+ # -- Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes
+ # format is expected. Value is processed with Helm `tpl`
+ # - name: FOO
+ # value: BAR
+ extraEnv: []
+
+ # -- If you want to add extra init containers. These are processed before the migration init container.
+ extraInitContainers: ""
+ # extraInitContainers: |
+ # - name: ...
+ # image: ...
+
+ # -- If you want to add extra sidecar containers.
+ extraContainers: ""
+ # extraContainers: |
+ # - name: ...
+ # image: ...
+
+ # -- If you want to mount external volume
+ extraVolumes: []
+ # - name: my-volume
+ # secret:
+ # secretName: my-secret
+ extraVolumeMounts: []
+ # - name: my-volume
+ # mountPath: /etc/secrets/my-secret
+ # readOnly: true
+
+ # -- Set custom cron job level labels
+ labels: {}
+
+ # -- Set custom cron job level annotations
+ annotations: {}
+
+ # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
+ podMetadata:
+ # -- Extra pod level labels
+ labels: {}
+
+ # -- Extra pod level annotations
+ annotations: {}
+
+ # -- Configure node labels for pod assignment
+ nodeSelector: {}
+
+ # -- Configure node tolerations
+ tolerations: []
+
+ # -- Configure node affinity
+ affinity: {}
+
+ # -- Set automounting of the SA token
+ automountServiceAccountToken: true
+
+ # -- Specify the serviceAccountName value.
+ # In some situations it is needed to provides specific permissions to Hydra deployments
+ # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
+ # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
+ serviceAccount:
+ # -- Specifies whether a service account should be created
+ create: true
+ # -- Annotations to add to the service account
+ annotations:
+ helm.sh/hook-weight: "0"
+ helm.sh/hook: "pre-install, pre-upgrade"
+ helm.sh/hook-delete-policy: "before-hook-creation"
+ # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+ # -- Configure the containers' SecurityContext for the janitor cronjob
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 100
+ allowPrivilegeEscalation: false
+ privileged: false
+
+ ## -- pod securityContext for the janitor cronjob
+ podSecurityContext: {}
+
+ # -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
+ # This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ resources:
+ limits: {}
+ requests: {}
+
+## -- PodDistributionBudget configuration
+pdb:
+ enabled: false
+ spec:
+ minAvailable: ""
+ maxUnavailable: ""
+
+## -- Parameters for the Prometheus ServiceMonitor objects.
+# Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html
+serviceMonitor:
+ # -- switch to true to enable creating the ServiceMonitor
+ enabled: false
+ # -- HTTP scheme to use for scraping.
+ scheme: http
+ # -- Interval at which metrics should be scraped
+ scrapeInterval: 60s
+ # -- Timeout after which the scrape is ended
+ scrapeTimeout: 30s
+ # -- Provide additionnal labels to the ServiceMonitor ressource metadata
+ labels: {}
+ # -- TLS configuration to use when scraping the endpoint
+ tlsConfig: {}
+
+configmap:
+ # -- switch to false to prevent checksum annotations being maintained and propogated to the pods
+ hashSumEnabled: true
+
+test:
+ # -- Provide additional labels to the test pod
+ labels: {}
+ # -- use a busybox image from another repository
+ busybox:
+ repository: busybox
+ tag: 1
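Review bot: `job.automountServiceAccountToken` and `cronjob.janitor.automountServiceAccountToken` default to `true` while `deployment.automountServiceAccountToken` defaults to `false`; the migration job and the janitor only need database access, so unless they call the Kubernetes API (nothing in this file suggests they do) they should default to `false` as well, leaving the watcher as the one workload that opts in. `cronjob.janitor.securityContext` omits the `seccompProfile: {type: RuntimeDefault}` that `deployment.securityContext` and `watcher.securityContext` carry, and neither the janitor nor the watcher context sets `runAsGroup`, so the three hardening profiles drift apart with no stated reason. `hydra.config.serve.tls.allow_termination_from` whitelists all three RFC 1918 ranges, which in most clusters covers the entire pod network, so every in-cluster client is treated as a trusted TLS terminator; a comment such as `# NOTE: these ranges usually include every pod in the cluster; narrow to the ingress controller's CIDR in production` would make the consequence of the default visible to operators. The four-line `# -- Specify the serviceAccountName value.` comment under `deployment` is pasted twice back to back, and the file carries typos (`propogated`, `Uncoment`, `PosSecurityPolicy`, `in-depended`, `additionnal`, `ressource`, `wil`) presumably inherited from the chart it was copied from.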
From 3b54ded7ba69c519afd98d63512e8ea44047c87e Mon Sep 17 00:00:00 2001 From: Trevor Foster Date: Mon, 9 Dec 2024 00:48:10 -0500 Subject: [PATCH 3/5] Revert changes to hydra chart --- helm/charts/hydra/README.md | 3 --- helm/charts/hydra/templates/deployment.yaml | 2 -- helm/charts/hydra/templates/hpa.yaml | 2 -- helm/charts/hydra/templates/service-admin.yaml | 3 --- helm/charts/hydra/templates/service-public.yaml | 4 ---- helm/charts/hydra/values.yaml | 7 ------- 6 files changed, 21 deletions(-) diff --git a/helm/charts/hydra/README.md b/helm/charts/hydra/README.md index 8a9593b417..23e6383cb6 100644 --- a/helm/charts/hydra/README.md +++ b/helm/charts/hydra/README.md 
@@ -54,9 +54,6 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | cronjob.janitor.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | cronjob.janitor.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 | cronjob.janitor.tolerations | list | `[]` | Configure node tolerations |
-| separateAdminAndPublicDeploys | bool | `false` | When `true` separate deploys will be created for admin and public components. Use `deployment.admin` and `deployment.public` to configure component specific options. |
-| deployment.admin | object | `{}` | When separateAdminAndPublicDeploys is enabled, this field acts as overrides only for the `hydra-admin` deployment object. |
-| deployment.public | object | `{}` | When separateAdminAndPublicDeploys is enabled, this field acts as overrides only for the `hydra-public` deployment object. |
 | deployment.annotations | object | `{}` | Set custom deployment level annotations |
 | deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
 | deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
diff --git a/helm/charts/hydra/templates/deployment.yaml b/helm/charts/hydra/templates/deployment.yaml
index 7426edc745..fa266bd43a 100644
--- a/helm/charts/hydra/templates/deployment.yaml
+++ b/helm/charts/hydra/templates/deployment.yaml
@@ -1,4 +1,3 @@
-{{- if .Values.separateAdminAndPublicDeploys | not -}}
 {{- include "hydra.automigration.typeVerification" . -}}
 {{- $migrationExtraEnv := ternary .Values.deployment.automigration.extraEnv .Values.deployment.extraEnv (not (empty .Values.deployment.automigration.extraEnv )) -}}
@@ -235,4 +234,3 @@ spec:
 dnsConfig:
 {{- toYaml . | nindent 8 }}
 {{- end }}
-{{- end -}}
diff --git a/helm/charts/hydra/templates/hpa.yaml b/helm/charts/hydra/templates/hpa.yaml
index 7829a3ce36..5c4f5df1b3 100644
--- a/helm/charts/hydra/templates/hpa.yaml
+++ b/helm/charts/hydra/templates/hpa.yaml
@@ -1,4 +1,3 @@
-{{- if .Values.separateAdminAndPublicDeploys | not }}
 {{- if .Values.deployment.autoscaling.enabled }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
@@ -35,4 +34,3 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/helm/charts/hydra/templates/service-admin.yaml b/helm/charts/hydra/templates/service-admin.yaml
index 1da45cb40e..100d9581d2 100644
--- a/helm/charts/hydra/templates/service-admin.yaml
+++ b/helm/charts/hydra/templates/service-admin.yaml
@@ -32,9 +32,6 @@ spec:
 selector:
 app.kubernetes.io/name: {{ include "hydra.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
- {{- if .Values.separateAdminAndPublicDeploys }}
- app.kubernetes.io/component: admin
- {{- end }}
 {{- if .Values.serviceMonitor.enabled }}
 ---
 apiVersion: monitoring.coreos.com/v1
diff --git a/helm/charts/hydra/templates/service-public.yaml b/helm/charts/hydra/templates/service-public.yaml
index fdef3729d8..570aad2381 100644
--- a/helm/charts/hydra/templates/service-public.yaml
+++ b/helm/charts/hydra/templates/service-public.yaml
@@ -11,7 +11,6 @@ metadata:
 {{- with .Values.service.public.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- app.kubernetes.io/component: public
 annotations:
 {{- with .Values.service.public.annotations }}
 {{- toYaml . | nindent 4 }}
@@ -31,7 +30,4 @@ spec:
 selector:
 app.kubernetes.io/name: {{ include "hydra.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
- {{- if .Values.separateAdminAndPublicDeploys }}
- app.kubernetes.io/component: public
- {{- end }}
 {{- end }}
diff --git a/helm/charts/hydra/values.yaml b/helm/charts/hydra/values.yaml
index e2e1b3d469..9600c16b7f 100644
--- a/helm/charts/hydra/values.yaml
+++ b/helm/charts/hydra/values.yaml
@@ -180,15 +180,8 @@ hydra:
 # -- Enable dev mode, not secure in production environments
 dev: false
-# When `true` separate deploys will be created for admin and public components. Use `deployment.admin` and `deployment.public` to configure component specific options.
-separateAdminAndPublicDeploys: false
-
 ## -- Deployment specific config
 deployment:
- # When separateAdminAndPublicDeploys is enabled, the admin/public fields act as overrides for the individual deploys.
- admin: {}
- public: {}
-
 strategy:
 type: RollingUpdate
 rollingUpdate:
From a6a60a8c0d37f14c5fac4df27b5061dc9ddd14aa Mon Sep 17 00:00:00 2001 From: Trevor Foster Date: Mon, 9 Dec 2024 00:49:42 -0500 Subject: [PATCH 4/5] Remove templates added to hydra chart --- .../hydra/templates/deployment-admin.yaml | 247 ------------------ .../hydra/templates/deployment-public.yaml | 246 ----------------- .../charts/hydra/templates/hpa-separated.yaml | 43 --- 3 files changed, 536 deletions(-) delete mode 100644 helm/charts/hydra/templates/deployment-admin.yaml delete mode 100644 helm/charts/hydra/templates/deployment-public.yaml delete mode 100644 helm/charts/hydra/templates/hpa-separated.yaml
diff --git a/helm/charts/hydra/templates/deployment-admin.yaml b/helm/charts/hydra/templates/deployment-admin.yaml
deleted file mode 100644
index ec9e2e06c0..0000000000
--- a/helm/charts/hydra/templates/deployment-admin.yaml
+++ /dev/null
@@ -1,247 +0,0 @@ -{{- if .Values.separateAdminAndPublicDeploys -}} -{{- include "hydra.automigration.typeVerification" . -}} -{{- $deployValues := merge .Values.deployment.admin (omit .Values.deployment "admin" "public") -}} -{{- $migrationExtraEnv := ternary $deployValues.automigration.extraEnv $deployValues.extraEnv (not (empty $deployValues.automigration.extraEnv )) -}} - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "hydra.fullname" . }}-admin - {{- if .Release.Namespace }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - {{- include "hydra.labels" . | nindent 4 }} - {{- with $deployValues.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - app.kubernetes.io/component: admin - annotations: - {{- with $deployValues.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: -{{- if not $deployValues.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} -{{- end }} - revisionHistoryLimit: {{ $deployValues.revisionHistoryLimit }} - strategy: - {{- toYaml $deployValues.strategy | nindent 4 }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "hydra.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: admin - template: - metadata: - labels: - {{- include "hydra.labels" . | nindent 8 }} - {{- with $deployValues.labels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $deployValues.podMetadata.labels }} - {{- toYaml . | nindent 8 }} - {{- end }} - app.kubernetes.io/component: admin - annotations: - {{- include "hydra.annotations.checksum" . | nindent 8 -}} - {{- with $deployValues.annotations }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $deployValues.podMetadata.annotations }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - name: {{ include "hydra.name" . }}-config-volume - configMap: - name: {{ include "hydra.fullname" . 
}} - {{- if $deployValues.extraVolumes }} - {{- toYaml $deployValues.extraVolumes | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "hydra.serviceAccountName" . }} - automountServiceAccountToken: {{ $deployValues.automountServiceAccountToken }} - terminationGracePeriodSeconds: {{ $deployValues.terminationGracePeriodSeconds }} - containers: - - name: {{ .Chart.Name }}-admin - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: {{- toYaml .Values.hydra.command | nindent 12 }} - {{- if .Values.hydra.customArgs }} - args: {{- toYaml .Values.hydra.customArgs | nindent 12 }} - {{- else }} - args: - - serve - - admin - {{- if .Values.hydra.dev }} - - "--dev" - {{- end }} - - --config - - /etc/config/hydra.yaml - {{- end }} - volumeMounts: - - name: {{ include "hydra.name" . }}-config-volume - mountPath: /etc/config - readOnly: true - {{- if $deployValues.extraVolumeMounts }} - {{- toYaml $deployValues.extraVolumeMounts | nindent 12 }} - {{- end }} - ports: - - name: http-admin - containerPort: {{ .Values.hydra.config.serve.admin.port }} - protocol: TCP - livenessProbe: - {{- if $deployValues.customLivenessProbe }} - {{- toYaml $deployValues.customLivenessProbe | nindent 12 }} - {{- else }} - httpGet: - path: /health/alive - port: {{ .Values.hydra.config.serve.admin.port }} - httpHeaders: - - name: Host - value: '127.0.0.1' - {{- toYaml $deployValues.livenessProbe | nindent 12 }} - {{- end }} - readinessProbe: - {{- if $deployValues.customReadinessProbe }} - {{- toYaml $deployValues.customReadinessProbe | nindent 12 }} - {{- else }} - httpGet: - path: /health/ready - port: {{ .Values.hydra.config.serve.admin.port }} - httpHeaders: - - name: Host - value: '127.0.0.1' - {{- toYaml $deployValues.readinessProbe | nindent 12 }} - {{- end }} - startupProbe: - {{- if $deployValues.customStartupProbe }} - {{- toYaml $deployValues.customStartupProbe | nindent 12 }} - {{- 
else }} - httpGet: - path: /health/ready - port: {{ .Values.hydra.config.serve.admin.port }} - httpHeaders: - - name: Host - value: '127.0.0.1' - {{- toYaml $deployValues.startupProbe | nindent 12 }} - {{- end }} - env: - {{- $issuer := include "hydra.config.urls.issuer" . -}} - {{- if $issuer }} - - name: URLS_SELF_ISSUER - value: {{ $issuer | quote }} - {{- end }} - {{- if not (empty ( include "hydra.dsn" . )) }} - {{- if not (include "ory.extraEnvContainsEnvName" (list $deployValues.extraEnv "DSN")) }} - - name: DSN - valueFrom: - secretKeyRef: - name: {{ include "hydra.secretname" . }} - key: dsn - {{- end }} - {{- end }} - - name: SECRETS_SYSTEM - valueFrom: - secretKeyRef: - name: {{ include "hydra.secretname" . }} - key: secretsSystem - - name: SECRETS_COOKIE - valueFrom: - secretKeyRef: - name: {{ include "hydra.secretname" . }} - key: secretsCookie - {{- if $deployValues.extraEnv }} - {{- tpl (toYaml $deployValues.extraEnv) . | nindent 12 }} - {{- end }} - resources: - {{- toYaml $deployValues.resources | nindent 12 }} - {{- if $deployValues.securityContext }} - securityContext: - {{- toYaml $deployValues.securityContext | nindent 12 }} - {{- end }} - lifecycle: - {{- toYaml $deployValues.lifecycle | nindent 12 }} - {{- if $deployValues.extraContainers }} - {{- tpl $deployValues.extraContainers . | nindent 8 }} - {{- end }} - initContainers: - {{- if $deployValues.extraInitContainers }} - {{- tpl $deployValues.extraInitContainers . 
| nindent 8 }} - {{- end }} - {{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "initContainer" ) }} - - name: {{ .Chart.Name }}-automigrate - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.hydra.automigration.customCommand }} - command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 12 }} - {{- else }} - command: ["hydra"] - {{- end }} - {{- if .Values.hydra.automigration.customArgs }} - args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 12 }} - {{- else }} - args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"] - {{- end }} - volumeMounts: - - name: {{ include "hydra.name" . }}-config-volume - mountPath: /etc/config - readOnly: true - {{- with $deployValues.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} - env: - {{- if not (empty ( include "hydra.dsn" . )) }} - {{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }} - - name: DSN - valueFrom: - secretKeyRef: - name: {{ include "hydra.secretname" . }} - key: dsn - {{- end }} - {{- end }} - {{- if $migrationExtraEnv }} - {{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }} - {{- end }} - {{- if .Values.hydra.automigration.resources }} - resources: - {{- toYaml .Values.hydra.automigration.resources | nindent 12 }} - {{- end }} - {{- with $deployValues.initContainerSecurityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - {{- with $deployValues.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $deployValues.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- with $deployValues.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $deployValues.podSecurityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $deployValues.dnsConfig }} - dnsConfig: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end -}} diff --git a/helm/charts/hydra/templates/deployment-public.yaml b/helm/charts/hydra/templates/deployment-public.yaml deleted file mode 100644 index 9bd34fb51b..0000000000 --- a/helm/charts/hydra/templates/deployment-public.yaml +++ /dev/null 
@@ -1,246 +0,0 @@
-{{- if .Values.separateAdminAndPublicDeploys -}}
-{{- $deployValues := merge .Values.deployment.public (omit .Values.deployment "admin" "public") -}}
-{{- $migrationExtraEnv := ternary $deployValues.automigration.extraEnv $deployValues.extraEnv (not (empty $deployValues.automigration.extraEnv )) -}}
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "hydra.fullname" . }}-public
- {{- if .Release.Namespace }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- {{- include "hydra.labels" . | nindent 4 }}
- {{- with $deployValues.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- app.kubernetes.io/component: public
- annotations:
- {{- with $deployValues.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
-{{- if not $deployValues.autoscaling.enabled }}
- replicas: {{ .Values.replicaCount }}
-{{- end }}
- revisionHistoryLimit: {{ $deployValues.revisionHistoryLimit }}
- strategy:
- {{- toYaml $deployValues.strategy | nindent 4 }}
- selector:
- matchLabels:
- app.kubernetes.io/name: {{ include "hydra.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/component: public
- template:
- metadata:
- labels:
- {{- include "hydra.labels" . | nindent 8 }}
- {{- with $deployValues.labels }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with $deployValues.podMetadata.labels }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- app.kubernetes.io/component: public
- annotations:
- {{- include "hydra.annotations.checksum" . | nindent 8 -}}
- {{- with $deployValues.annotations }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with $deployValues.podMetadata.annotations }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- volumes:
- - name: {{ include "hydra.name" . }}-config-volume
- configMap:
- name: {{ include "hydra.fullname" . }}
- {{- if $deployValues.extraVolumes }}
- {{- toYaml $deployValues.extraVolumes | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "hydra.serviceAccountName" . }}
- automountServiceAccountToken: {{ $deployValues.automountServiceAccountToken }}
- terminationGracePeriodSeconds: {{ $deployValues.terminationGracePeriodSeconds }}
- containers:
- - name: {{ .Chart.Name }}-public
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- command: {{- toYaml .Values.hydra.command | nindent 12 }}
- {{- if .Values.hydra.customArgs }}
- args: {{- toYaml .Values.hydra.customArgs | nindent 12 }}
- {{- else }}
- args:
- - serve
- - public
- {{- if .Values.hydra.dev }}
- - "--dev"
- {{- end }}
- - --config
- - /etc/config/hydra.yaml
- {{- end }}
- volumeMounts:
- - name: {{ include "hydra.name" . }}-config-volume
- mountPath: /etc/config
- readOnly: true
- {{- if $deployValues.extraVolumeMounts }}
- {{- toYaml $deployValues.extraVolumeMounts | nindent 12 }}
- {{- end }}
- ports:
- - name: http-public
- containerPort: {{ .Values.hydra.config.serve.public.port }}
- protocol: TCP
- livenessProbe:
- {{- if $deployValues.customLivenessProbe }}
- {{- toYaml $deployValues.customLivenessProbe | nindent 12 }}
- {{- else }}
- httpGet:
- path: /health/alive
- port: {{ .Values.hydra.config.serve.public.port }}
- httpHeaders:
- - name: Host
- value: '127.0.0.1'
- {{- toYaml $deployValues.livenessProbe | nindent 12 }}
- {{- end }}
- readinessProbe:
- {{- if $deployValues.customReadinessProbe }}
- {{- toYaml $deployValues.customReadinessProbe | nindent 12 }}
- {{- else }}
- httpGet:
- path: /health/ready
- port: {{ .Values.hydra.config.serve.public.port }}
- httpHeaders:
- - name: Host
- value: '127.0.0.1'
- {{- toYaml $deployValues.readinessProbe | nindent 12 }}
- {{- end }}
- startupProbe:
- {{- if $deployValues.customStartupProbe }}
- {{- toYaml $deployValues.customStartupProbe | nindent 12 }}
- {{- else }}
- httpGet:
- path: /health/ready
- port: {{ .Values.hydra.config.serve.public.port }}
- httpHeaders:
- - name: Host
- value: '127.0.0.1'
- {{- toYaml $deployValues.startupProbe | nindent 12 }}
- {{- end }}
- env:
- {{- $issuer := include "hydra.config.urls.issuer" . -}}
- {{- if $issuer }}
- - name: URLS_SELF_ISSUER
- value: {{ $issuer | quote }}
- {{- end }}
- {{- if not (empty ( include "hydra.dsn" . )) }}
- {{- if not (include "ory.extraEnvContainsEnvName" (list $deployValues.extraEnv "DSN")) }}
- - name: DSN
- valueFrom:
- secretKeyRef:
- name: {{ include "hydra.secretname" . }}
- key: dsn
- {{- end }}
- {{- end }}
- - name: SECRETS_SYSTEM
- valueFrom:
- secretKeyRef:
- name: {{ include "hydra.secretname" . }}
- key: secretsSystem
- - name: SECRETS_COOKIE
- valueFrom:
- secretKeyRef:
- name: {{ include "hydra.secretname" . }}
- key: secretsCookie
- {{- if $deployValues.extraEnv }}
- {{- tpl (toYaml $deployValues.extraEnv) . | nindent 12 }}
- {{- end }}
- resources:
- {{- toYaml $deployValues.resources | nindent 12 }}
- {{- if $deployValues.securityContext }}
- securityContext:
- {{- toYaml $deployValues.securityContext | nindent 12 }}
- {{- end }}
- lifecycle:
- {{- toYaml $deployValues.lifecycle | nindent 12 }}
- {{- if $deployValues.extraContainers }}
- {{- tpl $deployValues.extraContainers . | nindent 8 }}
- {{- end }}
- initContainers:
- {{- if $deployValues.extraInitContainers }}
- {{- tpl $deployValues.extraInitContainers . | nindent 8 }}
- {{- end }}
- {{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "initContainer" ) }}
- - name: {{ .Chart.Name }}-automigrate
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- {{- if .Values.hydra.automigration.customCommand }}
- command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 12 }}
- {{- else }}
- command: ["hydra"]
- {{- end }}
- {{- if .Values.hydra.automigration.customArgs }}
- args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 12 }}
- {{- else }}
- args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"]
- {{- end }}
- volumeMounts:
- - name: {{ include "hydra.name" . }}-config-volume
- mountPath: /etc/config
- readOnly: true
- {{- with $deployValues.extraVolumeMounts }}
- {{- toYaml . | nindent 12 }}
- {{- end }}
- env:
- {{- if not (empty ( include "hydra.dsn" . )) }}
- {{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- - name: DSN
- valueFrom:
- secretKeyRef:
- name: {{ include "hydra.secretname" . }}
- key: dsn
- {{- end }}
- {{- end }}
- {{- if $migrationExtraEnv }}
- {{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }}
- {{- end }}
- {{- if .Values.hydra.automigration.resources }}
- resources:
- {{- toYaml .Values.hydra.automigration.resources | nindent 12 }}
- {{- end }}
- {{- with $deployValues.initContainerSecurityContext }}
- securityContext:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- {{- end }}
- {{- if .Values.priorityClassName }}
- priorityClassName: {{ .Values.priorityClassName }}
- {{- end }}
- {{- with $deployValues.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with $deployValues.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with $deployValues.topologySpreadConstraints }}
- topologySpreadConstraints:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with $deployValues.podSecurityContext }}
- securityContext:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with $deployValues.dnsConfig }}
- dnsConfig:
- {{- toYaml . | nindent 8 }}
- {{- end }}
-{{- end -}}
diff --git a/helm/charts/hydra/templates/hpa-separated.yaml b/helm/charts/hydra/templates/hpa-separated.yaml
deleted file mode 100644
index 63c27ef648..0000000000
--- a/helm/charts/hydra/templates/hpa-separated.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-{{- if .Values.separateAdminAndPublicDeploys }}
-{{- range list "admin" "public" }}
-{{- $deployValues := merge (deepCopy (get $.Values.deployment .)) (omit $.Values.deployment "admin" "public") }}
-{{- if $deployValues.autoscaling.enabled }}
----
-apiVersion: autoscaling/v2
-kind: HorizontalPodAutoscaler
-metadata:
- {{- if $.Release.Namespace }}
- namespace: {{ $.Release.Namespace }}
- {{- end }}
- name: {{ include "hydra.fullname" $ }}-{{.}}
- labels:
- {{- include "hydra.labels" $ | nindent 4 }}
- app.kubernetes.io/component: {{. | quote}}
-spec:
- {{- with $deployValues.autoscaling.behavior }}
- behavior: {{- toYaml . | nindent 4 }}
- {{- end }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ include "hydra.fullname" $ }}-{{.}}
- minReplicas: {{ $deployValues.autoscaling.minReplicas }}
- maxReplicas: {{ $deployValues.autoscaling.maxReplicas }}
- metrics:
- {{- with $deployValues.autoscaling.targetMemory }}
- - type: Resource
- resource:
- name: memory
- target:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with $deployValues.autoscaling.targetCPU}}
- - type: Resource
- resource:
- name: cpu
- target:
- {{- toYaml . | nindent 8 }}
- {{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
\ No newline at end of file
From 17b15d50c0f30130fbc60b68caedf3b1902d83d2 Mon Sep 17 00:00:00 2001
From: Trevor Foster Date: Mon, 9 Dec 2024 00:52:10 -0500 Subject: [PATCH 5/5] Fix format
---
 helm/charts/hydra-distributed/Chart.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/helm/charts/hydra-distributed/Chart.yaml b/helm/charts/hydra-distributed/Chart.yaml
index 7e4b48e69e..fcdeca3fac 100644
--- a/helm/charts/hydra-distributed/Chart.yaml
+++ b/helm/charts/hydra-distributed/Chart.yaml
@@ -1,6 +1,7 @@
 apiVersion: v2
 appVersion: "v2.2.0"
-description: A Helm chart for deploying ORY Hydra in Kubernetes with a distributed layout.
+description:
+ A Helm chart for deploying ORY Hydra in Kubernetes with a distributed layout.
 name: hydra
 icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
 version: 0.50.3
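Review bot: The wrapped `description:` in the Chart.yaml hunk is a multi-line plain scalar, which is valid only because the continuation line is indented deeper than the key and is easy to misread as a stray line or to break on a later edit. A folded block scalar states the intent explicitly and yields the same single-line string: `description: >-` with the sentence on the indented line below it. This is purely a style point; the value the chart reports is unchanged either way.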