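---
# Default values for the ORY Hydra chart. Every key below can be overridden with
# --set or a custom values file; comments starting with "# --" are picked up by
# helm-docs.

# -- Number of ORY Hydra members
replicaCount: 1

image:
  # -- ORY Hydra image
  repository: oryd/hydra
  # -- ORY Hydra version
  tag: v2.2.0
  # -- Image pull policy
  pullPolicy: IfNotPresent

# -- Image pull secrets
imagePullSecrets: []
# -- Chart name override
nameOverride: ""
# -- Full chart name override
fullnameOverride: ""

# -- Pod priority
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""

## -- Configures the Kubernetes service
service:
  # -- Configures the Kubernetes service for the proxy port.
  public:
    # -- En-/disable the service
    enabled: true
    # -- The service type
    type: ClusterIP
    # -- The load balancer IP
    loadBalancerIP: ""
    # -- The service port
    port: 4444
    # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
    name: http
    # -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    labels: {}
    # If you do want to specify additional labels, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'labels:'.
    # e.g.
    # app: hydra

  # -- Configures the Kubernetes service for the api port.
  # NOTE: the admin API is unauthenticated by design; keep this service ClusterIP
  # and reachable only from trusted workloads unless an authenticating proxy sits in front of it.
  admin:
    # -- En-/disable the service
    enabled: true
    # -- The service type
    type: ClusterIP
    # -- The load balancer IP
    loadBalancerIP: ""
    # -- The service port
    port: 4445
    # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
    name: http
    # -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    labels: {}
    # If you do want to specify additional labels, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'labels:'.
    # e.g.
    # app: hydra
    # -- Path to the metrics endpoint
    metricsPath: /admin/metrics/prometheus

## -- Secret management
secret:
  # -- switch to false to prevent creating the secret
  enabled: true
  # -- Provide custom name of existing secret, or custom name of secret to be created
  nameOverride: ""
  # nameOverride: "myCustomSecret"
  # -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
  secretAnnotations:
    # Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
    # pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards.
    helm.sh/hook-weight: "0"
    helm.sh/hook: "pre-install, pre-upgrade"
    helm.sh/hook-delete-policy: "before-hook-creation"
    helm.sh/resource-policy: "keep"
  # -- switch to false to prevent checksum annotations being maintained and propagated to the pods
  hashSumEnabled: true

## -- Configure ingress
ingress:
  # -- Configure ingress for the proxy port.
  public:
    # -- En-/Disable the proxy ingress.
    enabled: false
    className: ""
    # If you do want to specify annotations, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    hosts:
      - host: public.hydra.localhost
        paths:
          - path: /
            pathType: ImplementationSpecific
    # tls: []
    #   hosts:
    #     - proxy.hydra.local
    #   - secretName: hydra-proxy-example-tls

  # -- Configure ingress for the api port.
  # NOTE: exposing the admin API through an ingress publishes an unauthenticated
  # management endpoint; keep this disabled or front it with an authenticating proxy.
  admin:
    # -- En-/Disable the api ingress.
    enabled: false
    className: ""
    # If you do want to specify annotations, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    hosts:
      - host: admin.hydra.localhost
        paths:
          - path: /
            pathType: ImplementationSpecific
    # tls: []
    #   hosts:
    #     - api.hydra.local
    #   - secretName: hydra-api-example-tls

## -- Configure ORY Hydra itself
hydra:
  # -- Ability to override the entrypoint of hydra container
  # (e.g. to source dynamic secrets or export environment dynamic variables)
  command: ["hydra"]
  # -- Ability to override arguments of the entrypoint. Can be used independently of customCommand
  customArgs: []
  # -- The ORY Hydra configuration. For a full list of available settings, check:
  # https://www.ory.sh/docs/hydra/reference/configuration
  config:
    serve:
      public:
        port: 4444
      admin:
        port: 4445
      tls:
        # Source ranges from which Hydra accepts requests whose TLS was already
        # terminated upstream (ingress / service mesh). The defaults cover all
        # RFC 1918 space; narrow this to the actual ingress or mesh ranges so that
        # an arbitrary in-cluster client cannot present itself as a TLS-terminating proxy.
        allow_termination_from:
          - 10.0.0.0/8
          - 172.16.0.0/12
          - 192.168.0.0/16
    # -- The secrets have to be provided as a string slice, example:
    # system:
    #   - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa"
    #   - "foo bar 123 456 lorem"
    #   - "foo bar 123 456 lorem 1"
    #   - "foo bar 123 456 lorem 2"
    #   - "foo bar 123 456 lorem 3"
    # NOTE: anything set here is stored in the Helm release values as well as the
    # generated Secret; for production prefer pointing `secret.nameOverride` at an
    # existing, externally managed Secret and leaving this empty.
    secrets: {}
    # -- Configure the urls used by hydra itself, such as the issuer.
    # Note: some values are required for hydra to start, please refer to https://www.ory.sh/docs/hydra/self-hosted/kubernetes-helm-chart
    # self:
    #   issuer: "https://public.hydra.localhost:4444/"
    urls:
      self: {}
  # -- Enables database migration
  automigration:
    enabled: false
    # -- Configure the way to execute database migration. Possible values: job, initContainer
    # When set to job, the migration will be executed as a job on release or upgrade.
    # When set to initContainer, the migration will be executed when the hydra pod is created
    # Defaults to job
    type: job
    # -- Ability to override the entrypoint of the automigration container
    # (e.g. to source dynamic secrets or export environment dynamic variables)
    customCommand: []
    # -- Ability to override arguments of the entrypoint. Can be used independently of customCommand
    # eg:
    # - sleep 5;
    # - kratos
    customArgs: []
    # -- resource requests and limits for the automigration initcontainer
    resources: {}
  # -- Enable dev mode, not secure in production environments
  dev: false

## -- Deployment specific config
deployment:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: "25%"
      maxUnavailable: "25%"
  # -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
  # This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
  resources: {}

  ## -- initContainer securityContext for hydra & migration init
  initContainerSecurityContext: {}

  ## -- pod securityContext for hydra & migration init
  podSecurityContext:
    fsGroupChangePolicy: "OnRootMismatch"
    runAsNonRoot: true
    runAsUser: 65534
    fsGroup: 65534
    runAsGroup: 65534
    seccompProfile:
      type: RuntimeDefault

  ## -- container securityContext for hydra & migration init
  # This is the hardened baseline (no capabilities, read-only root, non-root,
  # no privilege escalation); the other workloads in this file should stay aligned with it.
  securityContext:
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 65534
    runAsGroup: 65534
    allowPrivilegeEscalation: false
    privileged: false
    seLinuxOptions:
      level: "s0:c123,c456"

  lifecycle: {}

  # -- Set custom deployment level labels
  labels: {}
  # -- Set custom deployment level annotations
  annotations: {}

  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}

  # -- Node labels for pod assignment.
  nodeSelector: {}
  # If you do want to specify node labels, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
  # foo: bar

  # -- Array of extra envs to be passed to the deployment. Kubernetes format is expected. Value is processed with Helm
  # `tpl`
  # - name: FOO
  #   value: BAR
  extraEnv: []

  # -- Parameters for the automigration initContainer
  automigration:
    # -- Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with
    # Helm `tpl`
    # - name: FOO
    #   value: BAR
    extraEnv: []

  # -- Configure node tolerations.
  tolerations: []

  # -- Configure pod topologySpreadConstraints.
  topologySpreadConstraints: []
  # - maxSkew: 1
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: DoNotSchedule
  #   labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/name: hydra
  #       app.kubernetes.io/instance: hydra

  # -- Configure pod dnsConfig.
  dnsConfig: {}
  # options:
  #   - name: "ndots"
  #     value: "1"

  # -- Specify the serviceAccountName value.
  # In some situations it is needed to provide specific permissions to Hydra deployments
  # Like for example installing Hydra on a cluster with a PodSecurityPolicy and Istio.
  # Uncomment if it is needed to provide a ServiceAccount for the Hydra deployment.
  serviceAccount:
    # -- Specifies whether a service account should be created
    create: true
    # -- Annotations to add to the service account
    annotations: {}
    # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
    name: ""

  # -- If you want to mount external volume
  extraVolumes: []
  # - name: my-volume
  #   secret:
  #     secretName: my-secret
  extraVolumeMounts: []
  # - name: my-volume
  #   mountPath: /etc/secrets/my-secret
  #   readOnly: true

  # For example, mount a secret containing Certificate root CA to verify database
  # TLS connection.
  # extraVolumes:
  #   - name: postgresql-tls
  #     secret:
  #       secretName: postgresql-root-ca
  # extraVolumeMounts:
  #   - name: postgresql-tls
  #     mountPath: "/etc/postgresql-tls"
  #     readOnly: true

  # -- Configure HPA
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPU: {}
    # type: Utilization
    # averageUtilization: 80
    targetMemory: {}
    # type: Utilization
    # averageUtilization: 80
    # -- Set custom behavior
    # https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
    behavior: {}

  # -- Default probe timers
  readinessProbe:
    initialDelaySeconds: 5
    periodSeconds: 10
    failureThreshold: 5
  # -- Default probe timers
  startupProbe:
    failureThreshold: 5
    successThreshold: 1
    periodSeconds: 1
    timeoutSeconds: 1
    initialDelaySeconds: 0

  # The Hydra server itself has no need for the Kubernetes API, so the SA token is not mounted.
  automountServiceAccountToken: false

  terminationGracePeriodSeconds: 60

  # -- If you want to add extra init containers. These are processed before the migration init container.
  extraInitContainers: ""
  # extraInitContainers: |
  #   - name: ...
  #     image: ...

  # -- If you want to add extra sidecar containers.
  extraContainers: ""
  # extraContainers: |
  #   - name: ...
  #     image: ...

  # -- Configure a custom livenessProbe. This overwrites the default object
  customLivenessProbe: {}
  # -- Configure a custom readinessProbe. This overwrites the default object
  customReadinessProbe: {}
  # -- Configure a custom startupProbe. This overwrites the default object
  customStartupProbe: {}

  # -- Number of revisions kept in history
  revisionHistoryLimit: 5

## -- Values for initialization job
job:
  # -- If you do want to specify annotations, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
  annotations:
    helm.sh/hook-weight: "1"
    helm.sh/hook: "pre-install, pre-upgrade"
    helm.sh/hook-delete-policy: "before-hook-creation"
  # kubernetes.io/ingress.class: nginx
  # kubernetes.io/tls-acme: "true"
  # -- Set custom deployment level labels
  labels: {}
  # -- If you want to add extra sidecar containers.
  extraContainers: ""
  # extraContainers: |
  #   - name: ...
  #     image: ...
  # -- Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format
  # is expected. Value is processed with Helm `tpl`
  # - name: FOO
  #   value: BAR
  extraEnv: []
  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}
  # -- If you want to add extra init containers.
  # extraInitContainers: |
  #   - name: ...
  #     image: ...
  extraInitContainers: ""
  # -- Node labels for pod assignment.
  nodeSelector: {}
  # If you do want to specify node labels, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
  # foo: bar
  # -- resource requests and limits for the automigration job
  resources: {}
  # -- Configure node tolerations.
  tolerations: []
  # -- If you want to add lifecycle hooks.
  lifecycle: ""
  # lifecycle: |
  #   preStop:
  #     exec:
  #       command: [...]
  # -- Set automounting of the SA token
  # NOTE(review): defaults to true here while the deployment sets it to false; a plain
  # migration job should not need the API token — set to false unless a custom command relies on it.
  automountServiceAccountToken: true
  # -- Set sharing process namespace
  shareProcessNamespace: false
  # -- Specify the serviceAccountName value.
  # In some situations it is needed to provide specific permissions to Hydra deployments
  # Like for example installing Hydra on a cluster with a PodSecurityPolicy and Istio.
  # Uncomment if it is needed to provide a ServiceAccount for the Hydra deployment.
  serviceAccount:
    # -- Specifies whether a service account should be created
    create: true
    # -- Annotations to add to the service account
    annotations:
      helm.sh/hook-weight: "0"
      helm.sh/hook: "pre-install, pre-upgrade"
      helm.sh/hook-delete-policy: "before-hook-creation"
    # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
    name: ""
  spec:
    # -- Set job back off limit
    backoffLimit: 10

## -- Configure node affinity
affinity: {}

## -- Configures controller setup
maester:
  enabled: true

## -- Values for the hydra admin service arguments to hydra-maester
hydra-maester:
  adminService:
    # -- The service name value may need to be set if you use `fullnameOverride` for the parent chart
    name: ""
    # -- You only need to set this port if you change the value for `service.admin.port` in the parent chart
    # port:

## -- Sidecar watcher configuration
watcher:
  enabled: false
  image: oryd/k8s-toolbox:v0.0.7
  # -- Path to mounted file, which will be monitored for changes. eg: /etc/secrets/my-secret/foo
  mountFile: ""
  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}
  # -- Label key used for managing applications
  watchLabelKey: "ory.sh/watcher"
  # -- Number of revisions kept in history
  revisionHistoryLimit: 5
  # -- pod securityContext for watcher deployment
  podSecurityContext: {}
  resources: {}
  # The watcher talks to the Kubernetes API (it rolls pods carrying `watchLabelKey`),
  # so it is the one workload that legitimately needs the SA token.
  automountServiceAccountToken: true
  # -- container securityContext for watcher deployment
  securityContext:
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 100
    allowPrivilegeEscalation: false
    privileged: false

## -- Janitor cron job configuration
janitor:
  # -- Enable cleanup of stale database rows by periodically running the janitor command
  enabled: false
  # -- Configure if the trust relationships must be cleaned up
  cleanupGrants: false
  # -- Configure if the consent and authentication requests must be cleaned up
  cleanupRequests: false
  # -- Configure if the access and refresh tokens must be cleaned up
  cleanupTokens: false
  # -- Configure how many records are deleted with each iteration
  batchSize: 100
  # -- Configure how many records are retrieved from database for deletion
  limit: 10000

## -- CronJob configuration
cronjob:
  janitor:
    # -- Configure how often the cron job is ran
    schedule: "0 */1 * * *"
    # -- Configure a custom entrypoint, overriding the default value
    customCommand: []
    # -- Configure the arguments of the entrypoint, overriding the default value
    customArgs: []
    # -- Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes
    # format is expected. Value is processed with Helm `tpl`
    # - name: FOO
    #   value: BAR
    extraEnv: []
    # -- If you want to add extra init containers. These are processed before the migration init container.
    extraInitContainers: ""
    # extraInitContainers: |
    #   - name: ...
    #     image: ...
    # -- If you want to add extra sidecar containers.
    extraContainers: ""
    # extraContainers: |
    #   - name: ...
    #     image: ...
    # -- If you want to mount external volume
    extraVolumes: []
    # - name: my-volume
    #   secret:
    #     secretName: my-secret
    extraVolumeMounts: []
    # - name: my-volume
    #   mountPath: /etc/secrets/my-secret
    #   readOnly: true
    # -- Set custom cron job level labels
    labels: {}
    # -- Set custom cron job level annotations
    annotations: {}
    # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
    podMetadata:
      # -- Extra pod level labels
      labels: {}
      # -- Extra pod level annotations
      annotations: {}
    # -- Configure node labels for pod assignment
    nodeSelector: {}
    # -- Configure node tolerations
    tolerations: []
    # -- Configure node affinity
    affinity: {}
    # -- Set automounting of the SA token
    # NOTE(review): the janitor only needs database access; set to false unless a custom command relies on the API token.
    automountServiceAccountToken: true
    # -- Specify the serviceAccountName value.
    # In some situations it is needed to provide specific permissions to Hydra deployments
    # Like for example installing Hydra on a cluster with a PodSecurityPolicy and Istio.
    # Uncomment if it is needed to provide a ServiceAccount for the Hydra deployment.
    serviceAccount:
      # -- Specifies whether a service account should be created
      create: true
      # -- Annotations to add to the service account
      annotations:
        helm.sh/hook-weight: "0"
        helm.sh/hook: "pre-install, pre-upgrade"
        helm.sh/hook-delete-policy: "before-hook-creation"
      # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
      name: ""
    # -- Configure the containers' SecurityContext for the janitor cronjob
    # NOTE: unlike `deployment.securityContext` and `watcher.securityContext`, no
    # seccompProfile is set here; add `seccompProfile: {type: RuntimeDefault}` if your
    # cluster policy (e.g. the restricted Pod Security Standard) requires it.
    securityContext:
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 100
      allowPrivilegeEscalation: false
      privileged: false
    ## -- pod securityContext for the janitor cronjob
    podSecurityContext: {}
    # -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
    # This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
    resources:
      limits: {}
      requests: {}

## -- PodDisruptionBudget configuration
pdb:
  enabled: false
  spec:
    minAvailable: ""
    maxUnavailable: ""

## -- Parameters for the Prometheus ServiceMonitor objects.
# Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html
serviceMonitor:
  # -- switch to true to enable creating the ServiceMonitor
  enabled: false
  # -- HTTP scheme to use for scraping.
  scheme: http
  # -- Interval at which metrics should be scraped
  scrapeInterval: 60s
  # -- Timeout after which the scrape is ended
  scrapeTimeout: 30s
  # -- Provide additional labels to the ServiceMonitor resource metadata
  labels: {}
  # -- TLS configuration to use when scraping the endpoint
  tlsConfig: {}

configmap:
  # -- switch to false to prevent checksum annotations being maintained and propagated to the pods
  hashSumEnabled: true

test:
  # -- Provide additional labels to the test pod
  labels: {}
  # -- use a busybox image from another repository
  busybox:
    repository: busybox
    # quoted so the tag stays a string and is never re-typed as an integer by YAML tooling
    tag: "1"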