# -- Number of ORY Hydra members
replicaCount: 1

image:
  # -- ORY Hydra image
  repository: oryd/hydra
  # -- ORY Hydra version
  tag: v2.2.0
  # -- Image pull policy
  pullPolicy: IfNotPresent

# -- Image pull secrets
imagePullSecrets: []
# Chart name override
nameOverride: ""
# -- Full chart name override
fullnameOverride: ""

# -- Pod priority
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""

## -- Configures the Kubernetes service
service:
  # -- Configures the Kubernetes service for the proxy port.
  public:
    # -- En-/disable the service
    enabled: true
    # -- The service type
    type: ClusterIP
    # -- The load balancer IP
    loadBalancerIP: ""
    # -- The service port
    port: 4444
    # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
    name: http
    # -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    labels: {}
    #      If you do want to specify additional labels, uncomment the following
    #      lines, adjust them as necessary, and remove the curly braces after 'labels:'.
    #      e.g.  app: hydra
  # -- Configures the Kubernetes service for the api port.
  admin:
    # -- En-/disable the service
    enabled: true
    # -- The service type
    type: ClusterIP
    # -- The load balancer IP
    loadBalancerIP: ""
    # -- The service port
    port: 4445
    # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
    name: http
    # -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    labels: {}
    #      If you do want to specify additional labels, uncomment the following
    #      lines, adjust them as necessary, and remove the curly braces after 'labels:'.
    #      e.g.  app: hydra
    # -- Path to the metrics endpoint
    metricsPath: /admin/metrics/prometheus

## -- Secret management
secret:
  # -- switch to false to prevent creating the secret
  enabled: true
  # -- Provide custom name of existing secret, or custom name of secret to be created
  nameOverride: ""
  # nameOverride: "myCustomSecret"
  # -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
  secretAnnotations:
    # Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
    # pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards.
    helm.sh/hook-weight: "0"
    helm.sh/hook: "pre-install, pre-upgrade"
    helm.sh/hook-delete-policy: "before-hook-creation"
    helm.sh/resource-policy: "keep"
  # -- switch to false to prevent checksum annotations being maintained and propogated to the pods
  hashSumEnabled: true

## -- Configure ingress
ingress:
  # -- Configure ingress for the proxy port.
  public:
    # -- En-/Disable the proxy ingress.
    enabled: false
    className: ""
    annotations: {}
    #     kubernetes.io/ingress.class: nginx
    #     kubernetes.io/tls-acme: "true"
    hosts:
      - host: public.hydra.localhost
        paths:
          - path: /
            pathType: ImplementationSpecific
  #    tls: []
  #        hosts:
  #          - proxy.hydra.local
  #      - secretName: hydra-proxy-example-tls

  admin:
    # -- En-/Disable the api ingress.
    enabled: false
    className: ""
    annotations: {}
    #      If you do want to specify annotations, uncomment the following
    #      lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    #      kubernetes.io/ingress.class: nginx
    #      kubernetes.io/tls-acme: "true"
    hosts:
      - host: admin.hydra.localhost
        paths:
          - path: /
            pathType: ImplementationSpecific
#    tls: []
#      hosts:
#        - api.hydra.local
#      - secretName: hydra-api-example-tls

## -- Configure ORY Hydra itself
hydra:
  # -- Ability to override the entrypoint of hydra container
  # (e.g. to source dynamic secrets or export environment dynamic variables)
  command: ["hydra"]
  # -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
  customArgs: []
  # -- The ORY Hydra configuration. For a full list of available settings, check:
  #  https://www.ory.sh/docs/hydra/reference/configuration
  config:
    serve:
      public:
        port: 4444
      admin:
        port: 4445
      tls:
        allow_termination_from:
          - 10.0.0.0/8
          - 172.16.0.0/12
          - 192.168.0.0/16
    # -- The secrets have to be provided as a string slice, example:
    # system:
    #   - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa"
    #   - "foo bar 123 456 lorem"
    #   - "foo bar 123 456 lorem 1"
    #   - "foo bar 123 456 lorem 2"
    #   - "foo bar 123 456 lorem 3"
    secrets: {}

    # -- Configure the urls used by hydra itself, such as the issuer.
    # Note: some values are required for hydra to start, please refer to https://www.ory.sh/docs/hydra/self-hosted/kubernetes-helm-chart
    # self:
    #   issuer: "https://public.hydra.localhost:4444/"
    urls:
      self: {}

    # -- Enables database migration
  automigration:
    enabled: false
    # -- Configure the way to execute database migration. Possible values: job, initContainer
    # When set to job, the migration will be executed as a job on release or upgrade.
    # When set to initContainer, the migration will be executed when kratos pod is created
    # Defaults to job
    type: job
    # -- Ability to override the entrypoint of the automigration container
    # (e.g. to source dynamic secrets or export environment dynamic variables)
    customCommand: []
    # -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
    # eg:
    # - sleep 5;
    #   - kratos
    customArgs: []
    # -- resource requests and limits for the automigration initcontainer
    resources: {}

  # -- Enable dev mode, not secure in production environments
  dev: false

## -- Deployment specific config
deployment:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: "25%"
      maxUnavailable: "25%"

  # -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
  #  This also increases chances charts run on environments with little
  #  resources, such as Minikube. If you do want to specify resources, uncomment the following
  #  lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  #  limits:
  #    cpu: 100m
  #    memory: 128Mi
  #  requests:
  #    cpu: 100m
  #  memory: 128Mi
  resources: {}

  ## -- initContainer securityContext for hydra & migration init
  initContainerSecurityContext: {}

  ## -- pod securityContext for hydra & migration init
  podSecurityContext:
    fsGroupChangePolicy: "OnRootMismatch"
    runAsNonRoot: true
    runAsUser: 65534
    fsGroup: 65534
    runAsGroup: 65534
    seccompProfile:
      type: RuntimeDefault

  ## -- container securityContext for hydra & migration init
  securityContext:
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 65534
    runAsGroup: 65534
    allowPrivilegeEscalation: false
    privileged: false
    seLinuxOptions:
      level: "s0:c123,c456"

  lifecycle: {}

  # -- Set custom deployment level labels
  labels: {}

  # -- Set custom deployment level annotations
  annotations: {}

  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}

  # -- Node labels for pod assignment.
  nodeSelector: {}
  # If you do want to specify node labels, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
  #   foo: bar

  # -- Array of extra envs to be passed to the deployment. Kubernetes format is expected. Value is processed with Helm
  # `tpl`
  # - name: FOO
  #   value: BAR
  extraEnv: []

  # -- Parameters for the automigration initContainer
  automigration:
    # -- Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with
    # Helm `tpl`
    # - name: FOO
    #   value: BAR
    extraEnv: []

  # -- Configure node tolerations.
  tolerations: []

  # -- Configure pod topologySpreadConstraints.
  topologySpreadConstraints: []
  # - maxSkew: 1
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: DoNotSchedule
  #   labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/name: hydra
  #       app.kubernetes.io/instance: hydra

  # -- Configure pod dnsConfig.
  dnsConfig: {}
  #   options:
  #     - name: "ndots"
  #       value: "1"

  # -- Specify the serviceAccountName value.
  # In some situations it is needed to provides specific permissions to Hydra deployments
  # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
  # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
  # -- Specify the serviceAccountName value.
  # In some situations it is needed to provides specific permissions to Hydra deployments
  # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
  # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
  serviceAccount:
    # -- Specifies whether a service account should be created
    create: true
    # -- Annotations to add to the service account
    annotations: {}
    # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
    name: ""

  # -- If you want to mount external volume
  extraVolumes: []
  # - name: my-volume
  #   secret:
  #     secretName: my-secret
  extraVolumeMounts: []
  # - name: my-volume
  #   mountPath: /etc/secrets/my-secret
  #   readOnly: true

  # For example, mount a secret containing Certificate root CA to verify database
  # TLS connection.
  # extraVolumes:
  #   - name: postgresql-tls
  #     secret:
  #       secretName: postgresql-root-ca
  # extraVolumeMounts:
  #   - name: postgresql-tls
  #     mountPath: "/etc/postgresql-tls"
  #     readOnly: true

  # -- Configure HPA
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPU: {}
    #   type: Utilization
    #   averageUtilization: 80
    targetMemory: {}
    #   type: Utilization
    #   averageUtilization: 80
    # -- Set custom behavior
    # https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
    behavior: {}

  # -- Default probe timers
  readinessProbe:
    initialDelaySeconds: 5
    periodSeconds: 10
    failureThreshold: 5
  # -- Default probe timers
  startupProbe:
    failureThreshold: 5
    successThreshold: 1
    periodSeconds: 1
    timeoutSeconds: 1
    initialDelaySeconds: 0

  automountServiceAccountToken: false

  terminationGracePeriodSeconds: 60

  # -- If you want to add extra init containers. These are processed before the migration init container.
  extraInitContainers: ""
  # extraInitContainers: |
  #  - name: ...
  #    image: ...

  # -- If you want to add extra sidecar containers.
  extraContainers: ""
  # extraContainers: |
  #  - name: ...
  #    image: ...

  # -- Configure a custom livenessProbe. This overwrites the default object
  customLivenessProbe: {}
  # -- Configure a custom readinessProbe. This overwrites the default object
  customReadinessProbe: {}
  # -- Configure a custom startupProbe. This overwrites the default object
  customStartupProbe: {}
  # -- Number of revisions kept in history
  revisionHistoryLimit: 5

## -- Values for initialization job
job:
  # -- If you do want to specify annotations, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
  annotations:
    helm.sh/hook-weight: "1"
    helm.sh/hook: "pre-install, pre-upgrade"
    helm.sh/hook-delete-policy: "before-hook-creation"
  # kubernetes.io/ingress.class: nginx
  # kubernetes.io/tls-acme: "true"

  # -- Set custom deployment level labels
  labels: {}

  # -- If you want to add extra sidecar containers.
  extraContainers: ""
  # extraContainers: |
  #  - name: ...
  #    image: ...

  # -- Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format
  # is expected. Value is processed with Helm `tpl`
  # - name: FOO
  #   value: BAR
  extraEnv: []

  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}

  # -- If you want to add extra init containers.
  # extraInitContainers: |
  #  - name: ...
  #    image: ...
  extraInitContainers: ""

  # -- Node labels for pod assignment.
  nodeSelector: {}
  # If you do want to specify node labels, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
  #   foo: bar

  # -- resource requests and limits for the automigration job
  resources: {}

  # -- Configure node tolerations.
  tolerations: []

  # -- If you want to add lifecycle hooks.
  lifecycle: ""
  # lifecycle: |
  #   preStop:
  #     exec:
  #       command: [...]

  # -- Set automounting of the SA token
  automountServiceAccountToken: true

  # -- Set sharing process namespace
  shareProcessNamespace: false

  # -- Specify the serviceAccountName value.
  # In some situations it is needed to provides specific permissions to Hydra deployments
  # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
  # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
  serviceAccount:
    # -- Specifies whether a service account should be created
    create: true
    # -- Annotations to add to the service account
    annotations:
      helm.sh/hook-weight: "0"
      helm.sh/hook: "pre-install, pre-upgrade"
      helm.sh/hook-delete-policy: "before-hook-creation"
    # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
    name: ""

  spec:
    # -- Set job back off limit
    backoffLimit: 10

## -- Configure node affinity
affinity: {}

## -- Configures controller setup
maester:
  enabled: true

## -- Values for the hydra admin service arguments to hydra-maester
hydra-maester:
  adminService:
    # -- The service name value may need to be set if you use `fullnameOverride` for the parent chart
    name: ""
    # -- You only need to set this port if you change the value for `service.admin.port` in the parent chart
    # port:

## -- Sidecar watcher configuration
watcher:
  enabled: false
  image: oryd/k8s-toolbox:v0.0.7
  # -- Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo
  mountFile: ""
  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}
  # -- Label key used for managing applications
  watchLabelKey: "ory.sh/watcher"
  # -- Number of revisions kept in history
  revisionHistoryLimit: 5

  # -- pod securityContext for watcher deployment
  podSecurityContext: {}
  resources: {}
  automountServiceAccountToken: true

  # -- container securityContext for watcher deployment
  securityContext:
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 100
    allowPrivilegeEscalation: false
    privileged: false

## -- Janitor cron job configuration
janitor:
  # -- Enable cleanup of stale database rows by periodically running the janitor command
  enabled: false

  # -- Configure if the trust relationships must be cleaned up
  cleanupGrants: false

  # -- Configure if the consent and authentication requests must be cleaned up
  cleanupRequests: false

  # -- Configure if the access and refresh tokens must be cleaned up
  cleanupTokens: false

  # -- Configure how many records are deleted with each iteration
  batchSize: 100

  # -- Configure how many records are retrieved from database for deletion
  limit: 10000

## -- CronJob configuration
cronjob:
  janitor:
    # -- Configure how often the cron job is ran
    schedule: "0 */1 * * *"
    # -- Configure a custom entrypoint, overriding the default value
    customCommand: []

    # -- Configure the arguments of the entrypoint, overriding the default value
    customArgs: []

    # -- Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes
    # format is expected. Value is processed with Helm `tpl`
    # - name: FOO
    #   value: BAR
    extraEnv: []

    # -- If you want to add extra init containers. These are processed before the migration init container.
    extraInitContainers: ""
    # extraInitContainers: |
    #  - name: ...
    #    image: ...

    # -- If you want to add extra sidecar containers.
    extraContainers: ""
    # extraContainers: |
    #  - name: ...
    #    image: ...

    # -- If you want to mount external volume
    extraVolumes: []
    # - name: my-volume
    #   secret:
    #     secretName: my-secret
    extraVolumeMounts: []
    # - name: my-volume
    #   mountPath: /etc/secrets/my-secret
    #   readOnly: true

    # -- Set custom cron job level labels
    labels: {}

    # -- Set custom cron job level annotations
    annotations: {}

    # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
    podMetadata:
      # -- Extra pod level labels
      labels: {}

      # -- Extra pod level annotations
      annotations: {}

    # -- Configure node labels for pod assignment
    nodeSelector: {}

    # -- Configure node tolerations
    tolerations: []

    # -- Configure node affinity
    affinity: {}

    # -- Set automounting of the SA token
    automountServiceAccountToken: true

    # -- Specify the serviceAccountName value.
    # In some situations it is needed to provides specific permissions to Hydra deployments
    # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
    # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
    serviceAccount:
      # -- Specifies whether a service account should be created
      create: true
      # -- Annotations to add to the service account
      annotations:
        helm.sh/hook-weight: "0"
        helm.sh/hook: "pre-install, pre-upgrade"
        helm.sh/hook-delete-policy: "before-hook-creation"
      # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
      name: ""

    # -- Configure the containers' SecurityContext for the janitor cronjob
    securityContext:
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 100
      allowPrivilegeEscalation: false
      privileged: false

    ## -- pod securityContext for the janitor cronjob
    podSecurityContext: {}

    # -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
    #  This also increases chances charts run on environments with little
    #  resources, such as Minikube. If you do want to specify resources, uncomment the following
    #  lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    #  limits:
    #    cpu: 100m
    #    memory: 128Mi
    #  requests:
    #    cpu: 100m
    #  memory: 128Mi
    resources:
      limits: {}
      requests: {}

## -- PodDistributionBudget configuration
pdb:
  enabled: false
  spec:
    minAvailable: ""
    maxUnavailable: ""

## -- Parameters for the Prometheus ServiceMonitor objects.
# Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html
serviceMonitor:
  # -- switch to true to enable creating the ServiceMonitor
  enabled: false
  # -- HTTP scheme to use for scraping.
  scheme: http
  # -- Interval at which metrics should be scraped
  scrapeInterval: 60s
  # -- Timeout after which the scrape is ended
  scrapeTimeout: 30s
  # -- Provide additionnal labels to the ServiceMonitor ressource metadata
  labels: {}
  # -- TLS configuration to use when scraping the endpoint
  tlsConfig: {}

configmap:
  # -- switch to false to prevent checksum annotations being maintained and propogated to the pods
  hashSumEnabled: true

test:
  # -- Provide additional labels to the test pod
  labels: {}
  # -- use a busybox image from another repository
  busybox:
    repository: busybox
    tag: 1