Merge pull request #257 from RADAR-base/hydra-chart

[hydra] add ORY hydra charts

Makefile

@@ -75,6 +75,13 @@ update-kratos-selfservice-ui-node:
 	@helm pull -d external --untar $(patsubst update-%,%,$@)/$(patsubst update-%,%,$@)
 	@echo ""
 
+update-hydra:
+	@echo "Updating Hydra"
+	@rm -rf external/$(patsubst update-%,%,$@)
+	@helm repo add $(patsubst update-%,%,$@) https://k8s.ory.sh/helm/charts
+	@helm pull -d external --untar $(patsubst update-%,%,$@)/$(patsubst update-%,%,$@)
+	@echo ""
+
 update-minio:
 	@echo "Updating minio"
 	@helm repo add bitnami https://charts.bitnami.com/bitnami

external/hydra/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+*.txt

external/hydra/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: ory-commons
+  repository: file://../ory-commons
+  version: 0.1.0
+- name: hydra-maester
+  repository: file://../hydra-maester
+  version: 0.48.0
+digest: sha256:31f8d8f176a808b0c5fc0253420f104835a610860563881e93826ffca0f6d7fe
+generated: "2024-09-16T07:14:39.008797013Z"

external/hydra/Chart.yaml

@@ -0,0 +1,33 @@
+apiVersion: v2
+appVersion: "v2.2.0"
+description: A Helm chart for deploying ORY Hydra in Kubernetes
+name: hydra
+icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
+version: 0.48.0
+keywords:
+  - oauth2
+  - openid-connect
+  - openid
+  - oidc
+  - op
+  - api-security
+  - security
+home: https://www.ory.sh/
+sources:
+  - https://github.com/ory/hydra
+  - https://github.com/ory/k8s
+maintainers: # (optional)
+  - name: ORY Team
+    email: [email protected]
+    url: https://www.ory.sh/
+type: application
+dependencies:
+  - name: ory-commons
+    version: 0.1.0
+    repository: file://../ory-commons
+    alias: ory
+  - name: hydra-maester
+    version: 0.48.0
+    condition: maester.enabled
+    alias: hydra-maester
+    repository: file://../hydra-maester

external/hydra/files/watch.sh

@@ -0,0 +1,17 @@
+set -Eeuo pipefail
+set -x
+
+function rollOut() {
+  DEPLOY=$(kubectl get deploy -n "${NAMESPACE}" -l "${1}" -o name)
+  kubectl set env -n $NAMESPACE ${DEPLOY} sync=$(date "+%Y%m%d-%H%M%S")
+  kubectl rollout status -n $NAMESPACE ${DEPLOY}
+}
+
+while true; do
+    # After change in the CM the symlink is recreated, so we need to restart the monitor
+    inotifywait --event DELETE_SELF "${WATCH_FILE}" |
+        while read path _ file; do
+           echo "---> $path$file modified"
+           rollOut "${LABEL_SELECTOR}"
+        done
+done

external/hydra/templates/NOTES.txt

@@ -0,0 +1,97 @@
+{{ include "hydra.check.override.consistency" . }}
+The ORY Hydra HTTP Public API is available via:
+{{- if .Values.ingress.public.enabled }}
+{{- range $host := .Values.ingress.public.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.public.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.public.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "hydra.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  export HYDRA_PUBLIC_URL=http://$NODE_IP:$NODE_PORT
+  curl $HYDRA_PUBLIC_URL/.well-known/openid-configuration
+
+If you have the ORY Hydra CLI installed locally, you can run commands
+against this endpoint:
+
+  hydra token client \
+    --endpoint $HYDRA_PUBLIC_URL \
+    # ...
+
+{{- else if contains "LoadBalancer" .Values.service.public.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "hydra.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "hydra.fullname" . }}-public -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  export HYDRA_PUBLIC_URL=http://$SERVICE_IP:{{ .Values.service.public.port }}
+  curl $HYDRA_PUBLIC_URL/.well-known/openid-configuration
+
+If you have the ORY Hydra CLI installed locally, you can run commands
+against this endpoint:
+
+  hydra token client \
+    --endpoint $HYDRA_PUBLIC_URL \
+    # ...
+
+{{- else if contains "ClusterIP" .Values.service.public.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "hydra.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:{{ .Values.service.public.port }} to use your application"
+  kubectl port-forward $POD_NAME {{ .Values.service.public.port }}:{{ .Values.hydra.config.serve.public.port }}
+  export HYDRA_PUBLIC_URL=http://127.0.0.1:{{ .Values.service.public.port }}/
+  curl $HYDRA_PUBLIC_URL/.well-known/openid-configuration
+
+If you have the ORY Hydra CLI installed locally, you can run commands
+against this endpoint:
+
+  hydra token client \
+    --endpoint $HYDRA_PUBLIC_URL \
+    # ...
+
+{{- end }}
+
+The ORY Hydra HTTP Admin API is available via:
+{{- if .Values.ingress.admin.enabled }}
+{{- range $host := .Values.ingress.admin.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.admin.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.admin.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "hydra.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  export HYDRA_ADMIN_URL=http://$NODE_IP:$NODE_PORT
+  curl $HYDRA_ADMIN_URL/clients
+
+If you have the ORY Hydra CLI installed locally, you can run commands
+against this endpoint:
+
+  hydra clients list \
+    --endpoint $HYDRA_ADMIN_URL
+
+{{- else if contains "LoadBalancer" .Values.service.admin.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "hydra.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "hydra.fullname" . }}-admin -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  export HYDRA_ADMIN_URL=http://$SERVICE_IP:{{ .Values.service.admin.port }}
+  curl $HYDRA_ADMIN_URL/clients
+
+If you have the ORY Hydra CLI installed locally, you can run commands
+against this endpoint:
+
+  hydra clients list \
+    --endpoint $HYDRA_ADMIN_URL
+
+{{- else if contains "ClusterIP" .Values.service.admin.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "hydra.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:{{ .Values.service.admin.port }} to use your application"
+  kubectl port-forward $POD_NAME {{ .Values.service.admin.port }}:{{ .Values.hydra.config.serve.admin.port }}
+  export HYDRA_ADMIN_URL=http://127.0.0.1:{{ .Values.service.admin.port }}/
+  curl $HYDRA_ADMIN_URL/clients
+
+If you have the ORY Hydra CLI installed locally, you can run commands
+against this endpoint:
+
+  hydra clients list \
+    --endpoint $HYDRA_ADMIN_URL
+
+{{- end }}