Ory Hydra improvements

Author: Brutus5000

apps/ory-hydra2/templates/deployment.yaml

@@ -21,7 +21,7 @@ spec:
         prometheus.io/scrape: 'false'
     spec:
       containers:
-        - image: oryd/hydra:v2.3.0
+        - image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
           imagePullPolicy: Always
           name: ory-hydra2
           envFrom:

apps/ory-hydra2/templates/init-clients.yaml

@@ -0,0 +1,50 @@
+{{- $wave := 1 }}
+{{- range .Values.clients }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ory-hydra-create-client-{{ .id | replace "-" "" }}
+  namespace: faf-apps
+  labels:
+    app: ory-hydra-create-clients
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+    #argocd.argoproj.io/hook-delete-policy: HookSucceeded
+    argocd.argoproj.io/sync-wave: '{{ $wave }}'
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      containers:
+        - name: ory-hydra-create-client
+          image: {{ $.Values.image.repository }}:{{ $.Values.image.tag }}
+          imagePullPolicy: Always
+          envFrom:
+            - configMapRef:
+                name: ory-hydra2
+            - secretRef:
+                name: ory-hydra2
+          env:
+            - name: ORY_SDK_URL
+              value: http://ory-hydra2:4445
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              if ! hydra get oauth2-client "{{ .id }}" >/dev/null 2>&1; then
+                hydra create oauth2-client \
+                  --name "{{ .name }}" \
+                  --id "{{ .id }}" \
+                  --grant-type "{{ .grantType }}" \
+                  --scope "{{ .scope }}" \
+                  {{- if .redirectUri }}--redirect-uri "{{ .redirectUri }}" {{- end }} \
+                  {{- if .logoUri }}--logo-uri "{{ .logoUri }}" {{- end }} \
+                  {{- if .tosUri }}--tos-uri "{{ .tosUri }}" {{- end }} \
+                  {{- if .policyUri }}--policy-uri "{{ .policyUri }}" {{- end }} \
+                  {{- if .tokenEndpointAuthMethod }}--token-endpoint-auth-method "{{ .tokenEndpointAuthMethod }}" {{- end }}
+              else
+                echo "Client {{ .id }} already exists, skipping."
+              fi
+      restartPolicy: Never
+{{- $wave = add $wave 1 }}
+{{- end }}

apps/ory-hydra2/templates/janitor-cronjob.yaml

@@ -20,7 +20,7 @@ spec:
       template:
         spec:
           containers:
-            - image: oryd/hydra:v2.3.0
+            - image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
               imagePullPolicy: Always
               name: ory-hydra
               envFrom:

apps/ory-hydra2/templates/migration-cronjob.yaml

@@ -0,0 +1,29 @@
+kind: Job
+apiVersion: batch/v1
+metadata:
+  name: ory-hydra2-migration
+  namespace: faf-apps
+  labels:
+    app: ory-hydra-migration
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+    argocd.argoproj.io/sync-wave: '-1'
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      containers:
+        - image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+          imagePullPolicy: Always
+          name: ory-hydra-migration
+          envFrom:
+            - configMapRef:
+                name: ory-hydra2
+            - secretRef:
+                name: ory-hydra2
+          ports:
+            - containerPort: 4444
+            - containerPort: 4445
+          args: [ "migrate", "sql", "--read-from-env", "--yes"]
+      restartPolicy: Never

apps/ory-hydra2/templates/migration-job.yaml

@@ -0,0 +1,33 @@
+image:
+  repository: "oryd/hydra"
+  tag: "v25.4.0"
+clients:
+  - name: "FAF Client"
+    id: "2e8808cf-5889-469b-b2c3-01f0cc58c4af"
+    grantType: "authorization_code,refresh_token"
+    scope: "openid,email,offline,public_profile,lobby,upload_map,upload_mod"
+    redirectUri: "http://127.0.0.1"
+    logoUri: "https://faforever.com/images/faf-logo.png"
+    tosUri: "https://faforever.com/tos"
+    policyUri: "https://faforever.com/privacy"
+    tokenEndpointAuthMethod: "none"
+
+  - name: "FAF Moderator Client"
+    id: "8ff5c14f-60e2-41b9-b594-a641dc5013be"
+    grantType: "authorization_code"
+    scope: "openid,public_profile,upload_avatar,administrative_actions,read_sensible_userdata,manage_vault"
+    redirectUri: "http://localhost,http://localhost:8080/,http://127.0.0.1"
+    logoUri: "https://faforever.com/images/faf-logo.png"
+    tosUri: "https://faforever.com/tos"
+    policyUri: "https://faforever.com/privacy"
+    clientUri: "https://github.com/FAForever/faf-moderator-client"
+    tokenEndpointAuthMethod: "none"
+
+  - name: "Ethereal FAF client"
+    id: "b05039ed-e2ab-4fb6-8a7f-e6ecdcc2edcd"
+    grantType: "authorization_code,refresh_token"
+    scope: "openid,offline,public_profile,lobby,upload_map,upload_mod"
+    redirectUri: "http://localhost,http://localhost:57728,http://localhost:59573,http://localhost:58256,http://localhost:53037,http://localhost:51360"
+    logoUri: "https://raw.githubusercontent.com/Eternal-ll/Ethereal-FAF-Client/master/Logo/OAuth.svg"
+    clientUri: "https://github.com/Eternal-ll/Ethereal-FAF-Client"
+    tokenEndpointAuthMethod: "none"