2026-02-28 13:42:27 +00:00
|
|
|
# Base Ory Hydra Helm values.
|
feat: bring up local dev stack — all services running
- Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations,
OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars
- SeaweedFS: added s3.json credentials file via -s3.config CLI flag
- OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret
- OpenSearch: increased memory to 1.5Gi / JVM 1g heap
- Gitea: SSL_MODE disable, S3 bucket creation fixed
- Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk)
- LiveKit: API keys in values, hostPort conflict resolved
- Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs
- All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node
Full stack running: postgres, valkey, openbao, opensearch, seaweedfs,
kratos, hydra, gitea, livekit, hive (placeholder), login-ui
2026-02-28 22:08:38 +00:00
|
|
|
# DOMAIN_SUFFIX is replaced at apply time via sed.
|
|
|
|
|
# secret.enabled: false — we create the "hydra" K8s Secret via seed script.
|
|
|
|
|
# DSN is set in config (chart strips it from env, so must be in values).
|
2026-02-28 13:42:27 +00:00
|
|
|
|
|
|
|
|
hydra:
|
feat: bring up local dev stack — all services running
- Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations,
OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars
- SeaweedFS: added s3.json credentials file via -s3.config CLI flag
- OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret
- OpenSearch: increased memory to 1.5Gi / JVM 1g heap
- Gitea: SSL_MODE disable, S3 bucket creation fixed
- Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk)
- LiveKit: API keys in values, hostPort conflict resolved
- Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs
- All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node
Full stack running: postgres, valkey, openbao, opensearch, seaweedfs,
kratos, hydra, gitea, livekit, hive (placeholder), login-ui
2026-02-28 22:08:38 +00:00
|
|
|
automigration:
|
|
|
|
|
enabled: true
|
2026-02-28 13:42:27 +00:00
|
|
|
config:
|
feat: bring up local dev stack — all services running
- Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations,
OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars
- SeaweedFS: added s3.json credentials file via -s3.config CLI flag
- OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret
- OpenSearch: increased memory to 1.5Gi / JVM 1g heap
- Gitea: SSL_MODE disable, S3 bucket creation fixed
- Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk)
- LiveKit: API keys in values, hostPort conflict resolved
- Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs
- All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node
Full stack running: postgres, valkey, openbao, opensearch, seaweedfs,
kratos, hydra, gitea, livekit, hive (placeholder), login-ui
2026-02-28 22:08:38 +00:00
|
|
|
dsn: "postgresql://hydra:localdev@postgres-rw.data.svc.cluster.local:5432/hydra_db?sslmode=disable"
|
2026-02-28 13:42:27 +00:00
|
|
|
urls:
|
|
|
|
|
self:
|
|
|
|
|
issuer: https://auth.DOMAIN_SUFFIX/
|
|
|
|
|
consent: https://auth.DOMAIN_SUFFIX/consent
|
|
|
|
|
login: https://auth.DOMAIN_SUFFIX/login
|
|
|
|
|
logout: https://auth.DOMAIN_SUFFIX/logout
|
|
|
|
|
error: https://auth.DOMAIN_SUFFIX/error
|
|
|
|
|
|
|
|
|
|
serve:
|
|
|
|
|
cookies:
|
|
|
|
|
same_site_mode: Lax
|
|
|
|
|
public:
|
|
|
|
|
cors:
|
|
|
|
|
enabled: true
|
|
|
|
|
allowed_origins:
|
|
|
|
|
- https://*.DOMAIN_SUFFIX
|
|
|
|
|
|
feat: bring up local dev stack — all services running
- Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations,
OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars
- SeaweedFS: added s3.json credentials file via -s3.config CLI flag
- OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret
- OpenSearch: increased memory to 1.5Gi / JVM 1g heap
- Gitea: SSL_MODE disable, S3 bucket creation fixed
- Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk)
- LiveKit: API keys in values, hostPort conflict resolved
- Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs
- All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node
Full stack running: postgres, valkey, openbao, opensearch, seaweedfs,
kratos, hydra, gitea, livekit, hive (placeholder), login-ui
2026-02-28 22:08:38 +00:00
|
|
|
# Disable chart's secret generation — we create the "hydra" secret via seed script
|
|
|
|
|
# with keys: secretsSystem, secretsCookie, pairwise-salt.
|
|
|
|
|
secret:
|
|
|
|
|
enabled: false
|
|
|
|
|
|
lasuite: declarative pre-work for La Suite app deployments
- Add find user and find_db to postgres-cluster.yaml (11th database)
- Add sunbeam-messages-imports and sunbeam-people buckets to SeaweedFS
- Configure Hydra Maester with enabledNamespaces: [lasuite] so it can
create and update OAuth2Client secrets in the lasuite namespace
- Add find to Kratos allowed_return_urls
- Add shared ConfigMaps: lasuite-postgres, lasuite-valkey, lasuite-s3,
lasuite-oidc-provider — single source of truth for all app env vars
- Add HydraOAuth2Client CRDs for all nine La Suite apps (docs, drive,
meet, conversations, messages, people, find, gitea, hive); Maester
will create oidc-<app> secrets with CLIENT_ID and CLIENT_SECRET
2026-03-01 18:03:13 +00:00
|
|
|
# Allow Maester to create/update OAuth2Client secrets in the lasuite namespace.
|
|
|
|
|
# 'hydra-maester' is the subchart alias — values flow down under this key.
|
|
|
|
|
hydra-maester:
|
|
|
|
|
enabledNamespaces:
|
|
|
|
|
- lasuite
|
|
|
|
|
|
2026-02-28 13:42:27 +00:00
|
|
|
deployment:
|
|
|
|
|
resources:
|
|
|
|
|
limits:
|
|
|
|
|
memory: 64Mi
|
|
|
|
|
requests:
|
|
|
|
|
memory: 32Mi
|
|
|
|
|
cpu: 25m
|
