base/ory/hydra-values.yaml

# Base Ory Hydra Helm values.
# DOMAIN_SUFFIX is replaced at apply time via sed.
# secret.enabled: false — we create the "hydra" K8s Secret via seed script.
# DSN comes from env var via VaultDynamicSecret hydra-db-creds (database static role).

hydra:
  automigration:
    enabled: true
  config:
    urls:
      self:
        issuer: https://auth.DOMAIN_SUFFIX/
      consent: https://auth.DOMAIN_SUFFIX/consent
      login: https://auth.DOMAIN_SUFFIX/login
      logout: https://auth.DOMAIN_SUFFIX/logout
      error: https://auth.DOMAIN_SUFFIX/error

    ttl:
      # Login session persists 30 days — matches Kratos session lifespan so the
      # Hydra session cookie survives browser restarts and prompt=none keeps working.
      authentication_session: 720h
      # Access/ID tokens renewed via refresh token; 1h keeps the window short.
      access_token: 1h
      id_token: 1h
      # Refresh tokens last 30 days; Kratos session carries silent re-auth.
      # Revoking a Kratos session (sunbeam user disable) prevents refresh.
      refresh_token: 720h

    serve:
      cookies:
        same_site_mode: Lax
      public:
        cors:
          enabled: true
          allowed_origins:
            - https://*.DOMAIN_SUFFIX

# Disable chart's secret generation — we create the "hydra" secret via seed script
# with keys: secretsSystem, secretsCookie, pairwise-salt.
secret:
  enabled: false

# Allow Maester to create/update OAuth2Client secrets in the lasuite namespace.
# 'hydra-maester' is the subchart alias — values flow down under this key.
hydra-maester:
  enabledNamespaces:
    - lasuite
    - matrix

deployment:
  extraEnv:
    - name: DSN
      valueFrom:
        secretKeyRef:
          name: hydra-db-creds
          key: dsn
  resources:
    limits:
      memory: 64Mi
    requests:
      memory: 32Mi
      cpu: 25m
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets 2026-02-28 13:42:27 +00:00			`# Base Ory Hydra Helm values.`
feat: bring up local dev stack — all services running - Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations, OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars - SeaweedFS: added s3.json credentials file via -s3.config CLI flag - OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret - OpenSearch: increased memory to 1.5Gi / JVM 1g heap - Gitea: SSL_MODE disable, S3 bucket creation fixed - Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk) - LiveKit: API keys in values, hostPort conflict resolved - Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs - All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node Full stack running: postgres, valkey, openbao, opensearch, seaweedfs, kratos, hydra, gitea, livekit, hive (placeholder), login-ui 2026-02-28 22:08:38 +00:00			`# DOMAIN_SUFFIX is replaced at apply time via sed.`
			`# secret.enabled: false — we create the "hydra" K8s Secret via seed script.`
feat(ory): replace hardcoded DSN + secrets with OpenBao DB engine + VSO All Ory service credentials now flow from OpenBao through VSO instead of being hardcoded in Helm values or Deployment env vars. Kratos: - Remove config.dsn; flip secret.enabled=false with nameOverride pointing at kratos-app-secrets (a VSO-managed Secret with secretsDefault, secretsCookie, smtpConnectionURI). - Inject DSN at runtime via deployment.extraEnv from kratos-db-creds (VaultDynamicSecret backed by OpenBao database static role, 24h rotation). Hydra: - Remove config.dsn; inject DSN via deployment.extraEnv from hydra-db-creds (VaultDynamicSecret, same rotation scheme). Login UI: - Replace hardcoded COOKIE_SECRET/CSRF_COOKIE_SECRET env var values with secretKeyRef reads from login-ui-secrets (VaultStaticSecret → secret/login-ui). vault-secrets.yaml adds: VaultAuth, Hydra VSS, kratos-app-secrets VSS, login-ui-secrets VSS, kratos-db-creds VDS, hydra-db-creds VDS. 2026-03-02 18:32:33 +00:00			`# DSN comes from env var via VaultDynamicSecret hydra-db-creds (database static role).`
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets 2026-02-28 13:42:27 +00:00
			`hydra:`
feat: bring up local dev stack — all services running - Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations, OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars - SeaweedFS: added s3.json credentials file via -s3.config CLI flag - OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret - OpenSearch: increased memory to 1.5Gi / JVM 1g heap - Gitea: SSL_MODE disable, S3 bucket creation fixed - Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk) - LiveKit: API keys in values, hostPort conflict resolved - Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs - All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node Full stack running: postgres, valkey, openbao, opensearch, seaweedfs, kratos, hydra, gitea, livekit, hive (placeholder), login-ui 2026-02-28 22:08:38 +00:00			`automigration:`
			`enabled: true`
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets 2026-02-28 13:42:27 +00:00			`config:`
			`urls:`
			`self:`
			`issuer: https://auth.DOMAIN_SUFFIX/`
			`consent: https://auth.DOMAIN_SUFFIX/consent`
			`login: https://auth.DOMAIN_SUFFIX/login`
			`logout: https://auth.DOMAIN_SUFFIX/logout`
			`error: https://auth.DOMAIN_SUFFIX/error`

fix(ory,lasuite): harden session security and fix logout + WebSocket routing - Fix Hydra postLogoutRedirectUris for docs and people to match the actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/) instead of the root URL, resolving 599 logout errors. - Fix docs y-provider WebSocket backend port: use Service port 443 (not pod port 4444 which has no DNAT rule) in Pingora config. - Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true and reduce refreshAfter from 1h to 5m across all static-creds paths (kratos, hydra, gitea, hive, people, docs) so credential rotation is reflected within 5 minutes instead of up to 1 hour. - Set Hydra token TTLs: access_token and id_token to 5m; refresh_token to 720h (30 days). Kratos session carries silent re-auth so the short access token TTL does not require users to log in manually. - Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After 1h, apps silently re-auth via the active Kratos session. Disabled identities (sunbeam user disable) cannot re-auth on next expiry. 2026-03-03 18:07:08 +00:00			`ttl:`
feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain - Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD - Update allowed_return_urls and selfservice URLs: chat→messages - Add Kratos verification flow, employee/external identity schemas - Extend session lifespan to 30 days with persistent cookies - Route messages.* to tuwunel via Pingora with WebSocket support - Replace login-ui with kratos-admin-ui as unified auth frontend - Update TLS certificate SANs: chat→messages, add monitoring subdomains - Add tuwunel + La Suite images to production overlay - Switch DDoS/scanner detection to compiled-in ensemble models (observe_only) 2026-03-10 18:52:47 +00:00			`# Login session persists 30 days — matches Kratos session lifespan so the`
			`# Hydra session cookie survives browser restarts and prompt=none keeps working.`
			`authentication_session: 720h`
			`# Access/ID tokens renewed via refresh token; 1h keeps the window short.`
			`access_token: 1h`
			`id_token: 1h`
fix(ory,lasuite): harden session security and fix logout + WebSocket routing - Fix Hydra postLogoutRedirectUris for docs and people to match the actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/) instead of the root URL, resolving 599 logout errors. - Fix docs y-provider WebSocket backend port: use Service port 443 (not pod port 4444 which has no DNAT rule) in Pingora config. - Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true and reduce refreshAfter from 1h to 5m across all static-creds paths (kratos, hydra, gitea, hive, people, docs) so credential rotation is reflected within 5 minutes instead of up to 1 hour. - Set Hydra token TTLs: access_token and id_token to 5m; refresh_token to 720h (30 days). Kratos session carries silent re-auth so the short access token TTL does not require users to log in manually. - Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After 1h, apps silently re-auth via the active Kratos session. Disabled identities (sunbeam user disable) cannot re-auth on next expiry. 2026-03-03 18:07:08 +00:00			`# Refresh tokens last 30 days; Kratos session carries silent re-auth.`
			`# Revoking a Kratos session (sunbeam user disable) prevents refresh.`
			`refresh_token: 720h`

chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets 2026-02-28 13:42:27 +00:00			`serve:`
			`cookies:`
			`same_site_mode: Lax`
			`public:`
			`cors:`
			`enabled: true`
			`allowed_origins:`
			`- https://*.DOMAIN_SUFFIX`

feat: bring up local dev stack — all services running - Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations, OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars - SeaweedFS: added s3.json credentials file via -s3.config CLI flag - OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret - OpenSearch: increased memory to 1.5Gi / JVM 1g heap - Gitea: SSL_MODE disable, S3 bucket creation fixed - Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk) - LiveKit: API keys in values, hostPort conflict resolved - Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs - All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node Full stack running: postgres, valkey, openbao, opensearch, seaweedfs, kratos, hydra, gitea, livekit, hive (placeholder), login-ui 2026-02-28 22:08:38 +00:00			`# Disable chart's secret generation — we create the "hydra" secret via seed script`
			`# with keys: secretsSystem, secretsCookie, pairwise-salt.`
			`secret:`
			`enabled: false`

lasuite: declarative pre-work for La Suite app deployments - Add find user and find_db to postgres-cluster.yaml (11th database) - Add sunbeam-messages-imports and sunbeam-people buckets to SeaweedFS - Configure Hydra Maester with enabledNamespaces: [lasuite] so it can create and update OAuth2Client secrets in the lasuite namespace - Add find to Kratos allowed_return_urls - Add shared ConfigMaps: lasuite-postgres, lasuite-valkey, lasuite-s3, lasuite-oidc-provider — single source of truth for all app env vars - Add HydraOAuth2Client CRDs for all nine La Suite apps (docs, drive, meet, conversations, messages, people, find, gitea, hive); Maester will create oidc-<app> secrets with CLIENT_ID and CLIENT_SECRET 2026-03-01 18:03:13 +00:00			`# Allow Maester to create/update OAuth2Client secrets in the lasuite namespace.`
			`# 'hydra-maester' is the subchart alias — values flow down under this key.`
			`hydra-maester:`
			`enabledNamespaces:`
			`- lasuite`
feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain - Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD - Update allowed_return_urls and selfservice URLs: chat→messages - Add Kratos verification flow, employee/external identity schemas - Extend session lifespan to 30 days with persistent cookies - Route messages.* to tuwunel via Pingora with WebSocket support - Replace login-ui with kratos-admin-ui as unified auth frontend - Update TLS certificate SANs: chat→messages, add monitoring subdomains - Add tuwunel + La Suite images to production overlay - Switch DDoS/scanner detection to compiled-in ensemble models (observe_only) 2026-03-10 18:52:47 +00:00			`- matrix`
lasuite: declarative pre-work for La Suite app deployments - Add find user and find_db to postgres-cluster.yaml (11th database) - Add sunbeam-messages-imports and sunbeam-people buckets to SeaweedFS - Configure Hydra Maester with enabledNamespaces: [lasuite] so it can create and update OAuth2Client secrets in the lasuite namespace - Add find to Kratos allowed_return_urls - Add shared ConfigMaps: lasuite-postgres, lasuite-valkey, lasuite-s3, lasuite-oidc-provider — single source of truth for all app env vars - Add HydraOAuth2Client CRDs for all nine La Suite apps (docs, drive, meet, conversations, messages, people, find, gitea, hive); Maester will create oidc-<app> secrets with CLIENT_ID and CLIENT_SECRET 2026-03-01 18:03:13 +00:00
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets 2026-02-28 13:42:27 +00:00			`deployment:`
feat(ory): replace hardcoded DSN + secrets with OpenBao DB engine + VSO All Ory service credentials now flow from OpenBao through VSO instead of being hardcoded in Helm values or Deployment env vars. Kratos: - Remove config.dsn; flip secret.enabled=false with nameOverride pointing at kratos-app-secrets (a VSO-managed Secret with secretsDefault, secretsCookie, smtpConnectionURI). - Inject DSN at runtime via deployment.extraEnv from kratos-db-creds (VaultDynamicSecret backed by OpenBao database static role, 24h rotation). Hydra: - Remove config.dsn; inject DSN via deployment.extraEnv from hydra-db-creds (VaultDynamicSecret, same rotation scheme). Login UI: - Replace hardcoded COOKIE_SECRET/CSRF_COOKIE_SECRET env var values with secretKeyRef reads from login-ui-secrets (VaultStaticSecret → secret/login-ui). vault-secrets.yaml adds: VaultAuth, Hydra VSS, kratos-app-secrets VSS, login-ui-secrets VSS, kratos-db-creds VDS, hydra-db-creds VDS. 2026-03-02 18:32:33 +00:00			`extraEnv:`
			`- name: DSN`
			`valueFrom:`
			`secretKeyRef:`
			`name: hydra-db-creds`
			`key: dsn`
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets 2026-02-28 13:42:27 +00:00			`resources:`
			`limits:`
			`memory: 64Mi`
			`requests:`
			`memory: 32Mi`
			`cpu: 25m`