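---
# Base Ory Hydra Helm values.
# DOMAIN_SUFFIX is replaced at apply time via sed.
# secret.enabled: false — we create the "hydra" K8s Secret via seed script.
# DSN comes from env var via VaultDynamicSecret hydra-db-creds (database static role).
#
# NOTE(review): this file was recovered from a single collapsed line, which a YAML
# parser reads as one comment; confirm the nesting below against the chart's
# values schema before applying.
hydra:
  automigration:
    # NOTE(review): presumably the chart runs schema migrations with the same DSN,
    # so the hydra-db-creds role would need schema-change rights — confirm.
    enabled: true
  config:
    urls:
      self:
        issuer: 'https://auth.DOMAIN_SUFFIX/'
      consent: 'https://auth.DOMAIN_SUFFIX/consent'
      login: 'https://auth.DOMAIN_SUFFIX/login'
      logout: 'https://auth.DOMAIN_SUFFIX/logout'
      error: 'https://auth.DOMAIN_SUFFIX/error'
    ttl:
      # Login session persists 30 days — matches Kratos session lifespan so the
      # Hydra session cookie survives browser restarts and prompt=none keeps working.
      authentication_session: 720h
      # Access/ID tokens renewed via refresh token; 1h keeps the window short.
      # An already-issued access token stays usable until it expires (up to 1h)
      # unless it is explicitly revoked.
      access_token: 1h
      id_token: 1h
      # Refresh tokens last 30 days; Kratos session carries silent re-auth.
      # Revoking a Kratos session (sunbeam user disable) prevents refresh.
      # NOTE(review): Hydra's refresh_token grant does not go through the login UI,
      # so this only holds if disabling a user also revokes their Hydra consent
      # sessions/tokens (or a token hook checks the Kratos session) — confirm.
      refresh_token: 720h
    serve:
      cookies:
        # Lax keeps the session cookie on top-level navigations (needed for the
        # redirect-based login flow) while withholding it from cross-site subrequests.
        same_site_mode: Lax
      public:
        cors:
          enabled: true
          allowed_origins:
            # Wildcard: every subdomain of DOMAIN_SUFFIX may call the public OAuth2
            # endpoints cross-origin, so a compromised or user-controlled subdomain
            # inherits that access. Prefer an explicit origin list if the set is known.
            - 'https://*.DOMAIN_SUFFIX'

# Disable chart's secret generation — we create the "hydra" secret via seed script
# with keys: secretsSystem, secretsCookie, pairwise-salt.
secret:
  enabled: false

# Allow Maester to create/update OAuth2Client secrets in the lasuite and matrix
# namespaces. Each namespace listed here widens where Maester can write Secrets,
# so keep the list to namespaces that actually declare OAuth2Client resources.
# 'hydra-maester' is the subchart alias — values flow down under this key.
hydra-maester:
  enabledNamespaces:
    - lasuite
    - matrix

deployment:
  extraEnv:
    # DSN is injected from the hydra-db-creds Secret rather than written into
    # these values, keeping database credentials out of the rendered config.
    - name: DSN
      valueFrom:
        secretKeyRef:
          name: hydra-db-creds
          key: dsn
  resources:
    limits:
      memory: 64Mi
    requests:
      memory: 32Mi
      cpu: 25m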