sbbb/base/ory/hydra-values.yaml
Sienna Meridian Satterwhite e8c64e6f18 feat: add ServiceMonitors and enable metrics scraping
- SeaweedFS: enable -metricsPort=9091 on master/volume/filer, add
  service labels, create ServiceMonitor
- Gitea: enable metrics in config, create ServiceMonitor
- Hydra/Kratos: standalone ServiceMonitors (chart templates require
  .Capabilities.APIVersions unavailable in kustomize helm template)
- LiveKit: add prometheus_port=6789, standalone ServiceMonitor
  (disabled in kustomization — host firewall blocks port 6789)
- OpenSearch: revert prometheus-exporter attempt (no plugin for v3.x),
  add service label for future exporter sidecar
2026-03-24 12:21:18 +00:00


# Base Ory Hydra Helm values.
# DOMAIN_SUFFIX is replaced at apply time via sed.
# secret.enabled: false — we create the "hydra" K8s Secret via seed script.
# DSN comes from env var via VaultDynamicSecret hydra-db-creds (database static role).
hydra:
  automigration:
    enabled: true
  config:
    urls:
      self:
        issuer: https://auth.DOMAIN_SUFFIX/
      consent: https://auth.DOMAIN_SUFFIX/consent
      login: https://auth.DOMAIN_SUFFIX/login
      logout: https://auth.DOMAIN_SUFFIX/logout
      error: https://auth.DOMAIN_SUFFIX/error
    ttl:
      # Login session persists 30 days — matches Kratos session lifespan so the
      # Hydra session cookie survives browser restarts and prompt=none keeps working.
      authentication_session: 720h
      # Access/ID tokens renewed via refresh token; 1h keeps the window short.
      access_token: 1h
      id_token: 1h
      # Refresh tokens last 30 days; Kratos session carries silent re-auth.
      # Revoking a Kratos session (sunbeam user disable) prevents refresh.
      refresh_token: 720h
    serve:
      cookies:
        same_site_mode: Lax
      public:
        cors:
          enabled: true
          allowed_origins:
            - https://*.DOMAIN_SUFFIX
# Disable chart's secret generation — we create the "hydra" secret via seed script
# with keys: secretsSystem, secretsCookie, pairwise-salt.
secret:
  enabled: false
# Allow Maester to create/update OAuth2Client secrets in the lasuite namespace.
# 'hydra-maester' is the subchart alias — values flow down under this key.
hydra-maester:
  enabledNamespaces:
    - lasuite
    - matrix
# ServiceMonitor created as standalone resource (hydra-servicemonitor.yaml) —
# chart's built-in ServiceMonitor requires .Capabilities.APIVersions which
# kustomize helm template doesn't provide.
deployment:
  extraEnv:
    - name: DSN
      valueFrom:
        secretKeyRef:
          name: hydra-db-creds
          key: dsn
  resources:
    limits:
      memory: 64Mi
    requests:
      memory: 32Mi
      cpu: 25m
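The comments above promise a particular security posture: short access/ID tokens renewed through a refresh token whose window is capped by the login session, HTTPS-only issuer and consent URLs, a CORS allow-list limited to one domain suffix, a SameSite cookie mode, and a DSN that arrives from a Kubernetes Secret rather than a literal in git. The following Python script is an added example, not part of this repository or of the Ory chart, that encodes those invariants as a pre-apply check. It operates on the dict `yaml.safe_load` would produce; `SAMPLE_VALUES` is a constructed copy of the file above, and the `parse_duration`/`check_values` helpers and the finding strings are this example's own naming.

```python
"""Policy checks for an Ory Hydra Helm values file (added example)."""
import re
from typing import Any
from urllib.parse import urlparse

# Hydra TTLs are Go time.Duration strings such as "720h" or "1h30m".
_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")
# An origin is https and either a plain host or a single leading "*." label.
_ORIGIN_RE = re.compile(r"^https://(\*\.)?[A-Za-z0-9_.-]+$")


def parse_duration(text: str) -> float:
    """Parse a Go-style duration into seconds; reject anything malformed."""
    total, pos = 0.0, 0
    for m in _DURATION_RE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"bad duration {text!r}")
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration {text!r}")
    return total


def _dig(node: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts, returning default when any key is absent."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def check_values(values: dict[str, Any]) -> list[str]:
    """Return policy findings for a values dict; an empty list means it passes."""
    findings: list[str] = []
    cfg = _dig(values, "hydra", "config", default={})

    # 1. TTL ordering: tokens are renewed via refresh, and the refresh window
    #    must not outlive the login session that revocation relies on.
    ttl, secs = cfg.get("ttl", {}), {}
    for key in ("access_token", "id_token", "refresh_token", "authentication_session"):
        if key not in ttl:
            findings.append(f"ttl.{key} not pinned in values")
            continue
        try:
            secs[key] = parse_duration(str(ttl[key]))
        except ValueError as exc:
            findings.append(str(exc))
    if len(secs) == 4:
        if max(secs["access_token"], secs["id_token"]) > secs["refresh_token"]:
            findings.append("access/id token TTL exceeds refresh_token TTL")
        if secs["refresh_token"] > secs["authentication_session"]:
            findings.append("refresh_token TTL outlives authentication_session")
        if secs["access_token"] > 24 * 3600:
            findings.append("access_token TTL longer than 24h")

    # 2. Issuer and every user-facing URL must be https on the issuer host.
    urls = cfg.get("urls", {})
    issuer = str(_dig(urls, "self", "issuer", default=""))
    issuer_host = urlparse(issuer).hostname
    checks = [("self.issuer", issuer)] + [(k, str(urls.get(k, ""))) for k in
                                          ("consent", "login", "logout", "error")]
    for name, url in checks:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"urls.{name} is not https: {url!r}")
        elif parsed.hostname != issuer_host:
            findings.append(f"urls.{name} host differs from issuer host")

    # 3. CORS allow-list: https only, wildcard only as the leftmost label.
    for origin in _dig(cfg, "serve", "public", "cors", "allowed_origins", default=[]):
        if not _ORIGIN_RE.match(str(origin)):
            findings.append(f"overly broad or non-https CORS origin {origin!r}")

    # 4. SameSite=Lax (or Strict) keeps the session cookie off cross-site POSTs.
    mode = _dig(cfg, "serve", "cookies", "same_site_mode")
    if mode not in ("Lax", "Strict"):
        findings.append(f"serve.cookies.same_site_mode is {mode!r}, expected Lax or Strict")

    # 5. The DSN carries DB credentials: it must come from a secretKeyRef,
    #    never an inline value that lands in git and rendered manifests.
    if "dsn" in cfg:
        findings.append("hydra.config.dsn is set inline; use a secretKeyRef instead")
    env = {e.get("name"): e for e in _dig(values, "deployment", "extraEnv", default=[])}
    dsn_env = env.get("DSN")
    if dsn_env is None or _dig(dsn_env, "valueFrom", "secretKeyRef", "name") is None:
        findings.append("DSN env var missing or not sourced from a secretKeyRef")
    elif "value" in dsn_env:
        findings.append("DSN env var carries a literal value")
    return findings


# Constructed sample mirroring the values file above (not read from disk).
SAMPLE_VALUES: dict[str, Any] = {
    "hydra": {"automigration": {"enabled": True}, "config": {
        "urls": {"self": {"issuer": "https://auth.DOMAIN_SUFFIX/"},
                 "consent": "https://auth.DOMAIN_SUFFIX/consent",
                 "login": "https://auth.DOMAIN_SUFFIX/login",
                 "logout": "https://auth.DOMAIN_SUFFIX/logout",
                 "error": "https://auth.DOMAIN_SUFFIX/error"},
        "ttl": {"authentication_session": "720h", "access_token": "1h",
                "id_token": "1h", "refresh_token": "720h"},
        "serve": {"cookies": {"same_site_mode": "Lax"}, "public": {"cors": {
            "enabled": True, "allowed_origins": ["https://*.DOMAIN_SUFFIX"]}}}}},
    "secret": {"enabled": False},
    "deployment": {"extraEnv": [{"name": "DSN", "valueFrom": {
        "secretKeyRef": {"name": "hydra-db-creds", "key": "dsn"}}}]},
}

if __name__ == "__main__":
    for line in check_values(SAMPLE_VALUES) or ["OK: no findings"]:
        print(line)
```

To run it against the real file, load it with `yaml.safe_load` (PyYAML) and pass the resulting dict to `check_values`; a non-empty list is a reason to stop before `kubectl apply`. The checks are deliberately conservative: they flag a bare `*` origin, a `None` SameSite mode, or any `dsn` key in `hydra.config`, because each of those silently widens what a stolen cookie or a leaked values file can do.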