studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9af3cd3c49310eab7c5fb3c3b3e0333535b4185a
sbbb/base/ory/hydra-values.yaml
Sienna Meridian Satterwhite e5741c4df6 feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain 
- Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD
- Update allowed_return_urls and selfservice URLs: chat→messages
- Add Kratos verification flow, employee/external identity schemas
- Extend session lifespan to 30 days with persistent cookies
- Route messages.* to tuwunel via Pingora with WebSocket support
- Replace login-ui with kratos-admin-ui as unified auth frontend
- Update TLS certificate SANs: chat→messages, add monitoring subdomains
- Add tuwunel + La Suite images to production overlay
- Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
2026-03-10 18:52:47 +00:00

63 lines
1.8 KiB
YAML
Raw Blame History

# Base Ory Hydra Helm values.
# DOMAIN_SUFFIX is replaced at apply time via sed.
# secret.enabled: false — we create the "hydra" K8s Secret via seed script.
# DSN comes from env var via VaultDynamicSecret hydra-db-creds (database static role).
hydra:
automigration:
enabled: true
config:
urls:
self:
issuer: https://auth.DOMAIN_SUFFIX/
consent: https://auth.DOMAIN_SUFFIX/consent
login: https://auth.DOMAIN_SUFFIX/login
logout: https://auth.DOMAIN_SUFFIX/logout
error: https://auth.DOMAIN_SUFFIX/error
ttl:
# Login session persists 30 days — matches Kratos session lifespan so the
# Hydra session cookie survives browser restarts and prompt=none keeps working.
authentication_session: 720h
# Access/ID tokens renewed via refresh token; 1h keeps the window short.
access_token: 1h
id_token: 1h
# Refresh tokens last 30 days; Kratos session carries silent re-auth.
# Revoking a Kratos session (sunbeam user disable) prevents refresh.
refresh_token: 720h
serve:
cookies:
same_site_mode: Lax
public:
cors:
enabled: true
allowed_origins:
- https://*.DOMAIN_SUFFIX
# Disable chart's secret generation — we create the "hydra" secret via seed script
# with keys: secretsSystem, secretsCookie, pairwise-salt.
secret:
enabled: false
# Allow Maester to create/update OAuth2Client secrets in the lasuite namespace.
# 'hydra-maester' is the subchart alias — values flow down under this key.
hydra-maester:
enabledNamespaces:
- lasuite
- matrix
deployment:
extraEnv:
- name: DSN
valueFrom:
secretKeyRef:
name: hydra-db-creds
key: dsn
resources:
limits:
memory: 64Mi
requests:
memory: 32Mi
cpu: 25m
Reference in New Issue View Git Blame Copy Permalink