Sienna Meridian Satterwhite
c7b812dde8
All Ory service credentials now flow from OpenBao through VSO instead of being hardcoded in Helm values or Deployment env vars. Kratos: - Remove config.dsn; flip secret.enabled=false with nameOverride pointing at kratos-app-secrets (a VSO-managed Secret with secretsDefault, secretsCookie, smtpConnectionURI). - Inject DSN at runtime via deployment.extraEnv from kratos-db-creds (VaultDynamicSecret backed by OpenBao database static role, 24h rotation). Hydra: - Remove config.dsn; inject DSN via deployment.extraEnv from hydra-db-creds (VaultDynamicSecret, same rotation scheme). Login UI: - Replace hardcoded COOKIE_SECRET/CSRF_COOKIE_SECRET env var values with secretKeyRef reads from login-ui-secrets (VaultStaticSecret → secret/login-ui). vault-secrets.yaml adds: VaultAuth, Hydra VSS, kratos-app-secrets VSS, login-ui-secrets VSS, kratos-db-creds VDS, hydra-db-creds VDS.
51 lines
1.3 KiB
YAML
51 lines
1.3 KiB
YAML
# Base Ory Hydra Helm values.
|
|
# DOMAIN_SUFFIX is replaced at apply time via sed.
|
|
# secret.enabled: false — we create the "hydra" K8s Secret via seed script.
|
|
# DSN comes from env var via VaultDynamicSecret hydra-db-creds (database static role).
|
|
|
|
hydra:
|
|
automigration:
|
|
enabled: true
|
|
config:
|
|
urls:
|
|
self:
|
|
issuer: https://auth.DOMAIN_SUFFIX/
|
|
consent: https://auth.DOMAIN_SUFFIX/consent
|
|
login: https://auth.DOMAIN_SUFFIX/login
|
|
logout: https://auth.DOMAIN_SUFFIX/logout
|
|
error: https://auth.DOMAIN_SUFFIX/error
|
|
|
|
serve:
|
|
cookies:
|
|
same_site_mode: Lax
|
|
public:
|
|
cors:
|
|
enabled: true
|
|
allowed_origins:
|
|
- https://*.DOMAIN_SUFFIX
|
|
|
|
# Disable chart's secret generation — we create the "hydra" secret via seed script
|
|
# with keys: secretsSystem, secretsCookie, pairwise-salt.
|
|
secret:
|
|
enabled: false
|
|
|
|
# Allow Maester to create/update OAuth2Client secrets in the lasuite namespace.
|
|
# 'hydra-maester' is the subchart alias — values flow down under this key.
|
|
hydra-maester:
|
|
enabledNamespaces:
|
|
- lasuite
|
|
|
|
deployment:
|
|
extraEnv:
|
|
- name: DSN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: hydra-db-creds
|
|
key: dsn
|
|
resources:
|
|
limits:
|
|
memory: 64Mi
|
|
requests:
|
|
memory: 32Mi
|
|
cpu: 25m
|