sbbb/base/ory/hydra-values.yaml

# Base Ory Hydra Helm values.
# DOMAIN_SUFFIX is replaced at apply time via sed.
# secret.enabled: false — we create the "hydra" K8s Secret via seed script.
# DSN comes from env var via VaultDynamicSecret hydra-db-creds (database static role).

hydra:
  automigration:
    enabled: true
  config:
    urls:
      self:
        issuer: https://auth.DOMAIN_SUFFIX/
      consent: https://auth.DOMAIN_SUFFIX/consent
      login: https://auth.DOMAIN_SUFFIX/login
      logout: https://auth.DOMAIN_SUFFIX/logout
      error: https://auth.DOMAIN_SUFFIX/error

    ttl:
      # Login session persists 30 days — matches Kratos session lifespan so the
      # Hydra session cookie survives browser restarts and prompt=none keeps working.
      authentication_session: 720h
      # Access/ID tokens renewed via refresh token; 1h keeps the window short.
      access_token: 1h
      id_token: 1h
      # Refresh tokens last 30 days; Kratos session carries silent re-auth.
      # Revoking a Kratos session (sunbeam user disable) prevents refresh.
      refresh_token: 720h

    oauth2:
      expose_internal_errors: false
      pkce:
        enforced_for_public_clients: true

    log:
      format: json
      leak_sensitive_values: false

    clients:
      http:
        disallow_private_ip_ranges: true

    serve:
      cookies:
        same_site_mode: Lax
        domain: DOMAIN_SUFFIX
      public:
        cors:
          enabled: true
          allowed_origins:
            - https://*.DOMAIN_SUFFIX

# Disable chart's secret generation — we create the "hydra" secret via seed script
# with keys: secretsSystem, secretsCookie, pairwise-salt.
secret:
  enabled: false

# Allow Maester to create/update OAuth2Client secrets in the lasuite namespace.
# 'hydra-maester' is the subchart alias — values flow down under this key.
hydra-maester:
  enabledNamespaces:
    - lasuite
    - matrix
    - monitoring

# ServiceMonitor created as standalone resource (hydra-servicemonitor.yaml) —
# chart's built-in ServiceMonitor requires .Capabilities.APIVersions which
# kustomize helm template doesn't provide.

janitor:
  enabled: true
  cleanupGrants: true
  cleanupRequests: true
  cleanupTokens: true

cronjob:
  janitor:
    schedule: "0 */6 * * *"

deployment:
  extraEnv:
    - name: DSN
      valueFrom:
        secretKeyRef:
          name: hydra-db-creds
          key: dsn
  resources:
    limits:
      memory: 256Mi
    requests:
      memory: 64Mi
      cpu: 25m