➜ hydra git:(master) ✗ kubectl version
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.8", GitCommit:"211047e9a1922595eaa3a1127ed365e9299a6c23", GitTreeState:"clean", BuildDate:"2019-10-15T12:11:03Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.0", GitCommit:"70132b0f130acc0bed193d9ba59dd186f0e634cf", GitTreeState:"clean", BuildDate:"2019-12-07T21:12:17Z", GoVersion:"go1.13.4", Compiler:"gc", Platform:"linux/amd64"}➜ hydra git:(master) ✗ helm install hydra ory/hydra \
--debug \
--dry-run \
--set 'maester.enabled=false' \
--set 'hydra.dangerousForceHttp=true' \
--set 'hydra.config.dsn=memory' \
--set 'hydra.config.urls.self.issuer=http://localhost:4444' \
--set 'hydra.config.urls.login=http://localhost:3000/login' \
--set 'hydra.config.urls.consent=http://localhost:3000/consent' \
--set 'hydra.config.oauth2.expose_internal_errors=true'
install.go:148: [debug] Original chart version: ""
install.go:165: [debug] CHART PATH: /Users/garryyuan/Library/Caches/helm/repository/hydra-0.0.48.tgz
NAME: hydra
LAST DEPLOYED: Mon Dec 30 21:59:38 2019
NAMESPACE: default
STATUS: pending-install
REVISION: 1
USER-SUPPLIED VALUES:
hydra:
config:
dsn: memory
oauth2:
expose_internal_errors: true
urls:
consent: http://localhost:3000/consent
login: http://localhost:3000/login
self:
issuer: http://localhost:4444
dangerousForceHttp: true
maester:
enabled: false
COMPUTED VALUES:
affinity: {}
deployment:
annotations: {}
labels: {}
nodeSelector: {}
resources: {}
tolerations: []
fullnameOverride: ""
hydra:
autoMigrate: false
config:
dsn: memory
oauth2:
expose_internal_errors: true
secrets: {}
serve:
admin:
port: 4445
public:
port: 4444
tls:
allow_termination_from:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
urls:
consent: http://localhost:3000/consent
login: http://localhost:3000/login
self:
issuer: http://localhost:4444
dangerousAllowInsecureRedirectUrls: false
dangerousForceHttp: true
hydra-maester:
adminService:
name: null
port: null
affinity: {}
deployment:
annotations: {}
nodeSelector: {}
resources: {}
tolerations: []
enabledNamespaces: []
global: {}
image:
pullPolicy: IfNotPresent
repository: oryd/hydra-maester
tag: v0.0.5
rbacJob:
image:
repository: eu.gcr.io/kyma-project/test-infra/alpine-kubectl
tag: v20190325-ff66a3a
replicaCount: 1
image:
pullPolicy: IfNotPresent
repository: oryd/hydra
tag: v1.0.0
imagePullSecrets: []
ingress:
admin:
annotations: {}
enabled: false
hosts:
- host: admin.hydra.localhost
paths:
- /
public:
annotations: {}
enabled: false
hosts:
- host: public.hydra.localhost
paths:
- /
maester:
adminService: null
enabled: false
nameOverride: ""
replicaCount: 1
service:
admin:
annotations: {}
enabled: true
port: 4445
type: ClusterIP
public:
annotations: {}
enabled: true
port: 4444
type: ClusterIP
HOOKS:
---
# Source: hydra/charts/hydra-maester/templates/crd-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: hydra-crd-init
annotations:
"helm.sh/hook": "pre-install, pre-upgrade"
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": "before-hook-creation"
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["create", "get", "list", "watch", "patch"]
---
# Source: hydra/charts/hydra-maester/templates/crd-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: hydra-crd-init
annotations:
"helm.sh/hook": "pre-install, pre-upgrade"
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": "before-hook-creation"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hydra-crd-init
subjects:
- kind: ServiceAccount
name: hydra-crd-init
namespace: default
---
# Source: hydra/charts/hydra-maester/templates/crd-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: hydra-crd-init
namespace: default
annotations:
"helm.sh/hook": "pre-install, pre-upgrade"
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": "before-hook-creation"
---
# Source: hydra/charts/hydra-maester/templates/crd-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
namespace: default
name: hydra-crd-oauth2clients
annotations:
"helm.sh/hook": "pre-install, pre-upgrade"
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": "before-hook-creation"
data:
oauth2clients.yaml: |-
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: oauth2clients.hydra.ory.sh
spec:
group: hydra.ory.sh
names:
kind: OAuth2Client
plural: oauth2clients
scope: ""
subresources:
status: {}
validation:
openAPIV3Schema:
description: OAuth2Client is the Schema for the oauth2clients API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
metadata:
properties:
annotations:
additionalProperties:
type: string
description: 'Annotations is an unstructured key value map stored with
a resource that may be set by external tools to store and retrieve
arbitrary metadata. They are not queryable and should be preserved
when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations'
type: object
clusterName:
description: The name of the cluster which the object belongs to. This
is used to distinguish resources with same name and namespace in different
clusters. This field is not set anywhere right now and apiserver is
going to ignore it if set in create or update request.
type: string
creationTimestamp:
description: "CreationTimestamp is a timestamp representing the server
time when this object was created. It is not guaranteed to be set
in happens-before order across separate operations. Clients may not
set this value. It is represented in RFC3339 form and is in UTC. \n
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
format: date-time
type: string
deletionGracePeriodSeconds:
description: Number of seconds allowed for this object to gracefully
terminate before it will be removed from the system. Only set when
deletionTimestamp is also set. May only be shortened. Read-only.
format: int64
type: integer
deletionTimestamp:
description: "DeletionTimestamp is RFC 3339 date and time at which this
resource will be deleted. This field is set by the server when a graceful
deletion is requested by the user, and is not directly settable by
a client. The resource is expected to be deleted (no longer visible
from resource lists, and not reachable by name) after the time in
this field, once the finalizers list is empty. As long as the finalizers
list contains items, deletion is blocked. Once the deletionTimestamp
is set, this value may not be unset or be set further into the future,
although it may be shortened or the resource may be deleted prior
to this time. For example, a user may request that a pod is deleted
in 30 seconds. The Kubelet will react by sending a graceful termination
signal to the containers in the pod. After that 30 seconds, the Kubelet
will send a hard termination signal (SIGKILL) to the container and
after cleanup, remove the pod from the API. In the presence of network
partitions, this object may still exist after this timestamp, until
an administrator or automated process can determine the resource is
fully terminated. If not set, graceful deletion of the object has
not been requested. \n Populated by the system when a graceful deletion
is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
format: date-time
type: string
finalizers:
description: Must be empty before the object is deleted from the registry.
Each entry is an identifier for the responsible component that will
remove the entry from the list. If the deletionTimestamp of the object
is non-nil, entries in this list can only be removed.
items:
type: string
type: array
generateName:
description: "GenerateName is an optional prefix, used by the server,
to generate a unique name ONLY IF the Name field has not been provided.
If this field is used, the name returned to the client will be different
than the name passed. This value will also be combined with a unique
suffix. The provided value has the same validation rules as the Name
field, and may be truncated by the length of the suffix required to
make the value unique on the server. \n If this field is specified
and the generated name exists, the server will NOT return a 409 -
instead, it will either return 201 Created or 500 with Reason ServerTimeout
indicating a unique name could not be found in the time allotted,
and the client should retry (optionally after the time indicated in
the Retry-After header). \n Applied only if Name is not specified.
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency"
type: string
generation:
description: A sequence number representing a specific generation of
the desired state. Populated by the system. Read-only.
format: int64
type: integer
initializers:
description: "An initializer is a controller which enforces some system
invariant at object creation time. This field is a list of initializers
that have not yet acted on this object. If nil or empty, this object
has been completely initialized. Otherwise, the object is considered
uninitialized and is hidden (in list/watch and get calls) from clients
that haven't explicitly asked to observe uninitialized objects. \n
When an object is created, the system will populate this list with
the current set of initializers. Only privileged users may set or
modify this list. Once it is empty, it may not be modified further
by any user. \n DEPRECATED - initializers are an alpha field and will
be removed in v1.15."
properties:
pending:
description: Pending is a list of initializers that must execute
in order before this object is visible. When the last pending
initializer is removed, and no failing result is set, the initializers
struct will be set to nil and the object is considered as initialized
and visible to all clients.
items:
properties:
name:
description: name of the process that is responsible for initializing
this object.
type: string
required:
- name
type: object
type: array
result:
description: If result is set with the Failure field, the object
will be persisted to storage and then deleted, ensuring that other
clients can observe the deletion.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this
representation of an object. Servers should convert recognized
schemas to the latest internal value, and may reject unrecognized
values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
type: string
code:
description: Suggested HTTP return code for this status, 0 if
not set.
format: int32
type: integer
details:
description: Extended data associated with the reason. Each
reason may define its own extended details. This field is
optional and the data returned is not guaranteed to conform
to any schema except that defined by the reason type.
properties:
causes:
description: The Causes array includes more details associated
with the StatusReason failure. Not all StatusReasons may
provide detailed causes.
items:
properties:
field:
description: "The field of the resource that has caused
this error, as named by its JSON serialization.
May include dot and postfix notation for nested
attributes. Arrays are zero-indexed. Fields may
appear more than once in an array of causes due
to fields having multiple errors. Optional. \n Examples:
\ \"name\" - the field \"name\" on the current
resource \"items[0].name\" - the field \"name\"
on the first array entry in \"items\""
type: string
message:
description: A human-readable description of the cause
of the error. This field may be presented as-is
to a reader.
type: string
reason:
description: A machine-readable description of the
cause of the error. If this value is empty there
is no information available.
type: string
type: object
type: array
group:
description: The group attribute of the resource associated
with the status StatusReason.
type: string
kind:
description: 'The kind attribute of the resource associated
with the status StatusReason. On some operations may differ
from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
name:
description: The name attribute of the resource associated
with the status StatusReason (when there is a single name
which can be described).
type: string
retryAfterSeconds:
description: If specified, the time in seconds before the
operation should be retried. Some errors may indicate
the client must take an alternate action - for those errors
this field may indicate how long to wait before taking
the alternate action.
format: int32
type: integer
uid:
description: 'UID of the resource. (when there is a single
resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids'
type: string
type: object
kind:
description: 'Kind is a string value representing the REST resource
this object represents. Servers may infer this from the endpoint
the client submits requests to. Cannot be updated. In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
message:
description: A human-readable description of the status of this
operation.
type: string
metadata:
description: 'Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
properties:
continue:
description: continue may be set if the user set a limit
on the number of items returned, and indicates that the
server has more data available. The value is opaque and
may be used to issue another request to the endpoint that
served this list to retrieve the next set of available
objects. Continuing a consistent list may not be possible
if the server configuration has changed or more than a
few minutes have passed. The resourceVersion field returned
when using this continue value will be identical to the
value in the first response, unless you have received
this token from an error message.
type: string
resourceVersion:
description: 'String that identifies the server''s internal
version of this object that can be used by clients to
determine when objects have changed. Value must be treated
as opaque by clients and passed unmodified back to the
server. Populated by the system. Read-only. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency'
type: string
selfLink:
description: selfLink is a URL representing this object.
Populated by the system. Read-only.
type: string
type: object
reason:
description: A machine-readable description of why this operation
is in the "Failure" status. If this value is empty there is
no information available. A Reason clarifies an HTTP status
code but does not override it.
type: string
status:
description: 'Status of the operation. One of: "Success" or
"Failure". More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status'
type: string
type: object
required:
- pending
type: object
labels:
additionalProperties:
type: string
description: 'Map of string keys and values that can be used to organize
and categorize (scope and select) objects. May match selectors of
replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels'
type: object
managedFields:
description: "ManagedFields maps workflow-id and version to the set
of fields that are managed by that workflow. This is mostly for internal
housekeeping, and users typically shouldn't need to set or understand
this field. A workflow can be the user's name, a controller's name,
or the name of a specific apply path like \"ci-cd\". The set of fields
is always in the version that the workflow used when modifying the
object. \n This field is alpha and can be changed or removed without
notice."
items:
properties:
apiVersion:
description: APIVersion defines the version of this resource that
this field set applies to. The format is "group/version" just
like the top-level APIVersion field. It is necessary to track
the version of a field set because it cannot be automatically
converted.
type: string
fields:
additionalProperties: true
description: Fields identifies a set of fields.
type: object
manager:
description: Manager is an identifier of the workflow managing
these fields.
type: string
operation:
description: Operation is the type of operation which lead to
this ManagedFieldsEntry being created. The only valid values
for this field are 'Apply' and 'Update'.
type: string
time:
description: Time is timestamp of when these fields were set.
It should always be empty if Operation is 'Apply'
format: date-time
type: string
type: object
type: array
name:
description: 'Name must be unique within a namespace. Is required when
creating resources, although some resources may allow a client to
request the generation of an appropriate name automatically. Name
is primarily intended for creation idempotence and configuration definition.
Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
type: string
namespace:
description: "Namespace defines the space within each name must be unique.
An empty namespace is equivalent to the \"default\" namespace, but
\"default\" is the canonical representation. Not all objects are required
to be scoped to a namespace - the value of this field for those objects
will be empty. \n Must be a DNS_LABEL. Cannot be updated. More info:
http://kubernetes.io/docs/user-guide/namespaces"
type: string
ownerReferences:
description: List of objects depended by this object. If ALL objects
in the list have been deleted, this object will be garbage collected.
If this object is managed by a controller, then an entry in this list
will point to this controller, with the controller field set to true.
There cannot be more than one managing controller.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion"
finalizer, then the owner cannot be deleted from the key-value
store until this reference is removed. Defaults to false. To
set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
type: string
uid:
description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids'
type: string
required:
- apiVersion
- kind
- name
- uid
type: object
type: array
resourceVersion:
description: "An opaque value that represents the internal version of
this object that can be used by clients to determine when objects
have changed. May be used for optimistic concurrency, change detection,
and the watch operation on a resource or set of resources. Clients
must treat these values as opaque and passed unmodified back to the
server. They may only be valid for a particular resource or set of
resources. \n Populated by the system. Read-only. Value must be treated
as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency"
type: string
selfLink:
description: SelfLink is a URL representing this object. Populated by
the system. Read-only.
type: string
uid:
description: "UID is the unique in time and space value for this object.
It is typically generated by the server on successful creation of
a resource and is not allowed to change on PUT operations. \n Populated
by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids"
type: string
type: object
spec:
properties:
grantTypes:
description: GrantTypes is an array of grant types the client is allowed
to use.
items:
enum:
- client_credentials
- authorization_code
- implicit
- refresh_token
type: string
maxItems: 4
minItems: 1
type: array
hydraAdmin:
description: HydraAdmin is the optional configuration to use for managing
this client
properties:
endpoint:
description: Endpoint is the endpoint for the hydra instance on
which to set up the client. This value will override the value
provided to `--endpoint` (defaults to `"/clients"` in the application)
pattern: (^$|^/.*)
type: string
forwardedProto:
description: ForwardedProto overrides the `--forwarded-proto` flag.
The value "off" will force this to be off even if `--forwarded-proto`
is specified
pattern: (^$|https?|off)
type: string
port:
description: Port is the port for the hydra instance on which to
set up the client. This value will override the value provided
to `--hydra-port`
maximum: 65535
type: integer
url:
description: URL is the URL for the hydra instance on which to set
up the client. This value will override the value provided to
`--hydra-url`
maxLength: 64
pattern: (^$|^https?://.*)
type: string
type: object
redirectUris:
description: RedirectURIs is an array of the redirect URIs allowed for
the application
items:
pattern: \w+:/?/?[^\s]+
type: string
type: array
responseTypes:
description: ResponseTypes is an array of the OAuth 2.0 response type
strings that the client can use at the authorization endpoint.
items:
enum:
- id_token
- code
- token
type: string
maxItems: 3
minItems: 1
type: array
scope:
description: Scope is a string containing a space-separated list of
scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
that the client can use when requesting access tokens.
pattern: ([a-zA-Z0-9\.\*]+\s?)+
type: string
secretName:
description: SecretName points to the K8s secret that contains this
client's ID and password
maxLength: 253
minLength: 1
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
type: string
required:
- grantTypes
- scope
- secretName
type: object
status:
properties:
observedGeneration:
description: ObservedGeneration represents the most recent generation
observed by the daemon set controller.
format: int64
type: integer
reconciliationError:
properties:
description:
description: Description is the description of the reconciliation
error
type: string
statusCode:
description: Code is the status code of the reconciliation error
type: string
type: object
type: object
type: object
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
# Source: hydra/templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: hydra
namespace: default
labels:
"app.kubernetes.io/name": "hydra"
"app.kubernetes.io/instance": "hydra"
"app.kubernetes.io/version": "v1.0.0-rc.14_oryOS.12"
"app.kubernetes.io/managed-by": "Helm"
"helm.sh/chart": "hydra-0.0.48"
annotations:
# Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
"helm.sh/hook": "pre-install"
"helm.sh/hook-delete-policy": "before-hook-creation"
type: Opaque
data:
# Generate a random secret if the user doesn't give one. User given password has priority
secretsSystem: "emwzSGFwQTMxS08xY0RNOU9KT3dqVHFRY3ZUUHFHa0c="
secretsCookie: "SFBsNm01d3M0aXhXZ1h3c1J1cHJ5R0lIWEF3b2NxUVE="
dsn: "bWVtb3J5"
---
# Source: hydra/templates/tests/test-connection.yaml
apiVersion: v1
kind: Pod
metadata:
name: "hydra-test-connection"
namespace: default
labels:
"app.kubernetes.io/name": "hydra"
"app.kubernetes.io/instance": "hydra"
"app.kubernetes.io/version": "v1.0.0-rc.14_oryOS.12"
"app.kubernetes.io/managed-by": "Helm"
"helm.sh/chart": "hydra-0.0.48"
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: healthcheck-ready
image: busybox
command: ['wget']
args: ['hydra-admin:4445/health/ready']
restartPolicy: Never
---
# Source: hydra/charts/hydra-maester/templates/crd-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
namespace: default
name: hydra-crd-init
annotations:
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/hook-weight": "10"
spec:
template:
metadata:
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: hydra-crd-init
containers:
- name: hydra-crd-oauth2clients
image: "eu.gcr.io/kyma-project/test-infra/alpine-kubectl:v20190325-ff66a3a"
volumeMounts:
- name: crd-oauth2clients
mountPath: /etc/crd
readOnly: true
command: ["kubectl", "apply", "-f", "/etc/crd/oauth2clients.yaml"]
volumes:
- name: crd-oauth2clients
configMap:
name: hydra-crd-oauth2clients
restartPolicy: OnFailure
MANIFEST:
---
# Source: hydra/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: hydra
namespace: default
labels:
"app.kubernetes.io/name": "hydra"
"app.kubernetes.io/instance": "hydra"
"app.kubernetes.io/version": "v1.0.0-rc.14_oryOS.12"
"app.kubernetes.io/managed-by": "Helm"
"helm.sh/chart": "hydra-0.0.48"
data:
"config.yaml": |
oauth2:
expose_internal_errors: true
serve:
admin:
port: 4445
public:
port: 4444
tls:
allow_termination_from:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
urls:
consent: http://localhost:3000/consent
login: http://localhost:3000/login
self:
issuer: http://localhost:4444
---
# Source: hydra/charts/hydra-maester/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: hydra-maester-account
namespace: default
---
# Source: hydra/charts/hydra-maester/templates/rbac.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: hydra-maester-role
namespace: default
rules:
- apiGroups: ["hydra.ory.sh"]
resources: ["oauth2clients", "oauth2clients/status"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list", "watch", "create"]
---
# Source: hydra/charts/hydra-maester/templates/rbac.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: hydra-maester-role-binding
namespace: default
subjects:
- kind: ServiceAccount
name: hydra-maester-account # Service account assigned to the controller pod.
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hydra-maester-role
---
# Source: hydra/charts/hydra-maester/templates/rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: hydra-maester-role-default
namespace: default
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create"]
---
# Source: hydra/charts/hydra-maester/templates/rbac.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: hydra-maester-role-binding-default
namespace: default
subjects:
- kind: ServiceAccount
name: hydra-maester-account # Service account assigned to the controller pod.
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: hydra-maester-role-default
---
# Source: hydra/templates/service-admin.yaml
apiVersion: v1
kind: Service
metadata:
name: hydra-admin
namespace: default
labels:
"app.kubernetes.io/name": "hydra"
"app.kubernetes.io/instance": "hydra"
"app.kubernetes.io/version": "v1.0.0-rc.14_oryOS.12"
"app.kubernetes.io/managed-by": "Helm"
"helm.sh/chart": "hydra-0.0.48"
spec:
type: ClusterIP
ports:
- port: 4445
targetPort: http-admin
protocol: TCP
name: http
selector:
app.kubernetes.io/name: hydra
app.kubernetes.io/instance: hydra
---
# Source: hydra/templates/service-public.yaml
apiVersion: v1
kind: Service
metadata:
name: hydra-public
namespace: default
labels:
"app.kubernetes.io/name": "hydra"
"app.kubernetes.io/instance": "hydra"
"app.kubernetes.io/version": "v1.0.0-rc.14_oryOS.12"
"app.kubernetes.io/managed-by": "Helm"
"helm.sh/chart": "hydra-0.0.48"
spec:
type: ClusterIP
ports:
- port: 4444
targetPort: http-public
protocol: TCP
name: http
selector:
app.kubernetes.io/name: hydra
app.kubernetes.io/instance: hydra
---
# Source: hydra/charts/hydra-maester/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: hydra-hydra-maester
labels:
app.kubernetes.io/name: hydra-maester
helm.sh/chart: hydra-maester-0.0.5-alpha10
app.kubernetes.io/instance: hydra
app.kubernetes.io/version: "0.0.5-alpha10"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
control-plane: controller-manager
app.kubernetes.io/name: hydra-maester
app.kubernetes.io/instance: hydra
template:
metadata:
labels:
control-plane: controller-manager
app.kubernetes.io/name: hydra-maester
app.kubernetes.io/instance: hydra
spec:
containers:
- name: hydra-maester
image: "oryd/hydra-maester:v0.0.5"
imagePullPolicy: IfNotPresent
command:
- /manager
args:
- --metrics-addr=127.0.0.1:8080
- --hydra-url=http://hydra-admin
- --hydra-port=4445
resources:
{}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
serviceAccountName: hydra-maester-account
nodeSelector:
---
# Source: hydra/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: hydra
namespace: default
labels:
"app.kubernetes.io/name": "hydra"
"app.kubernetes.io/instance": "hydra"
"app.kubernetes.io/version": "v1.0.0-rc.14_oryOS.12"
"app.kubernetes.io/managed-by": "Helm"
"helm.sh/chart": "hydra-0.0.48"
annotations:
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: hydra
app.kubernetes.io/instance: hydra
template:
metadata:
labels:
"app.kubernetes.io/name": "hydra"
"app.kubernetes.io/instance": "hydra"
"app.kubernetes.io/version": "v1.0.0-rc.14_oryOS.12"
"app.kubernetes.io/managed-by": "Helm"
"helm.sh/chart": "hydra-0.0.48"
annotations:
spec:
volumes:
- name: hydra-config-volume
configMap:
name: hydra
containers:
- name: hydra
image: "oryd/hydra:v1.0.0"
imagePullPolicy: IfNotPresent
command: ["hydra"]
volumeMounts:
- name: hydra-config-volume
mountPath: /etc/config
readOnly: true
args: [
"serve",
"all",
"--dangerous-force-http",
"--config",
"/etc/config/config.yaml"
]
ports:
- name: http-public
containerPort: 4444
protocol: TCP
- name: http-admin
containerPort: 4445
protocol: TCP
livenessProbe:
httpGet:
path: /health/alive
port: http-admin
initialDelaySeconds: 30
periodSeconds: 10
failureThreshold: 5
readinessProbe:
httpGet:
path: /health/ready
port: http-admin
initialDelaySeconds: 30
periodSeconds: 10
failureThreshold: 5
env:
- name: URLS_SELF_ISSUER
value: "http://localhost:4444"
- name: DSN
valueFrom:
secretKeyRef:
name: hydra
key: dsn
- name: SECRETS_SYSTEM
valueFrom:
secretKeyRef:
name: hydra
key: secretsSystem
- name: SECRETS_COOKIE
valueFrom:
secretKeyRef:
name: hydra
key: secretsCookie
resources:
{}
NOTES:
The ORY Hydra HTTP Public API is available via:
export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=hydra,app.kubernetes.io/instance=hydra" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:4444 to use your application"
kubectl port-forward $POD_NAME 4444:4444
export HYDRA_PUBLIC_URL=http://127.0.0.1:4444/
curl $HYDRA_PUBLIC_URL/.well-known/openid-configuration
If you have the ORY Hydra CLI installed locally, you can run commands
against this endpoint:
hydra token client \
--endpoint $HYDRA_PUBLIC_URL \
# ...
The ORY Hydra HTTP Admin API is available via:
export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=hydra,app.kubernetes.io/instance=hydra" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:4445 to use your application"
kubectl port-forward $POD_NAME 4445:4445
export HYDRA_ADMIN_URL=http://127.0.0.1:4445/
curl $HYDRA_ADMIN_URL/clients
If you have the ORY Hydra CLI installed locally, you can run commands
against this endpoint:
hydra clients list \
--endpoint $HYDRA_ADMIN_URL
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent