Ory Hydra improvements

Author: Brutus5000

apps/ory-hydra2/templates/deployment.yaml

@@ -21,7 +21,7 @@ spec:
         prometheus.io/scrape: 'false'
     spec:
       containers:
-        - image: oryd/hydra:v2.3.0
+        - image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
           imagePullPolicy: Always
           name: ory-hydra2
           envFrom:

apps/ory-hydra2/templates/init-clients.yaml

@@ -0,0 +1,79 @@
+{{- $wave := 1 }}
+{{- range .Values.clients }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ory-hydra-create-client-{{ $wave }}
+  namespace: faf-apps
+  labels:
+    app: ory-hydra-create-clients
+    argocd.argoproj.io/instance: hydra-clients
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    #argocd.argoproj.io/hook-delete-policy: HookSucceeded
+    argocd.argoproj.io/sync-wave: '{{ $wave }}'
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      containers:
+        - name: ory-hydra-create-client
+          image: {{ $.Values.image.repository }}:{{ $.Values.image.tag }}
+          imagePullPolicy: Always
+          envFrom:
+            - configMapRef:
+                name: ory-hydra2
+            - secretRef:
+                name: ory-hydra2
+          env:
+            - name: BASE_DOMAIN
+              value: {{ $.Values.baseDomain }}
+            - name: ORY_SDK_URL
+              value: http://ory-hydra2:4445
+          {{- if .secret }}
+            - name: OAUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .secret.name }}
+                  key:  {{ .secret.key }}
+          {{- end}}
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              if ! hydra get oauth2-client "{{ .id }}" >/dev/null 2>&1; then
+                hydra create oauth2-client \
+                  --name "{{ .name }}" \
+                  --id "{{ .id }}" \
+                  --grant-type "{{ .grantType }}" \
+                  --scope "{{ .scope }}" \
+                  {{- if .secret }}
+                  --secret "$OAUTH_SECRET" \
+                  {{- end}}
+                  {{- if .skipConsent }}
+                  --skip-consent \
+                  {{- end }}
+                  {{- if .redirectUri }}
+                  --redirect-uri "{{ .redirectUri }}" \
+                  {{- end }}
+                  {{- if .logoUri }}
+                  --logo-uri "{{ .logoUri }}" \
+                  {{- end }}
+                  {{- if .tosUri }}
+                  --tos-uri "{{ .tosUri }}" \
+                  {{- end }}
+                  {{- if .policyUri }}
+                  --policy-uri "{{ .policyUri }}" \
+                  {{- end }}
+                  {{- if .tokenEndpointAuthMethod }}
+                  --token-endpoint-auth-method "{{ .tokenEndpointAuthMethod }}"
+                  {{- end }}
+                  {{- if .owner }}
+                  --owner "{{ .owner }}"
+                  {{- end }}
+              else
+                echo "Client {{ .id }} already exists, skipping."
+              fi
+      restartPolicy: Never
+{{- $wave = add $wave 1 }}
+{{- end }}

apps/ory-hydra2/templates/janitor-cronjob.yaml

@@ -20,7 +20,7 @@ spec:
       template:
         spec:
           containers:
-            - image: oryd/hydra:v2.3.0
+            - image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
               imagePullPolicy: Always
               name: ory-hydra
               envFrom:

apps/ory-hydra2/templates/migration-cronjob.yaml

@@ -0,0 +1,29 @@
+kind: Job
+apiVersion: batch/v1
+metadata:
+  name: ory-hydra2-migration
+  namespace: faf-apps
+  labels:
+    app: ory-hydra-migration
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+    argocd.argoproj.io/sync-wave: '-1'
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      containers:
+        - image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+          imagePullPolicy: Always
+          name: ory-hydra-migration
+          envFrom:
+            - configMapRef:
+                name: ory-hydra2
+            - secretRef:
+                name: ory-hydra2
+          ports:
+            - containerPort: 4444
+            - containerPort: 4445
+          args: [ "migrate", "sql", "--read-from-env", "--yes"]
+      restartPolicy: Never

apps/ory-hydra2/templates/migration-job.yaml

@@ -0,0 +1,95 @@
+image:
+  repository: "oryd/hydra"
+  tag: "v25.4.0"
+clients:
+  - name: "FAF Client"
+    id: "2e8808cf-5889-469b-b2c3-01f0cc58c4af"
+    grantType: "authorization_code,refresh_token"
+    scope: "openid,email,offline,public_profile,lobby,upload_map,upload_mod"
+    redirectUri: "http://127.0.0.1"
+    logoUri: "https://$BASE_DOMAIN/images/faf-logo.png"
+    tosUri: "https://$BASE_DOMAIN/tos"
+    policyUri: "https://$BASE_DOMAIN/privacy"
+    tokenEndpointAuthMethod: "none"
+
+  - name: "FAF Moderator Client"
+    id: "8ff5c14f-60e2-41b9-b594-a641dc5013be"
+    grantType: "authorization_code"
+    scope: "openid,public_profile,upload_avatar,administrative_actions,read_sensible_userdata,manage_vault"
+    redirectUri: "http://localhost,http://localhost:8080/,http://127.0.0.1"
+    logoUri: "https://$BASE_DOMAIN/images/faf-logo.png"
+    tosUri: "https://$BASE_DOMAIN/tos"
+    policyUri: "https://$BASE_DOMAIN/privacy"
+    clientUri: "https://github.com/FAForever/faf-moderator-client"
+    tokenEndpointAuthMethod: "none"
+
+  - name: "Ethereal FAF client"
+    id: "b05039ed-e2ab-4fb6-8a7f-e6ecdcc2edcd"
+    grantType: "authorization_code,refresh_token"
+    scope: "openid,offline,public_profile,lobby,upload_map,upload_mod"
+    redirectUri: "http://localhost,http://localhost:57728,http://localhost:59573,http://localhost:58256,http://localhost:53037,http://localhost:51360"
+    logoUri: "https://raw.githubusercontent.com/Eternal-ll/Ethereal-FAF-Client/master/Logo/OAuth.svg"
+    clientUri: "https://github.com/Eternal-ll/Ethereal-FAF-Client"
+    tokenEndpointAuthMethod: "none"
+
+  - name: "www.$BASE_DOMAIN"
+    id: "c5613672-0ee5-4956-8b03-c7951ef25640"
+    secret:
+      name: faf-website
+      key: OAUTH_CLIENT_SECRET
+    skipConsent: true
+    grantType: "authorization_code,refresh_token"
+    scope: "openid,offline,public_profile,write_account_data"
+    redirectUri: "https://www.$BASE_DOMAIN/callback,https://www.$BASE_DOMAIN/auth"
+    tosUri: "https://$BASE_DOMAIN/tos"
+    policyUri: "https://$BASE_DOMAIN/privacy"
+    logoUri: "https://$BASE_DOMAIN/images/faf-logo.png"
+    clientUri: "https://github.com/FAForever/faf-moderator-client"
+    tokenEndpointAuthMethod: "client_secret_post"
+
+  - name: "voting.$BASE_DOMAIN"
+    id: "e3dfa9e8-93ad-4593-8b3c-900005439354"
+    secret:
+      name: faf-voting
+      key: CLIENT_SECRET
+    skipConsent: true
+    grantType: "authorization_code,refresh_token"
+    scope: "openid,public_profile"
+    redirectUri: "https://wiki.$BASE_DOMAIN/login/9edbd0f7-b647-46dc-97c9-3a20293cd830/callback"
+    tosUri: "https://$BASE_DOMAIN/tos"
+    policyUri: "https://$BASE_DOMAIN/privacy"
+    logoUri: "https://$BASE_DOMAIN/images/faf-logo.png"
+    tokenEndpointAuthMethod: "client_secret_post"
+
+  - name: "forum.$BASE_DOMAIN"
+    id: "97853a31-d7fc-424b-a4c2-f8cd053d10d2"
+    secret:
+      name: nodebb
+      key: OAUTH_SECRET
+    skipConsent: true
+    grantType: "authorization_code,refresh_token"
+    scope: "openid,email,public_profile,lobby"
+    redirectUri: "https://forum.$BASE_DOMAIN/auth/faf-nodebb/callback"
+    tosUri: "https://$BASE_DOMAIN/tos"
+    policyUri: "https://$BASE_DOMAIN/privacy"
+    logoUri: "https://$BASE_DOMAIN/images/faf-logo.png"
+    tokenEndpointAuthMethod: "client_secret_post"
+
+  - name: "brackman-discord"
+    id: "fbdc5ce5-9888-4ace-8ccc-378fbcb18992"
+    secret:
+      name: ory-hydra2
+      key: BRACKMAN_DISCORD_SECRET
+    grantType: "client_credentials"
+    scope: "public_profile"
+    tokenEndpointAuthMethod: "client_secret_post"
+    owner: "Paul Wayper"
+
+  - name: "faf-qai"
+    id: "5eecb64d-0f67-4a72-ac2b-717b8c7efa98"
+    secret:
+      name: ory-hydra2
+      key: FAF_QAI_SECRET
+    grantType: "client_credentials"
+    scope: "public_profile"
+    tokenEndpointAuthMethod: "client_secret_post"