feat: initial commit

resources/hydra/kustomization.yaml

@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./resources/hydra-deployment.yaml
+  - ./resources/hydra-service.yaml
+  - ./resources/hydra-role.yaml
+  - ./resources/hydra-rolebinding.yaml
+  - ./resources/hydra-serviceaccount.yaml
+  - ./resources/hydra-migrate-job.yaml
+
+secretGenerator:
+  - name: hydra-secret
+    literals:
+      - SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged
+
+configMapGenerator:
+  - name: hydra-env
+    literals:
+      - URLS_SELF_ISSUER=http://localhost:4444
+      - URLS_LOGIN=http://hydra-login-app/login
+      - URLS_CONSENT=http://hydra-consent-app/consent
+      - URLS_LOGOUT=http://hydra-logout-app/logout
+      - HYDRA_SERVE_ALL_ARGS=

resources/hydra/resources/hydra-deployment.yaml

@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    io.kompose.service: hydra
+  name: hydra
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: hydra
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        io.kompose.service: hydra
+    spec:
+      serviceAccount: hydra-sa
+      initContainers:
+        - name: wait-for-migrate
+          image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
+          args:
+          - job
+          - hydra-migrate
+      containers:
+        - name: hydra
+          image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
+          envFrom:
+            - configMapRef:
+                name: hydra-env
+          env:
+            - name: LOG_LEVEL
+              value: debug
+            - name: LOG_LEAK_SENSITIVE_VALUES
+              value: "true"
+            - name: SECRETS_SYSTEM
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-secret
+                  key: SECRETS_SYSTEM
+          args: ["serve", "all", "$(HYDRA_SERVE_ALL_ARGS)"]
+          livenessProbe:
+            exec:
+              command:
+                - wget
+                - --spider
+                - -q
+                - http://127.0.0.1:4444/.well-known/openid-configuration
+            failureThreshold: 6
+            periodSeconds: 10
+            timeoutSeconds: 10
+          ports:
+            - containerPort: 4444
+              name: hydra-public
+            - containerPort: 4445
+              name: hydra-admin
+          resources: {}
+      restartPolicy: Always

resources/hydra/resources/hydra-migrate-job.yaml

@@ -0,0 +1,14 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: hydra-migrate
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+      - env: []
+        name: hydra-migrate
+        image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
+        imagePullPolicy: IfNotPresent
+        args: ["migrate", "sql", "--yes", "$(DSN)"]

resources/hydra/resources/hydra-role.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: hydra-job-status-reader
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - get
+  - list

resources/hydra/resources/hydra-rolebinding.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: hydra-job-status-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: hydra-job-status-reader
+subjects:
+- kind: ServiceAccount
+  name: hydra-sa

resources/hydra/resources/hydra-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    io.kompose.service: hydra
+  name: hydra
+spec:
+  ports:
+    - name: hydra-public
+      port: 4444
+      targetPort: hydra-public
+    - name: hydra-admin
+      port: 4445
+      targetPort: hydra-admin
+  selector:
+    io.kompose.service: hydra
+status:
+  loadBalancer: {}

resources/hydra/resources/hydra-serviceaccount.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hydra-sa