From 7a09045e82c8fe311d12bc832f9e2c453b4e7d13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Laurent=20Gourv=C3=A9nec?= Date: Thu, 27 Feb 2025 16:01:54 +0100 Subject: [PATCH 1/3] feat(hydra-cleaner): add component --- .../hydra-cleaner/files/hydra-cleaner.sh | 116 ++++++++++++++++++ components/hydra-cleaner/kustomization.yaml | 17 +++ .../resources/hydra-cleaner-cronjob.yaml | 54 ++++++++ 3 files changed, 187 insertions(+) create mode 100644 components/hydra-cleaner/files/hydra-cleaner.sh create mode 100644 components/hydra-cleaner/kustomization.yaml create mode 100644 components/hydra-cleaner/resources/hydra-cleaner-cronjob.yaml diff --git a/components/hydra-cleaner/files/hydra-cleaner.sh b/components/hydra-cleaner/files/hydra-cleaner.sh new file mode 100644 index 0000000..dadfad3 --- /dev/null +++ b/components/hydra-cleaner/files/hydra-cleaner.sh 
@@ -0,0 +1,116 @@
+#!/bin/sh
+
+set -e
+set -o nounset
+
+# 4 tables to empty, at least
+# oidc, code, flow, authentication_session
+
+# \d hydra_oauth2_flow
+#Referenced by:
+# TABLE "hydra_oauth2_access" CONSTRAINT "hydra_oauth2_access_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+# TABLE "hydra_oauth2_code" CONSTRAINT "hydra_oauth2_code_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+# TABLE "hydra_oauth2_oidc" CONSTRAINT "hydra_oauth2_oidc_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+# TABLE "hydra_oauth2_pkce" CONSTRAINT "hydra_oauth2_pkce_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+# TABLE "hydra_oauth2_refresh" CONSTRAINT "hydra_oauth2_refresh_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+
+# -> delete "cascade" on table "flow" cleans access, code, oidc, pkce and refresh tables.
+
+
+DSN="postgresql://${HYDRA_DATABASE_USER}:${HYDRA_DATABASE_PASSWORD}@${HYDRA_DATABASE_SERVICE_NAME}:5432/hydra?sslmode=disable"
+RETENTION_HOURS="${RETENTION_HOURS:-48}"
+BATCH_SIZE="${BATCH_SIZE:-50}"
+LIMIT="${LIMIT:-1000}"
+BEFORE_DATE="$(date +'%Y-%m-%d %H:%M:%S' --date=@$(($(date +%s) - RETENTION_HOURS * 3600)))"
+
+
+log() {
+ echo "$(date +'%d-%m-%y %H:%M:%S%z')| $1"
+}
+
+perror() {
+ log "Something went wrong, exiting."
+ trap - EXIT
+ exit 1
+}
+
+trap perror EXIT
+
+if ! [[ ${RETENTION_HOURS} =~ '^[0-9]+$' ]]; then
+ log "Error: variable RETENTION_HOURS is not a positive integer."
+ perror
+fi
+
+if ! [[ ${LIMIT} =~ '^[0-9]+$' ]]; then
+ log "Error: variable LIMIT is not a positive integer."
+ perror
+fi
+
+if ! [[ ${BATCH_SIZE} =~ '^[0-9]+$' ]]; then
+ log "Error: variable BATCH_SIZE is not a positive integer."
+ perror +fi + +log "Starting hydra cleaner" + +log "Removing up to ${LIMIT} elements before ${BEFORE_DATE} by batch of ${BATCH_SIZE}" + +log "Beginning estimated size:" +psql "${DSN}" < Date: Wed, 5 Mar 2025 17:12:42 +0100 Subject: [PATCH 2/3] feat: integrate hydra-cleaner in example app --- examples/authenticated-app/kustomization.yaml | 11 +++++++++++ .../authenticated-app/patches/hydra-cleaner-env.yaml | 9 +++++++++ examples/authenticated-app/patches/hydra-cleaner.yaml | 3 +++ 3 files changed, 23 insertions(+) create mode 100644 examples/authenticated-app/patches/hydra-cleaner-env.yaml create mode 100644 examples/authenticated-app/patches/hydra-cleaner.yaml diff --git a/examples/authenticated-app/kustomization.yaml b/examples/authenticated-app/kustomization.yaml index c2e4685..ba58311 100644 --- a/examples/authenticated-app/kustomization.yaml +++ b/examples/authenticated-app/kustomization.yaml @@ -14,6 +14,7 @@ components: - ../../components/hydra-ldap - ../../components/oidc-test - ../../components/redis + - ../../components/hydra-cleaner patchesJson6902: - target: @@ -51,6 +52,16 @@ patchesJson6902: kind: OAuth2Client name: oidc-test-oauth2-client path: patches/oidc-test-oauth2-client.yaml + - target: + version: v1 + kind: ConfigMap + name: hydra-cleaner-env + path: patches/hydra-cleaner-env.yaml + - target: + version: v1 + kind: CronJob + name: hydra-cleaner + path: patches/hydra-cleaner.yaml configMapGenerator: - name: hydra-dispatcher-apps diff --git a/examples/authenticated-app/patches/hydra-cleaner-env.yaml b/examples/authenticated-app/patches/hydra-cleaner-env.yaml new file mode 100644 index 0000000..35e9707 --- /dev/null +++ b/examples/authenticated-app/patches/hydra-cleaner-env.yaml @@ -0,0 +1,9 @@ +- op: replace + path: "/data/RETENTION_HOURS" + value: "1" # 1 HOUR +- op: replace + path: "/data/BATCH_SIZE" + value: "100" +- op: replace + path: "/data/LIMIT" + value: "1000" 
diff --git a/examples/authenticated-app/patches/hydra-cleaner.yaml b/examples/authenticated-app/patches/hydra-cleaner.yaml new file mode 100644 index 0000000..3b58dd1 --- /dev/null +++ b/examples/authenticated-app/patches/hydra-cleaner.yaml @@ -0,0 +1,3 @@ +- op: replace + path: "/spec/schedule" + value: "* * * * *" From fedf44a0627c797c99737382edc283f686e3506c Mon Sep 17 00:00:00 2001 From: William Petit Date: Thu, 6 Mar 2025 10:07:40 +0100 Subject: [PATCH 3/3] feat(hydra-cleaner): configurable dsn and hydra port --- components/hydra-cleaner/files/hydra-cleaner.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/hydra-cleaner/files/hydra-cleaner.sh b/components/hydra-cleaner/files/hydra-cleaner.sh index dadfad3..da52fe7 100644 --- a/components/hydra-cleaner/files/hydra-cleaner.sh +++ b/components/hydra-cleaner/files/hydra-cleaner.sh @@ -17,7 +17,7 @@ set -o nounset # -> delete "cascade" on table "flow" cleans access, code, oidc, pkce and refresh tables. -DSN="postgresql://${HYDRA_DATABASE_USER}:${HYDRA_DATABASE_PASSWORD}@${HYDRA_DATABASE_SERVICE_NAME}:5432/hydra?sslmode=disable" +DSN="${DSN:-postgresql://${HYDRA_DATABASE_USER}:${HYDRA_DATABASE_PASSWORD}@${HYDRA_DATABASE_SERVICE_NAME}:${HYDRA_DATABASE_SERVICE_PORT:-5432}/hydra?sslmode=disable}" RETENTION_HOURS="${RETENTION_HOURS:-48}" BATCH_SIZE="${BATCH_SIZE:-50}" LIMIT="${LIMIT:-1000}"
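Review bot: The `* * * * *` schedule on the last line of this patch runs the cleaner every minute, and because this is the example app that readers copy from, the value needs a comment marking it as a demo setting, e.g. `value: "* * * * *" # demo only: every minute so the cleanup is observable; choose a real interval for production`. Whether consecutive runs can overlap depends on the CronJob's `concurrencyPolicy`, which lives in the component's cronjob manifest and is not visible in this patch; if it is not `Forbid`, a one-minute schedule combined with the batched deletes the script appears to perform can stack several runs against the same tables.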
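Review bot: The fallback DSN on the changed line splices `${HYDRA_DATABASE_PASSWORD}` into the URI verbatim, but libpq parses the userinfo part as a URI, so a password containing `@`, `/`, `:`, `%` or `?` produces a malformed connection string (or points at the wrong host) rather than a clean failure; the value would have to be percent-encoded before being interpolated. The same string is then passed to `psql "${DSN}"` as a command-line argument, which exposes the password in the container's process list and in any `set -x` trace. Both problems go away if the default path exports libpq's own variables instead of building a URI — `export PGHOST="${HYDRA_DATABASE_SERVICE_NAME}" PGPORT="${HYDRA_DATABASE_SERVICE_PORT:-5432}" PGUSER="${HYDRA_DATABASE_USER}" PGPASSWORD="${HYDRA_DATABASE_PASSWORD}" PGDATABASE=hydra` — and lets `psql` connect without a DSN argument, keeping `DSN` purely as an explicit override. The default also hard-codes `sslmode=disable`, so out of the box the credentials travel to the database unencrypted; a comment next to the line such as `# default connection is unencrypted; supply a full DSN to enable TLS` would make that trade-off visible to operators.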