Transition to Ory Hydra 2 (in parallel)

Brutus5000 · Brutus5000 · commit 55e7a9e83ba1 · 2025-09-25T22:11:36.000+02:00
diff --git a/apps/faf-user-service/templates/config-hydra2.yaml b/apps/faf-user-service/templates/config-hydra2.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: faf-user-service-hydra2
+  labels:
+    app: faf-user-service-hydra2
+data:
+  # Only for testing environments
+  FAF_ENVIRONMENT: {{ eq .Values.environment "prod" | ternary "" .Values.environment }}
+  REAL_IP_HEADER: "Cf-Connecting-Ip"
+  PASSWORD_RESET_URL: "https://www.{{.Values.baseDomain}}/account/password/reset"
+  REGISTER_ACCOUNT_URL: "https://www.{{.Values.baseDomain}}/account/register"
+  ACTIVATION_URL_FORMAT: "https://user.{{.Values.baseDomain}}/register/activate?token=%s"
+  FAILED_LOGIN_ACCOUNT_THRESHOLD: "5"
+  FAILED_LOGIN_ATTEMPT_THRESHOLD: "10"
+  FAILED_LOGIN_THROTTLING_MINUTES: "5"
+  FAILED_LOGIN_DAYS_TO_CHECK: "1"
+  HYDRA_TOKEN_ISSUER: "https://login.{{.Values.baseDomain}}"
+  HYDRA_JWKS_URL: "https://login.{{.Values.baseDomain}}/.well-known/jwks.json"
+  HYDRA_BASE_ADMIN_URL: "http://ory-hydra2:4445"
+  DB_URL: "jdbc:mariadb://mariadb:3306/faf_lobby?ssl=false"
+  DB_USERNAME: "faf-user-service"
+  DB_DATABASE: "faf_lobby" # for mariadb init script
+  LOBBY_URL: "wss://ws.{{.Values.baseDomain}}"
+  IRC_TOKEN_TTL: "300"
+  JAVA_OPTS: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005"
diff --git a/apps/faf-user-service/templates/deployment-hydra2.yaml b/apps/faf-user-service/templates/deployment-hydra2.yaml
@@ -0,0 +1,56 @@
+# This is for temporary running Ory Hydra 1.10 and 2.x in parallel.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: faf-user-service-hydra2
+  labels:
+    app: faf-user-service-hydra2
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: faf-user-service-hydra2
+  template:
+    metadata:
+      labels:
+        app: faf-user-service-hydra2
+      annotations:
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '8081'
+        prometheus.io/path: '/actuator/prometheus'
+    spec:
+      containers:
+        - image: faforever/faf-user-service:3.2.0-RC2
+          imagePullPolicy: Always
+          name: faf-user-service
+          envFrom:
+            - configMapRef:
+                name: faf-user-service-hydra2
+            - secretRef:
+                name: faf-user-service
+          volumeMounts:
+            - name: mail-templates
+              mountPath: /config/mail/
+              readOnly: true
+          ports:
+            - containerPort: 8080
+          startupProbe:
+            httpGet:
+              port: 8080
+              path: /q/health
+            failureThreshold: 10
+            periodSeconds: 3
+          livenessProbe:
+            httpGet:
+              port: 8080
+              path: /q/health
+            failureThreshold: 3
+            periodSeconds: 10
+      restartPolicy: Always
+      volumes:
+        - name: mail-templates
+          configMap:
+            name: faf-user-service-mail-templates
diff --git a/apps/faf-user-service/templates/ingress.yaml b/apps/faf-user-service/templates/ingress.yaml
@@ -11,3 +11,9 @@ spec:
       services:
         - name: faf-user-service
           port: 8080
+    # This is for temporary running Ory Hydra 1.10 and 2.x in parallel.
+    - match: Host(`user-nx.{{.Values.baseDomain}}`)
+      kind: Rule
+      services:
+        - name: faf-user-service-hydra2
+          port: 8080
diff --git a/apps/faf-user-service/templates/service-hydra2.yaml b/apps/faf-user-service/templates/service-hydra2.yaml
@@ -0,0 +1,13 @@
+# This is for temporary running Ory Hydra 1.10 and 2.x in parallel.
+apiVersion: v1
+kind: Service
+metadata:
+  name: faf-user-service-hydra2
+  labels:
+    app: faf-user-service-hydra2
+spec:
+  selector:
+    app: faf-user-service-hydra2
+  ports:
+    - port: 8080
+      targetPort: 8080
diff --git a/apps/ory-hydra2/Chart.yaml b/apps/ory-hydra2/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+name: ory-hydra2
+version: 1.0.0
diff --git a/apps/ory-hydra2/templates/config.yaml b/apps/ory-hydra2/templates/config.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ory-hydra2
+  namespace: faf-apps
+  labels:
+    app: ory-hydra2
+data:
+  URLS_SELF_ISSUER: "https://login.{{.Values.baseDomain}}"
+  URLS_LOGIN: "https://user-nx.{{.Values.baseDomain}}/oauth2/login"
+  URLS_CONSENT: "https://user-nx.{{.Values.baseDomain}}/oauth2/consent"
+  STRATEGIES_ACCESS_TOKEN: "jwt"
+  OAUTH2_CLIENT_CREDENTIALS_DEFAULT_GRANT_ALLOWED_SCOPE: "true"
+  # These are only used for postgres init script, it is redundant in the DSN secret! Don't forget to also create a secret for DB_PASSWORD
+  DB_USER: "hydra"
+  DB_NAME: "ory-hydra"
diff --git a/apps/ory-hydra2/templates/deployment.yaml b/apps/ory-hydra2/templates/deployment.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ory-hydra2
+  namespace: faf-apps
+  labels:
+    app: ory-hydra2
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: ory-hydra2
+  template:
+    metadata:
+      labels:
+        app: ory-hydra2
+      annotations:
+        prometheus.io/scrape: 'false'
+    spec:
+      containers:
+        - image: oryd/hydra:v2.3.0
+          imagePullPolicy: Always
+          name: ory-hydra2
+          envFrom:
+            - configMapRef:
+                name: ory-hydra2
+            - secretRef:
+                name: ory-hydra2
+          ports:
+            - containerPort: 4444
+            - containerPort: 4445
+      restartPolicy: Always
diff --git a/apps/ory-hydra2/templates/ingress.yaml b/apps/ory-hydra2/templates/ingress.yaml
@@ -0,0 +1,13 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ory-hydra2
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`login.{{.Values.baseDomain}}`)
+      kind: Rule
+      services:
+        - name: ory-hydra2
+          port: 4444
diff --git a/apps/ory-hydra2/templates/janitor-cronjob.yaml b/apps/ory-hydra2/templates/janitor-cronjob.yaml
@@ -0,0 +1,43 @@
+kind: CronJob
+apiVersion: batch/v1
+metadata:
+  name: ory-hydra-janitor
+  namespace: faf-apps
+  labels:
+    app: ory-hydra-janitor
+spec:
+  # Once per hour
+  schedule: "0 * * * *"
+  suspend: true
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels:
+        app: ory-hydra-janitor
+      annotations:
+        prometheus.io/scrape: 'false'
+    spec:
+      template:
+        spec:
+          containers:
+            - image: oryd/hydra:v2.3.0
+              imagePullPolicy: Always
+              name: ory-hydra
+              envFrom:
+                - configMapRef:
+                    name: ory-hydra
+                - secretRef:
+                    name: ory-hydra
+              ports:
+                - containerPort: 4444
+                - containerPort: 4445
+              args: [ "janitor",
+                      "--read-from-env",
+                      "--keep-if-younger", "230h",
+                      "--access-lifespan", "100h",
+                      "--refresh-lifespan", "1000h",
+                      "--consent-request-lifespan", "1000h",
+                      "--requests",
+                      "--grants",
+                      "--tokens" ]
+          restartPolicy: Never
diff --git a/apps/ory-hydra2/templates/migration-cronjob.yaml b/apps/ory-hydra2/templates/migration-cronjob.yaml
@@ -0,0 +1,35 @@
+kind: CronJob
+apiVersion: batch/v1
+metadata:
+  name: ory-hydra2-migration
+  namespace: faf-apps
+  labels:
+    app: ory-hydra-migration
+spec:
+  # Disabled because triggered manually
+  schedule: "0 0 31 2 *"
+  suspend: true
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels:
+        app: ory-hydra2-migration
+      annotations:
+        prometheus.io/scrape: 'false'
+    spec:
+      template:
+        spec:
+          containers:
+            - image: oryd/hydra:v2.3.0
+              imagePullPolicy: Always
+              name: ory-hydra
+              envFrom:
+                - configMapRef:
+                    name: ory-hydra2
+                - secretRef:
+                    name: ory-hydra2
+              ports:
+                - containerPort: 4444
+                - containerPort: 4445
+              args: [ "migrate", "sql", "--read-from-env", "--yes"]
+          restartPolicy: Never
diff --git a/apps/ory-hydra2/templates/secret.yaml b/apps/ory-hydra2/templates/secret.yaml
@@ -0,0 +1,19 @@
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: ory-hydra2
+  namespace: faf-apps
+spec:
+  authentication:
+    universalAuth:
+      credentialsRef:
+        secretName: infisical-machine-identity
+        secretNamespace: faf-ops
+      secretsScope:
+        projectSlug: {{.Values.infisical.projectSlug}}
+        envSlug: {{.Values.infisical.envSlug}}
+        secretsPath: "/ory-hydra2"
+  managedSecretReference:
+    secretName: ory-hydra2
+    secretNamespace: faf-apps
+    creationPolicy: "Owner"
diff --git a/apps/ory-hydra2/templates/service.yaml b/apps/ory-hydra2/templates/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ory-hydra2
+  namespace: faf-apps
+  labels:
+    app: ory-hydra2
+spec:
+  selector:
+    app: ory-hydra2
+  ports:
+    - name: public-port
+      port: 4444
+      targetPort: 4444
+    - name: admin-port
+      port: 4445
+      targetPort: 4445
diff --git a/scripts/init-postgres.sh b/scripts/init-postgres.sh
@@ -50,5 +50,6 @@ create_user_and_db() {
 }
 
 create_user_and_db faf-apps wikijs DB_USER DB_PASS DB_NAME
+create_user_and_db faf-apps ory-hydra2 DB_USER DB_PASSWORD DB_NAME
 
 echo "All users and databases have been processed."

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+apiVersion: v2`
	`2`	`+name: ory-hydra2`
	`3`	`+version: 1.0.0`