# ory-selfhosting
b
hi folks, in configuring Hydra, is there a recommended GitOps-friendly way to pass along the DSN in the form of a secret? From the helm values.yaml config section:
...
config:
  dsn: <--- dsn connection details
...
I can't commit this to the repo, but I see that a `Secret` called `hydra` is created with this value. Wondering if a secretRef can be used in place of the raw value.
My workaround was to create a kubernetes `Job` that reads from a secondary secret containing the dsn and patches the `hydra` secret with this value. I had to play around with helm hook weights to get it to work, but it seems the correct value was injected into the hydra and auto-migration pods. There has to be a better way though…
d
Why? With GitOps you don't need to do this. GitLab or GitHub with a pipeline work as well with secrets. Or use Vault or SOPS 😁
b
Sure, the secret is there, but how do I configure Hydra to use it?
The problem is that the configuration for Hydra is stored in git as part of its helm chart, which Argo CD will deploy. In the chart's values.yaml, the value for dsn is just a clear-text string.
d
Using the helm chart, you are able to use helm templating with an env var to build and evaluate your DSN value correctly.
After you do this, the Ory k8s Hydra chart will separate the DSN, cookie secret and system secret from the config into a k8s secret to "secure" it.
b
I see. Your suggestion is to use helmfile to do this. We have not been using that to generate charts.
b
We are using external secrets operator already. Love it. The thing is, once the secret is in the cluster (something we've managed to do already), then the only way for me to use it in the config without introducing new tools/technologies was to use this patch Job in a pre-install helm hook. Seems helm deploys a secret called `hydra`, which contains the dsn as configured in the chart. We made a job that patches this. It just seemed like a hacky workaround to do.
So, the dsn value in values.yaml is committed to git with a dummy value, the helm chart is deployed, and the helm hook runs a job which takes the actual dsn that is stored in a secret and patches this `hydra` secret with its actual value.
d
Here is the behaviour: https://github.com/ory/k8s/blob/9a133f69b4abda2660189e47d43959b5cb428921/helm/charts/hydra/templates/_helpers.tpl#L62 So you have to define your dsn value in values.yaml (Go template and helm templating AFAIK; maybe https://github.com/jkroepke/helm-secrets#argocd-support)
b
I see. Then there's no standard way to do this in the raw chart without using an extra tool like helm-secrets or helmfile etc.
d
It depends on your database dsn construction. In our case at GameVerse, in our k8s cluster we use CockroachDB and we only have to put a static dsn like this: `cockroach://root@cockroachdb-public:26257/defaultdb?sslcert=/cockroach/cockroach-certs/client.root.crt&sslkey=/cockroach/cockroach-certs/client.root.key&sslrootcert=/cockroach/cockroach-certs/ca.crt&sslmode=verify-full` And with extraVolumes and extraVolumeMounts we have all the required credentials available thanks to the certificates.
b
Oh, I see. That's not a bad idea actually.
I'm using postgres. For the dev cluster it's running in kubernetes alongside our apps, but the upper envs connect to RDS.