# ory-copilot
@chilly-king-10285 provide a hydra config assuming tls is terminated on an ALB loadbalancer
A message from kapa.ai
To provide a Hydra configuration assuming TLS is terminated on an Application Load Balancer (ALB), we need to consider a few key aspects. Based on the knowledge sources provided, I can offer the following configuration:
```yaml
serve:
  public:
    cors:
      enabled: true
      allowed_origins:
        - "*"
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
      exposed_headers:
        - Content-Type
    tls:
      enabled: false
  admin:
    cors:
      enabled: true
      allowed_origins:
        - "*"
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
      exposed_headers:
        - Content-Type
    tls:
      enabled: false
  tls:
    enabled: false
```

This configuration is based on the example provided in the [Ory Network GitHub issue](https://github.com/ory/network/issues/248). Here's an explanation of the key points:

1. TLS is disabled for both the public and admin interfaces (`tls: enabled: false`) since TLS termination is happening at the ALB.
2. CORS is enabled for both public and admin interfaces to allow cross-origin requests.
3. `allowed_origins` is set to `"*"`, which allows requests from any origin. In a production environment, you might want to restrict this to specific domains.
4. The configuration allows common HTTP methods and headers.

Additionally, you should consider the following when deploying Hydra behind an ALB:

1. Configure the ALB to forward the original host header to Hydra. This is important for Hydra to compute the correct values for consent challenges.
2. Set up the ALB to pass the `X-Forwarded-Proto` header with the value `https`. This tells Hydra that the original request was made over HTTPS, even though the connection between the ALB and Hydra is not encrypted.
3. You may need to configure the `SERVE_PUBLIC_TLS_ALLOW_TERMINATION_FROM` and `SERVE_ADMIN_TLS_ALLOW_TERMINATION_FROM` environment variables to include the IP ranges of your ALB, as mentioned in the [Ory Hydra deployment guide](https://www.ory.sh/docs/hydra/self-hosted/deploy-hydra-example#install-and-configure-nginx).

Remember to adjust this configuration based on your specific security requirements and infrastructure setup.
@chilly-king-10285 is there a way to disable the URLS_SELF_ISSUER ENV variable in the hydra helm chart so that the value from the config map is used instead
A message from kapa.ai
To answer your question about disabling the `URLS_SELF_ISSUER` environment variable in the Hydra Helm chart, I've reviewed the provided knowledge sources, but I couldn't find specific information about this particular scenario. The documentation doesn't explicitly mention a way to disable this environment variable in favor of using a value from a ConfigMap.

However, based on general Kubernetes and Helm practices, there might be a workaround, although I can't confirm if this will work for the Ory Hydra Helm chart specifically:

1. You could try setting the value to an empty string in your Helm values file:

```yaml
hydra:
  config:
    urls:
      self:
        issuer: ""
```

2. Then, ensure that your ConfigMap contains the desired value for `urls.self.issuer`.

If this doesn't work, you might need to modify the Helm chart templates directly to remove the environment variable setting and instead use the value from your ConfigMap.

For the most accurate and up-to-date information, I recommend:

1. Checking the [Ory Hydra Helm Chart documentation](https://www.ory.sh/docs/hydra/self-hosted/kubernetes-helm-chart) for any recent updates on this topic.
2. Reviewing the Helm chart source code in the [Ory GitHub repository](https://github.com/ory/k8s) to see how the environment variables are set.
3. If you can't find a solution, consider opening an issue on the Ory GitHub repository to ask about this specific use case.

I apologize that I couldn't provide a definitive answer based on the available knowledge sources. The documentation doesn't cover this specific scenario of disabling an environment variable in favor of a ConfigMap value.