chore: update hydra-master to 0.30 (#642)
Demonsthere authored Oct 11, 2023
1 parent f79a0c8 commit 873b5f3
Showing 8 changed files with 51 additions and 6 deletions.
11 changes: 8 additions & 3 deletions helm/charts/hydra-maester/README.md
Expand Up @@ -8,17 +8,22 @@ A Helm chart for Kubernetes

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| adminService | object | `{"endpoint":"/admin/clients","name":null,"port":null}` | Connection data to admin service of Hydra |
| adminService | object | `{"endpoint":"/admin/clients","insecureSkipVerify":false,"name":null,"port":4445,"scheme":"http","tlsTrustStorePath":""}` | Connection data to admin service of Hydra |
| adminService.endpoint | string | `"/admin/clients"` | Set the clients endpoint, should be `/clients` for Hydra 1.x and `/admin/clients` for Hydra 2.x |
| adminService.insecureSkipVerify | bool | `false` | Skip http client insecure verification |
| adminService.name | string | `nil` | Service name |
| adminService.port | string | `nil` | Service port |
| adminService.port | int | `4445` | Service port |
| adminService.scheme | string | `"http"` | Scheme used by Hydra client endpoint. May be "http" or "https" |
| adminService.tlsTrustStorePath | string | `""` | TLS ca-cert path for hydra client |
| affinity | object | `{}` | Configure node affinity |
| deployment.args | object | `{"syncPeriod":""}` | Arguments to be passed to the program |
| deployment.args.syncPeriod | string | `""` | The minimum frequency at which watched resources are reconciled |
| deployment.automountServiceAccountToken | bool | `true` | This applications connects to the k8s API and requires the permissions |
| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
| deployment.extraAnnotations | object | `{}` | Deployment level extra annotations |
| deployment.extraLabels | object | `{}` | Deployment level extra labels |
| deployment.extraVolumeMounts | list | `[]` | |
| deployment.extraVolumes | list | `[]` | If you want to mount external volume |
| deployment.nodeSelector | object | `{}` | Node labels for pod assignment. |
| deployment.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| deployment.podMetadata.annotations | object | `{}` | Extra pod level annotations |
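Review bot: the new `adminService.insecureSkipVerify` row is described as "Skip http client insecure verification", which does not tell an operator what is being switched off. State plainly that `true` disables TLS certificate verification on the connection to the Hydra admin service, and point to `adminService.tlsTrustStorePath` as the option for a private CA. The `adminService.scheme` row documents a default of `"http"`, so requests to `/admin/clients` go out unencrypted unless the operator changes it; the description should say that. `deployment.extraVolumeMounts` has an empty description and `deployment.extraVolumes` only says "If you want to mount external volume"; if these are how the file behind `tlsTrustStorePath` is meant to be supplied, say so in those rows. The `adminService.port` row also changes type and default (string `nil` to int `4445`), which the commit title does not mention.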
Expand All @@ -33,7 +38,7 @@ A Helm chart for Kubernetes
| forwardedProto | string | `nil` | |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.repository | string | `"oryd/hydra-maester"` | Ory Hydra-maester image |
| image.tag | string | `"v0.0.29"` | Ory Hydra-maester version |
| image.tag | string | `"v0.0.30"` | Ory Hydra-maester version |
| imagePullSecrets | list | `[]` | Image pull secrets |
| pdb | object | `{"enabled":false,"spec":{"minAvailable":1}}` | PodDistributionBudget configuration |
| priorityClassName | string | `""` | Pod priority # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
36 changes: 35 additions & 1 deletion helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
Expand Up @@ -58,11 +58,45 @@ spec:
items:
type: string
type: array
backChannelLogoutSessionRequired:
default: false
description:
BackChannelLogoutSessionRequired Boolean value specifying
whether the RP requires that a sid (session ID) Claim be
included in the Logout Token to identify the RP session with
the OP when the backchannel_logout_uri is used. If omitted,
the default value is false.
type: boolean
backChannelLogoutURI:
description:
BackChannelLogoutURI RP URL that will cause the RP to log
itself out when sent a Logout Token by the OP
pattern: (^$|^https?://.*)
type: string
clientName:
description:
ClientName is the human-readable string name of the client
to be presented to the end-user during authorization.
type: string
frontChannelLogoutSessionRequired:
default: false
description:
FrontChannelLogoutSessionRequired Boolean value specifying
whether the RP requires that iss (issuer) and sid (session
ID) query parameters be included to identify the RP session
with the OP when the frontchannel_logout_uri is used
type: boolean
frontChannelLogoutURI:
description:
FrontChannelLogoutURI RP URL that will cause the RP to log
itself out when rendered in an iframe by the OP. An iss
(issuer) query parameter and a sid (session ID) query
parameter MAY be included by the OP to enable the RP to
validate the request and to determine which of the
potentially multiple sessions is to be logged out; if either
is included, both MUST be
pattern: (^$|^https?://.*)
type: string
grantTypes:
description:
GrantTypes is an array of grant types the client is allowed
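Review bot: `backChannelLogoutURI` and `frontChannelLogoutURI` both validate against `pattern: (^$|^https?://.*)`, which accepts plain `http://` and puts no constraint on what follows the scheme. The back-channel description says the OP sends a Logout Token to this URL, so an `http://` value means that token travels in cleartext; either tighten the pattern for these two fields or say in the description that `https` is expected outside local development. Two documentation gaps in the same hunk: the `frontChannelLogoutURI` description stops mid-sentence at "both MUST be", and `frontChannelLogoutSessionRequired` omits the "If omitted, the default value is false" sentence that its back-channel counterpart carries.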
Expand Down Expand Up @@ -122,7 +156,7 @@ spec:
pattern: (^$|^https?://.*)
type: string
metadata:
description: Metadata is abritrary data
description: Metadata is arbitrary data
nullable: true
type: object
x-kubernetes-preserve-unknown-fields: true
2 changes: 1 addition & 1 deletion helm/charts/hydra-maester/values.yaml
Expand Up @@ -12,7 +12,7 @@ image:
# -- Ory Hydra-maester image
repository: oryd/hydra-maester
# -- Ory Hydra-maester version
tag: v0.0.29
tag: v0.0.30
# -- Image pull policy
pullPolicy: IfNotPresent
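Review bot: the `tag: v0.0.30` bump lands together with new fields in `helm/charts/hydra-maester/crds/crd-oauth2clients.yaml`, and Helm applies files under a chart's `crds/` directory only on first install, not on `helm upgrade`. An existing release would therefore run the v0.0.30 image against the previous CRD schema, and the new logout fields would not be usable until the CRD is applied by hand. Add an upgrade note to the chart README or release notes telling operators to apply the updated CRD before or with this version.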

1 change: 1 addition & 0 deletions helm/charts/hydra/README.md
Expand Up @@ -137,6 +137,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
| maester | object | `{"enabled":true}` | Configures controller setup |
| nameOverride | string | `""` | |
| pdb | object | `{"enabled":false,"spec":{"minAvailable":1}}` | PodDistributionBudget configuration |
| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| replicaCount | int | `1` | Number of ORY Hydra members |
| secret.enabled | bool | `true` | switch to false to prevent creating the secret |
| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
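Review bot: the added `priorityClassName` row is unrelated to the hydra-maester version named in the commit title, and the same row is added to the keto, kratos, oathkeeper and oathkeeper-maester READMEs in this commit. If these are regenerated docs catching up with earlier values changes, say so in the commit message or move them to their own commit, so the version bump can be reviewed and reverted on its own. While the table is being regenerated, the context row above still reads "PodDistributionBudget"; the Kubernetes object is PodDisruptionBudget.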
1 change: 1 addition & 0 deletions helm/charts/keto/README.md
Expand Up @@ -84,6 +84,7 @@ Access Control Policies as a Server
| keto.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand |
| nameOverride | string | `""` | |
| pdb | object | `{"enabled":false,"spec":{"minAvailable":1}}` | PodDistributionBudget configuration |
| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| replicaCount | int | `1` | Number of replicas in deployment |
| secret | object | `{"enabled":true,"hashSumEnabled":true,"nameOverride":"","secretAnnotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}}` | Secret management |
| secret.enabled | bool | `true` | Switch to false to prevent creating the secret |
4 changes: 3 additions & 1 deletion helm/charts/kratos/README.md
Expand Up @@ -32,7 +32,7 @@ A ORY Kratos Helm chart for Kubernetes
| cronjob.cleanup.schedule | string | `"0 */1 * * *"` | Configure how often the cron job is ran |
| cronjob.cleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100,"seccompProfile":{"type":"RuntimeDefault"}}` | Configure the containers' SecurityContext for the cleanup cronjob |
| cronjob.cleanup.tolerations | list | `[]` | Configure node tolerations |
| deployment | object | `{"affinity":{},"annotations":{},"automigration":{"extraEnv":[]},"automountServiceAccountToken":true,"customLivenessProbe":{},"customReadinessProbe":{},"customStartupProbe":{},"dnsConfig":{},"extraArgs":[],"extraContainers":"","extraEnv":[],"extraInitContainers":"","extraVolumeMounts":[],"extraVolumes":[],"initContainerSecurityContext":{},"labels":{},"lifecycle":{},"livenessProbe":{"failureThreshold":5,"initialDelaySeconds":5,"periodSeconds":10},"nodeSelector":{},"podMetadata":{"annotations":{},"labels":{}},"podSecurityContext":{},"readinessProbe":{"failureThreshold":5,"initialDelaySeconds":5,"periodSeconds":10},"resources":{},"revisionHistoryLimit":5,"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100,"seccompProfile":{"type":"RuntimeDefault"}},"serviceAccount":{"annotations":{},"create":true,"name":""},"startupProbe":{"failureThreshold":60,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":1},"tolerations":[],"topologySpreadConstraints":[]}` | Configuration options for the k8s deployment |
| deployment | object | `{"affinity":{},"annotations":{},"automigration":{"extraEnv":[]},"automountServiceAccountToken":true,"customLivenessProbe":{},"customReadinessProbe":{},"customStartupProbe":{},"dnsConfig":{},"extraArgs":[],"extraContainers":"","extraEnv":[],"extraInitContainers":"","extraVolumeMounts":[],"extraVolumes":[],"initContainerSecurityContext":{},"labels":{},"lifecycle":{},"livenessProbe":{"failureThreshold":5,"initialDelaySeconds":5,"periodSeconds":10},"nodeSelector":{},"podMetadata":{"annotations":{},"labels":{}},"podSecurityContext":{},"priorityClassName":"","readinessProbe":{"failureThreshold":5,"initialDelaySeconds":5,"periodSeconds":10},"resources":{},"revisionHistoryLimit":5,"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100,"seccompProfile":{"type":"RuntimeDefault"}},"serviceAccount":{"annotations":{},"create":true,"name":""},"startupProbe":{"failureThreshold":60,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":1},"tolerations":[],"topologySpreadConstraints":[]}` | Configuration options for the k8s deployment |
| deployment.affinity | object | `{}` | Configure node affinity |
| deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
| deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected - name: FOO value: BAR |
Expand All @@ -52,6 +52,7 @@ A ORY Kratos Helm chart for Kubernetes
| deployment.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| deployment.podMetadata.labels | object | `{}` | Extra pod level labels |
| deployment.podSecurityContext | object | `{}` | pod securityContext for Kratos & migration init |
| deployment.priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| deployment.readinessProbe | object | `{"failureThreshold":5,"initialDelaySeconds":5,"periodSeconds":10}` | Configure the readinessProbe parameters |
| deployment.resources | object | `{}` | Set desired resource parameters We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. |
| deployment.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
Expand Down Expand Up @@ -163,6 +164,7 @@ A ORY Kratos Helm chart for Kubernetes
| statefulSet.nodeSelector | object | `{}` | Node labels for pod assignment. |
| statefulSet.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| statefulSet.podMetadata.labels | object | `{}` | Extra pod level labels |
| statefulSet.priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| statefulSet.resources | object | `{}` | |
| statefulSet.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| statefulSet.tolerations | list | `[]` | Configure node tolerations. |
1 change: 1 addition & 0 deletions helm/charts/oathkeeper-maester/README.md
Expand Up @@ -31,6 +31,7 @@ A Helm chart for deploying ORY Oathkeeper Rule Controller in Kubernetes
| deployment.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| deployment.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| deployment.podMetadata.labels | object | `{}` | Extra pod level labels |
| deployment.priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| deployment.resources | object | `{}` | |
| deployment.securityContext.allowPrivilegeEscalation | bool | `false` | |
| deployment.securityContext.capabilities.drop[0] | string | `"ALL"` | |
1 change: 1 addition & 0 deletions helm/charts/oathkeeper/README.md
Expand Up @@ -88,6 +88,7 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
| oathkeeper.managedAccessRules | bool | `true` | If you enable maester, the following value should be set to "false" to avoid overwriting the rules generated by the CDRs. Additionally, the value "accessRules" shouldn't be used as it will have no effect once "managedAccessRules" is disabled. |
| oathkeeper.mutatorIdTokenJWKs | string | `""` | If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator. |
| pdb | object | `{"enabled":false,"spec":{"minAvailable":1}}` | PodDistributionBudget configuration |
| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| replicaCount | int | `1` | Number of ORY Oathkeeper members |
| revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| secret.enabled | bool | `true` | switch to false to prevent creating the secret |
