BC-5724 update hydra (#935)

various additional hydra related fixes and improvements - added pod monitor - named port for hydras admin interface - migration aids: HYDRA_URI (the one we use for admin requests, port 4445) does now need an /admin prefix - removed unused env var SC_FRONTEND from configmap - scaled down/up hydra to 2 pods per instance
hpi-schul-cloud · Aug 20, 2024 · c32196f · c32196f
1 parent d062b26
commit c32196f
Show file tree

Hide file tree

Showing 15 changed files with 39 additions and 26 deletions.
diff --git a/ansible/group_vars/all/config.yml b/ansible/group_vars/all/config.yml
@@ -261,7 +261,7 @@ configuration_all:
     client: false
     nuxtclient: false
   HYDRA_URI:
-    value: "http://hydra-svc:4445"
+    value: "http://hydra-svc:4445/admin"
     server: true
     client: false
     nuxtclient: false

diff --git a/ansible/group_vars/develop/hydra.yml b/ansible/group_vars/develop/hydra.yml
@@ -1,3 +1 @@
 HYDRA_DNS_PREFIX: oauth-
-HYDRA_IMAGE_NAME: oryd/hydra
-HYDRA_IMAGE_TAG: v1.11.10-amd64
diff --git a/ansible/group_vars/infra/hydra.yml b/ansible/group_vars/infra/hydra.yml
diff --git a/ansible/group_vars/loadtest/hydra.yml b/ansible/group_vars/loadtest/hydra.yml
diff --git a/ansible/group_vars/production/hydra.yml b/ansible/group_vars/production/hydra.yml
diff --git a/ansible/group_vars/reference/hydra.yml b/ansible/group_vars/reference/hydra.yml
diff --git a/ansible/host_vars/prod-brb/pod.yml b/ansible/host_vars/prod-brb/pod.yml
@@ -8,7 +8,7 @@ CLAMAV_REPLICAS: 1
 CLIENT_REPLICAS: 20
 ETHERPAD_NGINX_REPLICAS: 1
 ETHERPAD_REPLICAS: 1
-HYDRA_REPLICAS: 4
+HYDRA_REPLICAS: 2
 LIBREOFFICE_REPLICAS: 1
 MAILDROP_REPLICAS: 1
 NUXTCLIENT_REPLICAS: 4

diff --git a/ansible/host_vars/prod-dbc/pod.yml b/ansible/host_vars/prod-dbc/pod.yml
@@ -8,7 +8,7 @@ CLAMAV_REPLICAS: 1
 CLIENT_REPLICAS: 10
 ETHERPAD_NGINX_REPLICAS: 1
 ETHERPAD_REPLICAS: 1
-HYDRA_REPLICAS: 1
+HYDRA_REPLICAS: 2
 LIBREOFFICE_REPLICAS: 1
 MAILDROP_REPLICAS: 1
 NUXTCLIENT_REPLICAS: 4

diff --git a/ansible/host_vars/prod-nbc/pod.yml b/ansible/host_vars/prod-nbc/pod.yml
@@ -9,7 +9,7 @@ CLAMAV_REPLICAS: 1
 CLIENT_REPLICAS: 10
 ETHERPAD_NGINX_REPLICAS: 1
 ETHERPAD_REPLICAS: 1
-HYDRA_REPLICAS: 1
+HYDRA_REPLICAS: 2
 LIBREOFFICE_REPLICAS: 1
 MAILDROP_REPLICAS: 1
 NUXTCLIENT_REPLICAS: 4

diff --git a/ansible/host_vars/prod-thr/pod.yml b/ansible/host_vars/prod-thr/pod.yml
@@ -10,7 +10,7 @@ CLAMAV_REPLICAS: 1
 CLIENT_REPLICAS: 15
 ETHERPAD_NGINX_REPLICAS: 1
 ETHERPAD_REPLICAS: 1
-HYDRA_REPLICAS: 6
+HYDRA_REPLICAS: 2
 LIBREOFFICE_REPLICAS: 1
 MAILDROP_REPLICAS: 1
 NUXTCLIENT_REPLICAS: 4

diff --git a/ansible/roles/hydra/defaults/main.yaml b/ansible/roles/hydra/defaults/main.yaml
@@ -0,0 +1,3 @@
+HYDRA_DNS_PREFIX: oauth.
+HYDRA_IMAGE_NAME: docker.io/oryd/hydra
+HYDRA_IMAGE_TAG: v2.0.3-amd64
diff --git a/ansible/roles/hydra/tasks/main.yml b/ansible/roles/hydra/tasks/main.yml
@@ -44,15 +44,15 @@
       template: svc.yml.j2
     tags:
       - service
-      
+
   - name: Ingress
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: ingress.yml.j2
     tags:
       - ingress
-      
+
   - name: Configmap
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
@@ -61,7 +61,7 @@
       apply: yes
     tags:
       - configmap
-      
+
   - name: Secret by 1Password
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
@@ -70,7 +70,7 @@
     when: ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
     tags:
       - 1password
- 
+
   - name:  remove old Job
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
@@ -96,12 +96,19 @@
       template: job.yml.j2
     tags:
       - job
-      
+
   - name: Deployment
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: deployment.yml.j2
     tags:
       - deployment
-
+
+  - name: Pod Monitor
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config
+      namespace: "{{ NAMESPACE }}"
+      template: pod-monitor.yml.j2
+    tags:
+      - prometheus
diff --git a/ansible/roles/hydra/templates/configmap.yml.j2 b/ansible/roles/hydra/templates/configmap.yml.j2
@@ -15,7 +15,6 @@ data:
   URLS_POST_LOGOUT_REDIRECT: https://{{ DOMAIN }}/logout/
   SERVE_TLS_ALLOW_TERMINATION_FROM: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
   OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES: "public,pairwise"
-  SC_FRONTEND: "https://{{ DOMAIN }}"
   SQA_OPT_OUT: "true"
   LOG_LEVEL: "info"
 {% if WITH_BRANCH_POSTGRES_DB_MANAGEMENT|bool %}

diff --git a/ansible/roles/hydra/templates/deployment.yml.j2 b/ansible/roles/hydra/templates/deployment.yml.j2
@@ -40,7 +40,11 @@ spec:
         args: ["serve", "all"]
         ports:
         - containerPort: 4444
+          name: http
+          protocol: TCP
         - containerPort: 4445
+          name: http-admin
+          protocol: TCP
         livenessProbe:
           httpGet:
             path: /health/alive

diff --git a/ansible/roles/hydra/templates/pod-monitor.yml.j2 b/ansible/roles/hydra/templates/pod-monitor.yml.j2
@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: hydra-pod-monitor
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: hydra
+spec:
+  selector:
+    matchLabels:
+      app: hydra
+  podMetricsEndpoints:
+  - port: http-admin
+    path: /admin/metrics/prometheus