From c32196f4d04c56897ee65b9647943befd0bdcca4 Mon Sep 17 00:00:00 2001
From: Phillip
Date: Tue, 20 Aug 2024 09:45:10 +0200
Subject: [PATCH] BC-5724 update hydra (#935)

various additional hydra related fixes and improvements
- added pod monitor
- named port for hydras admin interface
- migration aids: HYDRA_URI (the one we use for admin requests, port 4445) does now need an /admin prefix
- removed unused env var SC_FRONTEND from configmap
- scaled down/up hydra to 2 pods per instance
---
 ansible/group_vars/all/config.yml | 2 +-
 ansible/group_vars/develop/hydra.yml | 2 --
 ansible/group_vars/infra/hydra.yml | 3 ---
 ansible/group_vars/loadtest/hydra.yml | 3 ---
 ansible/group_vars/production/hydra.yml | 3 ---
 ansible/group_vars/reference/hydra.yml | 3 ---
 ansible/host_vars/prod-brb/pod.yml | 2 +-
 ansible/host_vars/prod-dbc/pod.yml | 2 +-
 ansible/host_vars/prod-nbc/pod.yml | 2 +-
 ansible/host_vars/prod-thr/pod.yml | 2 +-
 ansible/roles/hydra/defaults/main.yaml | 3 +++
 ansible/roles/hydra/tasks/main.yml | 19 +++++++++++++------
 .../roles/hydra/templates/configmap.yml.j2 | 1 -
 .../roles/hydra/templates/deployment.yml.j2 | 4 ++++
 .../roles/hydra/templates/pod-monitor.yml.j2 | 14 ++++++++++++++
 15 files changed, 39 insertions(+), 26 deletions(-)
 delete mode 100644 ansible/group_vars/infra/hydra.yml
 delete mode 100644 ansible/group_vars/loadtest/hydra.yml
 delete mode 100644 ansible/group_vars/production/hydra.yml
 delete mode 100644 ansible/group_vars/reference/hydra.yml
 create mode 100644 ansible/roles/hydra/defaults/main.yaml
 create mode 100644 ansible/roles/hydra/templates/pod-monitor.yml.j2
diff --git a/ansible/group_vars/all/config.yml b/ansible/group_vars/all/config.yml
index 02491e69e..86fb059fd 100644
--- a/ansible/group_vars/all/config.yml
+++ b/ansible/group_vars/all/config.yml
@@ -261,7 +261,7 @@ configuration_all:
 client: false
 nuxtclient: false
 HYDRA_URI:
- value: "http://hydra-svc:4445"
+ value: "http://hydra-svc:4445/admin"
 server: true
 client: false
 nuxtclient: false
diff --git a/ansible/group_vars/develop/hydra.yml b/ansible/group_vars/develop/hydra.yml
index 59c619d6e..1e1062050 100644
--- a/ansible/group_vars/develop/hydra.yml
+++ b/ansible/group_vars/develop/hydra.yml
@@ -1,3 +1 @@
 HYDRA_DNS_PREFIX: oauth-
-HYDRA_IMAGE_NAME: oryd/hydra
-HYDRA_IMAGE_TAG: v1.11.10-amd64
diff --git a/ansible/group_vars/infra/hydra.yml b/ansible/group_vars/infra/hydra.yml
deleted file mode 100644
index 8abb4c13b..000000000
--- a/ansible/group_vars/infra/hydra.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-HYDRA_DNS_PREFIX: oauth.
-HYDRA_IMAGE_NAME: oryd/hydra
-HYDRA_IMAGE_TAG: v1.11.10-amd64
diff --git a/ansible/group_vars/loadtest/hydra.yml b/ansible/group_vars/loadtest/hydra.yml
deleted file mode 100644
index 8abb4c13b..000000000
--- a/ansible/group_vars/loadtest/hydra.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-HYDRA_DNS_PREFIX: oauth.
-HYDRA_IMAGE_NAME: oryd/hydra
-HYDRA_IMAGE_TAG: v1.11.10-amd64
diff --git a/ansible/group_vars/production/hydra.yml b/ansible/group_vars/production/hydra.yml
deleted file mode 100644
index 8abb4c13b..000000000
--- a/ansible/group_vars/production/hydra.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-HYDRA_DNS_PREFIX: oauth.
-HYDRA_IMAGE_NAME: oryd/hydra
-HYDRA_IMAGE_TAG: v1.11.10-amd64
diff --git a/ansible/group_vars/reference/hydra.yml b/ansible/group_vars/reference/hydra.yml
deleted file mode 100644
index 8abb4c13b..000000000
--- a/ansible/group_vars/reference/hydra.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-HYDRA_DNS_PREFIX: oauth.
-HYDRA_IMAGE_NAME: oryd/hydra
-HYDRA_IMAGE_TAG: v1.11.10-amd64
diff --git a/ansible/host_vars/prod-brb/pod.yml b/ansible/host_vars/prod-brb/pod.yml
index f364b4e06..10850684d 100644
--- a/ansible/host_vars/prod-brb/pod.yml
+++ b/ansible/host_vars/prod-brb/pod.yml
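Review bot: `HYDRA_URI` now points the server at Hydra's admin API (`http://hydra-svc:4445/admin`), an endpoint Hydra itself leaves unauthenticated, so anything that can reach `hydra-svc:4445` inside the cluster can manage OAuth2 clients and consent sessions; the commit names that port (`http-admin`) but adds no NetworkPolicy limiting who may reach it. If no such policy exists outside this diff, consider one that admits only the server pods and the Prometheus scraper the new PodMonitor introduces. A comment on the key would also record why the prefix appeared, e.g. `# Hydra admin API (port 4445); v2 serves it under the /admin prefix`.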
@@ -8,7 +8,7 @@ CLAMAV_REPLICAS: 1
 CLIENT_REPLICAS: 20
 ETHERPAD_NGINX_REPLICAS: 1
 ETHERPAD_REPLICAS: 1
-HYDRA_REPLICAS: 4
+HYDRA_REPLICAS: 2
 LIBREOFFICE_REPLICAS: 1
 MAILDROP_REPLICAS: 1
 NUXTCLIENT_REPLICAS: 4
diff --git a/ansible/host_vars/prod-dbc/pod.yml b/ansible/host_vars/prod-dbc/pod.yml
index c2c7684ae..84943ba97 100644
--- a/ansible/host_vars/prod-dbc/pod.yml
+++ b/ansible/host_vars/prod-dbc/pod.yml
@@ -8,7 +8,7 @@ CLAMAV_REPLICAS: 1
 CLIENT_REPLICAS: 10
 ETHERPAD_NGINX_REPLICAS: 1
 ETHERPAD_REPLICAS: 1
-HYDRA_REPLICAS: 1
+HYDRA_REPLICAS: 2
 LIBREOFFICE_REPLICAS: 1
 MAILDROP_REPLICAS: 1
 NUXTCLIENT_REPLICAS: 4
diff --git a/ansible/host_vars/prod-nbc/pod.yml b/ansible/host_vars/prod-nbc/pod.yml
index 70e837fee..f681f9ca5 100644
--- a/ansible/host_vars/prod-nbc/pod.yml
+++ b/ansible/host_vars/prod-nbc/pod.yml
@@ -9,7 +9,7 @@ CLAMAV_REPLICAS: 1
 CLIENT_REPLICAS: 10
 ETHERPAD_NGINX_REPLICAS: 1
 ETHERPAD_REPLICAS: 1
-HYDRA_REPLICAS: 1
+HYDRA_REPLICAS: 2
 LIBREOFFICE_REPLICAS: 1
 MAILDROP_REPLICAS: 1
 NUXTCLIENT_REPLICAS: 4
diff --git a/ansible/host_vars/prod-thr/pod.yml b/ansible/host_vars/prod-thr/pod.yml
index 5c193b9b8..957a28a76 100644
--- a/ansible/host_vars/prod-thr/pod.yml
+++ b/ansible/host_vars/prod-thr/pod.yml
@@ -10,7 +10,7 @@ CLAMAV_REPLICAS: 1
 CLIENT_REPLICAS: 15
 ETHERPAD_NGINX_REPLICAS: 1
 ETHERPAD_REPLICAS: 1
-HYDRA_REPLICAS: 6
+HYDRA_REPLICAS: 2
 LIBREOFFICE_REPLICAS: 1
 MAILDROP_REPLICAS: 1
 NUXTCLIENT_REPLICAS: 4
diff --git a/ansible/roles/hydra/defaults/main.yaml b/ansible/roles/hydra/defaults/main.yaml
new file mode 100644
index 000000000..19c0d3c8e
--- /dev/null
+++ b/ansible/roles/hydra/defaults/main.yaml
@@ -0,0 +1,3 @@
+HYDRA_DNS_PREFIX: oauth.
+HYDRA_IMAGE_NAME: docker.io/oryd/hydra
+HYDRA_IMAGE_TAG: v2.0.3-amd64
\ No newline at end of file
diff --git a/ansible/roles/hydra/tasks/main.yml b/ansible/roles/hydra/tasks/main.yml
index 086a21512..872976e89 100644
--- a/ansible/roles/hydra/tasks/main.yml
+++ b/ansible/roles/hydra/tasks/main.yml
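Review bot: The new `ansible/roles/hydra/defaults/main.yaml` ends without a trailing newline (`\ No newline at end of file`) and pins the image by mutable tag only (`v2.0.3-amd64`); now that the tag lives in role defaults instead of per-environment vars, a retag upstream would change what every environment runs at once. Add the newline, and if the deploy tooling supports it, carry an immutable reference next to the tag (placeholder: `HYDRA_IMAGE_DIGEST: "sha256:<digest>"`). The bump is also a major version (v1.11.10 to v2.0.3); presumably the schema migration that implies is done by the Job this role already templates (`job.yml.j2`), which this diff does not show.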
@@ -44,7 +44,7 @@
 template: svc.yml.j2
 tags:
 - service
-
+
 - name: Ingress
 kubernetes.core.k8s:
 kubeconfig: ~/.kube/config
@@ -52,7 +52,7 @@
 template: ingress.yml.j2
 tags:
 - ingress
-
+
 - name: Configmap
 kubernetes.core.k8s:
 kubeconfig: ~/.kube/config
@@ -61,7 +61,7 @@
 apply: yes
 tags:
 - configmap
-
+
 - name: Secret by 1Password
 kubernetes.core.k8s:
 kubeconfig: ~/.kube/config
@@ -70,7 +70,7 @@
 when: ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
 tags:
 - 1password
-
+
 - name: remove old Job
 kubernetes.core.k8s:
 kubeconfig: ~/.kube/config
@@ -96,7 +96,7 @@
 template: job.yml.j2
 tags:
 - job
-
+
 - name: Deployment
 kubernetes.core.k8s:
 kubeconfig: ~/.kube/config
@@ -104,4 +104,11 @@
 template: deployment.yml.j2
 tags:
 - deployment
-
+
+ - name: Pod Monitor
+ kubernetes.core.k8s:
+ kubeconfig: ~/.kube/config
+ namespace: "{{ NAMESPACE }}"
+ template: pod-monitor.yml.j2
+ tags:
+ - prometheus
diff --git a/ansible/roles/hydra/templates/configmap.yml.j2 b/ansible/roles/hydra/templates/configmap.yml.j2
index 2de2f0165..9c0dc56cf 100644
--- a/ansible/roles/hydra/templates/configmap.yml.j2
+++ b/ansible/roles/hydra/templates/configmap.yml.j2
@@ -15,7 +15,6 @@ data:
 URLS_POST_LOGOUT_REDIRECT: https://{{ DOMAIN }}/logout/
 SERVE_TLS_ALLOW_TERMINATION_FROM: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
 OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES: "public,pairwise"
- SC_FRONTEND: "https://{{ DOMAIN }}"
 SQA_OPT_OUT: "true"
 LOG_LEVEL: "info"
 {% if WITH_BRANCH_POSTGRES_DB_MANAGEMENT|bool %}
diff --git a/ansible/roles/hydra/templates/deployment.yml.j2 b/ansible/roles/hydra/templates/deployment.yml.j2
index dd5351740..452c27bfa 100644
--- a/ansible/roles/hydra/templates/deployment.yml.j2
+++ b/ansible/roles/hydra/templates/deployment.yml.j2
@@ -40,7 +40,11 @@ spec:
 args: ["serve", "all"]
 ports:
 - containerPort: 4444
+ name: http
+ protocol: TCP
 - containerPort: 4445
+ name: http-admin
+ protocol: TCP
 livenessProbe:
 httpGet:
 path: /health/alive
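Review bot: The new `Pod Monitor` task in the `@@ -104,4 +104,11 @@` hunk runs unconditionally, yet `PodMonitor` is a Prometheus Operator CRD (`monitoring.coreos.com/v1`), so on any cluster without that CRD the task fails and aborts the rest of the hydra role; the `Secret by 1Password` task in this same file shows the pattern for an optional operator with its `when:` guard. If not every target cluster runs the operator, gate it the same way, e.g. `when: PROMETHEUS_OPERATOR is defined and PROMETHEUS_OPERATOR|bool` (placeholder variable name). The task also omits `apply: yes`, which the `Configmap` task sets; whether the other template tasks set it is only partly visible in these hunks, so align it with whatever the `Deployment` task does.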
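Review bot: The port name `http-admin` added on container port 4445 is what the new `pod-monitor.yml.j2` selects by name, so renaming it here would silently stop scraping without any error in this file; make the coupling visible with a comment on the port, e.g. `# admin API; the name is referenced by pod-monitor.yml.j2 (podMetricsEndpoints.port)`. Naming the admin port also makes it the natural target for a NetworkPolicy rule, which the commit does not add. The container spec continues outside the hunk, so I can't see whether the pod template labels match the `app: hydra` selector the PodMonitor uses.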
diff --git a/ansible/roles/hydra/templates/pod-monitor.yml.j2 b/ansible/roles/hydra/templates/pod-monitor.yml.j2
new file mode 100644
index 000000000..69731eb8a
--- /dev/null
+++ b/ansible/roles/hydra/templates/pod-monitor.yml.j2
@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: hydra-pod-monitor
+ namespace: {{ NAMESPACE }}
+ labels:
+ app: hydra
+spec:
+ selector:
+ matchLabels:
+ app: hydra
+ podMetricsEndpoints:
+ - port: http-admin
+ path: /admin/metrics/prometheus
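Review bot: `namespace: {{ NAMESPACE }}` in the new template is unquoted, while every task in `tasks/main.yml` writes `namespace: "{{ NAMESPACE }}"`; an empty expansion would render as null and a value starting with a YAML indicator would not parse, so quote it: `namespace: "{{ NAMESPACE }}"`. The `matchLabels` selector `app: hydra` must match the pod template labels in `deployment.yml.j2`, which this diff does not show, so verify that the PodMonitor actually resolves targets after rollout. Note also that the scrape goes to the admin listener (`/admin/metrics/prometheus` on `http-admin`), so the Prometheus instance gains reachability to an API Hydra does not authenticate; if port 4445 is restricted by a NetworkPolicy, that policy needs to admit the scraper and nothing more.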