From 4cbf7d0f8a152efa53c6d651f17ad526c3a85c51 Mon Sep 17 00:00:00 2001
From: Phillip Wirth
Date: Tue, 13 Aug 2024 08:08:02 +0200
Subject: [PATCH 1/4] BC-5724 simplified
---
 ansible/group_vars/develop/hydra.yml | 3 ---
 ansible/group_vars/infra/hydra.yml | 3 ---
 ansible/group_vars/loadtest/hydra.yml | 3 ---
 ansible/group_vars/production/hydra.yml | 3 ---
 ansible/group_vars/reference/hydra.yml | 3 ---
 ansible/roles/hydra/defaults/main.yaml | 3 +++
 6 files changed, 3 insertions(+), 15 deletions(-)
 delete mode 100644 ansible/group_vars/develop/hydra.yml
 delete mode 100644 ansible/group_vars/infra/hydra.yml
 delete mode 100644 ansible/group_vars/loadtest/hydra.yml
 delete mode 100644 ansible/group_vars/production/hydra.yml
 delete mode 100644 ansible/group_vars/reference/hydra.yml
 create mode 100644 ansible/roles/hydra/defaults/main.yaml
diff --git a/ansible/group_vars/develop/hydra.yml b/ansible/group_vars/develop/hydra.yml
deleted file mode 100644
index 59c619d6e..000000000
--- a/ansible/group_vars/develop/hydra.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-HYDRA_DNS_PREFIX: oauth-
-HYDRA_IMAGE_NAME: oryd/hydra
-HYDRA_IMAGE_TAG: v1.11.10-amd64
diff --git a/ansible/group_vars/infra/hydra.yml b/ansible/group_vars/infra/hydra.yml
deleted file mode 100644
index 8abb4c13b..000000000
--- a/ansible/group_vars/infra/hydra.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-HYDRA_DNS_PREFIX: oauth.
-HYDRA_IMAGE_NAME: oryd/hydra
-HYDRA_IMAGE_TAG: v1.11.10-amd64
diff --git a/ansible/group_vars/loadtest/hydra.yml b/ansible/group_vars/loadtest/hydra.yml
deleted file mode 100644
index 8abb4c13b..000000000
--- a/ansible/group_vars/loadtest/hydra.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-HYDRA_DNS_PREFIX: oauth.
-HYDRA_IMAGE_NAME: oryd/hydra
-HYDRA_IMAGE_TAG: v1.11.10-amd64
diff --git a/ansible/group_vars/production/hydra.yml b/ansible/group_vars/production/hydra.yml
deleted file mode 100644
index 8abb4c13b..000000000
--- a/ansible/group_vars/production/hydra.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-HYDRA_DNS_PREFIX: oauth.
-HYDRA_IMAGE_NAME: oryd/hydra
-HYDRA_IMAGE_TAG: v1.11.10-amd64
diff --git a/ansible/group_vars/reference/hydra.yml b/ansible/group_vars/reference/hydra.yml
deleted file mode 100644
index 8abb4c13b..000000000
--- a/ansible/group_vars/reference/hydra.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-HYDRA_DNS_PREFIX: oauth.
-HYDRA_IMAGE_NAME: oryd/hydra
-HYDRA_IMAGE_TAG: v1.11.10-amd64
diff --git a/ansible/roles/hydra/defaults/main.yaml b/ansible/roles/hydra/defaults/main.yaml
new file mode 100644
index 000000000..65e623993
--- /dev/null
+++ b/ansible/roles/hydra/defaults/main.yaml
@@ -0,0 +1,3 @@
+HYDRA_DNS_PREFIX: oauth.
+HYDRA_IMAGE_NAME: docker.io/oryd/hydra
+HYDRA_IMAGE_TAG: v1.11.10-amd64
\ No newline at end of file
From 571bd0761eeeb67f9ea8eea225723f5d812759f7 Mon Sep 17 00:00:00 2001
From: Phillip Wirth
Date: Tue, 13 Aug 2024 10:53:03 +0200
Subject: [PATCH 2/4] meeeeeh
---
 ansible/group_vars/develop/hydra.yml | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 ansible/group_vars/develop/hydra.yml
diff --git a/ansible/group_vars/develop/hydra.yml b/ansible/group_vars/develop/hydra.yml
new file mode 100644
index 000000000..1e1062050
--- /dev/null
+++ b/ansible/group_vars/develop/hydra.yml
@@ -0,0 +1 @@
+HYDRA_DNS_PREFIX: oauth-
From a4743cfcbd0e488fb590797238f84a687b4e9fb3 Mon Sep 17 00:00:00 2001
From: Phillip Wirth
Date: Wed, 14 Aug 2024 18:20:49 +0200
Subject: [PATCH 3/4] update hydra to 2.0.3
---
 ansible/roles/hydra/defaults/main.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/roles/hydra/defaults/main.yaml b/ansible/roles/hydra/defaults/main.yaml
index 65e623993..19c0d3c8e 100644
--- a/ansible/roles/hydra/defaults/main.yaml
+++ b/ansible/roles/hydra/defaults/main.yaml
@@ -1,3 +1,3 @@
 HYDRA_DNS_PREFIX: oauth.
 HYDRA_IMAGE_NAME: docker.io/oryd/hydra
-HYDRA_IMAGE_TAG: v1.11.10-amd64
\ No newline at end of file
+HYDRA_IMAGE_TAG: v2.0.3-amd64
\ No newline at end of file
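Review bot: `HYDRA_IMAGE_TAG: v1.11.10-amd64` in the new `ansible/roles/hydra/defaults/main.yaml` pins the OAuth2 server's image by a mutable tag only, so a re-push of that tag to `docker.io/oryd/hydra` (or a registry mirror in between) changes what every environment runs without any change in this repository; the bump to `v2.0.3-amd64` later in this series has the same property. I would carry the content digest next to the tag, e.g. `HYDRA_IMAGE_DIGEST: "sha256:<digest of the tag above>"`, and have the deployment template append `@{{ HYDRA_IMAGE_DIGEST }}` to the image reference (that template is not in this diff, so the second half is inferred). Note also that `roles/*/defaults` is the lowest-precedence variable source in Ansible, so any `group_vars/*/hydra.yml` that is re-added, as patch 2 does for `develop`, still overrides these values — a one-line comment at the top such as `# lowest-precedence defaults; override per environment in group_vars/<env>/hydra.yml` would make that explicit. The file is also written without a trailing newline.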
From d20496cbeba1f85f2dd51dc8427e75a69c518e62 Mon Sep 17 00:00:00 2001
From: Phillip Wirth
Date: Thu, 15 Aug 2024 18:43:08 +0200
Subject: [PATCH 4/4] various additional hydra related fixes and improvements
- added pod monitor
- named port for hydras admin interface
- migration aids: HYDRA_URI (the one we use for admin requests, port 4445) does now need an /admin prefix
- removed unused env var SC_FRONTEND from configmap
- scaled down/up hydra to 2 pods per instance
---
 ansible/group_vars/all/config.yml | 2 +-
 ansible/host_vars/prod-brb/pod.yml | 2 +-
 ansible/host_vars/prod-dbc/pod.yml | 2 +-
 ansible/host_vars/prod-nbc/pod.yml | 2 +-
 ansible/host_vars/prod-thr/pod.yml | 2 +-
 ansible/roles/hydra/tasks/main.yml | 6 ++++++
 ansible/roles/hydra/templates/configmap.yml.j2 | 1 -
 ansible/roles/hydra/templates/deployment.yml.j2 | 4 ++++
 ansible/roles/hydra/templates/pod-monitor.yml.j2 | 14 ++++++++++++++
 9 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 ansible/roles/hydra/templates/pod-monitor.yml.j2
diff --git a/ansible/group_vars/all/config.yml b/ansible/group_vars/all/config.yml
index 02491e69e..86fb059fd 100644
--- a/ansible/group_vars/all/config.yml
+++ b/ansible/group_vars/all/config.yml
@@ -261,7 +261,7 @@ configuration_all:
 client: false
 nuxtclient: false
 HYDRA_URI:
- value: "http://hydra-svc:4445"
+ value: "http://hydra-svc:4445/admin"
 server: true
 client: false
 nuxtclient: false
diff --git a/ansible/host_vars/prod-brb/pod.yml b/ansible/host_vars/prod-brb/pod.yml
index 600f7e026..fefa64517 100644
--- a/ansible/host_vars/prod-brb/pod.yml
+++ b/ansible/host_vars/prod-brb/pod.yml
@@ -8,7 +8,7 @@ CLAMAV_REPLICAS: 1
 CLIENT_REPLICAS: 20
 ETHERPAD_NGINX_REPLICAS: 1
 ETHERPAD_REPLICAS: 1
-HYDRA_REPLICAS: 4
+HYDRA_REPLICAS: 2
 LIBREOFFICE_REPLICAS: 1
 MAILDROP_REPLICAS: 1
 NUXTCLIENT_REPLICAS: 4
diff --git a/ansible/host_vars/prod-dbc/pod.yml b/ansible/host_vars/prod-dbc/pod.yml
index 843c8372a..eb4e84954 100644
--- a/ansible/host_vars/prod-dbc/pod.yml
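Review bot: `value: "http://hydra-svc:4445/admin"` makes the server call Hydra's admin API over plain HTTP, and Hydra's admin listener carries no authentication of its own, so anything able to reach `hydra-svc:4445` can create or edit OAuth2 clients, accept login/consent challenges and introspect or revoke tokens. The `/admin` prefix is the right change for the 2.x API, but nothing in this commit shows what limits access to port 4445 — if no NetworkPolicy restricts ingress to the server pods, add one, or enable TLS on the admin listener via Hydra's `serve.admin.tls` settings so the hop is at least not cleartext; I cannot tell from the diff whether either already exists. A comment above the key would make the assumption visible, e.g. `# Hydra admin API: unauthenticated, must only be reachable from server pods`. The `configuration_all` mapping begins before this hunk.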
+++ b/ansible/host_vars/prod-dbc/pod.yml
@@ -8,7 +8,7 @@ CLAMAV_REPLICAS: 1
 CLIENT_REPLICAS: 10
 ETHERPAD_NGINX_REPLICAS: 1
 ETHERPAD_REPLICAS: 1
-HYDRA_REPLICAS: 1
+HYDRA_REPLICAS: 2
 LIBREOFFICE_REPLICAS: 1
 MAILDROP_REPLICAS: 1
 NUXTCLIENT_REPLICAS: 4
diff --git a/ansible/host_vars/prod-nbc/pod.yml b/ansible/host_vars/prod-nbc/pod.yml
index 73f444d1a..7b0a6fe20 100644
--- a/ansible/host_vars/prod-nbc/pod.yml
+++ b/ansible/host_vars/prod-nbc/pod.yml
@@ -9,7 +9,7 @@ CLAMAV_REPLICAS: 1
 CLIENT_REPLICAS: 10
 ETHERPAD_NGINX_REPLICAS: 1
 ETHERPAD_REPLICAS: 1
-HYDRA_REPLICAS: 1
+HYDRA_REPLICAS: 2
 LIBREOFFICE_REPLICAS: 1
 MAILDROP_REPLICAS: 1
 NUXTCLIENT_REPLICAS: 4
diff --git a/ansible/host_vars/prod-thr/pod.yml b/ansible/host_vars/prod-thr/pod.yml
index e3bb83867..260f46587 100644
--- a/ansible/host_vars/prod-thr/pod.yml
+++ b/ansible/host_vars/prod-thr/pod.yml
@@ -10,7 +10,7 @@ CLAMAV_REPLICAS: 1
 CLIENT_REPLICAS: 15
 ETHERPAD_NGINX_REPLICAS: 1
 ETHERPAD_REPLICAS: 1
-HYDRA_REPLICAS: 6
+HYDRA_REPLICAS: 2
 LIBREOFFICE_REPLICAS: 1
 MAILDROP_REPLICAS: 1
 NUXTCLIENT_REPLICAS: 4
diff --git a/ansible/roles/hydra/tasks/main.yml b/ansible/roles/hydra/tasks/main.yml
index 99928416d..36f5eb0f7 100644
--- a/ansible/roles/hydra/tasks/main.yml
+++ b/ansible/roles/hydra/tasks/main.yml
@@ -80,4 +80,10 @@
 kubeconfig: ~/.kube/config
 namespace: "{{ NAMESPACE }}"
 template: deployment.yml.j2
+
+ - name: Pod Monitor
+ kubernetes.core.k8s:
+ kubeconfig: ~/.kube/config
+ namespace: "{{ NAMESPACE }}"
+ template: pod-monitor.yml.j2
diff --git a/ansible/roles/hydra/templates/configmap.yml.j2 b/ansible/roles/hydra/templates/configmap.yml.j2
index 2de2f0165..9c0dc56cf 100644
--- a/ansible/roles/hydra/templates/configmap.yml.j2
+++ b/ansible/roles/hydra/templates/configmap.yml.j2
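Review bot: The new `Pod Monitor` task applies a `monitoring.coreos.com/v1` object unconditionally, so on a cluster where the Prometheus Operator CRD is absent the task fails after the `deployment.yml.j2` step just above has already rolled out the new Hydra version, leaving the role half-applied. Unlike the existing tasks this one depends on a third-party CRD, so I would gate it, e.g. `when: HYDRA_POD_MONITOR_ENABLED | default(true) | bool` with the variable declared in the role defaults, or at least confirm that every target cluster ships the operator (not visible from the diff). The enclosing task list starts before this hunk.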
@@ -15,7 +15,6 @@ data:
 URLS_POST_LOGOUT_REDIRECT: https://{{ DOMAIN }}/logout/
 SERVE_TLS_ALLOW_TERMINATION_FROM: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
 OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES: "public,pairwise"
- SC_FRONTEND: "https://{{ DOMAIN }}"
 SQA_OPT_OUT: "true"
 LOG_LEVEL: "info"
 {% if WITH_BRANCH_POSTGRES_DB_MANAGEMENT|bool %}
diff --git a/ansible/roles/hydra/templates/deployment.yml.j2 b/ansible/roles/hydra/templates/deployment.yml.j2
index dd5351740..452c27bfa 100644
--- a/ansible/roles/hydra/templates/deployment.yml.j2
+++ b/ansible/roles/hydra/templates/deployment.yml.j2
@@ -40,7 +40,11 @@ spec:
 args: ["serve", "all"]
 ports:
 - containerPort: 4444
+ name: http
+ protocol: TCP
 - containerPort: 4445
+ name: http-admin
+ protocol: TCP
 livenessProbe:
 httpGet:
 path: /health/alive
diff --git a/ansible/roles/hydra/templates/pod-monitor.yml.j2 b/ansible/roles/hydra/templates/pod-monitor.yml.j2
new file mode 100644
index 000000000..69731eb8a
--- /dev/null
+++ b/ansible/roles/hydra/templates/pod-monitor.yml.j2
@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: hydra-pod-monitor
+ namespace: {{ NAMESPACE }}
+ labels:
+ app: hydra
+spec:
+ selector:
+ matchLabels:
+ app: hydra
+ podMetricsEndpoints:
+ - port: http-admin
+ path: /admin/metrics/prometheus
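Review bot: The `PodMonitor` scrapes `/admin/metrics/prometheus` on `http-admin` (port 4445), which is the same unauthenticated listener that serves Hydra's client, consent and token-introspection endpoints, so whatever network allowance lets Prometheus reach that port also gives the monitoring namespace full admin access to Hydra. That is inherent to where Hydra exposes its metrics; the mitigation is to keep any NetworkPolicy for port 4445 scoped to the Prometheus pod selector (none is in this diff, so I cannot confirm one exists) and to say so in the template, e.g. `# metrics live on the admin port; keep the policy allowing Prometheus -> 4445 as narrow as possible`. Separately, `namespace: {{ NAMESPACE }}` is the one templated scalar in this patch left unquoted while `tasks/main.yml` writes `"{{ NAMESPACE }}"`; I would match that with `namespace: "{{ NAMESPACE }}"` for consistency.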