The ORY Hydra Helm Chart helps you deploy ORY Hydra on Kubernetes using Helm. The source code is available on github.com/ory/k8s.
To install ORY Hydra, the following configuration values must be set:
NOTE: If no hydra.config.secrets.system secret is supplied and hydra.existingSecret is empty, a secret is generated automatically. The generated secret is cryptographically secure and 32 characters long.
If you wish to install ORY Hydra with an in-memory database, a cryptographically strong secret, a Login and Consent
provider located at
You can optionally also set the cookie secrets:
Alternatively, you can use an existing Kubernetes Secret instead of letting the Helm Chart create one for you:
With SQL Database
To run ORY Hydra against a SQL database, set the connection string. For example:
This chart does not require MySQL, PostgreSQL, or CockroachDB as dependencies because we strongly encourage you not to run a database in Kubernetes and instead recommend relying on a managed SQL database such as Google Cloud SQL or AWS Aurora.
With Google Cloud SQL
To connect to Google Cloud SQL, you could use
When bringing up ORY Hydra, set the host to
pg-sqlproxy-gcloud-sqlproxy as documented
You can pass your ORY Hydra configuration file
by creating a yaml file with key
and passing that as a value override to helm:
Additionally, the following extra settings are available:
autoMigrate (bool): If enabled, an
hydra migrate sql will be created.
dangerousForceHttp (bool): If enabled, sets the
hydra serve all.
dangerousAllowInsecureRedirectUrls (string): Sets the
hydra serve all.
Exemplary Login and Consent App
This tutorial assumes that you're running Minikube locally. If you're not running Kubernetes locally, please adjust the hostnames accordingly.
Let's install the Login and Consent App first
http://hydra-example-api:4445/ corresponding to deployment name
--name hydra-example (see next code sample) with suffix
-admin which is the hostname of the ORY Hydra Admin API Service.
https://public.hydra.localhost/ which is the default value for
ory/hydra (see next code sample).
Next install ORY Hydra. Please note that SSL is disabled using
which should never be done when working outside of
localhost and only
for testing and demonstration purposes. Install the ORY Hydra Helm Chart
example-idp.localhost which is the default for
If running Minikube, enable the Ingress addon
and get the IP addresses for the Ingress controllers with (you may need to wait a bit)
or alternatively with
Next, route the hostnames to the IP address from above by editing, for example
/etc/hosts. The result should look something
Please note that file contents will be different on every operating system and network. Now, confirm that everything is working:
Next, you can follow the 5 Minute Tutorial,
docker-compose set up sections. Assuming
you have ORY Hydra installed locally, you can rewrite commands
from, for example,
This chart includes a helper chart in the form of Hydra Maester, a Kubernetes controller, which manages OAuth2 clients using the
oauth2clients.hydra.ory.sh custom resource. By default, this component is enabled and installed together with Hydra. However, it can be disabled by setting the proper flag:
If you need to override the name of the Hydra resources such as the deployment or services, the traditional
fullnameOverride value is available.
If you use it and deploy maester as part of hydra, make sure you also set
maester.hydraFullnameOverride with the same value, so that the admin service name used by maester is properly computed with the new value.
Should you forget, helm will fail and remind you to.
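An added example (not part of the chart or the original page) that checks a values override for the settings this page flags: the two dangerous* options, the system secret length, the in-memory database, and the fullnameOverride / maester.hydraFullnameOverride pairing. The hydra.* nesting of the flags and the hydra.config.dsn and maester.enabled keys are assumptions about the chart's value layout, and the sample overrides are constructed.

```python
# Added example: audits a parsed Helm values override (nested dict) for the
# risky settings described on this page. Key nesting under "hydra." and the
# "maester.enabled" / "hydra.config.dsn" keys are assumptions.

def lookup(values, dotted, default=None):
    """Walk a nested dict along a dotted path such as 'hydra.config.dsn'."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def audit_values(values):
    """Return a list of findings for one values override."""
    findings = []
    if lookup(values, "hydra.dangerousForceHttp", False):
        findings.append("dangerousForceHttp: SSL is disabled")
    if lookup(values, "hydra.dangerousAllowInsecureRedirectUrls"):
        findings.append("dangerousAllowInsecureRedirectUrls: insecure redirect URLs allowed")
    # Policy assumption: a supplied system secret should be no shorter than
    # the 32 characters the chart generates on its own.
    system = lookup(values, "hydra.config.secrets.system")
    if system and not lookup(values, "hydra.existingSecret"):
        supplied = system if isinstance(system, list) else [system]
        if any(len(str(s)) < 32 for s in supplied):
            findings.append("secrets.system: shorter than 32 characters")
    if lookup(values, "hydra.config.dsn") == "memory":
        findings.append("dsn: in-memory database, state is lost on restart")
    # Maester computes the admin service name from its own copy of the override.
    name = lookup(values, "fullnameOverride")
    if name and lookup(values, "maester.enabled", True):
        if lookup(values, "maester.hydraFullnameOverride") != name:
            findings.append("maester.hydraFullnameOverride: must equal fullnameOverride")
    return findings

# Constructed sample overrides (not taken from the chart or the page).
DEMO = {"fullnameOverride": "auth", "hydra": {
    "dangerousForceHttp": True,
    "config": {"dsn": "memory", "secrets": {"system": ["too-short-secret"]}}}}
HARDENED = {"fullnameOverride": "auth",
            "maester": {"hydraFullnameOverride": "auth"},
            "hydra": {"existingSecret": "hydra-secrets", "autoMigrate": True}}

if __name__ == "__main__":
    for label, values in (("demo", DEMO), ("hardened", HARDENED)):
        print(label, audit_values(values) or "no findings")
```

Parse the override file with a YAML parser of your choice and pass the resulting dict to audit_values before running helm.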