The ORY Hydra Helm Chart helps you deploy ORY Hydra on Kubernetes using Helm. The source code is available on github.com/ory/k8s.
To install ORY Hydra, the following configuration values must be set:
NOTE: If no
hydra.config.secrets.systemsecrets is supplied and
hydra.existingSecret is empty, a secret is generated automatically. The generated secret is cryptographically secure and 32 characters long.
If you wish to install ORY Hydra with an in-memory database, a cryptographically
strong secret, a Login and Consent provider located at
You can optionally also set the cookie secrets:
Alternatively, you can use an existing Kubernetes Secret instead of letting the Helm Chart create one for you:
To run ORY Hydra against a SQL database, set the connection string. For example:
This chart does not require MySQL, PostgreSQL, or CockroachDB as dependencies because we strongly encourage you not to run a database in Kubernetes and instead recommend relying on a managed SQL database such as Google Cloud SQL or AWS Aurora.
To connect to Google Cloud SQL, you could use the
When bringing up ORY Hydra, set the host to
You can pass your ORY Hydra configuration file
by creating a yaml file with key
and passing that as a value override to helm:
Additionally, the following extra settings are available:
autoMigrate (bool): If enabled, an
hydra migrate sql will be created.
dangerousForceHttp (bool): If enabled, sets the
hydra serve all.
dangerousAllowInsecureRedirectUrls (string): Sets the
hydra serve all.
This tutorial assumes that you're running Minikube locally. If you're not running Kubernetes locally, please adjust the hostnames accordingly.
Let's install the Login and Consent App first
http://hydra-example-admin:4445/ corresponding to deployment name
--name hydra-example (see next code sample) with suffix
-admin which is the hostname of the ORY Hydra Admin API Service.
https://public.hydra.localhost/ which is the default value for
ory/hydra (see next code sample).
Next, install ORY Hydra. Please note that SSL is disabled using
--set hydra.dangerousForceHttp=true, which should never be done when working
outside of localhost and is only for testing and demonstration purposes. Install
the ORY Hydra Helm Chart
example-idp.localhost which is the default for
If running Minikube, enable the Ingress addon
and get the IP addresses for the Ingress controllers with (you may need to wait a bit)
or alternatively with
Next, route the hostnames to the IP address from above by editing, for example,
/etc/hosts. The result should look something like:
Please note that file contents will be different on every operating system and network. Now, confirm that everything is working:
Next, you can follow the 5 Minute Tutorial, skipping the
docker-compose set up sections. Assuming you have ORY Hydra
installed locally, you can rewrite commands from, for example,
This chart includes a helper chart in the form of
a Kubernetes controller, which manages OAuth2 clients using the
oauth2clients.hydra.ory.sh custom resource. By default, this component is
enabled and installed together with Hydra. However, it can be disabled by
setting the proper flag:
If you need to override the name of the hydra resources such as the
deployment or services, the traditional
fullnameOverride value is available.
If you use it and deploy maester as part of hydra, make sure you also set
maester.hydraFullnameOverride with the same value, so that the admin service
name used by maester is properly computed with the new value.
Should you forget, helm will fail and remind you to.
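The following pre-deployment check is an added example, not part of the chart or its documentation. It parses the --set flags of a helm command line and reports the dangerous* settings and the fullnameOverride / maester.hydraFullnameOverride pairing described above; the function names and the sample command lines are constructed for illustration.

```python
import re
import shlex

# Settings this page marks as dangerous; they belong only in local test setups.
DANGEROUS_BOOL = "hydra.dangerousForceHttp"
DANGEROUS_REDIRECTS = "hydra.dangerousAllowInsecureRedirectUrls"


def parse_set_values(command):
    """Collect key=value pairs from --set / --set-string flags of a helm command line."""
    values = {}
    tokens = shlex.split(command)
    for i, tok in enumerate(tokens):
        if tok in ("--set", "--set-string") and i + 1 < len(tokens):
            payload = tokens[i + 1]
        elif tok.startswith(("--set=", "--set-string=")):
            payload = tok.split("=", 1)[1]
        else:
            continue
        # Several pairs may share one flag, separated by unescaped commas.
        # Simplification: Helm's {a,b} list syntax is not handled here.
        for pair in re.split(r"(?<!\\),", payload):
            key, sep, value = pair.partition("=")
            if sep:
                values[key.strip()] = value.replace("\\,", ",")
    return values


def audit(command):
    """Return findings for the settings the chart documentation warns about."""
    v = parse_set_values(command)
    findings = []
    if v.get(DANGEROUS_BOOL, "false").lower() == "true":
        findings.append(f"{DANGEROUS_BOOL}=true disables SSL; test and demo use only")
    if v.get(DANGEROUS_REDIRECTS):
        findings.append(f"{DANGEROUS_REDIRECTS} is set: {v[DANGEROUS_REDIRECTS]}")
    override = v.get("fullnameOverride")
    if override and v.get("maester.hydraFullnameOverride") != override:
        findings.append("fullnameOverride is set but maester.hydraFullnameOverride "
                        "does not carry the same value")
    return findings


# Constructed sample command lines (release and chart names follow the tutorial above).
DEMO = ("helm install --name hydra-example --set hydra.dangerousForceHttp=true "
        "--set 'fullnameOverride=idp,maester.hydraFullnameOverride=hydra' ory/hydra")
CLEAN = ("helm install --name hydra-example "
         "--set fullnameOverride=idp,maester.hydraFullnameOverride=idp ory/hydra")
```

The fullnameOverride check only matters when maester is deployed together with Hydra, and values supplied through a values file are not seen by this command-line check.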