feat: added configuration for TLS enabled hydra admin services (#636)

hacks/values/hydra-maester.yaml

@@ -10,3 +10,10 @@ deployment:
   serviceAccount:
     annotations:
       ory.sh/pod_annotation: hydra-maester
+  extraVolumes:
+    - name: "test-volume"
+      emptyDir:
+        sizeLimit: 1Mi
+  extraVolumeMounts:
+    - name: "test-volume"
+      mountPath: /test-volume

helm/charts/hydra-maester/templates/deployment.yaml

@@ -1,3 +1,6 @@
+{{- if and (ne .Values.adminService.scheme "http") (ne .Values.adminService.scheme "https") -}}
+{{ fail "invalid scheme: must be http or https" }}
+{{- end -}}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -40,6 +43,10 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      volumes:
+        {{- if .Values.deployment.extraVolumes }}
+          {{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -48,8 +55,8 @@ spec:
             - /manager
           args:
             - --metrics-addr=127.0.0.1:8080
-            - --hydra-url=http://{{ .Values.adminService.name | default ( include "hydra-maester.adminService" . ) }}
-            - --hydra-port={{ .Values.adminService.port | default 4445 }}
+            - --hydra-url={{ required "scheme is required" .Values.adminService.scheme }}://{{ .Values.adminService.name | default ( include "hydra-maester.adminService" . ) }}
+            - --hydra-port={{ .Values.adminService.port }}
             {{- with .Values.adminService.endpoint }}
             - --endpoint={{ . }}
             {{- end }}
@@ -62,6 +69,16 @@ spec:
             {{- if .Values.deployment.args.syncPeriod }}
             - --sync-period={{ .Values.deployment.args.syncPeriod }}
             {{- end }}
+            {{- if .Values.adminService.insecureSkipVerify }}
+            - --insecure-skip-verify={{ .Values.adminService.insecureSkipVerify }}
+            {{- end}}
+            {{- if .Values.adminService.tlsTrustStorePath }}
+            - --tls-trust-store={{ .Values.adminService.tlsTrustStorePath }}
+            {{- end }}
+          volumeMounts:
+            {{- if .Values.deployment.extraVolumeMounts }}
+              {{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
+            {{- end }}
           resources:
             {{- toYaml .Values.deployment.resources | nindent 12 }}
           terminationMessagePath: /dev/termination-log

helm/charts/hydra-maester/values.yaml

@@ -28,10 +28,16 @@ adminService:
   # -- Service name
   name:
   # -- Service port
-  port:
+  port: 4445
   # -- Set the clients endpoint, should be `/clients` for Hydra 1.x and
   # `/admin/clients` for Hydra 2.x
   endpoint: /admin/clients
+  # -- Scheme used by Hydra client endpoint. May be "http" or "https"
+  scheme: http
+  # -- TLS ca-cert path for hydra client
+  tlsTrustStorePath: ""
+  # -- Skip http client insecure verification
+  insecureSkipVerify: false
 
 forwardedProto:
 
@@ -49,6 +55,16 @@ deployment:
     #   cpu: 100m
     #   memory: 20Mi
 
+  # -- If you want to mount external volume
+  extraVolumes: []
+  # - name: my-volume
+  #   secret:
+  #     secretName: my-secret
+  extraVolumeMounts: []
+  # - name: my-volume
+  #   mountPath: /etc/secrets/my-secret
+  #   readOnly: true
+
   # -- Default security context
   securityContext:
     capabilities: