Upgrade hydra and kratos to the latest v2 and v1 releases respectively

go.mod

@@ -22,8 +22,6 @@ require (
 	github.com/fatih/color v1.14.1
 	github.com/gdamore/tcell v1.3.0
 	github.com/getsentry/sentry-go v0.20.0
-	github.com/go-openapi/runtime v0.19.26
-	github.com/go-openapi/strfmt v0.21.3
 	github.com/gofrs/uuid v4.0.0+incompatible
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang-migrate/migrate v3.5.4+incompatible
@@ -50,8 +48,8 @@ require (
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/olivere/elastic/v7 v7.0.12
 	github.com/ory/dockertest/v3 v3.8.1
-	github.com/ory/hydra-client-go v1.9.2
-	github.com/ory/kratos-client-go v0.10.1
+	github.com/ory/hydra-client-go/v2 v2.2.0
+	github.com/ory/kratos-client-go v1.3.8
 	github.com/phayes/freeport v0.0.0-20171002181615-b8543db493a5
 	github.com/prometheus/client_golang v1.14.0
 	github.com/prometheus/client_model v0.3.0
@@ -68,7 +66,7 @@ require (
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.8.1
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.10.0
 	github.com/txn2/txeh v1.2.1
 	github.com/vbauerster/mpb/v4 v4.11.0
 	github.com/zenazn/goji v0.9.1-0.20160507202103-64eb34159fe5
@@ -80,7 +78,7 @@ require (
 	golang.org/x/exp v0.0.0-20230307190834-24139beb5833
 	golang.org/x/mod v0.20.0
 	golang.org/x/net v0.36.0
-	golang.org/x/oauth2 v0.6.0
+	golang.org/x/oauth2 v0.21.0
 	golang.org/x/sync v0.11.0
 	golang.org/x/sys v0.30.0
 	golang.org/x/term v0.29.0
@@ -151,14 +149,9 @@ require (
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/analysis v0.21.4 // indirect
-	github.com/go-openapi/errors v0.20.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/spec v0.20.8 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/go-openapi/validate v0.22.1 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/goccy/go-yaml v1.9.8 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
@@ -244,7 +237,6 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/src-d/gcfg v1.4.0 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
-	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
 	github.com/xanzy/ssh-agent v0.2.1 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
@@ -256,7 +248,6 @@ require (
 	go.etcd.io/etcd/client/v2 v2.305.8 // indirect
 	go.etcd.io/etcd/pkg/v3 v3.5.8 // indirect
 	go.etcd.io/etcd/raft/v3 v3.5.8 // indirect
-	go.mongodb.org/mongo-driver v1.11.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 // indirect
 	go.opentelemetry.io/otel v1.14.0 // indirect
@@ -276,7 +267,7 @@ require (
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.29.1 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/launchdarkly/go-jsonstream.v1 v1.0.1 // indirect

k8s/cloud/base/kustomization.yaml

@@ -34,7 +34,6 @@ resources:
 - artifact_tracker_deployment.yaml
 - artifact_tracker_service.yaml
 - artifact_config.yaml
-- ory_service_config.yaml
 - indexer_config.yaml
 - indexer_deployment.yaml
 - script_bundles_config.yaml

k8s/cloud/base/ory_auth/hydra/hydra_deployment.yaml

@@ -26,14 +26,17 @@ spec:
       - name: migrate
         args:
         - migrate
-        - -c
-        - /etc/config/hydra/hydra.yml
         - sql
+        - up
         - -e
+        - -c
+        - /etc/config/hydra/hydra.yml
         - --yes
         envFrom:
         - configMapRef:
             name: pl-db-config
+        - configMapRef:
+            name: pl-ory-service-config
         env:
         - name: PL_POSTGRES_USERNAME
           valueFrom:
@@ -55,13 +58,12 @@ spec:
             secretKeyRef:
               name: pl-hydra-secrets
               key: SECRETS_SYSTEM
-        - name: HYDRA_DATABASE
-          value: hydra
         - name: DSN
           # yamllint disable-line rule:line-length
-          value: postgres://$(PL_POSTGRES_USERNAME):$(PL_POSTGRES_PASSWORD)@$(PL_POSTGRES_HOSTNAME):$(PL_POSTGRES_PORT)/$(PL_POSTGRES_DB)?sslmode=disable&max_conns=20&max_idle_conns=4
+          value: postgres://$(PL_POSTGRES_USERNAME):$(PL_POSTGRES_PASSWORD)@$(PL_POSTGRES_HOSTNAME):$(PL_POSTGRES_PORT)/$(PL_HYDRA_DATABASE)?sslmode=disable&max_conns=20&max_idle_conns=4
         imagePullPolicy: IfNotPresent
-        image: oryd/hydra:v1.9.2-sqlite@sha256:61771c706934e1ffd66f86700a28a294ce4ed150fbf30cc131710924271a5871
+        # yamllint disable-line rule:line-length
+        image: ghcr.io/pixie-io/hydra:2.3.0-pl1@sha256:9f0b31b1ca13d22bf14abf0c83251333b9a957a9ade39e3c723a963b84402572
         volumeMounts:
         - mountPath: /etc/config/hydra
           name: config
@@ -77,7 +79,8 @@ spec:
       containers:
       - name: server
         imagePullPolicy: IfNotPresent
-        image: oryd/hydra:v1.9.2-sqlite@sha256:61771c706934e1ffd66f86700a28a294ce4ed150fbf30cc131710924271a5871
+        # yamllint disable-line rule:line-length
+        image: ghcr.io/pixie-io/hydra:2.3.0-pl1@sha256:9f0b31b1ca13d22bf14abf0c83251333b9a957a9ade39e3c723a963b84402572
         args:
         - serve
         - -c
@@ -86,6 +89,8 @@ spec:
         envFrom:
         - configMapRef:
             name: pl-db-config
+        - configMapRef:
+            name: pl-ory-service-config
         - configMapRef:
             name: pl-domain-config
         env:
@@ -111,11 +116,17 @@ spec:
               key: SECRETS_SYSTEM
         - name: DSN
           # yamllint disable-line rule:line-length
-          value: postgres://$(PL_POSTGRES_USERNAME):$(PL_POSTGRES_PASSWORD)@$(PL_POSTGRES_HOSTNAME):$(PL_POSTGRES_PORT)/$(PL_POSTGRES_DB)?sslmode=disable&max_conns=20&max_idle_conns=4
+          value: postgres://$(PL_POSTGRES_USERNAME):$(PL_POSTGRES_PASSWORD)@$(PL_POSTGRES_HOSTNAME):$(PL_POSTGRES_PORT)/$(PL_HYDRA_DATABASE)?sslmode=disable&max_conns=20&max_idle_conns=4
+        - name: SERVE_TLS_ENABLED
+          value: "true"
         - name: SERVE_TLS_CERT_PATH
           value: /certs/server.crt
         - name: SERVE_TLS_KEY_PATH
           value: /certs/server.key
+        - name: SERVE_PUBLIC_CORS_ALLOWED_ORIGINS_0
+          value: https://$(PL_DOMAIN_NAME)
+        - name: SERVE_PUBLIC_CORS_ALLOWED_ORIGINS_1
+          value: https://work.$(PL_DOMAIN_NAME)
         - name: PL_WORK_DOMAIN
           value: work.$(PL_DOMAIN_NAME)
         - name: PL_OAUTH_DOMAIN
@@ -132,6 +143,10 @@ spec:
           value: $(HYDRA_URL)
         - name: URLS_SELF_ISSUER
           value: $(HYDRA_URL)
+        # admin is not exposed to Pixie clients. Requests to this endpoint originate
+        # from Pixie services.
+        - name: URLS_SELF_ADMIN
+          value: $(PL_HYDRA_ADMIN_HOST)
         ports:
         - containerPort: 4444
         - containerPort: 4445
@@ -153,7 +168,8 @@ spec:
             type: RuntimeDefault
       - name: client-create-or-update
         imagePullPolicy: IfNotPresent
-        image: oryd/hydra:v1.9.2-alpine@sha256:faa6ca02e77e0a08f66bfa7470a5e06d80e6e68c9c35410c65a4ea7b501aea61
+        # yamllint disable-line rule:line-length
+        image: ghcr.io/pixie-io/hydra:2.3.0-alpine-pl1@sha256:8e09f1a6882d37387411dc8ee1647cc3c40ba42c7f74d9a711b0fa1f483a6dba
         command: ['sh', '-c', 'set -x;
           URL="https://localhost:4445/health/ready";
           until [
@@ -163,22 +179,30 @@ spec:
             echo "waiting for ${URL}";
             sleep 2;
           done;
-          CMD="hydra clients update auth-code-client";
-          hydra clients get auth-code-client
+          CMD="hydra update oauth2-client auth-code-client";
+          hydra get client auth-code-client
             --endpoint=https://localhost:4445
             --skip-tls-verify;
           if [ $? -ne 0 ]; then
             echo "Creating client";
-            CMD="hydra clients create --id auth-code-client";
+            CMD="hydra create oauth2-client --id auth-code-client";
           fi;
           ${CMD}
             --endpoint https://localhost:4445
             --secret "${HYDRA_CLIENT_SECRET}"
-            --grant-types authorization_code,refresh_token,implicit
-            --response-types code,id_token,token
-            --scope openid,offline,notifications,gist,vizier
-            --callbacks "https://${PL_DOMAIN_NAME}/oauth/auth/callback"
-            --callbacks "https://work.${PL_DOMAIN_NAME}/auth/callback"
+            --grant-type authorization_code
+            --grant-type refresh_token
+            --grant-type implicit
+            --response-type code
+            --response-type id_token
+            --response-type token
+            --scope openid
+            --scope offline
+            --scope notifications
+            --scope gist
+            --scope vizier
+            --redirect-uri "https://${PL_DOMAIN_NAME}/oauth/auth/callback"
+            --redirect-uri "https://work.${PL_DOMAIN_NAME}/auth/callback"
             --skip-tls-verify;
           sleep infinity;
         ']

k8s/cloud/base/ory_auth/kratos/kratos_deployment.yaml

@@ -34,6 +34,8 @@ spec:
         envFrom:
         - configMapRef:
             name: pl-db-config
+        - configMapRef:
+            name: pl-ory-service-config
         env:
         - name: PL_POSTGRES_USERNAME
           valueFrom:
@@ -47,9 +49,10 @@ spec:
               key: PL_POSTGRES_PASSWORD
         - name: DSN
           # yamllint disable-line rule:line-length
-          value: postgres://$(PL_POSTGRES_USERNAME):$(PL_POSTGRES_PASSWORD)@$(PL_POSTGRES_HOSTNAME):$(PL_POSTGRES_PORT)/$(PL_POSTGRES_DB)?sslmode=disable&max_conns=20&max_idle_conns=4
+          value: postgres://$(PL_POSTGRES_USERNAME):$(PL_POSTGRES_PASSWORD)@$(PL_POSTGRES_HOSTNAME):$(PL_POSTGRES_PORT)/$(PL_KRATOS_DATABASE)?sslmode=disable&max_conns=20&max_idle_conns=4
         imagePullPolicy: IfNotPresent
-        image: oryd/kratos:v0.10.1@sha256:fdcfac3da3b64e619af553451607e1ab00160e59860bb19ec145cdc6f6f9c41d
+        # yamllint disable-line rule:line-length
+        image: ghcr.io/pixie-io/kratos:1.3.1-pl1@sha256:3edbd266d68e9fac5e188478704e3f302962310a3685eec65890101e966c7bad
         resources: {}
         securityContext:
           allowPrivilegeEscalation: false
@@ -75,6 +78,8 @@ spec:
             name: pl-db-config
         - configMapRef:
             name: pl-domain-config
+        - configMapRef:
+            name: pl-ory-service-config
         env:
         - name: PL_POSTGRES_USERNAME
           valueFrom:
@@ -88,7 +93,7 @@ spec:
               key: PL_POSTGRES_PASSWORD
         - name: DSN
           # yamllint disable-line rule:line-length
-          value: postgres://$(PL_POSTGRES_USERNAME):$(PL_POSTGRES_PASSWORD)@$(PL_POSTGRES_HOSTNAME):$(PL_POSTGRES_PORT)/$(PL_POSTGRES_DB)?sslmode=disable&max_conns=20&max_idle_conns=4
+          value: postgres://$(PL_POSTGRES_USERNAME):$(PL_POSTGRES_PASSWORD)@$(PL_POSTGRES_HOSTNAME):$(PL_POSTGRES_PORT)/$(PL_KRATOS_DATABASE)?sslmode=disable&max_conns=20&max_idle_conns=4
         - name: SERVE_PUBLIC_TLS_CERT_PATH
           value: /certs/server.crt
         - name: SERVE_PUBLIC_TLS_KEY_PATH
@@ -135,7 +140,8 @@ spec:
         - name: SELFSERVICE_FLOWS_ERROR_UI_URL
           value: https://$(PL_WORK_DOMAIN)/auth/password/error
         imagePullPolicy: IfNotPresent
-        image: oryd/kratos:v0.10.1@sha256:fdcfac3da3b64e619af553451607e1ab00160e59860bb19ec145cdc6f6f9c41d
+        # yamllint disable-line rule:line-length
+        image: ghcr.io/pixie-io/kratos:1.3.1-pl1@sha256:3edbd266d68e9fac5e188478704e3f302962310a3685eec65890101e966c7bad
         ports:
         - containerPort: 4433
         - containerPort: 4434

k8s/cloud/dev/kustomization.yaml

@@ -29,7 +29,6 @@ patches:
 - path: auth_deployment_patch.yaml
 - path: db_config.yaml
 - path: indexer_config.yaml
-- path: ory_service_config.yaml
 - path: script_bundles_config.yaml
 - path: proxy_envoy.yaml
 - path: service_config.yaml

k8s/cloud/base/ory_service_config.yaml → k8s/cloud_deps/base/ory_service_config.yaml

@@ -12,3 +12,5 @@ data:
   # Kratos only support http at the moment.
   PL_KRATOS_PUBLIC_HOST: https://kratos.plc.svc.cluster.local:4433
   PL_KRATOS_ADMIN_HOST: https://kratos.plc.svc.cluster.local:4434
+  PL_HYDRA_DATABASE: hydra
+  PL_KRATOS_DATABASE: kratos

k8s/cloud_deps/dev/kustomization.yaml

@@ -9,3 +9,4 @@ resources:
 - kibana
 - nats
 - postgres
+- ory_service_config.yaml

k8s/cloud_deps/dev/postgres/postgres_deployment.yaml

@@ -1,4 +1,20 @@
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-init-scripts
+data:
+  init-ory-dbs.sh: |
+    #!/usr/bin/env bash
+    set -e
+
+    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+        CREATE DATABASE $PL_HYDRA_DATABASE;
+        CREATE DATABASE $PL_KRATOS_DATABASE;
+        GRANT ALL PRIVILEGES ON DATABASE $PL_HYDRA_DATABASE TO $POSTGRES_USER;
+        GRANT ALL PRIVILEGES ON DATABASE $PL_KRATOS_DATABASE TO $POSTGRES_USER;
+    EOSQL
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -27,11 +43,20 @@ spec:
           value: pl
         - name: POSTGRES_PASSWORD
           value: pl
+        envFrom:
+        - configMapRef:
+            name: pl-ory-service-config
         volumeMounts:
         - mountPath: /var/lib/postgresql/data
           subPath: data
           name: postgres-pv-claim
+        - mountPath: /docker-entrypoint-initdb.d
+          name: postgres-init-scripts
       volumes:
       - name: postgres-pv-claim
         persistentVolumeClaim:
           claimName: postgres-pv-claim
+      - name: postgres-init-scripts
+        configMap:
+          name: postgres-init-scripts
+          defaultMode: 0755

k8s/cloud_deps/public/kustomization.yaml

@@ -6,6 +6,7 @@ commonLabels:
   app: pl-cloud
 resources:
 - configs.yaml
+- ory_service_config.yaml
 - elastic
 - nats
 - postgres

k8s/cloud_deps/public/ory_service_config.yaml

@@ -0,0 +1,16 @@
+---
+# Lists of referenceable ORY services.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pl-ory-service-config
+data:
+  PL_HYDRA_SERVICE: hydra.plc.svc.cluster.local:4444
+  PL_KRATOS_SERVICE: kratos.plc.svc.cluster.local:4433
+  PL_HYDRA_PUBLIC_HOST: https://hydra.plc.svc.cluster.local:4444
+  PL_HYDRA_ADMIN_HOST: https://hydra.plc.svc.cluster.local:4445
+  # Kratos only support http at the moment.
+  PL_KRATOS_PUBLIC_HOST: https://kratos.plc.svc.cluster.local:4433
+  PL_KRATOS_ADMIN_HOST: https://kratos.plc.svc.cluster.local:4434
+  PL_HYDRA_DATABASE: hydra
+  PL_KRATOS_DATABASE: kratos