local kubernetes = import 'ci/kubernetes.jsonnet'; local db = import 'ci/db.jsonnet'; local utils = import 'ci/utils.jsonnet'; local tag = std.extVar('tag'); local DSN = db.dsn('hydra'); local authn = if kubernetes.prod() then 'https://id.build.resf.org' else 'http://obsidian.pdot.localhost:16000'; { image: 'oryd/hydra', tag: 'v1.11.7', legacyDb: true, env: [ { name: 'URLS_SELF_ISSUER', value: if kubernetes.prod() then 'https://hdr.build.resf.org/' else 'https://hdr-dev.internal.pdev.resf.localhost', }, { name: 'URLS_SELF_PUBLIC', value: if kubernetes.prod() then 'https://hdr.build.resf.org/' else 'https://hdr-dev.internal.pdev.resf.localhost', }, { name: 'URLS_LOGIN', value: '%s/login' % authn }, { name: 'URLS_CONSENT', value: '%s/consent' % authn }, { name: 'URLS_LOGOUT', value: '%s/logout' % authn }, { name: 'URLS_ERROR', value: '%s/error' % authn }, { name: 'URLS_POST_LOGOUT_REDIRECT', value: 'https://rockylinux.org' }, { name: 'SERVE_TLS_ALLOW_TERMINATION_FROM', value: '127.0.0.1/32,172.39.0.0/16,100.96.0.0/24' }, { name: 'LOG_LEAK_SENSITIVE_VALUES', value: if utils.local_image then 'true' else 'false' }, { name: 'SECRETS_SYSTEM', valueFrom: true, secret: { name: 'hydra', key: 'system-secret', } }, { name: 'SECRETS_COOKIE', valueFrom: true, secret: { name: 'hydra', key: 'cookie-secret', } }, ], sh_args(dsn, cmd): [ '-c', 'export REAL_DSN=`echo $%s | sed -e "s/REPLACEME/${DATABASE_PASSWORD}/g"%s`; DSN=$REAL_DSN %s' % [dsn.name, if $.legacyDb then '' else ' | sed -e "s/postgresql/cockroachdb/g"', cmd], ] }