{"id":46203178,"url":"https://github.com/canonical/hydra-operator","last_synced_at":"2026-03-03T05:32:12.761Z","repository":{"id":63796028,"uuid":"545928748","full_name":"canonical/hydra-operator","owner":"canonical","description":"A Charmed Operator for running Ory Hydra on Kubernetes","archived":false,"fork":false,"pushed_at":"2026-02-24T13:41:03.000Z","size":1944,"stargazers_count":6,"open_issues_count":16,"forks_count":9,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-02-24T18:26:50.004Z","etag":null,"topics":["charm","hydra","identity-platform","python"],"latest_commit_sha":null,"homepage":"https://github.com/canonical/hydra-operator","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/canonical.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-10-05T08:12:00.000Z","updated_at":"2026-02-24T13:41:05.000Z","dependencies_parsed_at":"2023-09-26T19:48:12.693Z","dependency_job_id":"eccb387d-be1f-4b37-9562-beda32532b5a","html_url":"https://github.com/canonical/hydra-operator","commit_stats":null,"previous_names":[],"tags_count":220,"template":false,"template_full_name":null,"purl":"pkg:github/canonical/hydra-operator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/canonical%2Fhydra-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/canonical%2Fhydra-operator/tags","releases_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/canonical%2Fhydra-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/canonical%2Fhydra-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/canonical","download_url":"https://codeload.github.com/canonical/hydra-operator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/canonical%2Fhydra-operator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30033334,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-03T05:09:26.876Z","status":"ssl_error","status_checked_at":"2026-03-03T05:09:23.944Z","response_time":61,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["charm","hydra","identity-platform","python"],"created_at":"2026-03-03T05:32:12.266Z","updated_at":"2026-03-03T05:32:12.755Z","avatar_url":"https://github.com/canonical.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Charmed Ory Hydra\n\n[![CharmHub Badge](https://charmhub.io/hydra/badge.svg)](https://charmhub.io/hydra)\n[![Juju](https://img.shields.io/badge/Juju%20-3.0+-%23E95420)](https://github.com/juju/juju)\n[![License](https://img.shields.io/github/license/canonical/hydra-operator?label=License)](https://github.com/canonical/hydra-operator/blob/main/LICENSE)\n\n[![Continuous 
Integration Status](https://github.com/canonical/hydra-operator/actions/workflows/on_push.yaml/badge.svg?branch=main)](https://github.com/canonical/hydra-operator/actions?query=branch%3Amain)\n[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)\n[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196.svg)](https://conventionalcommits.org)\n\n## Description\n\nPython Operator for Ory Hydra - a scalable, security first OAuth 2.0 and\nOpenID Connect server. For more details and documentation,\nvisit \u003chttps://www.ory.sh/docs/hydra/\u003e.\n\n## Usage\n\n```shell\njuju deploy postgresql-k8s --channel 14/stable --trust\njuju deploy self-signed-certificates --channel latest/stable --trust\njuju deploy identity-platform-login-ui-operator --channel latest/edge --trust\njuju deploy traefik-k8s --channel latest/stable --trust\n\njuju deploy hydra --trust\n\njuju integrate postgresql-k8s hydra\njuju integrate identity-platform-login-ui-operator hydra\njuju integrate traefik-k8s:certificates self-signed-certificates:certificates\njuju integrate traefik-k8s hydra:public-ingress\n```\n\nYou can follow the deployment status with `watch -c juju status --color`.\n\n## Integrations\n\n### PostgreSQL\n\nThis charm requires an integration\nwith [postgresql-k8s-operator](https://github.com/canonical/postgresql-k8s-operator).\n\n### Ingress\n\nThe Hydra Operator offers integration with\nthe [traefik-k8s-operator](https://github.com/canonical/traefik-k8s-operator)\nfor ingress. 
Hydra has two APIs which can be exposed through ingress, the public\nAPI and the admin API.\n\nIf you have traefik deployed and configured in your hydra model, to provide\ningress to the admin API run:\n\n```shell\njuju integrate traefik-admin hydra:admin-ingress\n```\n\nTo provide ingress to the public API run:\n\n```shell\njuju integrate traefik-public hydra:public-ingress\n```\n\nNote that the public ingress needs to be secured with HTTPS if the charm\nconfig `dev` is not `true`.\n\n### Kratos\n\nThis charm offers integration\nwith [kratos-operator](https://github.com/canonical/kratos-operator). In order\nto integrate hydra with kratos, it needs to be able to access hydra's admin API\nendpoint. To enable that, integrate the two charms:\n\n```shell\njuju integrate kratos hydra\n```\n\n### Identity Platform Login UI\n\nThe following instructions assume that you have deployed `traefik-admin`\nand `traefik-public` charms and integrated them with hydra. Note that the UI\ncharm should run behind a proxy.\n\nThis charm offers integration\nwith [identity-platform-login-ui-operator](https://github.com/canonical/identity-platform-login-ui-operator).\nIn order to integrate them, run:\n\n```shell\njuju integrate hydra:ui-endpoint-info identity-platform-login-ui-operator:ui-endpoint-info\njuju integrate identity-platform-login-ui-operator:hydra-endpoint-info hydra:hydra-endpoint-info\n```\n\n## Run Hydra from backup\n\nWhen migrating an Ory Hydra instance—for example, to a new server or environment—you need to ensure the new instance can decrypt existing user sessions and data. Hydra relies on two crucial secrets for this:\n\n1. System Secret: Used to encrypt sensitive data stored in the database, such as session payloads and JSON Web Key Sets (JWKS).\n2. Cookie Secret: Used to encrypt and sign Hydra's cookies.\n\nIf you restore Hydra from a database backup without using the original secrets, the new instance will generate its own, rendering the backed-up data unusable. 
The Charmed Hydra Operator provides several helper actions and configuration options to manage these secrets and enable seamless server migration.\n\n### Key Management Actions\n\nThe operator includes two Juju actions for managing secrets on a running Hydra instance.\n\n#### get-secret-keys\n\nThis action retrieves the current secret keys used by Hydra. It's essential for backing up secrets before a migration.\n\n```console\n# Get the system secret keys\njuju run hydra/0 get-secret-keys type=system\n\n# Get the cookie secret keys\njuju run hydra/0 get-secret-keys type=cookie\n```\n\n#### add-secret-key\n\nThis action adds a new secret key to Hydra's configuration. This is useful for key rotation or for adding a key from a backup to an existing deployment.\n\n```console\njuju run hydra/0 add-secret-key type=cookie key=YOUR_NEW_COOKIE_SECRET\n```\n\nNOTE: key length MUST be \u003e16 characters\n\n### Config\n\nWhen deploying a new Hydra instance, you can use the following Juju configuration options to pre-seed the secrets, preventing the charm from generating new ones. These options only take effect on the initial deployment.\n\n- `initial_system_secret_id`: The ID of a Juju secret containing the system keys.\n- `initial_cookie_secret_id`: The ID of a Juju secret containing the cookie keys.\n\nThese options have no effect after the charm has been deployed and secrets have been generated.\n\n### Migration Walkthrough\n\nLet's walk through a common server migration scenario. 
Assume you have an existing Hydra deployment (old-model) integrated with a PostgreSQL database, and you want to migrate it to a new Juju model (new-model).\n\nFirst, we need to get the old Hydra secret keys:\n\n```console\n$ juju run -m old-model hydra/0 get-secret-keys type=system -q\nsystem: '[\"old-system-key-1\", \"old-system-key-2\"]'\n\n$ juju run -m old-model hydra/0 get-secret-keys type=cookie -q\ncookie: '[\"old-cookie-key-1\", \"old-cookie-key-2\"]'\n```\n\nIn your new model, create Juju secrets using the values you just retrieved:\n\n```console\n$ juju add-secret -m new-model hydra-system-keys system1=old-system-key-1 system2=old-system-key-2\n\n$ juju add-secret -m new-model hydra-cookie-keys cookie1=old-cookie-key-1 cookie2=old-cookie-key-2\n```\n\n💡 Important: The order of the key-value pairs matters. The first key you provide (e.g., system1) will become the primary secret for the new Hydra instance.\n\nNow we can deploy Hydra in the new model, referencing the Juju secrets you just created:\n\n```console\njuju deploy -m new-model hydra --config initial_system_secret_id=secret:\u003csystem-secret-id\u003e --config initial_cookie_secret_id=secret:\u003ccookie-secret-id\u003e\n```\n\nAfter deployment, you must grant the Hydra charm access to the secrets:\n\n```console\n# Grant access using the secret names created with add-secret above\njuju grant-secret -m new-model hydra-system-keys hydra\njuju grant-secret -m new-model hydra-cookie-keys hydra\n```\n\nNow, integrate the new Hydra instance with your migrated PostgreSQL database and any other necessary applications:\n\n```console\njuju integrate -m new-model hydra postgresql\n# ... integrate with other applications as needed\n```\n\nOnce the new Hydra instance is running and integrated, it should be able to decrypt and use the backed-up database data seamlessly. 
You can verify this by checking that the new instance's JWKS endpoint (https://hydra-url/.well-known/jwks.json) matches the one from your old deployment.\n\n## OCI Images\n\nThe image used by this charm is hosted\non [Docker Hub](https://hub.docker.com/r/oryd/hydra) and maintained by Ory.\n\n## Security\n\nPlease see [SECURITY.md](https://github.com/canonical/hydra-operator/blob/main/SECURITY.md)\nfor guidelines on reporting security issues.\n\n## Contributing\n\nPlease see the [Juju SDK docs](https://juju.is/docs/sdk) for guidelines on\nenhancements to this charm following best practice guidelines,\nand [CONTRIBUTING.md](https://github.com/canonical/hydra-operator/blob/main/CONTRIBUTING.md)\nfor developer guidance.\n\n## License\n\nThe Charmed Hydra Operator is free software, distributed under the Apache\nSoftware License, version 2.0.\nSee [LICENSE](https://github.com/canonical/hydra-operator/blob/main/LICENSE) for\nmore information.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcanonical%2Fhydra-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcanonical%2Fhydra-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcanonical%2Fhydra-operator/lists"}