Comments (6)
Run it against a strong database with e.g. one or two read replicas and scale the hydra pod/container horizontally to e.g. 3 or 4 nodes. Nothing more required.
from docs.
We’re considering rolling out ory/hydra as our OpenID Connect and OAuth2 solution - as such, it would be great to understand what best practice is for deploying hydra in a Highly Available manner, in production.
(As per the comments in issue #772, ory/hydra appears to be running well in the wild - any real world HA examples of production hydra deployments would also be much appreciated /cc @rjw57 @dtt101 @pnicolcev-tulipretail)
from docs.
Re. the above, we’ve experimented with scaling the number of ory/hydra pod replicas on Kubernetes, with a managed RDBMS specified in the DATABASE_URL/dsn, and have observed intermittent 401 responses when attempting to retrieve tokens:
description="Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)" error=invalid_client
Other than these intermittent errors, token requests are granted.
As issue #1319 highlights, this appears to be the case as
> Hydra naturally introduces some level of state when being deployed, which is often not suitable for a Kubernetes environment.

Just to confirm that is indeed the case, and whether or not there are any configuration changes we could make in the meantime while https://github.com/ory/hydra-k8s-controller is under development (happy to move this discussion to issue #1319 for the sake of continuity, if that helps)?
/cc @kminehart
from docs.
> As issue #1319 highlights, this appears to be the case as

This comment is taken out of context and is in your interpretation not true.

> Re. the above, we’ve experimented with scaling the number of ory/hydra pod replicas on Kubernetes, with a managed RDBMS specified in the DATABASE_URL/dsn, and have observed intermittent 401 responses when attempting to retrieve tokens:

We have observed this before. It was caused by a lack of resources, specifically CPU/memory of the pods and/or a very lightweight database. Specifically the token endpoint requires substantial CPU time as requests grow because of the bcrypt-hashed OAuth 2.0 Client password.
However, please create an issue on ORY Hydra GitHub. There is so much context missing, like logs, k8s config, db config, hydra config, dsn config, reproducible example, ... - without that it is impossible to help.
ORY Hydra is deployed in environments that handle > 500m API requests per month and works flawlessly when scaled horizontally.
from docs.
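An added example, not part of the thread or of ORY Hydra: one way to check from pod logs whether the intermittent `invalid_client` responses cluster on particular replicas or are spread evenly. The log lines are constructed in the logfmt style of the error quoted above; the `pod` and `msg` fields, the pod names and the 25% threshold are assumptions.

```python
import shlex
from collections import defaultdict

# Constructed sample in the logfmt style of the error quoted in the thread.
# The `pod` and `msg` fields and the pod names are assumptions for this example.
FAIL = 'level=error description="Client authentication failed (e.g., unknown client)" error=invalid_client'
OK = 'level=info msg="token issued"'
SAMPLE_LOGS = "\n".join(
    f"pod=hydra-{n} {FAIL if failed else OK}"
    for n, failed in [(0, 0), (1, 1), (2, 0), (1, 0), (0, 0), (1, 1), (2, 0), (1, 0)]
)


def parse_logfmt(line):
    """Split one logfmt line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:  # ignore bare words without '='
            fields[key] = value
    return fields


def invalid_client_by_pod(log_text):
    """Return {pod: (failures, total_lines, failure_ratio)} per replica."""
    counts = defaultdict(lambda: [0, 0])
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_logfmt(line)
        pod = rec.get("pod", "unknown")
        counts[pod][1] += 1
        if rec.get("error") == "invalid_client":
            counts[pod][0] += 1
    return {p: (f, t, round(f / t, 2)) for p, (f, t) in counts.items()}


def suspect_pods(log_text, threshold=0.25):
    """Replicas whose invalid_client ratio is at or above the threshold."""
    stats = invalid_client_by_pod(log_text)
    return sorted(p for p, (_, _, ratio) in stats.items() if ratio >= threshold)


if __name__ == "__main__":
    for pod, (fails, total, ratio) in sorted(invalid_client_by_pod(SAMPLE_LOGS).items()):
        print(f"{pod}: {fails}/{total} invalid_client ({ratio:.0%})")
    print("suspect replicas:", suspect_pods(SAMPLE_LOGS))
```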
@category I was merely talking about the database. Databases, especially postgres and mysql, are difficult to maintain in Kubernetes. The "state" introduced would be managed by a Kubernetes "StatefulSet". You yourself use a hosted solution for your database. Hydra itself however can be managed with stateless horizontal scaling.
The Kubernetes controller won't solve your problem, as Hydra will still need a place to store and manage requests, and Kubernetes resources are definitely not the place to do that.
from docs.
@aeneasr Thanks very much for the information and guidance here - I'll try adjusting the metrics provided with a view to creating an issue if the errors persist 😄.
@kminehart Thanks very much for the clarification, I wasn't aware that the issue was specifically describing the state introduced by databases deployed within Kubernetes 😄.
Lastly, thank you both for taking the time to reply here, I really appreciate it.
from docs.