ory · Demonsthere · Oct 27, 2025 · Oct 27, 2025 · Oct 27, 2025 · Oct 27, 2025
@@ -1,6 +1,6 @@
 # hydra-maester
 
-![Version: 0.58.0](https://img.shields.io/badge/Version-0.58.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.39](https://img.shields.io/badge/AppVersion-v0.0.39-informational?style=flat-square)
+![Version: 0.58.0](https://img.shields.io/badge/Version-0.58.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.40](https://img.shields.io/badge/AppVersion-v0.0.40-informational?style=flat-square)
 
 A Helm chart for Kubernetes
 
@@ -57,7 +57,7 @@ A Helm chart for Kubernetes
 | global.podMetadata.labels | object | `{}` | Extra pod level labels |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.repository | string | `"oryd/hydra-maester"` | Ory Hydra-maester image |
-| image.tag | string | `"v0.0.39"` | Ory Hydra-maester version |
+| image.tag | string | `"v0.0.40"` | Ory Hydra-maester version |
 | imagePullSecrets | list | `[]` | Image pull secrets |
 | pdb.enabled | bool | `false` |  |
 | pdb.spec.maxUnavailable | string | `""` |  |

@@ -185,17 +185,21 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
 | secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
 | secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. |
-| service.admin | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","metricsPath":"/admin/metrics/prometheus","name":"http","port":4445,"type":"ClusterIP"}` | Configures the Kubernetes service for the api port. |
+| service.admin | object | `{"annotations":{},"enabled":true,"externalTrafficPolicy":"","internalTrafficPolicy":"","labels":{},"loadBalancerIP":"","metricsPath":"/admin/metrics/prometheus","name":"http","port":4445,"type":"ClusterIP"}` | Configures the Kubernetes service for the api port. |
 | service.admin.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
 | service.admin.enabled | bool | `true` | En-/disable the service |
+| service.admin.externalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
+| service.admin.internalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
 | service.admin.loadBalancerIP | string | `""` | The load balancer IP |
 | service.admin.metricsPath | string | `"/admin/metrics/prometheus"` | Path to the metrics endpoint |
 | service.admin.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
 | service.admin.port | int | `4445` | The service port |
 | service.admin.type | string | `"ClusterIP"` | The service type |
-| service.public | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","name":"http","port":4444,"type":"ClusterIP"}` | Configures the Kubernetes service for the proxy port. |
+| service.public | object | `{"annotations":{},"enabled":true,"externalTrafficPolicy":"","internalTrafficPolicy":"","labels":{},"loadBalancerIP":"","name":"http","port":4444,"type":"ClusterIP"}` | Configures the Kubernetes service for the proxy port. |
 | service.public.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
 | service.public.enabled | bool | `true` | En-/disable the service |
+| service.public.externalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
+| service.public.internalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
 | service.public.loadBalancerIP | string | `""` | The load balancer IP |
 | service.public.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
 | service.public.port | int | `4444` | The service port |

@@ -24,6 +24,12 @@ spec:
   loadBalancerIP: {{ . }}
   {{- end }}
   {{- end }}
+  {{- if .Values.service.admin.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.admin.externalTrafficPolicy }}
+  {{- end }}
+  {{- if .Values.service.admin.internalTrafficPolicy }}
+  internalTrafficPolicy: {{ .Values.service.admin.internalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: {{ .Values.service.admin.port }}
       targetPort: http-admin

@@ -22,6 +22,12 @@ spec:
   loadBalancerIP: {{ . }}
   {{- end }}
   {{- end }}
+  {{- if .Values.service.public.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.public.externalTrafficPolicy }}
+  {{- end }}
+  {{- if .Values.service.public.internalTrafficPolicy }}
+  internalTrafficPolicy: {{ .Values.service.public.internalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: {{ .Values.service.public.port }}
       targetPort: http-public

@@ -51,6 +51,10 @@ service:
     #      If you do want to specify additional labels, uncomment the following
     #      lines, adjust them as necessary, and remove the curly braces after 'labels:'.
     #      e.g.  app: hydra
+    # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+    externalTrafficPolicy: ""
+    # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+    internalTrafficPolicy: ""
   # -- Configures the Kubernetes service for the api port.
   admin:
     # -- En-/disable the service
@@ -73,6 +77,10 @@ service:
     #      e.g.  app: hydra
     # -- Path to the metrics endpoint
     metricsPath: /admin/metrics/prometheus
+    # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+    externalTrafficPolicy: ""
+    # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+    internalTrafficPolicy: ""
 
 ## -- Secret configuration
 secret:

@@ -166,7 +166,9 @@ Access Control Policies as a Server
 | service.read.appProtocol | string | `"grpc"` |  |
 | service.read.clusterIP | string | `""` |  |
 | service.read.enabled | bool | `true` |  |
+| service.read.externalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
 | service.read.headless.enabled | bool | `true` |  |
+| service.read.internalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
 | service.read.loadBalancerIP | string | `""` |  |
 | service.read.name | string | `"grpc-read"` |  |
 | service.read.port | int | `80` |  |
@@ -175,7 +177,9 @@ Access Control Policies as a Server
 | service.write.appProtocol | string | `"grpc"` |  |
 | service.write.clusterIP | string | `""` |  |
 | service.write.enabled | bool | `true` |  |
+| service.write.externalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
 | service.write.headless.enabled | bool | `true` |  |
+| service.write.internalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
 | service.write.loadBalancerIP | string | `""` |  |
 | service.write.name | string | `"grpc-write"` |  |
 | service.write.port | int | `80` |  |

@@ -26,6 +26,12 @@ spec:
   clusterIP: {{ . }}
   {{- end }}
   {{- end }}
+  {{- if .Values.service.read.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.read.externalTrafficPolicy }}
+  {{- end }}
+  {{- if .Values.service.read.internalTrafficPolicy }}
+  internalTrafficPolicy: {{ .Values.service.read.internalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: {{ .Values.service.read.port }}
       targetPort: {{ .Values.service.read.name }}

@@ -25,6 +25,12 @@ spec:
   clusterIP: {{ . }}
   {{- end }}
   {{- end }}
+  {{- if .Values.service.write.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.write.externalTrafficPolicy }}
+  {{- end }}
+  {{- if .Values.service.write.internalTrafficPolicy }}
+  internalTrafficPolicy: {{ .Values.service.write.internalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: {{ .Values.service.write.port }}
       targetPort: {{ .Values.service.write.name }}

@@ -194,6 +194,10 @@ service:
     ## -- Enable extra headless service
     headless:
       enabled: true
+    # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+    externalTrafficPolicy: ""
+    # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+    internalTrafficPolicy: ""
   ## -- Write service
   write:
     enabled: true
@@ -209,6 +213,10 @@ service:
     ## -- Enable extra headless service
     headless:
       enabled: true
+    # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+    externalTrafficPolicy: ""
+    # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+    internalTrafficPolicy: ""
   ## -- Metrics service
   metrics:
     enabled: false

@@ -67,6 +67,8 @@ A Helm chart for ORY Kratos's example ui for Kubernetes
 | securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | service.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
 | service.enabled | bool | `true` |  |
+| service.externalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
+| service.internalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
 | service.labels | object | `{}` | Provide custom labels. Use the same syntax as for annotations. |
 | service.loadBalancerIP | string | `""` | The load balancer IP |
 | service.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |

@@ -20,6 +20,12 @@ spec:
   loadBalancerIP: {{ . }}
   {{- end }}
   {{- end }}
+  {{- if .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+  {{- end }}
+  {{- if .Values.service.internalTrafficPolicy }}
+  internalTrafficPolicy: {{ .Values.service.internalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: {{ .Values.service.port }}
       targetPort: http

@@ -40,6 +40,10 @@ service:
   annotations: {}
   # kubernetes.io/ingress.class: nginx
   # kubernetes.io/tls-acme: "true"
+  # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+  externalTrafficPolicy: ""
+  # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+  internalTrafficPolicy: ""
 
 ## -- Secret configuration
 secret:

@@ -173,6 +173,8 @@ A ORY Kratos Helm chart for Kubernetes
 | securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | service.admin.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
 | service.admin.enabled | bool | `true` |  |
+| service.admin.externalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
+| service.admin.internalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
 | service.admin.labels | object | `{}` | Provide custom labels. Use the same syntax as for annotations. |
 | service.admin.loadBalancerIP | string | `""` | Load balancer IP |
 | service.admin.metricsPath | string | `"/admin/metrics/prometheus"` | Path to the metrics endpoint |
@@ -190,6 +192,8 @@ A ORY Kratos Helm chart for Kubernetes
 | service.courier.type | string | `"ClusterIP"` |  |
 | service.public.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
 | service.public.enabled | bool | `true` |  |
+| service.public.externalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
+| service.public.internalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
 | service.public.labels | object | `{}` | Provide custom labels. Use the same syntax as for annotations. |
 | service.public.loadBalancerIP | string | `""` | Load balancer IP |
 | service.public.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |

@@ -24,6 +24,12 @@ spec:
   loadBalancerIP: {{ . }}
   {{- end }}
   {{- end }}
+  {{- if .Values.service.admin.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.admin.externalTrafficPolicy }}
+  {{- end }}
+  {{- if .Values.service.admin.internalTrafficPolicy }}
+  internalTrafficPolicy: {{ .Values.service.admin.internalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: {{ .Values.service.admin.port }}
       targetPort: http-admin

@@ -23,6 +23,12 @@ spec:
   loadBalancerIP: {{ . }}
   {{- end }}
   {{- end }}
+  {{- if .Values.service.public.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.public.externalTrafficPolicy }}
+  {{- end }}
+  {{- if .Values.service.public.internalTrafficPolicy }}
+  internalTrafficPolicy: {{ .Values.service.public.internalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: {{ .Values.service.public.port }}
       targetPort: http-public

@@ -49,6 +49,10 @@ service:
     # kubernetes.io/tls-acme: "true"
     # -- Path to the metrics endpoint
     metricsPath: /admin/metrics/prometheus
+    # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+    externalTrafficPolicy: ""
+    # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+    internalTrafficPolicy: ""
   public:
     enabled: true
     type: ClusterIP
@@ -65,6 +69,10 @@ service:
     annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
+    # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+    externalTrafficPolicy: ""
+    # -- https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
+    internalTrafficPolicy: ""
   courier:
     enabled: true
     type: ClusterIP

@@ -1,6 +1,6 @@
 # oathkeeper-maester
 
-![Version: 0.58.0](https://img.shields.io/badge/Version-0.58.0-informational?style=flat-square) ![AppVersion: v0.1.11](https://img.shields.io/badge/AppVersion-v0.1.11-informational?style=flat-square)
+![Version: 0.58.0](https://img.shields.io/badge/Version-0.58.0-informational?style=flat-square) ![AppVersion: v0.1.12](https://img.shields.io/badge/AppVersion-v0.1.12-informational?style=flat-square)
 
 A Helm chart for deploying ORY Oathkeeper Rule Controller in Kubernetes
 
@@ -44,7 +44,7 @@ A Helm chart for deploying ORY Oathkeeper Rule Controller in Kubernetes
 | global.podMetadata.labels | object | `{}` | Extra pod level labels |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.repository | string | `"oryd/oathkeeper-maester"` | ORY Oathkeeper Rule Controller image |
-| image.tag | string | `"v0.1.11"` | ORY Oathkeeper Rule Controller version |
+| image.tag | string | `"v0.1.12"` | ORY Oathkeeper Rule Controller version |
 | imagePullSecrets | list | `[]` | Image pull secrets |
 | pdb.enabled | bool | `false` |  |
 | pdb.spec.maxUnavailable | string | `""` |  |

@@ -123,9 +123,11 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 | securityContext.runAsUser | int | `65534` |  |
 | securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` |  |
 | securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| service.api | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","name":"http","port":4456,"type":"ClusterIP"}` | Configures the Kubernetes service for the api port. |
+| service.api | object | `{"annotations":{},"enabled":true,"externalTrafficPolicy":"","internalTrafficPolicy":"","labels":{},"loadBalancerIP":"","name":"http","port":4456,"type":"ClusterIP"}` | Configures the Kubernetes service for the api port. |
 | service.api.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. kubernetes.io/ingress.class: nginx kubernetes.io/tls-acme: "true" |
 | service.api.enabled | bool | `true` | En-/disable the service |
+| service.api.externalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
+| service.api.internalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
 | service.api.labels | object | `{}` | If you do want to specify additional labels, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'labels:'. e.g.  app: oathkeeper |
 | service.api.loadBalancerIP | string | `""` | The load balancer IP |
 | service.api.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
@@ -139,9 +141,11 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 | service.metrics.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
 | service.metrics.port | int | `80` | The service port |
 | service.metrics.type | string | `"ClusterIP"` | The service type |
-| service.proxy | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","name":"http","port":4455,"type":"ClusterIP"}` | Configures the Kubernetes service for the proxy port. |
+| service.proxy | object | `{"annotations":{},"enabled":true,"externalTrafficPolicy":"","internalTrafficPolicy":"","labels":{},"loadBalancerIP":"","name":"http","port":4455,"type":"ClusterIP"}` | Configures the Kubernetes service for the proxy port. |
 | service.proxy.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. kubernetes.io/ingress.class: nginx kubernetes.io/tls-acme: "true" |
 | service.proxy.enabled | bool | `true` | En-/disable the service |
+| service.proxy.externalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
+| service.proxy.internalTrafficPolicy | string | `""` | https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies |
 | service.proxy.labels | object | `{}` | If you do want to specify additional labels, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'labels:'. e.g.  app: oathkeeper |
 | service.proxy.loadBalancerIP | string | `""` | The load balancer IP |
 | service.proxy.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
@@ -158,7 +162,7 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 | serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
 | sidecar.envs | object | `{}` |  |
 | sidecar.image.repository | string | `"oryd/oathkeeper-maester"` |  |
-| sidecar.image.tag | string | `"v0.1.11"` |  |
+| sidecar.image.tag | string | `"v0.1.12"` |  |
 | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
 | test.labels | object | `{}` | Provide additional labels to the test pod |