https://www.ory.sh/ logo
Join Slack
Powered by
Hello :wave: ! I am currently trying to setup a Or...
# ory-selfhosting
v
Hello 👋 ! I am currently trying to setup a Ory Oathkeeper + Kratos in Kubernetes project. I use the official helm charts provided by Ory for this (https://k8s.ory.sh/helm/oathkeeper.html). I thus only created two values-dev.yaml file for Oathkeeper and for Kratos. I can successfully install and test Kratos. My issue is with Oathkeeper. The install goes well but after I do 
kubectl port-forward pod/oathkeeper-76c895f86-ndmvz 4455:4455
And I try to reach for example 
<http://127.0.0.1:4455/.ory/kratos/public>
I meet the following error: ` {“error":{"code":500,"status":"Internal Server Error","message":"error parsing regexp: invalid nested repetition operator in `^**$`”}} ` I suspect this comes from my accessRules definition as when I do not put any accessRules the error does not show up. It would just tell me in the browser that no access rules have been defined. My access rules seems valid to me though as I took it from the Quickstart and it was working when I tested it outside Kubernetes. I have a hard time understanding where the issue is coming from as I am not yet too experienced with Ory nor Kubernetes so if someone could check my config and tell me if I’m doing something wrong that would be nice :). I put my config file in a thread. Thank you ❤️
.
Here is my 
values-dev.yaml
oathkeeper config file for the k8s charts:
Copy code
oathkeeper:
    config:
        # log:
        #     level: debug
        #     format: json

        serve:
            proxy:
                cors:
                    enabled: true
                    allowed_origins:
                        - "*"
                    allowed_methods:
                        - POST
                        - GET
                        - PUT
                        - PATCH
                        - DELETE
                    allowed_headers:
                        - Authorization
                        - Content-Type
                    exposed_headers:
                        - Content-Type
                    allow_credentials: true
                    # debug: true

        errors:
            fallback:
                - json

            handlers:
                redirect:
                    enabled: true
                    config:
                        to: <http://127.0.0.1:4455/login>
                        when:
                            - error:
                                  - unauthorized
                                  - forbidden
                              request:
                                  header:
                                      accept:
                                          - text/html
                json:
                    enabled: true
                    config:
                        verbose: true
        # access_rules:
        #     matching_strategy: glob
        #     repositories:
        #         - file:///etc/config/oathkeeper/access-rules.json

        authenticators:
            anonymous:
                enabled: true
                config:
                    subject: guest

            cookie_session:
                enabled: true
                config:
                    check_session_url: <http://kratos:4433/sessions/whoami>
                    preserve_path: true
                    extra_from: "@this"
                    subject_from: "identity.id"
                    only:
                        - ory_kratos_session

            noop:
                enabled: true

        authorizers:
            allow:
                enabled: true

        mutators:
            noop:
                enabled: true

            header:
                # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
                enabled: true
                config:
                    headers:
                        X-User: "{{ print .Subject }}"
                        X-Session: "{{ .Extra | toJson }}"
                        # X-Some-Arbitrary-Data: "{{ print .Extra.some.arbitrary.data }}"

            # id_token: # Extracts the full session from what was returned by Ory Kratos and embed it in a JWT token for backend processing
            #   enabled: true
            #   config:
            #     issuer_url: <http://127.0.0.1:4455/>
            #     jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json # Where to find the private key to sign the JWT token (needs to generate a new file <https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy#id-token-mutator>)
            #     claims: |
            #       {
            #         "session": {{ .Extra | toJson }}
            #       }
    accessRules: |-
        [
             {
                 "id": "ory:kratos:public",
                 "upstream": {
                     "preserve_host": true,
                     "url": "<http://kratos:4433>",
                     "strip_path": "/.ory/kratos/public"
                 },
                 "match": {
                     "url": "<http://127.0.0.1:4455/.ory/kratos/public/><**>",
                     "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"]
                 },
                 "authenticators": [
                     {
                         "handler": "noop"
                     }
                 ],
                 "authorizer": {
                     "handler": "allow"
                 },
                 "mutators": [
                     {
                         "handler": "noop"
                     }
                 ]
             },
             {
                 "id": "ory:kratos-selfservice-ui-node:anonymous",
                 "upstream": {
                     "preserve_host": true,
                     "url": "<http://kratos-selfservice-ui-node:4435>"
                 },
                 "match": {
                     "url": "<http://127.0.0.1:4455/><{registration,welcome,recovery,verification,login,error,health/{alive,ready},**.css,**.js,**.png,}>",
                     "methods": ["GET"]
                 },
                 "authenticators": [
                     {
                         "handler": "anonymous"
                     }
                 ],
                 "authorizer": {
                     "handler": "allow"
                 },
                 "mutators": [
                     {
                         "handler": "noop"
                     }
                 ]
             },
             {
                 "id": "ory:kratos-selfservice-ui-node:protected",
                 "upstream": {
                     "preserve_host": true,
                     "url": "<http://kratos-selfservice-ui-node:4435>"
                 },
                 "match": {
                     "url": "<http://127.0.0.1:4455/><{sessions,settings}>",
                     "methods": ["GET"]
                 },
                 "authenticators": [
                     {
                         "handler": "cookie_session"
                     }
                 ],
                 "authorizer": {
                     "handler": "allow"
                 },
                 "mutators": [
                     {
                         "handler": "header",
                         "config": {
                             "headers": {
                                 "X-User": "{{ print .Subject }}",
                                 "X-Session": "{{ .Extra | toJson }}"
                             }
                         }
                     }
                 ],
                 "errors": [
                     {
                         "handler": "redirect",
                         "config": {
                             "to": "<http://127.0.0.1:4455/login>"
                         }
                     }
                 ]
             }
         ]
e
Hello there 🙂 As a general note: • try portoforwarding to oathkeeper-proxy service, and not the pod itself 🙂 • when you create a rule with an url match, you should use url with external address (like foo.bar) and not 127.0.0.1, as the latter will correspond to traffic going in the internal k8s network • When curling oathkeeper you can mock the hostname with 
-H "Host: foo.bar"
❤️ 1
+ as you already noted, the regex interpretation 😄
8 Views
Open in Slack
PreviousNext
Powered by