hello everyone, We are trying to deploy oathkeeper...
# ory-selfhosting
Hello everyone, we are trying to deploy Oathkeeper using Helm on k8s (v1.27.9). We have Traefik as the networking proxy. After deployment, when I try to hit the endpoint it returns Internal Server Error. Can anyone who has done this deployment with Traefik help me? If you have any blog or example for the same, that would be a great help. I have attached the values & Ingress files in the thread.
# Chart demo mode is off: no bundled sample configuration is used.
demo: false
# Oathkeeper Maester (the Kubernetes Rule CRD controller) is disabled;
# access rules come from `oathkeeper.accessRules` further down instead.
maester:
  enabled: false

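image:
  repository: oryd/oathkeeper
  # Pinned release tag; quoted so it is always rendered as a string.
  tag: "v0.40.7"
  pullPolicy: IfNotPresent
  initContainer:
    repository: docker.io/library/busybox
    # Quoted: an unquoted 1.36 is parsed as a float (a tag such as 1.30
    # would render as 1.3), which yields a wrong image reference.
    tag: "1.36"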

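deployment:
  # All three probes query Oathkeeper's API port (4456, see
  # oathkeeper.config.serve.api.port) with a Kubernetes httpGet instead of
  # an exec'd `wget`: the image then needs neither a shell nor wget, and a
  # plain URL avoids the `<http://...>` form, which /bin/sh would read as a
  # redirection rather than as an argument (the angle brackets look like
  # link-export artifacts).
  customLivenessProbe:
    failureThreshold: 5
    httpGet:
      path: /health/alive
      port: 4456
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  customReadinessProbe:
    failureThreshold: 5
    httpGet:
      # /health/ready rather than /health/alive: the pod is only put into
      # Service rotation once Oathkeeper reports ready, not merely running.
      path: /health/ready
      port: 4456
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  customStartupProbe:
    failureThreshold: 5
    httpGet:
      path: /health/alive
      port: 4456
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  # The two blocks below look like the chart's sample extra containers:
  # they run an unpinned alpine:latest and do nothing this deployment
  # needs. Pin a tag/digest or remove them before this goes to production.
  extraInitContainers: |
    - name: "hello-world"
      image: "alpine:latest"
      command: ["/bin/sh"]
      args: ["-c", "echo hello, world!"]
  extraContainers: |
    - name: "sidecar"
      image: "alpine:latest"
      command: ["/bin/sh"]
      args: ["-c", "sleep infinity"]
  podMetadata:
    labels:
      ory.sh/pod_label: oathkeeper
    annotations:
      ory.sh/pod_annotation: oathkeeper
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%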

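oathkeeper:
  config:
    log:
      # Verbose settings for troubleshooting; lower to `info` once the
      # deployment works.
      level: debug
      format: json_pretty

    serve:
      proxy:
        port: 4455
        cors:
          enabled: true
      api:
        # The API port also serves /decisions, which the Traefik
        # forwardAuth middleware calls.
        port: 4456
        cors:
          enabled: true

    errors:
      fallback:
        - json
      handlers:
        redirect:
          enabled: true
          config:
            # Plain URL; a value wrapped in <...> is not a valid redirect
            # target.
            to: https://auth.example.com
            when:
              - error:
                  - unauthorized
                  - forbidden
                request:
                  header:
                    accept:
                      - text/html
        json:
          enabled: true
          config:
            verbose: true

    access_rules:
      # With the glob strategy the "anything after this" placeholder in a
      # rule's match.url is <**>. <.*> is the regexp form; read as a glob it
      # only matches paths beginning with a literal ".", so the rules below
      # would not match (switch matching_strategy to `regexp` if regexp
      # patterns are preferred).
      matching_strategy: glob
      repositories:
        - file:///etc/rules/access-rules.json

    authenticators:
      # noop (used by the rules below) performs no credential check at all;
      # anonymous assigns credential-less requests the subject "guest".
      anonymous:
        enabled: true
        config:
          subject: guest
      unauthorized:
        enabled: true
      noop:
        enabled: true

    authorizers:
      allow:
        enabled: true
      deny:
        enabled: true

    mutators:
      noop:
        enabled: true
      # header/cookie would put the subject on the upstream request; the
      # rules below select noop, so nothing is added unless a rule selects
      # one of them.
      header:
        enabled: true
        config:
          headers:
            X-User-Id: "{{ print .Subject }}"
      cookie:
        enabled: true
        config:
          cookies:
            user: "{{ print .Subject }}"

  # Mounted where access_rules.repositories points, so this must be strict
  # JSON: no trailing comma after the last member of an object, and plain
  # URLs without wrapping <...>. Both rules are noop + allow, i.e. every
  # request matching the URL is passed through without any authentication
  # — a smoke-test setting to tighten before real traffic reaches it.
  accessRules: |-
    [
      {
        "id": "api-1",
        "upstream": {
          "url": "http://api-service1.api.svc.cluster.local:8000",
          "preserve_host": true
        },
        "match": {
          "url": "https://api.example.com/v1/<**>",
          "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"]
        },
        "authenticators": [
          {
            "handler": "noop"
          }
        ],
        "authorizer": {
          "handler": "allow"
        },
        "mutators": [
          {
            "handler": "noop"
          }
        ]
      },
      {
        "id": "api-2",
        "upstream": {
          "url": "http://api-service2.api.svc.cluster.local:8000",
          "preserve_host": true
        },
        "match": {
          "url": "https://api.example.com/v2/<**>",
          "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"]
        },
        "authenticators": [
          {
            "handler": "noop"
          }
        ],
        "authorizer": {
          "handler": "allow"
        },
        "mutators": [
          {
            "handler": "noop"
          }
        ]
      }
    ]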

service:
  metrics:
    # Labels added to the metrics Service so a ServiceMonitor / Prometheus
    # selector can pick it up — presumably matched by the `release` value;
    # confirm against the Prometheus operator's selector.
    labels:
      app.kubernetes.io/element: "metrics"
      release: "metrics"
      app: oathkeeper

serviceMonitor:
  labels:
    release: "prometheus"
  tlsConfig:
    # Prometheus will not verify the scrape target's certificate. Acceptable
    # for an in-cluster self-signed endpoint on a trusted network; otherwise
    # provide the CA via tlsConfig.ca instead of skipping verification.
    insecureSkipVerify: true
  # Drop the `request` label from both target and metric labels
  # (presumably to bound label cardinality).
  relabelings:
    - action: labeldrop
      regex: request
  metricRelabelings:
    - action: labeldrop
      regex: request
  targetLabels:
    - app

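test:
  labels:
    test-org: ory
    test-product: oathkeeper
    test-service: authorizer
  busybox:
    repository: docker.io/library/busybox
    # Quoted: an unquoted 1.36 is parsed as a float (a tag such as 1.30
    # would render as 1.3), which yields a wrong image reference.
    tag: "1.36"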
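# Forward authentication to example.com
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: forward-auth
spec:
  forwardAuth:
    # Oathkeeper's decisions API (serve.api.port 4456 in the values file).
    # Plain URL: an address wrapped in <...> is not valid.
    address: http://oathkeeper-api.ory-oathkeeper.svc.cluster.local:4456/decisions
    # true lets client-supplied X-Forwarded-* headers through to Oathkeeper,
    # which is expected to rebuild the request URL from them before matching
    # it against the access rules. Keep it true only if Traefik itself sits
    # behind a proxy you trust to set those headers; otherwise prefer false
    # so a caller cannot steer rule matching with a spoofed
    # X-Forwarded-Host/Uri.
    trustForwardHeader: true
    # Headers copied from the decision response onto the forwarded request.
    # The current values file configures the header mutator with X-User-Id
    # and the rules select the noop mutator, so neither name below is
    # produced yet — align this list with the mutator actually in use.
    authResponseHeaders:
      - X-Id-Token
      - Authorization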
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: oathkeeper-ingressroute
spec:
  entryPoints:
    # TLS entry point; Traefik is expected to report X-Forwarded-Proto: https
    # to the decisions API, which is what the https:// match URLs in the
    # access rules require.
    - websecure
  routes:
    - kind: Rule
      match: Host(`api.example.com`) && PathPrefix(`/`)
      priority: 10
      # The middleware is referenced with an explicit namespace; if this
      # IngressRoute lives in a different namespace, Traefik's Kubernetes CRD
      # provider has to permit cross-namespace references or the route will
      # not load — TODO confirm against the Traefik deployment.
      middlewares:
        - name: forward-auth
          namespace: ory-oathkeeper
      # NOTE(review): with forwardAuth already consulting the decisions API,
      # sending the request on to oathkeeper-proxy evaluates the rules a
      # second time and proxies to the upstream from there. Usually the route
      # targets the upstream service directly (decisions mode) or targets the
      # proxy without the middleware (proxy mode) — verify which is intended.
      # No namespace is given, so the Service is looked up in this
      # IngressRoute's namespace.
      services:
        - name: oathkeeper-proxy
          port: 4455
  tls:
    secretName: api-certificate-secret
Is there anything that I am missing?