There is a typo <https://k8s.ory.sh/helm/oathkeepe...
# talk-oathkeepera
acoustic-processor-1957
08/31/2022, 9:56 PMThere is a typo https://k8s.ory.sh/helm/oathkeeper.html#:~:text=this%20mode%2C%20the-,Hydra%20Maester,-controller%20runs%20as should be Oathkeeper Maester instead of Hydra Maester
w
worried-kitchen-94392
09/01/2022, 6:46 AMm
many-mouse-1149
10/19/2022, 6:25 AMHi People,
I'm trying to deploy Oathkeeper to Kubernetes (local) with Helm but it doesn't work.
I'm using Envoy as a proxy, Ingress as a controller, plus I also have Kratos and Hydra installed.
I have an error in the CORS but I don't know exactly where it comes from because I have checked the configuration. Anyway, it seems that the Envoy filter doesn't quite work because there are no entries in the logs neither in the Envoy nor in the Oathkeeper.
These are the errors:
Access to XMLHttpRequest at 'http://localhost/webapigw/components/slide' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
GET http://localhost/webapigw/components/slide net::ERR_FAILED 403
File: envoy.yaml
Copy code
admin:
access_log_path: /tmp/admin_access.log
address:
socket_address:
protocol: TCP
address: 0.0.0.0
port_value: 9901
static_resources:
listeners:
address:
socket_address:
protocol: TCP
address: 0.0.0.0
port_value: 80
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": <http://type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager|type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager>
stat_prefix: ingress_http
route_config:
name: backend_route
virtual_hosts:
- name: backend
domains: ["*"]
routes:
- match:
prefix: "/webapigw/assays"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/assays"
cluster: webagg_service
- match:
prefix: "/webapigw/tests"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/tests"
cluster: webagg_service
- match:
prefix: "/webapigw/testcustomizations"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/ifatestcustomizations"
cluster: webagg_service
- match:
prefix: "/webapigw/profiles"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/profiles"
cluster: webagg_service
- match:
prefix: "/webapigw/components/slide"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/components/slide"
cluster: webagg_service
- match:
prefix: "/webapigw/components/conjugate"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/components/conjugate"
cluster: webagg_service
- match:
prefix: "/webapigw/components/preIncubationReagent"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/components/preIncubationReagent"
cluster: webagg_service
- match:
prefix: "/webapigw/components/sampleDiluent"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/components/sampleDiluent"
cluster: webagg_service
- match:
prefix: "/webapigw/components/control"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/components/control"
cluster: webagg_service
- match:
prefix: "/webapigw/components/substrate"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/components/substrate"
cluster: webagg_service
- match:
prefix: "/webapigw/components/stopSolution"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/components/stopSolution"
cluster: webagg_service
- match:
prefix: "/webapigw/components/mountingMedium"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/components/mountingMedium"
cluster: webagg_service
- match:
prefix: "/webapigw/components/microPlate"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/components/microPlate"
cluster: webagg_service
- match:
prefix: "/webapigw/components/calibrator"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/components/calibrator"
cluster: webagg_service
- match:
prefix: "/webapigw/components/washingSolution"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/components/washingSolution"
cluster: webagg_service
- match:
prefix: "/webapigw/components/cutOff"
route:
auto_host_rewrite: true
prefix_rewrite: "/api/v1/components/cutOff"
cluster: webagg_service
cors:
allow_origin_string_match:
- prefix: "*"
allow_methods: GET, PUT, DELETE, POST, OPTIONS
allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
http_filters:
- name: envoy.filters.http.ext_authz
typed_config:
"@type": <http://type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz|type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz>
http_service:
path_prefix: /decisions
server_uri:
uri: <http://localhost/authz-api>
cluster: ext-authz
timeout: 0.25s
authorization_request:
allowed_headers:
patterns:
- exact: "cookie"
- exact: "user_agent"
authorization_response:
allowed_client_headers:
patterns:
- exact: "cookie"
allowed_upstream_headers:
patterns:
- exact: "x-user"
failure_mode_allow: false
transport_api_version: V3
- name: envoy.filters.http.router
typed_config:
"@type": <http://type.googleapis.com/envoy.extensions.filters.http.router.v3.Router|type.googleapis.com/envoy.extensions.filters.http.router.v3.Router>
clusters:
- name: webagg_service
connect_timeout: 0.25s
type: logical_dns
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: webagg_service
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: webagg
port_value: 80
- name: ext-authz
connect_timeout: 0.25s
type: logical_dns
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: ext-authz
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: oathkeeper-api
port_value: 4456 Copy code
- id: "api:protected"
match:
url: "<http://localhost/webapigw/><**>"
methods:
- GET
- POST
- PUT"
- DELETE
- PATCH
authenticators:
- handler: noop
mutators:
- handler: noop
authorizer:
handler: allow
errors:
- handler: redirect
config:
to: <http://localhost/identity-ui/login>w
worried-kitchen-94392
10/19/2022, 7:07 AMMy best guess would be that you forgot to change the
localhostm
many-mouse-1149
10/19/2022, 7:29 AMBut what configuration exactly? in the Envoy configuration? before deploying oathkeeper everything worked using localhost.
Thanks for your answer.
many-mouse-1149
10/19/2022, 9:04 AMIn the end I was able to solve it. It was a namespace issue. Oathkeeper and Envoy were in differents namespaces. Adding oathkeeper-api.identity now is working. Thanks for your help
3 Views