# talk-oathkeeper
m
Hi People, I'm trying to deploy Oathkeeper to Kubernetes (local) with Helm but it doesn't work. I'm using Envoy as a proxy, Ingress as a controller, plus I also have Kratos and Hydra installed. I have an error in the CORS but I don't know exactly where it comes from because I have checked the configuration. Anyway, it seems that the Envoy filter doesn't quite work because there are no entries in the logs, either in Envoy or in Oathkeeper. These are the errors:

```
Access to XMLHttpRequest at 'http://localhost/webapigw/components/slide' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
GET http://localhost/webapigw/components/slide net::ERR_FAILED 403
```

File: envoy.yaml
```yaml
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 9901
static_resources:
  listeners:
    - address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 80
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  name: backend_route
                  virtual_hosts:
                    - name: backend
                      domains: ["*"]
                      routes:
                        - match:
                            prefix: "/webapigw/assays"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/assays"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/tests"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/tests"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/testcustomizations"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/ifatestcustomizations"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/profiles"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/profiles"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/components/slide"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/components/slide"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/components/conjugate"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/components/conjugate"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/components/preIncubationReagent"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/components/preIncubationReagent"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/components/sampleDiluent"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/components/sampleDiluent"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/components/control"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/components/control"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/components/substrate"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/components/substrate"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/components/stopSolution"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/components/stopSolution"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/components/mountingMedium"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/components/mountingMedium"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/components/microPlate"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/components/microPlate"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/components/calibrator"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/components/calibrator"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/components/washingSolution"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/components/washingSolution"
                            cluster: webagg_service
                        - match:
                            prefix: "/webapigw/components/cutOff"
                          route:
                            auto_host_rewrite: true
                            prefix_rewrite: "/api/v1/components/cutOff"
                            cluster: webagg_service
                http_filters:
                  - name: envoy.filters.http.ext_authz
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                      http_service:
                        path_prefix: /decisions
                        server_uri:
                          uri: http://localhost/authz-api
                          cluster: ext-authz
                          timeout: 0.25s
                        authorization_request:
                          allowed_headers:
                            patterns:
                              - exact: "cookie"
                              - exact: "user_agent"
                        authorization_response:
                          allowed_client_headers:
                            patterns:
                              - exact: "cookie"
                          allowed_upstream_headers:
                            patterns:
                              - exact: "x-user"
                      failure_mode_allow: false
                      transport_api_version: V3
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: webagg_service
      connect_timeout: 0.25s
      type: logical_dns
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: webagg_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: webagg
                      port_value: 80
    - name: ext-authz
      connect_timeout: 0.25s
      type: logical_dns
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: ext-authz
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: oathkeeper-api
                      port_value: 4456
```
File: access-rules.yml
```yaml
- id: "api:protected"
  match:
    url: "http://localhost/webapigw/<**>"
    methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
  authenticators:
    - handler: noop
  mutators:
    - handler: noop
  authorizer:
    handler: allow
  errors:
    - handler: redirect
      config:
        to: http://localhost/identity-ui/login
```
Any idea what's going on? Thx.
q
Can you share your values file for Helm? I was able to deploy Oathkeeper to k8s...
Btw, which Helm chart are you using?