# talk-oathkeeper
c
Hi, I have to deploy Oathkeeper in a Kubernetes cluster, and I was looking at the ory/oathkeeper Helm chart. It seems that whatever the chosen mode is (`controller` or `sidecar`), the `oathkeeper-maester` is installed. Is there a technical reason why it is needed, even if I don’t want to use Oathkeeper CRDs but just the JSON access rules file? Or is it just that the Helm chart was written like that without the option to disable the installation of `oathkeeper-maester`?
h
```
$ helm install \
    --set 'maester.enabled=false' \
    ory/oathkeeper
```
c
Hey Nick, thank you, I read that but in the Helm Chart it seems that value is never used except for some name override. But not to actually enable or disable the maester. Did I miss something?
h
The maester subchart is a dependency and condition on said var https://github.com/ory/k8s/blob/master/helm/charts/oathkeeper/Chart.yaml
Interesting that it doesn't seem to work though
Can you try to use `global.maester.enabled` instead?
c
Ah I missed that! I could try to use `globals.maester.enabled` but anyway then there is no condition around the maester container in the sidecar deployment pod: https://github.com/ory/k8s/blob/master/helm/charts/oathkeeper/templates/deployment-sidecar.yaml#L108 So we would have to modify that as well, right?
h
```
{{- if eq .Values.global.ory.oathkeeper.maester.mode "sidecar" }}
```
Just set the mode to controller and you wouldn't get sidecar
c
Hm interesting, actually I understood the mode to be the oathkeeper mode and not the oathkeeper maester mode. I thought “sidecar mode” meant “oathkeeper proxy and its protected application run in the same pod” rather than “oathkeeper proxy and its maester run in the same pod”. The following code in `deployment-sidecar.yaml` reinforced this thought (it allows injecting additional containers into the deployment):
```
        {{- if .Values.deployment.extraContainers }}
{{ tpl .Values.deployment.extraContainers . | indent 8 }}
        {{- end }}
```
Can you confirm what the “mode” was meant to mean?
h
I'm just a user of the chart so I can't say for certain how it's supposed to be used. But can you clarify on your use case? In the meanwhile I'm going to be a bit annoying and tag @worried-kitchen-94392 as he has supported on the helm charts before, sorry demonsthere
w
Hi there, yeah the `mode` is supposed to control how the maester controller behaves, but I see how the name could be misleading
Regarding the installation, it should be enough to set it like here https://github.com/ory/k8s/blob/master/.circleci/values/oathkeeper.yaml#L4= to disable the maester, but helm will still install the CRDs of the chart, as this is the behaviour of helm
c
Thank you @happy-morning-85531 @worried-kitchen-94392, it is clearer now! Have a good day