lively-soccer-24145
01/27/2022, 10:23 AMconfig:
access_rules:
repositories:
- file:///etc/rules/access-rules.json
And also added a custom resource which i can see is picked up by the maester. But when i call the /rules
api, I got the response:
[]
Anything iβve missed?worried-kitchen-94392
01/27/2022, 12:09 PMlively-soccer-24145
01/27/2022, 12:10 PM# -- Mode for oathkeeper controller
# -- Two possible modes are: controller or sidecar
global:
ory:
oathkeeper:
maester:
mode: controller
replicaCount: 1
image:
repository: oryd/oathkeeper
tag: v0.38.9-beta.1
pullPolicy: Always
# -- Image pull secrets
imagePullSecrets: []
nameOverride: "oauthkeeper"
fullnameOverride: "oauthkeeper"
# -- If enabled, a demo deployment with exemplary access rules and JSON Web Key Secrets will be generated.
demo: false
# -- Configures the Kubernetes service
service:
# -- Configures the Kubernetes service for the proxy port.
proxy:
# -- En-/disable the service
enabled: false
# -- The service type
type: ClusterIP
# -- The service port
port: 4455
# -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
name: http
# -- If you do want to specify annotations, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
annotations: {}
# <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>: nginx
# <http://kubernetes.io/tls-acme|kubernetes.io/tls-acme>: "true"
labels: {}
# If you do want to specify additional labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'labels:'.
# e.g. app: oathkeeper
# -- Configures the Kubernetes service for the api port.
api:
# -- En-/disable the service
enabled: true
# -- The service type
type: ClusterIP
# -- The service port
port: 4456
# -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
name: http
# -- If you do want to specify annotations, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
annotations: {}
# <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>: nginx
# <http://kubernetes.io/tls-acme|kubernetes.io/tls-acme>: "true"
labels: {}
# If you do want to specify additional labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'labels:'.
# e.g. app: oathkeeper
# -- Configure ingress
ingress:
# -- Configure ingress for the proxy port.
proxy:
# -- En-/Disable the proxy ingress.
enabled: true
className: ""
annotations: {}
# <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>: nginx
# <http://kubernetes.io/tls-acme|kubernetes.io/tls-acme>: "true"
hosts:
- host: proxy.oathkeeper.localhost
paths:
- path: /
pathType: ImplementationSpecific
# tls: []
# hosts:
# - proxy.oathkeeper.local
# - secretName: oathkeeper-proxy-example-tls
# -- Configuration for custom default service. This service will be used to handle the response when the configured service in the Ingress rule does not have any active endpoints
defaultBackend: {}
# service:
# name: myservice
# port:
# number: 80
api:
# -- En-/Disable the api ingress.
enabled: false
className: ""
annotations: {}
# If you do want to specify annotations, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
# <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>: nginx
# <http://kubernetes.io/tls-acme|kubernetes.io/tls-acme>: "true"
hosts:
- host: api.oathkeeper.localhost
paths:
- path: /
pathType: ImplementationSpecific
# tls: []
# hosts:
# - api.oathkeeper.local
# - secretName: oathkeeper-api-example-tls
# -- Configure ORY Oathkeeper itself
oathkeeper:
# -- The ORY Oathkeeper configuration. For a full list of available settings, check:
# <https://github.com/ory/oathkeeper/blob/master/docs/config.yaml>
config:
access_rules:
repositories:
- file:///etc/rules/access-rules.json
authenticators:
noop:
enabled: true
unauthorized:
enabled: true
bearer_token:
enabled: true
config:
check_session_url: <http://kratos:4455/session/whoami>
preserve_path: true
extra_from: '@this'
subject_from: 'identity.id'
token_from:
header: Authorization
authorizers:
allow:
enabled: true
deny:
enabled: true
mutators:
header:
enabled: true
config:
headers:
X-User: "{{ print .Subject }}"
# You could add some other headers, for example with data from the
# session.
# X-Some-Arbitrary-Data: "{{ print .Extra.some.arbitrary.data }}"
noop:
enabled: true
id_token:
enabled: true
config:
issuer_url: <http://localhost:4455/>
jwks_url: <http://api>..../v1/jwks
# claims:
# - '{"customer-claim": "value"}'
serve:
proxy:
port: 4455
api:
port: 4456
# -- If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator.
mutatorIdTokenJWKs: {}
# -- If set, uses the given access rules.
accessRules: {}
# -- If you enable maester, the following value should be set to "false" to avoid overwriting
# the rules generated by the CDRs. Additionally, the value "accessRules" shouldn't be
# used as it will have no effect once "managedAccessRules" is disabled.
managedAccessRules: false
secret:
# -- switch to false to prevent creating the secret
enabled: true
# -- Provide custom name of existing secret, or custom name of secret to be created
nameOverride: ""
# nameOverride: "myCustomSecret"
# -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
secretAnnotations:
# Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
# pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards.
<http://helm.sh/hook-weight|helm.sh/hook-weight>: "0"
<http://helm.sh/hook|helm.sh/hook>: "pre-install, pre-upgrade"
<http://helm.sh/hook-delete-policy|helm.sh/hook-delete-policy>: "before-hook-creation"
<http://helm.sh/resource-policy|helm.sh/resource-policy>: "keep"
# -- default mount path for the kubernetes secret
mountPath: /etc/secrets
# -- default filename of JWKS (mounted as secret)
filename: mutator.id_token.jwks.json
deployment:
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
# -- Specify the serviceAccountName value.
# In some situations it is needed to provides specific permissions to Hydra deployments
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.**
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations: {}
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
name: ""
# <https://github.com/kubernetes/kubernetes/issues/57601>
automountServiceAccountToken: false
# -- Node labels for pod assignment.
nodeSelector: {}
# If you do want to specify node labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
# foo: bar
extraEnv: []
# -- Extra volumes you can attach to the pod.
extraVolumes: []
# - name: my-volume
# secret:
# secretName: my-secret
# -- Extra volume mounts, allows mounting the extraVolumes to the container.
extraVolumeMounts: []
# - name: my-volume
# mountPath: /etc/secrets/my-secret
# readOnly: true
# -- Configuration for tracing providers. Only datadog is currently supported through this block.
# If you need to use a different tracing provider, please manually set the configuration values
# via "oathkeeper.config" or via "deployment.extraEnv".
tracing:
datadog:
enabled: false
# -- Sets the datadog DD_ENV environment variable. This value indicates the environment where oathkeeper is running.
# Default value: "none".
# env: production
# -- Sets the datadog DD_VERSION environment variable. This value indicates the version that oathkeeper is running.
# Default value: .Values.image.tag (i.e. the tag used for the docker image).
# version: X.Y.Z
# -- Sets the datadog DD_SERVICE environment variable. This value indicates the name of the service running.
# Default value: "ory/oathkeeper".
# service: ory/oathkeeper
# -- Sets the datadog DD_AGENT_HOST environment variable. This value indicates the host address of the datadog agent.
# If set to true, this configuration will automatically set DD_AGENT_HOST to the field "status.hostIP" of the pod.
# Default value: false.
# useHostIP: true
# -- Configure node tolerations.
tolerations: []
labels: {}
# If you do want to specify additional labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'labels:'.
# e.g. type: app
annotations: {}
# If you do want to specify annotations, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
# e.g. <http://sidecar.istio.io/rewriteAppHTTPProbers|sidecar.istio.io/rewriteAppHTTPProbers>: "true"
# -- Configure node affinity
affinity: {}
# -- Configures controller setup
maester:
enabled: true
# -- PodDistributionBudget configuration
pdb:
enabled: false
spec:
minAvailable: 1
and applied a custom rule:
apiVersion: "<http://oathkeeper.ory.sh/v1alpha1|oathkeeper.ory.sh/v1alpha1>"
kind: Rule
metadata:
name: customer-rules
spec:
authenticators:
- handler: bearer_token
authorizer:
handler: allow
match:
url: "<http://localhost:4456/cristi/test>"
methods:
- "GET"
worried-kitchen-94392
01/27/2022, 12:12 PMworried-kitchen-94392
01/27/2022, 12:13 PMlively-soccer-24145
01/27/2022, 12:14 PMName: customer-rules
Namespace: ory
Labels: <none>
Annotations: <none>
API Version: <http://oathkeeper.ory.sh/v1alpha1|oathkeeper.ory.sh/v1alpha1>
Kind: Rule
Metadata:
Creation Timestamp: 2022-01-27T10:04:16Z
Finalizers:
finalizer.oathkeeper.ory.sh
Generation: 8
Managed Fields:
API Version: <http://oathkeeper.ory.sh/v1alpha1|oathkeeper.ory.sh/v1alpha1>
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:<http://kubectl.kubernetes.io/last-applied-configuration|kubectl.kubernetes.io/last-applied-configuration>:
f:spec:
.:
f:authenticators:
f:authorizer:
.:
f:handler:
f:match:
.:
f:methods:
f:url:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2022-01-27T10:04:16Z
API Version: <http://oathkeeper.ory.sh/v1alpha1|oathkeeper.ory.sh/v1alpha1>
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:finalizers:
.:
v:"finalizer.oathkeeper.ory.sh":
f:status:
.:
f:validation:
.:
f:valid:
Manager: manager
Operation: Update
Time: 2022-01-27T12:14:04Z
Resource Version: 3525056
UID: 6e6eed19-e2aa-47f7-a2e0-855ee663d8bf
Spec:
Authenticators:
Handler: noop
Authorizer:
Handler: allow
Match:
Methods:
GET
URL: <http://localhost:4456/cristi/test>
Status:
Validation:
Valid: true
Events: <none>
lively-soccer-24145
01/27/2022, 12:14 PMβ 2022-01-27T12:14:04.943Z INFO controllers.Rule updating ConfigMap β
β 2022-01-27T12:14:04.962Z INFO controllers.Rule updating ConfigMap
lively-soccer-24145
01/27/2022, 12:14 PMlively-soccer-24145
01/27/2022, 12:15 PM<http://localhost:4456/rules>
get me []
worried-kitchen-94392
01/27/2022, 12:15 PMworried-kitchen-94392
01/27/2022, 12:19 PMlively-soccer-24145
01/27/2022, 12:19 PMName: oathkeeper-rules
Namespace: ory
Labels: <http://app.kubernetes.io/instance=oathkeeper|app.kubernetes.io/instance=oathkeeper>
<http://app.kubernetes.io/managed-by=Helm|app.kubernetes.io/managed-by=Helm>
<http://app.kubernetes.io/name=oathkeeper|app.kubernetes.io/name=oathkeeper>
<http://app.kubernetes.io/version=v0.38.9-beta.1|app.kubernetes.io/version=v0.38.9-beta.1>
<http://helm.sh/chart=oathkeeper-0.21.5|helm.sh/chart=oathkeeper-0.21.5>
Annotations: <http://meta.helm.sh/release-name|meta.helm.sh/release-name>: oathkeeper
<http://meta.helm.sh/release-namespace|meta.helm.sh/release-namespace>: ory
Data
====
access-rules.json:
----
[
{
"upstream": {
"url": "",
"preserve_host": false
},
"id": "customer-rules.ory",
"match": {
"url": "<http://localhost:4456/cristi/test>",
"methods": [
"GET"
]
},
"authenticators": [
{
"handler": "noop"
}
],
"authorizer": {
"handler": "allow"
},
"mutators": [
{
"handler": "noop"
}
]
}
]
BinaryData
====
Events: <none>
worried-kitchen-94392
01/27/2022, 12:22 PMworried-kitchen-94392
01/27/2022, 12:23 PMlively-soccer-24145
01/27/2022, 12:23 PM--rulesConfigmapName=oathkeeper-rules
--rulesConfigmapNamespace=ory
lively-soccer-24145
01/27/2022, 12:23 PMworried-kitchen-94392
01/27/2022, 12:23 PMlively-soccer-24145
01/27/2022, 12:24 PMlively-soccer-24145
01/27/2022, 12:24 PMworried-kitchen-94392
01/27/2022, 12:24 PMworried-kitchen-94392
01/27/2022, 12:24 PMlively-soccer-24145
01/27/2022, 12:25 PMworried-kitchen-94392
01/27/2022, 12:25 PMworried-kitchen-94392
01/27/2022, 12:25 PM