Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: oathkeeper - allow self managed rules when maester is disabled #685

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

fix: oathkeeper - allow self managed rules when maester is disabled #685

wants to merge 3 commits into from

Conversation

edeustua
Copy link

Since PR #669, self-managed access rules are impossible to deploy. This commit fixes that by allowing the deployment controller to load the rules config map when maester is disabled.

Related Issue or Design Document

In PR #669, logic was added to the deployment controller such that the access rules configmap would not be loaded when .Values.managedAccessRules was false. This breaks down self-templated access rules when maester is not desired.

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability.
    If this pull request addresses a security vulnerability,
    I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added the necessary documentation within the code base (if appropriate).

Further comments

There might be other ways to address this. Let me know if you have other suggestions. In PR #669, a suggestion was made restrict the logic only when maester's sideloader mode was enabled @cbrendanprice . This might be a solution as well.

@edeustua
fix: Allow self managed rules without maester
84b6f0a 
Since PR ory#669, self-managed access rules are impossible to deploy. This commit
fixes that by allowing the deployment controller to load the rules config map
when maester is disabled.
@CLAassistant
Copy link

CLAassistant commented May 17, 2024
edited

CLA assistant check
All committers have signed the CLA.

@edeustua edeustua changed the title Allow self managed rules without maester disabled in PR #669 fix: Allow self managed rules without maester disabled in PR #669 May 17, 2024
@edeustua edeustua changed the title fix: Allow self managed rules without maester disabled in PR #669 fix: allow self managed rules without maester disabled in PR #669 May 17, 2024
@edeustua edeustua changed the title fix: allow self managed rules without maester disabled in PR #669 fix: allow self managed rules when maester is disabled May 17, 2024
@edeustua edeustua changed the title fix: allow self managed rules when maester is disabled fix(oathkeeper): allow self managed rules when maester is disabled May 17, 2024
@edeustua edeustua changed the title fix(oathkeeper): allow self managed rules when maester is disabled fix: oathkeeper - allow self managed rules when maester is disabled May 17, 2024
@edeustua edeustua marked this pull request as draft May 17, 2024 21:56
@edeustua edeustua marked this pull request as ready for review May 18, 2024 01:09
@Demonsthere
Copy link
Collaborator

Could you please update the hacks/values/oathkeeper.yaml to trigger this case on our CI? I would like to expand the tests to cover a wider array of cases

@edeustua
Copy link
Author

Could you please update the hacks/values/oathkeeper.yaml to trigger this case on our CI? I would like to expand the tests to cover a wider array of cases

Sure thing. I'll do it today.

@edeustua
Copy link
Author

Could you please update the hacks/values/oathkeeper.yaml to trigger this case on our CI? I would like to expand the tests to cover a wider array of cases

Just to further comment on the issue. We use oathkeeper as a subchart of our own chart, and therefore we build the access rules config map before deploying oathkeeper. We do this because we don't want to use maester at this point.

Disabling managedAccessRules in hacks/values/oathkeeper.yaml would prevent the access rules defined in it from deploying properly. Maybe you would like me to add a different test? Let me know.

@Demonsthere
Copy link
Collaborator

My end goal would be to refactor the current setup into hacks/values/$component/values-testcase.yaml and have the CI iterate over all cases in the directory. This is moderately bigger refactor that needs to be done in a separate issue/pr. In this case I think we can emulate the use-case by adding a oathkeeper-rules manifest here, so it will act as a pre-existing cm which has to be consumed by the chart

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Demonsthere Demonsthere Awaiting requested review from Demonsthere Demonsthere is a code owner

@piotrmsc piotrmsc Awaiting requested review from piotrmsc piotrmsc is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@edeustua @CLAassistant @Demonsthere