-
-
Notifications
You must be signed in to change notification settings - Fork 257
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: ensure oathkeeper controller deployment correctly account for optionally created resources. #669
fix: ensure oathkeeper controller deployment correctly account for optionally created resources. #669
Conversation
28cbd1a
to
ed6146f
Compare
ed6146f
to
389c1f8
Compare
389c1f8
to
b83e148
Compare
ensures that the controller correctly accounts for optionally created configmap and secret resources corresponding to the following values: - `oathkeeper.managedAccessRules` - `secret.enabled`
b83e148
to
076e657
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi there :) I think this issue was mentioned in the past. I have updated the PR to satisfy kubescape, besides that i think we can merge as is.
The idea was that oathkeeper as a application requires some rules to be present for it to start properly. In an k8s environment we dont want the deployment to be restarted until some CR is created, therefore we created the empty file to satisfy the startup conditions.
Hi there! I recently upgraded the chart and found that it is no longer possible to load a configmap with access rules due to this PR. Was this the intended behavior? If I think what is missing is to check that both |
After some thought I think the write solution might be to set this to only work if maester is enabled. |
Since PR ory#669, self-managed access rules are impossible to deploy. This commit fixes that by allowing the deployment controller to load the rules config map when maester is disabled.
Since PR ory#669, self-managed access rules are impossible to deploy. This commit fixes that by allowing the deployment controller to load the rules config map when maester is disabled.
This fix ensures that the oathkeeper controller deployment template correctly accounts for optional creation of configmap and secrets based on the provided values:
oathkeeper.secret.enabled
secret.enabled
Related Issue or Design Document
n/a (couldn't find an open/closed issue for the controller failing to initialize due to configmap missing for rules)
Checklist
If this pull request addresses a security vulnerability,
I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
Further comments
this pr assumed that it should be possible to deploy the maester as a controller whilst also allowing it to manage the access rules. if this is incorrect, im happy to adjust the logic to ensure that the configmap for access rules get created unles both
managedAccessRules
isfalse
and the maester mode issidecar
.also please let me know if i need to increment the chart's semver patch for fixes; wasn't clear in the checklist above.