Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: ensure oathkeeper controller deployment correctly account for optionally created resources. #669

Merged
merged 2 commits into from
Mar 28, 2024
Merged

fix: ensure oathkeeper controller deployment correctly account for optionally created resources. #669

merged 2 commits into from
Mar 28, 2024

Conversation

cbrendanprice
Copy link
Contributor

@cbrendanprice cbrendanprice commented Mar 27, 2024
edited

This fix ensures that the oathkeeper controller deployment template correctly accounts for optional creation of configmap and secrets based on the provided values:

  • oathkeeper.secret.enabled
  • secret.enabled

Related Issue or Design Document

n/a (couldn't find an open/closed issue for the controller failing to initialize due to configmap missing for rules)

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability.
    If this pull request addresses a security vulnerability,
    I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added the necessary documentation within the code base (if appropriate).

Further comments

this pr assumed that it should be possible to deploy the maester as a controller whilst also allowing it to manage the access rules. if this is incorrect, im happy to adjust the logic to ensure that the configmap for access rules get created unles both managedAccessRules is false and the maester mode is sidecar.

also please let me know if i need to increment the chart's semver patch for fixes; wasn't clear in the checklist above.

@CLAassistant
Copy link

CLAassistant commented Mar 27, 2024
edited

CLA assistant check
All committers have signed the CLA.

@cbrendanprice cbrendanprice force-pushed the fix/oathkeeper-controller-nonmanaged-access-rules branch from 28cbd1a to ed6146f Compare March 27, 2024 18:07
@cbrendanprice cbrendanprice changed the title [Oathkeeper] Fix: Update Controller to account for non-managed access rules. fix(oathkeeper): updates ory deployment controller. Controller to account for non-managed access rules. Mar 27, 2024
@cbrendanprice cbrendanprice changed the title fix(oathkeeper): updates ory deployment controller. Controller to account for non-managed access rules. fix(oathkeeper): updates ory deployment controller to account for non-managed access rules. Mar 27, 2024
@cbrendanprice cbrendanprice changed the title fix(oathkeeper): updates ory deployment controller to account for non-managed access rules. fix(oathkeeper): updates deployment controller to account for non-managed access rules. Mar 27, 2024
@cbrendanprice cbrendanprice changed the title fix(oathkeeper): updates deployment controller to account for non-managed access rules. fix: updates deployment controller to account for non-managed access rules. Mar 27, 2024
@cbrendanprice cbrendanprice changed the title fix: updates deployment controller to account for non-managed access rules. fix: updates oathkeeper controller deployment to account for non-managed access rules. Mar 27, 2024
@cbrendanprice cbrendanprice force-pushed the fix/oathkeeper-controller-nonmanaged-access-rules branch from ed6146f to 389c1f8 Compare March 27, 2024 19:00
@cbrendanprice cbrendanprice changed the title fix: updates oathkeeper controller deployment to account for non-managed access rules. fix: ensure oathkeeper controller deployment correctly account for optionally created resources. Mar 27, 2024
@cbrendanprice cbrendanprice force-pushed the fix/oathkeeper-controller-nonmanaged-access-rules branch from 389c1f8 to b83e148 Compare March 27, 2024 19:40
@cbrendanprice
fix(oathkeeper): updates ory deployment controller.
076e657 
ensures that the controller correctly accounts for optionally created configmap and secret resources corresponding to the following values:
- `oathkeeper.managedAccessRules`
- `secret.enabled`
@cbrendanprice cbrendanprice force-pushed the fix/oathkeeper-controller-nonmanaged-access-rules branch from b83e148 to 076e657 Compare March 27, 2024 19:53
Demonsthere
Demonsthere reviewed Mar 28, 2024
View reviewed changes
Copy link
Collaborator

@Demonsthere Demonsthere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi there :) I think this issue was mentioned in the past. I have updated the PR to satisfy kubescape, besides that i think we can merge as is.
The idea was that oathkeeper as a application requires some rules to be present for it to start properly. In an k8s environment we dont want the deployment to be restarted until some CR is created, therefore we created the empty file to satisfy the startup conditions.

@Demonsthere Demonsthere merged commit ba27ebb into ory:master Mar 28, 2024
11 checks passed
@edeustua
Copy link

edeustua commented May 17, 2024
edited

Hi there! I recently upgraded the chart and found that it is no longer possible to load a configmap with access rules due to this PR. Was this the intended behavior? If managedAccessRules is turned off there is no way to load a custom templated configmap into the deployment. Maybe I'm missing something.

I think what is missing is to check that both managedAccessRules is false and maester mode is sidecar, as proposed.

@edeustua
Copy link

After some thought I think the write solution might be to set this to only work if maester is enabled.

edeustua added a commit to examol-corp/ory-k8s that referenced this pull request May 17, 2024
@edeustua
fix: Allow self managed rules without maester
fe7597f 
Since PR ory#669, self-managed access rules are impossible to deploy. This commit
fixes that by allowing the deployment controller to load the rules config map
when maester is disabled.
edeustua added a commit to examol-corp/ory-k8s that referenced this pull request May 17, 2024
@edeustua
fix: Allow self managed rules without maester
84b6f0a 
Since PR ory#669, self-managed access rules are impossible to deploy. This commit
fixes that by allowing the deployment controller to load the rules config map
when maester is disabled.
@edeustua edeustua mentioned this pull request May 17, 2024
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Demonsthere Demonsthere Demonsthere approved these changes

@piotrmsc piotrmsc Awaiting requested review from piotrmsc piotrmsc is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@cbrendanprice @CLAassistant @edeustua @Demonsthere