fix: use watcherx to watch access rule files #1059

Merged: 2 commits, Feb 15, 2023


@zepatrik zepatrik commented Feb 3, 2023

No description provided.

@zepatrik zepatrik changed the base branch from master to fix/readiness-checker February 7, 2023 17:31

codecov bot commented Feb 7, 2023

Codecov Report

Merging #1059 (c49e297) into master (7e7d45e) will increase coverage by 0.08%.
The diff coverage is 82.85%.

❗ Current head c49e297 differs from pull request most recent head b3e8fba. Consider uploading reports for the commit b3e8fba to get more accurate results

@@            Coverage Diff             @@
##           master    #1059      +/-   ##
==========================================
+ Coverage   77.79%   77.87%   +0.08%     
==========================================
  Files          81       80       -1     
  Lines        3967     3924      -43     
==========================================
- Hits         3086     3056      -30     
+ Misses        600      589      -11     
+ Partials      281      279       -2     

| Impacted Files | Coverage Δ |
|---|---|
| driver/registry_memory.go | 90.45% <0.00%> (-0.05%) ⬇️ |
| driver/configuration/provider_koanf.go | 88.84% <50.00%> (+1.49%) ⬆️ |
| rule/fetcher_default.go | 79.16% <84.44%> (+0.39%) ⬆️ |
| ...peline/authn/authenticator_oauth2_introspection.go | 80.00% <100.00%> (-0.22%) ⬇️ |


Base automatically changed from fix/readiness-checker to master February 7, 2023 17:48
@zepatrik zepatrik marked this pull request as ready for review February 7, 2023 17:48
aeneasr previously approved these changes Feb 14, 2023

@aeneasr aeneasr left a comment


Very nice work, despite the complexity the code is easy to follow :) I couldn't find any logic mistakes or issues, so I think this is 👍

We should still observe the behavior on a test environment (k3d) to ensure we did not introduce regressions somehow.


zepatrik commented Feb 15, 2023

OK, I verified it works with some manual tests in k3d using this manifest:

kind: ConfigMap
apiVersion: v1
metadata:
  name: config
data:
  config.yml: |-
    access_rules:
      repositories: 
        - file:///etc/rules/rules.yml
      matching_strategy: regexp
    authenticators:
      anonymous:
        enabled: true
    authorizers:
      allow:
        enabled: true
    mutators:
      noop:
        enabled: true

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: rules
data:
  rules.yml: |-
    - id: test-rule-1-yaml
      upstream:
        preserve_host: true
        strip_path: /api
        url: https://mybackend.com/api
      match:
        url: myproxy.com/api
        methods:
          - GET
          - POST
      authenticators:
        - handler: anonymous
      authorizer:
        handler: allow
      mutators:
        - handler: noop

---

kind: Pod
apiVersion: v1
metadata:
  name: ory-oathkeeper
spec:
  containers:
    - name: oathkeeper
      image: oryd/oathkeeper:dev-alpine
      args:
        - serve
        - -c
        - /etc/configs/config.yml
      ports:
        - containerPort: 4455
        - containerPort: 4456
      env:
        - name: config
          valueFrom:
            configMapKeyRef:
              name: config
              key: config.yml
        - name: rules
          valueFrom:
            configMapKeyRef:
              name: rules
              key: rules.yml
      volumeMounts:
        - name: config
          mountPath: /etc/configs
        - name: rules
          mountPath: /etc/rules
  volumes:
    - name: config
      configMap:
        name: config
    - name: rules
      configMap:
        name: rules

The commands to run this were:

make docker
k3d cluster create --image docker.io/rancher/k3s:v1.21.8-k3s1
k3d image import oryd/oathkeeper:dev-alpine
kubectl apply -f manifests.yml
# do some updates to the config & rules
# apply again

At first I was confused because the update did not seem to propagate, but it turned out it was because of different log levels for config and access rule update logs 😅

@zepatrik zepatrik merged commit d305381 into master Feb 15, 2023
@zepatrik zepatrik deleted the fix/k8s-compat-watcher branch February 15, 2023 11:10
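
Context for the `/etc/rules` ConfigMap mount in the manifest above: Kubernetes publishes such a volume through a `..data` symlink that it repoints atomically on each update, so the file at the watched path is never rewritten in place. The Go program below is an added example, not code from this PR, Oathkeeper or watcherx; it simulates that swap in a temp directory (the `..rev1`/`..rev2` directory names and rule contents are constructed) and reports what a reload check has to compare.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// publish imitates a ConfigMap volume update (constructed layout): write the
// file into a new revision directory, then atomically repoint "..data" at it.
func publish(mount, rev, content string) error {
	if err := os.MkdirAll(filepath.Join(mount, rev), 0o755); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(mount, rev, "rules.yml"), []byte(content), 0o644); err != nil {
		return err
	}
	tmp := filepath.Join(mount, "..data_tmp")
	if err := os.Symlink(rev, tmp); err != nil {
		return err
	}
	return os.Rename(tmp, filepath.Join(mount, "..data")) // atomic swap
}

// Demo publishes two revisions; the link at rules.yml stays put, its target moves.
func Demo() (sameLink, movedTarget bool, content string, err error) {
	mount, err := os.MkdirTemp("", "rules")
	if err != nil {
		return
	}
	defer os.RemoveAll(mount)
	watched := filepath.Join(mount, "rules.yml")
	if err = publish(mount, "..rev1", "- id: test-rule-1-yaml\n"); err != nil {
		return
	}
	if err = os.Symlink(filepath.Join("..data", "rules.yml"), watched); err != nil {
		return
	}
	link1, _ := os.Readlink(watched)          // the link stored at the watched path
	res1, _ := filepath.EvalSymlinks(watched) // where it resolves to right now
	if err = publish(mount, "..rev2", "- id: test-rule-2-yaml\n"); err != nil {
		return
	}
	link2, _ := os.Readlink(watched)
	res2, _ := filepath.EvalSymlinks(watched)
	data, err := os.ReadFile(watched)
	return link1 == link2, res1 != res2, string(data), err
}
func main() { fmt.Println(Demo()) }
```

A check that only looks at the `rules.yml` link itself sees no change after the update; comparing the resolved path or a content hash does, which is what keeps stale access rules from staying in force.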