feat: improve handling of oathkeeper.mutatorIdTokenJWKs (#671)
nipsufn committed Apr 10, 2024
1 parent 443c16d commit fb35e56
Showing 6 changed files with 19 additions and 12 deletions.
3 changes: 3 additions & 0 deletions hacks/values/oathkeeper.yaml
Expand Up @@ -130,6 +130,9 @@ oathkeeper:
noop:
enabled: true

secret:
enabled: true

service:
metrics:
labels:
6 changes: 3 additions & 3 deletions helm/charts/oathkeeper/README.md
Expand Up @@ -84,7 +84,7 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
| oathkeeper.accessRules | string | `""` | If set, uses the given access rules. |
| oathkeeper.config | object | `{"access_rules":{"repositories":["file:///etc/rules/access-rules.json"]},"serve":{"api":{"port":4456},"prometheus":{"port":9000},"proxy":{"port":4455}}}` | The ORY Oathkeeper configuration. For a full list of available settings, check: https://github.com/ory/oathkeeper/blob/master/docs/config.yaml |
| oathkeeper.managedAccessRules | bool | `true` | If you enable maester, the following value should be set to "false" to avoid overwriting the rules generated by the CDRs. Additionally, the value "accessRules" shouldn't be used as it will have no effect once "managedAccessRules" is disabled. |
| oathkeeper.mutatorIdTokenJWKs | string | `""` | If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator. |
| oathkeeper.mutatorIdTokenJWKs | string | `""` | If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator. Requires secret.enabled to be set `true`. |
| pdb.enabled | bool | `false` | |
| pdb.spec.maxUnavailable | string | `""` | |
| pdb.spec.minAvailable | string | `""` | |
Expand All @@ -97,11 +97,11 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| replicaCount | int | `1` | Number of ORY Oathkeeper members |
| revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| secret.enabled | bool | `true` | switch to false to prevent creating the secret |
| secret.enabled | bool | `false` | Switch to false to prevent using mutatorIdTokenJWKs secret |
| secret.filename | string | `"mutator.id_token.jwks.json"` | default filename of JWKS (mounted as secret) |
| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
| secret.mountPath | string | `"/etc/secrets"` | default mount path for the kubernetes secret |
| secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
| secret.nameOverride | string | `""` | Provide custom name of existing secret if oathkeeper.mutatorIdTokenJWKs is left empty, or custom name of secret to be created |
| secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. |
| securityContext.allowPrivilegeEscalation | bool | `false` | |
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
Expand Up @@ -112,7 +112,7 @@ spec:
{{- toYaml . | nindent 12 }}
{{- end }}
env:
{{- if and .Values.secret.enabled .Values.oathkeeper.mutatorIdTokenJWKs }}
{{- if .Values.secret.enabled }}
- name: MUTATORS_ID_TOKEN_CONFIG_JWKS_URL
value: "file://{{ .Values.secret.mountPath }}/{{ .Values.secret.filename }}"
{{- end }}
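Review bot: The env block now emits MUTATORS_ID_TOKEN_CONFIG_JWKS_URL whenever secret.enabled is true, which includes the case where no key is generated and an existing secret is referenced through secret.nameOverride; the URL is built from secret.mountPath and secret.filename, so that existing secret must carry a key named exactly as secret.filename or Oathkeeper is pointed at a path that is never mounted. Nothing in the chart checks this, and the new nameOverride comment in values.yaml does not mention it. A values comment on secret.filename would close the gap, e.g. `# -- Filename of the JWKS (mounted as secret). When mutatorIdTokenJWKs is empty, the existing secret named by nameOverride must contain a key with this name.` The same gating change appears in the env block of deployment-sidecar.yaml, so the remark applies there too. The enclosing container spec starts and ends outside the hunk.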
6 changes: 5 additions & 1 deletion helm/charts/oathkeeper/templates/deployment-sidecar.yaml
Expand Up @@ -60,9 +60,11 @@ spec:
{{- end }}
- name: {{ include "oathkeeper.name" . }}-rules-volume
emptyDir: {}
{{- if .Values.secret.enabled }}
- name: {{ include "oathkeeper.name" . }}-secrets-volume
secret:
secretName: {{ include "oathkeeper.secretname" . }}
{{- end }}
initContainers:
- name: init
image: "{{ .Values.image.initContainer.repository }}:{{ .Values.image.initContainer.tag }}"
Expand Down Expand Up @@ -90,7 +92,7 @@ spec:
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: [ "oathkeeper", "serve", "--config", "/etc/config/config.yaml" ]
env:
{{- if .Values.oathkeeper.mutatorIdTokenJWKs }}
{{- if .Values.secret.enabled }}
- name: MUTATORS_ID_TOKEN_CONFIG_JWKS_URL
value: "file://{{ .Values.secret.mountPath }}/{{ .Values.secret.filename }}"
{{- end }}
Expand All @@ -107,9 +109,11 @@ spec:
- name: {{ include "oathkeeper.name" . }}-rules-volume
mountPath: /etc/rules
readOnly: true
{{- if .Values.secret.enabled }}
- name: {{ include "oathkeeper.name" . }}-secrets-volume
mountPath: {{ .Values.secret.mountPath }}
readOnly: true
{{- end }}
ports:
- name: http-api
containerPort: {{ .Values.oathkeeper.config.serve.api.port }}
6 changes: 3 additions & 3 deletions helm/charts/oathkeeper/templates/secrets.yaml
@@ -1,4 +1,4 @@
{{- if .Values.secret.enabled -}}
{{- if and .Values.secret.enabled .Values.oathkeeper.mutatorIdTokenJWKs -}}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -14,7 +14,7 @@ metadata:
{{- end }}
type: Opaque
data:
{{- if .Values.oathkeeper.mutatorIdTokenJWKs }}
"{{ .Values.secret.filename }}": {{ default "" .Values.oathkeeper.mutatorIdTokenJWKs | b64enc | quote }}
{{- end}}
{{- else if and (not .Values.secret.enabled) .Values.oathkeeper.mutatorIdTokenJWKs }}
{{- fail ".Values.secrets.enabled must be set to true with .Values.oathkeeper.mutatorIdTokenJWKs" }}
{{- end }}
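Review bot: The new fail message names `.Values.secrets.enabled`, but the value tested on the line above and everywhere else in the chart is `.Values.secret.enabled`, so a user who copies the path from the error will set a key the chart never reads. Change it to `{{- fail ".Values.secret.enabled must be set to true with .Values.oathkeeper.mutatorIdTokenJWKs" }}`. The inverse misconfiguration is also left unguarded: with secret.enabled true, mutatorIdTokenJWKs empty and nameOverride empty, this file renders nothing while deployment-sidecar.yaml still mounts the secret named by the oathkeeper.secretname helper, so the rendered pod references a Secret the chart never creates and stays stuck at volume mount. A further branch such as `{{- else if and .Values.secret.enabled (not .Values.oathkeeper.mutatorIdTokenJWKs) (not .Values.secret.nameOverride) }}` followed by a fail would surface that at template time, assuming oathkeeper.secretname falls back to a chart-derived name when nameOverride is empty (the helper is not in this diff).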
8 changes: 4 additions & 4 deletions helm/charts/oathkeeper/values.yaml
Expand Up @@ -195,7 +195,7 @@ oathkeeper:
port: 4456
prometheus:
port: 9000
# -- If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator.
# -- If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator. Requires secret.enabled to be set `true`.
mutatorIdTokenJWKs: ""
# -- If set, uses the given access rules.
accessRules: ""
Expand All @@ -207,9 +207,9 @@ oathkeeper:

## -- Secret management
secret:
# -- switch to false to prevent creating the secret
enabled: true
# -- Provide custom name of existing secret, or custom name of secret to be created
# -- Switch to false to prevent using mutatorIdTokenJWKs secret
enabled: false
# -- Provide custom name of existing secret if oathkeeper.mutatorIdTokenJWKs is left empty, or custom name of secret to be created
nameOverride: ""
# nameOverride: "myCustomSecret"
# -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
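Review bot: The new comment on `enabled` describes only the generated-secret case, while the templates in this commit mount the secret whenever `enabled` is true, including a pre-existing one named by `nameOverride`; a reader of values.yaml cannot tell from it that `enabled: true` with neither value set leaves the pod referencing a secret the chart does not create. Suggest `# -- Switch to true to mount the ID Token Mutator JWKS secret, either generated from oathkeeper.mutatorIdTokenJWKs or an existing one named by nameOverride`. If the README table is generated from these `# --` comments, the secret.enabled row there would pick up the same wording.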