From fb35e560f5004b1b3cea474bfda13faa5c35213f Mon Sep 17 00:00:00 2001
From: Ferdynand Naczynski
Date: Wed, 10 Apr 2024 09:30:29 +0200
Subject: [PATCH] feat: improve handling of `oathkeeper.mutatorIdTokenJWKs` (#671)

---
 hacks/values/oathkeeper.yaml | 3 +++
 helm/charts/oathkeeper/README.md | 6 +++---
 .../oathkeeper/templates/deployment-controller.yaml | 2 +-
 helm/charts/oathkeeper/templates/deployment-sidecar.yaml | 6 +++++-
 helm/charts/oathkeeper/templates/secrets.yaml | 6 +++---
 helm/charts/oathkeeper/values.yaml | 8 ++++----
 6 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/hacks/values/oathkeeper.yaml b/hacks/values/oathkeeper.yaml
index a8089c08a..ce69d72dc 100644
--- a/hacks/values/oathkeeper.yaml
+++ b/hacks/values/oathkeeper.yaml
@@ -130,6 +130,9 @@ oathkeeper: noop: enabled: true +secret: + enabled: true + service: metrics: labels:
diff --git a/helm/charts/oathkeeper/README.md b/helm/charts/oathkeeper/README.md
index 9a9ced920..e3eebed53 100644
--- a/helm/charts/oathkeeper/README.md
+++ b/helm/charts/oathkeeper/README.md
@@ -84,7 +84,7 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 | oathkeeper.accessRules | string | `""` | If set, uses the given access rules. |
 | oathkeeper.config | object | `{"access_rules":{"repositories":["file:///etc/rules/access-rules.json"]},"serve":{"api":{"port":4456},"prometheus":{"port":9000},"proxy":{"port":4455}}}` | The ORY Oathkeeper configuration. For a full list of available settings, check: https://github.com/ory/oathkeeper/blob/master/docs/config.yaml |
 | oathkeeper.managedAccessRules | bool | `true` | If you enable maester, the following value should be set to "false" to avoid overwriting the rules generated by the CDRs. Additionally, the value "accessRules" shouldn't be used as it will have no effect once "managedAccessRules" is disabled. |
-| oathkeeper.mutatorIdTokenJWKs | string | `""` | If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator. |
+| oathkeeper.mutatorIdTokenJWKs | string | `""` | If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator. Requires secret.enabled to be set `true`. |
 | pdb.enabled | bool | `false` | |
 | pdb.spec.maxUnavailable | string | `""` | |
 | pdb.spec.minAvailable | string | `""` | |
@@ -97,11 +97,11 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 | priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
 | replicaCount | int | `1` | Number of ORY Oathkeeper members |
 | revisionHistoryLimit | int | `5` | Number of revisions kept in history |
-| secret.enabled | bool | `true` | switch to false to prevent creating the secret |
+| secret.enabled | bool | `false` | Switch to false to prevent using mutatorIdTokenJWKs secret |
 | secret.filename | string | `"mutator.id_token.jwks.json"` | default filename of JWKS (mounted as secret) |
 | secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
 | secret.mountPath | string | `"/etc/secrets"` | default mount path for the kubernetes secret |
-| secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
+| secret.nameOverride | string | `""` | Provide custom name of existing secret if oathkeeper.mutatorIdTokenJWKs is left empty, or custom name of secret to be created |
 | secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. |
 | securityContext.allowPrivilegeEscalation | bool | `false` | |
 | securityContext.capabilities.drop[0] | string | `"ALL"` | |
diff --git a/helm/charts/oathkeeper/templates/deployment-controller.yaml b/helm/charts/oathkeeper/templates/deployment-controller.yaml
index fdd7f13c9..770f20ed2 100644
--- a/helm/charts/oathkeeper/templates/deployment-controller.yaml
+++ b/helm/charts/oathkeeper/templates/deployment-controller.yaml
@@ -112,7 +112,7 @@ spec:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 env:
- {{- if and .Values.secret.enabled .Values.oathkeeper.mutatorIdTokenJWKs }}
+ {{- if .Values.secret.enabled }}
 - name: MUTATORS_ID_TOKEN_CONFIG_JWKS_URL
 value: "file://{{ .Values.secret.mountPath }}/{{ .Values.secret.filename }}"
 {{- end }}
diff --git a/helm/charts/oathkeeper/templates/deployment-sidecar.yaml b/helm/charts/oathkeeper/templates/deployment-sidecar.yaml
index f41d693b7..83420be91 100644
--- a/helm/charts/oathkeeper/templates/deployment-sidecar.yaml
+++ b/helm/charts/oathkeeper/templates/deployment-sidecar.yaml
@@ -60,9 +60,11 @@ spec:
 {{- end }}
 - name: {{ include "oathkeeper.name" . }}-rules-volume
 emptyDir: {}
+ {{- if .Values.secret.enabled }}
 - name: {{ include "oathkeeper.name" . }}-secrets-volume
 secret:
 secretName: {{ include "oathkeeper.secretname" . }}
+ {{- end }}
 initContainers:
 - name: init
 image: "{{ .Values.image.initContainer.repository }}:{{ .Values.image.initContainer.tag }}"
@@ -90,7 +92,7 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 command: [ "oathkeeper", "serve", "--config", "/etc/config/config.yaml" ]
 env:
- {{- if .Values.oathkeeper.mutatorIdTokenJWKs }}
+ {{- if .Values.secret.enabled }}
 - name: MUTATORS_ID_TOKEN_CONFIG_JWKS_URL
 value: "file://{{ .Values.secret.mountPath }}/{{ .Values.secret.filename }}"
 {{- end }}
@@ -107,9 +109,11 @@ spec:
 - name: {{ include "oathkeeper.name" . }}-rules-volume
 mountPath: /etc/rules
 readOnly: true
+ {{- if .Values.secret.enabled }}
 - name: {{ include "oathkeeper.name" . }}-secrets-volume
 mountPath: {{ .Values.secret.mountPath }}
 readOnly: true
+ {{- end }}
 ports:
 - name: http-api
 containerPort: {{ .Values.oathkeeper.config.serve.api.port }}
diff --git a/helm/charts/oathkeeper/templates/secrets.yaml b/helm/charts/oathkeeper/templates/secrets.yaml
index 74125fcd1..9fb5d6402 100644
--- a/helm/charts/oathkeeper/templates/secrets.yaml
+++ b/helm/charts/oathkeeper/templates/secrets.yaml
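Review bot: Gating `MUTATORS_ID_TOKEN_CONFIG_JWKS_URL` on `.Values.secret.enabled` alone (here and in the sidecar's `@@ -90,7 +92,7 @@` env hunk) points the mutator at `{{ .Values.secret.mountPath }}/{{ .Values.secret.filename }}` also when the JWKS comes from a pre-existing Secret named via `secret.nameOverride`, so that Secret must store its key under exactly `secret.filename` or the mutator will presumably find no key file at runtime. Nothing in this change states that requirement; I would extend the `secret.filename` comment in values.yaml with `# -- Key under which the JWKS is stored in the Secret (created by the chart, or pre-existing via nameOverride); this is also the file name oathkeeper reads from secret.mountPath`. The controller's secrets volume and volumeMount are outside this hunk; if they are not already guarded by `secret.enabled` the way the sidecar's now are, the new default `false` would leave the controller pod referencing a Secret the chart no longer renders.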
@@ -1,4 +1,4 @@
-{{- if .Values.secret.enabled -}}
+{{- if and .Values.secret.enabled .Values.oathkeeper.mutatorIdTokenJWKs -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -14,7 +14,7 @@ metadata:
 {{- end }}
 type: Opaque
 data:
-{{- if .Values.oathkeeper.mutatorIdTokenJWKs }}
 "{{ .Values.secret.filename }}": {{ default "" .Values.oathkeeper.mutatorIdTokenJWKs | b64enc | quote }}
-{{- end}}
+{{- else if and (not .Values.secret.enabled) .Values.oathkeeper.mutatorIdTokenJWKs }}
+{{- fail ".Values.secrets.enabled must be set to true with .Values.oathkeeper.mutatorIdTokenJWKs" }}
 {{- end }}
diff --git a/helm/charts/oathkeeper/values.yaml b/helm/charts/oathkeeper/values.yaml
index 7d309f31c..8f9f2ff96 100644
--- a/helm/charts/oathkeeper/values.yaml
+++ b/helm/charts/oathkeeper/values.yaml
@@ -195,7 +195,7 @@ oathkeeper:
 port: 4456
 prometheus:
 port: 9000
- # -- If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator.
+ # -- If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator. Requires secret.enabled to be set `true`.
 mutatorIdTokenJWKs: ""
 # -- If set, uses the given access rules.
 accessRules: ""
@@ -207,9 +207,9 @@ oathkeeper: ## -- Secret management secret:
- # -- switch to false to prevent creating the secret
- enabled: true
- # -- Provide custom name of existing secret, or custom name of secret to be created
+ # -- Switch to false to prevent using mutatorIdTokenJWKs secret
+ enabled: false
+ # -- Provide custom name of existing secret if oathkeeper.mutatorIdTokenJWKs is left empty, or custom name of secret to be created
 nameOverride: ""
 # nameOverride: "myCustomSecret"
 # -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
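Review bot: The new guard on the opening `if` covers "JWKS given but secret disabled" but not its mirror: with `secret.enabled: true`, `mutatorIdTokenJWKs` empty and `secret.nameOverride` empty, no Secret is rendered while both Deployments now mount `{{ include "oathkeeper.secretname" . }}`, so the pods sit in ContainerCreating with a secret-not-found event instead of failing at template time (assuming the `oathkeeper.secretname` helper falls back to a chart-generated name when `nameOverride` is empty). A second `fail` branch in the same template would make that misconfiguration explicit, e.g. `{{- else if and .Values.secret.enabled (not .Values.secret.nameOverride) }}` followed by `{{- fail ".Values.secret.nameOverride must name an existing Secret when .Values.secret.enabled is true and .Values.oathkeeper.mutatorIdTokenJWKs is empty" }}`. The `if` opened here is closed in the `@@ -14,7 +14,7 @@` hunk of the same file.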
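Review bot: The `fail` message names `.Values.secrets.enabled`, but the value the condition tests is `.Values.secret.enabled`; a user who copies the key out of the error sets a value the chart never reads and hits the same failure again, so it should read `{{- fail ".Values.secret.enabled must be set to true with .Values.oathkeeper.mutatorIdTokenJWKs" }}`. The `(not .Values.secret.enabled)` in the `else if` is redundant: that branch is only reached when the outer `and` was false, so with `mutatorIdTokenJWKs` set `secret.enabled` is necessarily false, and `{{- else if .Values.oathkeeper.mutatorIdTokenJWKs }}` expresses the same condition without the reader having to work that out. Likewise the `default ""` on the data line is dead now that the enclosing condition already requires `mutatorIdTokenJWKs` to be non-empty.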
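Review bot: The new comment on `secret.enabled` describes the opposite of the default it now sits above: with `false` as the default, "Switch to false to prevent using" tells the reader nothing about how to turn the feature on, and `# -- Set to true to mount the ID token JWKS Secret (rendered from oathkeeper.mutatorIdTokenJWKs, or an existing Secret named by secret.nameOverride)` would. Flipping this default from `true` to `false` also changes behaviour for existing releases that set `mutatorIdTokenJWKs` and relied on the old default — after upgrade their render stops with the new `fail` in secrets.yaml until they add `secret.enabled: true`. The diffstat shows no Chart.yaml or changelog entry, so if the chart version is tracked in this repository the breaking change should be recorded there.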