Bump Oathkeeper image to support alternative token location #6407

Merged
merged 3 commits into from
Nov 26, 2019
12 changes: 6 additions & 6 deletions resources/compass/values.yaml
Expand Up @@ -123,19 +123,19 @@ global:
api:
url: http://compass-director.compass-system.svc.cluster.local:3000/tenant-mapping
retry:
number: 3
delayInMilliseconds: 2000
number_of_retries: 3
delay_in_milliseconds: 2000
certificateResolverService:
config:
api:
url: http://compass-connector.compass-system.svc.cluster.local:8080/v1/certificate/data/resolve
retry:
number: 3
delayInMilliseconds: 2000
number_of_retries: 3
delay_in_milliseconds: 2000
tokenResolverService:
config:
api:
url: http://compass-connector.compass-system.svc.cluster.local:8080/v1/tokens/resolve
retry:
number: 3
delayInMilliseconds: 2000
number_of_retries: 3
delay_in_milliseconds: 2000
2 changes: 1 addition & 1 deletion resources/ory/charts/oathkeeper/templates/deployment.yaml
Expand Up @@ -49,7 +49,7 @@ spec:
command: [ "oathkeeper", "serve", "--config", "/etc/config/config.yaml" ]
env:
{{- if .Values.oathkeeper.mutatorIdTokenJWKs }}
- name: MUTATORS_ID_TOKEN_JWKS_URL
- name: MUTATORS_ID_TOKEN_CONFIG_JWKS_URL
value: "file:///etc/secrets/mutator.id_token.jwks.json"
{{- end }}
volumeMounts:
2 changes: 1 addition & 1 deletion resources/ory/charts/oathkeeper/values.yaml
Expand Up @@ -5,7 +5,7 @@ image:
# ORY Oathkeeper image
repository: oryd/oathkeeper
# ORY Oathkeeper version
tag: v0.18.0
tag: v0.32.1
# Image pull policy
pullPolicy: IfNotPresent

70 changes: 43 additions & 27 deletions resources/ory/values.yaml
Expand Up @@ -85,34 +85,39 @@ oathkeeper:
enabled: true
anonymous:
enabled: true
subject: anonymous
config:
subject: anonymous
cookie_session:
enabled: false
# REQUIRED IF ENABLED - The session store to forward request method/path/headers to for validation
check_session_url: https://session-store-host
# Optionally set a list of cookie names to look for in incoming requests.
# If unset, all requests are forwarded.
# If set, only requests that have at least one of the set cookies will be forwarded, others will be passed to the next authenticator
only:
- sessionid
config:
# REQUIRED IF ENABLED - The session store to forward request method/path/headers to for validation
check_session_url: https://session-store-host
# Optionally set a list of cookie names to look for in incoming requests.
# If unset, all requests are forwarded.
# If set, only requests that have at least one of the set cookies will be forwarded, others will be passed to the next authenticator
only:
- sessionid
oauth2_client_credentials:
enabled: true
# REQUIRED IF ENABLED - The OAuth 2.0 Token Endpoint that will be used to validate the client credentials.
token_url: http://ory-hydra-public.kyma-system.svc.cluster.local:4444/oauth2/token
config:
# REQUIRED IF ENABLED - The OAuth 2.0 Token Endpoint that will be used to validate the client credentials.
token_url: http://ory-hydra-public.kyma-system.svc.cluster.local:4444/oauth2/token
oauth2_introspection:
# Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
enabled: true
# REQUIRED IF ENABLED - The OAuth 2.0 Token Introspection endpoint.
introspection_url: http://ory-hydra-admin.kyma-system.svc.cluster.local:4445/oauth2/introspect
# Sets the strategy to be used to validate/match the token scope. Supports "hierarchic", "exact", "wildcard", "none". Defaults
# to "none".
scope_strategy: exact
config:
# REQUIRED IF ENABLED - The OAuth 2.0 Token Introspection endpoint.
introspection_url: http://ory-hydra-admin.kyma-system.svc.cluster.local:4445/oauth2/introspect
# Sets the strategy to be used to validate/match the token scope. Supports "hierarchic", "exact", "wildcard", "none". Defaults
# to "none".
scope_strategy: exact
# Enable the "jwt" section to allow for jwt authenticator configured for local Dex Id Tokens.
jwt:
enabled: true
jwks_urls:
config:
jwks_urls:
- http://dex-service.kyma-system.svc.cluster.local:5556/keys
scope_strategy: wildcard
scope_strategy: wildcard
authorizers:
allow:
enabled: true
Expand All @@ -123,21 +128,32 @@ oathkeeper:
enabled: true
id_token:
enabled: true
# REQUIRED IF ENABLED - Sets the "iss" value of the ID Token.
issuer_url: https://oathkeeper.{{ .Values.global.ingress.domainName }}/
# REQUIRED IF ENABLED - Sets the URL where keys should be fetched from. Supports remote locations (http, https) as
# well as local filesystem paths.
# jwks_url: https://fetch-keys/from/this/location.json
# jwks_url: file:///from/this/absolute/location.json
# jwks_url: file://../from/this/relative/location.json
# Sets the time-to-live of the ID token. Defaults to one minute. Valid time units are: s (second), m (minute), h (hour).
ttl: 60s
config:
# REQUIRED IF ENABLED - Sets the "iss" value of the ID Token.
issuer_url: https://oathkeeper.{{ .Values.global.ingress.domainName }}/
# REQUIRED IF ENABLED - Sets the URL where keys should be fetched from. Supports remote locations (http, https) as
# well as local filesystem paths.
jwks_url: "file:///etc/secrets/mutator.id_token.jwks.json"
# jwks_url: https://fetch-keys/from/this/location.json
# jwks_url: file:///from/this/absolute/location.json
# jwks_url: file://../from/this/relative/location.json
# Sets the time-to-live of the ID token. Defaults to one minute. Valid time units are: s (second), m (minute), h (hour).
ttl: 60s
header:
enabled: true
config:
headers:
X-Server: oathkeeper
cookie:
enabled: true
config:
cookies:
processedWith: oathkeeper
hydrator:
enabled: true
config:
api:
url: http://compass-director.compass-system.svc.cluster.local:3000/tenant-mapping
serve:
proxy:
port: 4455
Expand All @@ -152,7 +168,7 @@ oathkeeper:
cpu: 50m
memory: 64Mi
image:
tag: v0.18.0-beta.1
tag: v0.32.1
oathkeeper-maester:
deployment:
annotations:
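Review bot: `jwks_url: "file:///etc/secrets/mutator.id_token.jwks.json"` in the id_token mutator config (second hunk of this file) hard-codes the signing-key location a second time: deployment.yaml exports the same path as `MUTATORS_ID_TOKEN_CONFIG_JWKS_URL`, but only when `.Values.oathkeeper.mutatorIdTokenJWKs` is set, whereas this values entry is unconditional. If the secret volume is guarded by that same value (the volumeMounts are outside the visible hunk), a deployment with it unset still points the mutator at a file that is not mounted, and the two settings can drift apart unnoticed when one is edited. Prefer a single source of truth — either keep the env var in the template and leave this entry commented like the example `jwks_url` lines below it, or drop the template env var — and above whichever stays add `# Must match the path where the deployment template mounts the secret under /etc/secrets (see resources/ory/charts/oathkeeper/templates/deployment.yaml)`. The enclosing `oathkeeper:` mapping begins outside the hunk.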