diff --git a/resources/ory/charts/oathkeeper/templates/deployment.yaml b/resources/ory/charts/oathkeeper/templates/deployment.yaml
index 7c4702f3cfa3..2717da7c59fd 100644
--- a/resources/ory/charts/oathkeeper/templates/deployment.yaml
+++ b/resources/ory/charts/oathkeeper/templates/deployment.yaml
@@ -49,7 +49,7 @@ spec:
 command: [ "oathkeeper", "serve", "--config", "/etc/config/config.yaml" ]
 env:
 {{- if .Values.oathkeeper.mutatorIdTokenJWKs }}
- - name: MUTATORS_ID_TOKEN_JWKS_URL
+ - name: MUTATORS_ID_TOKEN_CONFIG_JWKS_URL
 value: "file:///etc/secrets/mutator.id_token.jwks.json"
 {{- end }}
 volumeMounts:
diff --git a/resources/ory/charts/oathkeeper/values.yaml b/resources/ory/charts/oathkeeper/values.yaml
index 0f4a3ee0278e..6a293317d4c8 100644
--- a/resources/ory/charts/oathkeeper/values.yaml
+++ b/resources/ory/charts/oathkeeper/values.yaml
@@ -5,7 +5,7 @@
 image:
 # ORY Oathkeeper image
 repository: oryd/oathkeeper
 # ORY Oathkeeper version
- tag: v0.18.0
+ tag: v0.32.1
 # Image pull policy
 pullPolicy: IfNotPresent
diff --git a/resources/ory/values.yaml b/resources/ory/values.yaml
index 21fdc38e6ba5..9adabf94aae8 100644
--- a/resources/ory/values.yaml
+++ b/resources/ory/values.yaml
@@ -85,34 +85,39 @@ oathkeeper:
 enabled: true
 anonymous:
 enabled: true
- subject: anonymous
+ config:
+ subject: anonymous
 cookie_session:
 enabled: false
- # REQUIRED IF ENABLED - The session store to forward request method/path/headers to for validation
- check_session_url: https://session-store-host
- # Optionally set a list of cookie names to look for in incoming requests.
- # If unset, all requests are forwarded.
- # If set, only requests that have at least one of the set cookies will be forwarded, others will be passed to the next authenticator
- only:
- - sessionid
+ config:
+ # REQUIRED IF ENABLED - The session store to forward request method/path/headers to for validation
+ check_session_url: https://session-store-host
+ # Optionally set a list of cookie names to look for in incoming requests.
+ # If unset, all requests are forwarded.
+ # If set, only requests that have at least one of the set cookies will be forwarded, others will be passed to the next authenticator
+ only:
+ - sessionid
 oauth2_client_credentials:
 enabled: true
- # REQUIRED IF ENABLED - The OAuth 2.0 Token Endpoint that will be used to validate the client credentials.
- token_url: http://ory-hydra-public.kyma-system.svc.cluster.local:4444/oauth2/token
+ config:
+ # REQUIRED IF ENABLED - The OAuth 2.0 Token Endpoint that will be used to validate the client credentials.
+ token_url: http://ory-hydra-public.kyma-system.svc.cluster.local:4444/oauth2/token
 oauth2_introspection:
 # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
 enabled: true
- # REQUIRED IF ENABLED - The OAuth 2.0 Token Introspection endpoint.
- introspection_url: http://ory-hydra-admin.kyma-system.svc.cluster.local:4445/oauth2/introspect
- # Sets the strategy to be used to validate/match the token scope. Supports "hierarchic", "exact", "wildcard", "none". Defaults
- # to "none".
- scope_strategy: exact
+ config:
+ # REQUIRED IF ENABLED - The OAuth 2.0 Token Introspection endpoint.
+ introspection_url: http://ory-hydra-admin.kyma-system.svc.cluster.local:4445/oauth2/introspect
+ # Sets the strategy to be used to validate/match the token scope. Supports "hierarchic", "exact", "wildcard", "none". Defaults
+ # to "none".
+ scope_strategy: exact
 # Enable the "jwt" section to allow for jwt authenticator configured for local Dex Id Tokens.
 jwt:
 enabled: true
- jwks_urls:
+ config:
+ jwks_urls:
 - http://dex-service.kyma-system.svc.cluster.local:5556/keys
- scope_strategy: wildcard
+ scope_strategy: wildcard
 authorizers:
 allow:
 enabled: true
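Review bot: The `- http://dex-service.kyma-system.svc.cluster.local:5556/keys` sequence item is kept as an unchanged context line while its parent key `jwks_urls:` moves one level deeper under the new `config:` mapping; unless that item was already indented past the old `jwks_urls:` column, it now sits shallower than its key and the rendered config will not parse. The collapsed diff hides the indentation, so this needs checking against the real file rather than the patch. I would re-indent the item together with the key (`jwks_urls:` / `  - http://dex-service.kyma-system.svc.cluster.local:5556/keys`) so the list visibly follows its parent and the change is self-evident in the diff.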
@@ -123,21 +128,32 @@ oathkeeper:
 enabled: true
 id_token:
 enabled: true
- # REQUIRED IF ENABLED - Sets the "iss" value of the ID Token.
- issuer_url: https://oathkeeper.{{ .Values.global.ingress.domainName }}/
- # REQUIRED IF ENABLED - Sets the URL where keys should be fetched from. Supports remote locations (http, https) as
- # well as local filesystem paths.
- # jwks_url: https://fetch-keys/from/this/location.json
- # jwks_url: file:///from/this/absolute/location.json
- # jwks_url: file://../from/this/relative/location.json
- # Sets the time-to-live of the ID token. Defaults to one minute. Valid time units are: s (second), m (minute), h (hour).
- ttl: 60s
+ config:
+ # REQUIRED IF ENABLED - Sets the "iss" value of the ID Token.
+ issuer_url: https://oathkeeper.{{ .Values.global.ingress.domainName }}/
+ # REQUIRED IF ENABLED - Sets the URL where keys should be fetched from. Supports remote locations (http, https) as
+ # well as local filesystem paths.
+ jwks_url: "file:///etc/secrets/mutator.id_token.jwks.json"
+ # jwks_url: https://fetch-keys/from/this/location.json
+ # jwks_url: file:///from/this/absolute/location.json
+ # jwks_url: file://../from/this/relative/location.json
+ # Sets the time-to-live of the ID token. Defaults to one minute. Valid time units are: s (second), m (minute), h (hour).
+ ttl: 60s
 header:
 enabled: true
+ config:
+ headers:
+ X-Server: oathkeeper
 cookie:
 enabled: true
+ config:
+ cookies:
+ processedWith: oathkeeper
 hydrator:
 enabled: true
+ config:
+ api:
+ url: https://example.com
 serve:
 proxy:
 port: 4455
@@ -152,7 +168,7 @@ oathkeeper:
 cpu: 50m
 memory: 64Mi
 image:
- tag: v0.18.0-beta.1
+ tag: v0.32.1
 oathkeeper-maester:
 deployment:
 annotations:
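Review bot: `hydrator` stays `enabled: true` but now ships with `api.url: https://example.com`, a placeholder outside the cluster; if any access rule selects this hydrator, Oathkeeper would post the authenticated session to a third-party host, so either default it to `enabled: false` or mark the value as one that must be overridden, e.g. `# REQUIRED IF ENABLED - placeholder, must be overridden before any rule uses the hydrator`. The new `jwks_url: "file:///etc/secrets/mutator.id_token.jwks.json"` is unconditional here, while the deployment template only exports the matching `MUTATORS_ID_TOKEN_CONFIG_JWKS_URL` inside `{{- if .Values.oathkeeper.mutatorIdTokenJWKs }}`; with `id_token` enabled and that flag unset, the mutator points at a file whose mount is not visible in this diff, so confirm the secret is always mounted or gate the value the same way. Since the env var and the config value are now the same constant, one of the two is redundant and the env override could be dropped.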