Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix!: use maester rules by default #687

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix!: use maester rules by default #687

wants to merge 1 commit into from

Conversation

kenankule
Copy link

@kenankule kenankule commented May 23, 2024
edited

BREAKING CHANGES: This patch changes the default value managedAccessRules to false. If the user would like to manage the rules with the helm chart, maester.enabled should be set to false and managedAccessRules should be set to true

Related Issue or Design Document

Fixes #512

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability.
    If this pull request addresses a security vulnerability,
    I confirm that I got approval (please contact [email protected]) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added the necessary documentation within the code base (if appropriate).

Further comments

Tested with the following configurations:

1- The user would like to manage rules manually. In this configuration the rules configmap and the initContainer to fix the permissions are not added to the deployment. rules volume is an emptydir:

oathkeeper:
  managedAccessRules: false
maester:
  enabled: false

2- The rules are managed by the helm chart oathkeeper.accessRules value. Rules configmap is created but the initContainer is not added to the deployment.

oathkeeper:
  managedAccessRules: true
maester:
  enabled: false

3- The rules are managed by the maester. Rules configmap is created by the maester chart and the volume name in the oathkeeper deployment is aligned with the maester chart. initContainer is not added to the deployment.

oathkeeper:
  managedAccessRules: false
maester:
  enabled: true

4- Invalid configuration so the helm chart rendering fails with an error message.

oathkeeper:
  managedAccessRules: true
maester:
  enabled: true

I believe the first configuration (where the chart creates an emptydir volume) should be replaced with a configuration where the chart gets an existing configmap name and uses that instead.

@CLAassistant
Copy link

CLAassistant commented May 23, 2024
edited

CLA assistant check
All committers have signed the CLA.

@kenankule
fix!: use maester rules by default
9fab8cc 
- Disable managedAccessRules by default. Currently both maester and
  managedAccessRules are enabled and these two settings are contradicting with
each other.

- Fail if both managedAccessRules and maester are enabled.

- Align rules configmap name with the maester if the maester is enabled.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Demonsthere Demonsthere Awaiting requested review from Demonsthere Demonsthere is a code owner

@piotrmsc piotrmsc Awaiting requested review from piotrmsc piotrmsc is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Configmap Names for AccessRules are misaligned between oathkeeper and oathkeeper-maester
2 participants
@kenankule @CLAassistant