BREAKING CHANGES: This patch changes the default value of `managedAccessRules` to `false`. If the user would like to manage the rules with the helm chart, `maester.enabled` should be set to `false` and `managedAccessRules` should be set to `true`.
Related Issue or Design Document
Fixes #512
Checklist
If this pull request addresses a security vulnerability,
I confirm that I got approval (please contact [email protected]) from the maintainers to push the changes.
Further comments
Tested with the following configurations:
1- The user would like to manage rules manually. In this configuration the rules configmap and the initContainer to fix the permissions are not added to the deployment. rules volume is an emptydir:
2- The rules are managed by the helm chart `oathkeeper.accessRules` value. Rules configmap is created but the initContainer is not added to the deployment.
3- The rules are managed by the maester. Rules configmap is created by the maester chart and the volume name in the oathkeeper deployment is aligned with the maester chart. initContainer is not added to the deployment.
4- Invalid configuration so the helm chart rendering fails with an error message.
I believe the first configuration (where the chart creates an emptydir volume) should be replaced with a configuration where the chart gets an existing configmap name and uses that instead.