feat: Add external access rules hack tests

ory · May 23, 2024 · 3e254c9 · 3e254c9
1 parent 439ae08
commit 3e254c9
Show file tree

Hide file tree

Showing 3 changed files with 201 additions and 1 deletion.
diff --git a/hacks/manifests/oathkeeper-external-accessrules.yaml b/hacks/manifests/oathkeeper-external-accessrules.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  # The name comes from oathkeeper's subchart.
+  name: {{ include "oathkeeper.fullname" . }}-rules
+data:
+  access-rules.json: |-
+    [
+      {
+        "id": "rule-foobar",
+        "upstream": {
+          "url": "https://httpbin.org/anything"
+        },
+        "match": {
+          "url": "http://<[^/]+>/authenticator/noop/authorizer/allow/mutator/noop",
+          "methods": [
+            "GET",
+            "POST",
+            "PUT",
+            "DELETE",
+            "PATCH"
+          ]
+        },
+        "authenticators": [
+          {
+            "handler": "noop"
+          }
+        ],
+        "authorizer": {
+          "handler": "allow"
+        },
+        "mutators": [{
+          "handler": "noop"
+        }]
+      }
+    ]
diff --git a/hacks/values/oathkeeper-external-accessrules.yaml b/hacks/values/oathkeeper-external-accessrules.yaml
@@ -0,0 +1,165 @@
+---
+demo: false
+maester:
+  enabled: false
+#
+#service:
+#  proxy:
+#    type: NodePort
+#  api:
+#    type: NodePort
+#
+
+image:
+  initContainer:
+    repository: docker.io/library/busybox
+    tag: 1.36
+
+ingress:
+  proxy:
+    enabled: true
+    defaultBackend:
+      service:
+        name: myservice
+        port:
+          number: 80
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      kubernetes.io/tls-acme: "true"
+  api:
+    enabled: true
+priorityClassName: "system-cluster-critical"
+
+pdb:
+  enabled: true
+  spec:
+    maxUnavailable: 25%
+
+deployment:
+  extraInitContainers: |
+    - name: "hello-world"
+      image: "alpine:latest"
+      command: ["/bin/sh"]
+      args: ["-c", "echo hello, world!"]
+  extraContainers: |
+    - name: "sidecar"
+      image: "alpine:latest"
+      command: ["/bin/sh"]
+      args: ["-c", "sleep infinity"]
+  podMetadata:
+    labels:
+      ory.sh/pod_label: oathkeeper
+    annotations:
+      ory.sh/pod_annotation: oathkeeper
+  autoscaling:
+    enabled: true
+    targetCPU:
+      type: Utilization
+      averageUtilization: 80
+    targetMemory:
+      type: Utilization
+      averageUtilization: 80
+    behavior:
+      scaleDown:
+        stabilizationWindowSeconds: 60
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+oathkeeper:
+  managedAccessRules: false
+  accessRules: |
+    [
+      {
+        "id": "rule-foobar",
+        "upstream": {
+          "url": "https://httpbin.org/anything"
+        },
+        "match": {
+          "url": "http://<[^/]+>/authenticator/noop/authorizer/allow/mutator/noop",
+          "methods": [
+            "GET",
+            "POST",
+            "PUT",
+            "DELETE",
+            "PATCH"
+          ]
+        },
+        "authenticators": [
+          {
+            "handler": "noop"
+          }
+        ],
+        "authorizer": {
+          "handler": "allow"
+        },
+        "mutators": [{
+          "handler": "noop"
+        }]
+      }
+    ]
+  mutatorIdTokenJWKs: |
+    {
+      "keys": [
+        {
+          "use": "sig",
+          "kty": "RSA",
+          "kid": "67bf0153-a6dc-4f06-9ce4-2f203b79adc8",
+          "alg": "RS256",
+          "n": "z59MFx8ntDR5j_XhETXVJ-e2lYHOJx9jMouhAwqTMQXg07BiHLcLzIGjhPIhQTKdO4BpAbu84Ceg3W-fVmK8-yrnPch-4cgi6UktIxL--iV4yj1p5FSInbBBm1oFJcmn8jqf0picWwRlDUv92cJKblDE1ZdGjO6HqOvGZAZFr-w4xT_jBsQRBCLspZ0_mWDHWsrjFcvZ3AgmERm5kwmJ-YSSeU-v08twcwVkA9UdAgeHgw5Z9vascy1tsrokvsI7Qktk867SL-BJZJ4FWn8lAJCdxOMFGdXyGthr2d9kZqzNBc0Isoay1NtM0K0gt_27jZc456w9-enkEMIu9bM4HYiX3T9i6N2LjnNj2hdARg9WODFj01LCOb240_boXO_iHQU69SCKi6tvQNUw7lf7TapD1Dsz4OZ0tsbAVY5HKRZH-CIo6cseVaaloFI7PYPnRW3gXyOUxfQCIWpg8v6TPNPrNIbwH-gXiUd6-Mngj-MX-CWenuin-Y_-KYYOS880vlOfBGUVTSkpPBnHW4-a2DZLcjyxv2uUsKksFmDqPEQVrugXZQQ6mUGHQNXxOWqJ211kf6SNo0pv9mcLAo07rkPy3Ujqq96C3G_l74c2t2gfXYCv0vYvHQ5E726gf-7H3YK5NO0jH_0EvCMVD25L7eXVuITxaZdxpn3InrK_i2s",
+          "e": "AQAB",
+          "d": "ZygstChEn-Kaq45tHxHyMHuOWkY-WW3c6ZY6j7pHW8oh5Mv0U3QXJqsaxclQAIbXXGL2yWev9md6I8t8DX3Ni7XLYwUlFaVMw0AabxzXFw5bL5DH9iySHFcgocFeYWIKUe4Szp4IwagzVSH2pKVGOf1jbwRUh11UhfdvgO8k3L2vj0Go2Qm9sqJvlfHFUb2mD1RS89dvDUX3M_PmIkpRBWp7JE8Ve1PPMTbydH0EhqebCuCsjmoNUMS3hl-6NhVnQA8Zv4GS6Tq0_IsO-eHGTruLx_FL7YRBYFk7bOrzhZhB3an7skf-voefaOc8JG6rKzSBj4oi2PL-39y7XFSJgi1Ss9NHZsdUQvQUD6nsaXM0epouPCakekYo_jAR-v_of4UBNpodR5nMvXMxXheXg2uz-UiWAzZ9lC1fX0C9IN9XSV99ep_DimqfjYY3ikkhwgUa8UCizL5Tln67HC7hY1ucpfxGZ8D5m_eCtg8fIx8TgCSxbYce2bYIc0jdcGcuEQPoNZbSJgEgNxrNX653MzxGtnLaXafF1uyaszN4FjFX8ToEOOSrKC1fLZSSifMMKv4yNP7BeNL_op1TkMAYa1CTrxgFeUL3ckBmF3sV8guAEDM3aiYX77NZAXk_lX3vxk4BUYQayJxEwH8oyDFB-ZOnEJheuIdUUZZOzRwPfSE",
+          "p": "1miNrKrNkJbyLkh5nZfSi7GtzmyOOGm0oCcpe3jh4zJnBNU34kOV5fCsK1ekEBEV0oEdCp4dqGVnWYoa7Kw9o04aeebSHMtBOZoVnQOIe8usm2xiD_y11uepRmGb1UNT_52PrCwFMsqtuupEJIJtKUFINq0KGtrnfM6UeA7cqVhZ8EDPNjL4c9iJ2JOzPa4jqPmyWe2Ypp_lMyG56yxZemUxZiX9sXqC89F1m0DNQ6Ny-VhWOYlkrTNT5kO17mgpru5yLmfklZhMSBOaKg7qdEmJB8HTlgMl40ulEnjRNLxoFNPboEwkXunFo6MMjEI35rcMDnr-LrIwZ06ia6fiEw",
+          "q": "9-W-4eUTjwjgUfICak-Zxftyo21WdIRh35Ncg9SnvNQx3LrfCgMVGcGB375kbBEwiZIW9Zg7nsllkvPelT5DGxwjYuzOMZH5SQmnX9AhVQ9a0O-fVZIj0pHaod600A0c2gbXtsVkuakmMnZXExxcYjRoU0_4RMfL7IUH8EIf8Safdn6KObA-cvFwfVN2iiFl897lmFK3MRvc8Ul2ZyfV-jZPvFyF5i1ATDy2dcNBavOxsUoSrHytRmPyi6x5S2bq-9PhpeHx4JU8ZVSjUEAt7QKhK86mMaDjwSmWchjhbJhHlIxO9VmUXdTMC0yH2_ebMLk4sUZwZKszpkyshQIcSQ",
+          "dp": "hJSATq4LkQYV2VLNiQqRkfobvJJZ2z5aB9JPj18vZvsKwu1JsisSrO4GuIJoG9tEwDdAiwk8051oq_B_N6xGLQ4lxw1ZDZ8NxR2nkcDWi55lLHJ3rOUaWDpF7RR8dQI-FckLR26tBDxZ80PbQSw5bhJFIjIcFoEYNY_UNO0Tu8-7RZn9x8j64z-Z9YdXhaOBv4Ivq_YEt7wV0WlgerCg39NlGYISfsV_5l62N3t5sgKHHPJn1wpDa-paTf--px5X8CjYCCQMMAjN2p_sa2dvyNqT1m0fdhqaOhPTjjmRO-fpAEAFBfkvYFVz9fzjzHNB9_NmjCm3tY5P6gGw45sbaw",
+          "dq": "cSuadAgfYLo9pktknOIQIplDYaaFxJW3FNlyb-DCXutEhC9vqWN025hC0UFbGRbT4Mon3yELftcUnvzkTZ_qBNNYuE3BaFHqy1Qz7ALZZLqozB_Izsjzv6rEdAd25lBGLqbXDeKZtESrYngyElBtQIwKYJZukf_gce7di-q0KGRogjEMq39xUwo0P5K92BudLrNAf8SrSykcOa8-9aLzBdKLnkNjAY0BAIzrA2ILWGc-ZOCbG9GjTTJNxUQM78ZhWmwFZLR8tvmKY_w6vmU-UihUKeqiZp-7ujBhNV90ch4m94MCfPHTUO7X5AShNWOZnqnAXvX4U4zw_Geeju5CuQ",
+          "qi": "OdvyakUl-NZ2PZHi5N_vDTdC4Ad4LI6JP4InVW-33kGySQom264eZ-nwBFVlZeCx2qgFE0iuRtS1plmZdEMP_cc8kW-PDtTDg3i_8rWutkmX13FThHXpT9M3iTU8qxeizRuvXaHIayplgZT6W8iIl4JWp1lWfLK85jTmsuX2mF-I0E56VOGOy7xlBEnyrrskXgyiOcjFgNy2UTaCNvfUrLxhiWAU-ZoqyEaj4t5bYdcu_xkuwDvdHea9RgHOMve9UoSPsSIAoev1HeTdIrWLOyUEenGqhUAkneRqTDuXkzUYFreV63nhqiHU3WUGKBbJ-4Dgl7kl0FxH7w98WuKscg"
+        }
+      ]
+    }
+  config:
+    mutators:
+      noop:
+        enabled: true
+    authorizers:
+      allow:
+        enabled: true
+      deny:
+        enabled: true
+    authenticators:
+      noop:
+        enabled: true
+
+secret:
+  enabled: true
+
+service:
+  metrics:
+    labels:
+      app.kubernetes.io/element: "metrics"
+      release: "metrics"
+      app: oathkeeper
+
+serviceMonitor:
+  labels:
+    release: "prometheus"
+  tlsConfig:
+    insecureSkipVerify: true
+  relabelings:
+    - action: labeldrop
+      regex: request
+  metricRelabelings:
+    - action: labeldrop
+      regex: request
+  targetLabels:
+    - app
+
+test:
+  labels:
+    test-org: ory
+    test-product: oathkeeper
+    test-service: authorizer
+  busybox:
+    repository: docker.io/library/busybox
+    tag: 1.36
diff --git a/hacks/values/oathkeeper.yaml b/hacks/values/oathkeeper.yaml
@@ -68,7 +68,6 @@ deployment:
       maxSurge: 25%
       maxUnavailable: 25%
 oathkeeper:
-  managedAccessRules: false
   accessRules: |
     [
       {