diff --git a/hacks/values/oathkeeper.yaml b/hacks/values/oathkeeper.yaml index ce69d72dc2..d45e450a48 100644 --- a/hacks/values/oathkeeper.yaml +++ b/hacks/values/oathkeeper.yaml @@ -68,6 +68,7 @@ deployment: maxSurge: 25% maxUnavailable: 25% oathkeeper: + managedAccessRules: true accessRules: | [ { diff --git a/helm/charts/oathkeeper/templates/_helpers.tpl b/helm/charts/oathkeeper/templates/_helpers.tpl index 3952f2c394..f0fd9f5423 100644 --- a/helm/charts/oathkeeper/templates/_helpers.tpl +++ b/helm/charts/oathkeeper/templates/_helpers.tpl @@ -24,6 +24,21 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} + +{{/* +Create a config map name for rules. +If maester is enabled, use the child chart named template to get the value. +*/}} +{{- define "oathkeeper.rulesConfigMapName" -}} +{{- if .Values.maester.enabled -}} +{{- $childChart := (dict "Name" "oathkeeper-maester") -}} +{{- include "oathkeeper-maester.getCM" (dict "Values" (index .Values "oathkeeper-maester") "Release" $.Release "Chart" $childChart) }} +{{- else -}} +{{ include "oathkeeper.fullname" . }}-rules +{{- end -}} +{{- end -}} + + {{/* Create a secret name which can be overridden. */}} @@ -86,9 +101,11 @@ Checksum annotations generated from configmaps and secrets {{- if .Values.configmap.hashSumEnabled }} {{- $oathkeeperConfigMapFile := ternary "/configmap-config-demo.yaml" "/configmap-config.yaml" (.Values.demo) }} checksum/oathkeeper-config: {{ include (print $.Template.BasePath $oathkeeperConfigMapFile) . | sha256sum }} +{{- if .Values.oathkeeper.managedAccessRules }} checksum/oathkeeper-rules: {{ include (print $.Template.BasePath "/configmap-rules.yaml") . | sha256sum }} {{- end }} +{{- end }} {{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }} checksum/oauthkeeper-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} 
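Review bot: The new `oathkeeper.rulesConfigMapName` helper in `_helpers.tpl` renders the subchart's `oathkeeper-maester.getCM` with a hand-built context that carries only `Values`, `Release` and a `Chart` dict with a hard-coded `Name`, and the header comment does not mention this coupling. If `getCM` reads any other key, or the `oathkeeper-maester` values block is absent, the name mounted by the Deployment could drift from the ConfigMap maester actually writes, and that ConfigMap holds the access rules. `getCM` is not visible in this diff, so this is something to document rather than a confirmed bug. I would extend the header comment with `Must stay in sync with oathkeeper-maester.getCM, which is rendered here with a synthetic context (Values, Release, Chart.Name only).`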
diff --git a/helm/charts/oathkeeper/templates/configmap-rules.yaml b/helm/charts/oathkeeper/templates/configmap-rules.yaml
index 4c46ad7663..c1e7b1f9af 100644
--- a/helm/charts/oathkeeper/templates/configmap-rules.yaml
+++ b/helm/charts/oathkeeper/templates/configmap-rules.yaml
@@ -1,4 +1,7 @@
 {{- if .Values.oathkeeper.managedAccessRules }}
+{{- if .Values.maester.enabled -}}
+{{- fail "Both `managedAccessRules` and `maester.enabled` cannot be set to true at the same time" }}
+{{- end -}}
 ---
 apiVersion: v1
 kind: ConfigMap
diff --git a/helm/charts/oathkeeper/templates/deployment-controller.yaml b/helm/charts/oathkeeper/templates/deployment-controller.yaml
index 770f20ed2c..3bcb11d8f0 100644
--- a/helm/charts/oathkeeper/templates/deployment-controller.yaml
+++ b/helm/charts/oathkeeper/templates/deployment-controller.yaml
@@ -62,9 +62,9 @@ spec:
 name: {{ include "oathkeeper.fullname" . }}-config
 {{- end }}
 - name: {{ include "oathkeeper.name" . }}-rules-volume
- {{- if .Values.oathkeeper.managedAccessRules }}
+ {{- if or .Values.oathkeeper.managedAccessRules .Values.maester.enabled }}
 configMap:
- name: {{ include "oathkeeper.fullname" . }}-rules
+ name: {{ include "oathkeeper.rulesConfigMapName" . }}
 {{- else }}
 emptyDir: {}
 {{- end }}
@@ -76,7 +76,7 @@ spec:
 serviceAccountName: {{ include "oathkeeper.serviceAccountName" . }}
 automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
 initContainers:
- {{- if (not .Values.oathkeeper.managedAccessRules) }}
+ {{- if and (not .Values.oathkeeper.managedAccessRules) (not .Values.maester.enabled) }}
 - name: init
 image: "{{ .Values.image.initContainer.repository }}:{{ .Values.image.initContainer.tag }}"
 volumeMounts:
diff --git a/helm/charts/oathkeeper/values.yaml b/helm/charts/oathkeeper/values.yaml
index e99fe8266d..ec1c1d71b0 100644
--- a/helm/charts/oathkeeper/values.yaml
+++ b/helm/charts/oathkeeper/values.yaml
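Review bot: The `fail` message added in `configmap-rules.yaml` names `managedAccessRules` without its parent key, while the value an operator has to change is `oathkeeper.managedAccessRules`. Spelling out both full paths makes the render error directly actionable, for example `{{- fail "oathkeeper.managedAccessRules and maester.enabled cannot both be true" }}`. Failing the render is the right fail-closed choice here, since it refuses a configuration in which the source of the access rules would be ambiguous.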
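Review bot: In the first `deployment-controller.yaml` hunk the rules volume now mounts a ConfigMap by name when `maester.enabled` is true, yet this chart renders `configmap-rules.yaml` only under `oathkeeper.managedAccessRules`, so in the maester case the ConfigMap has to be created by something else, presumably the controller. No `optional` field is visible on the volume, so the pod cannot start until that ConfigMap exists. That is fail-closed and therefore the safer direction for an access-rule source, but it deserves a comment on the volume such as `# created by oathkeeper-maester, not by this chart; the pod waits until it exists`. Because this ConfigMap is now the proxy's authorization policy, write access to it should be limited to the maester service account. The init-container condition in the second hunk is the matching negation and looks consistent; the volume list and pod spec continue outside both hunks.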
@@ -378,7 +378,7 @@ affinity: {} ## -- Configures controller setup maester: - enabled: true + enabled: false ## -- PodDistributionBudget configuration pdb:
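Review bot: Flipping the `maester.enabled` default from `true` to `false` changes behaviour for every existing release that never set the value. On upgrade the maester controller is presumably no longer deployed, and the rules volume switches to the chart-managed ConfigMap or the `emptyDir` path. Rule resources that were being reconciled into access rules would then stop taking effect with no error at render time. The comment above the key is the place to say so, for example `## -- Configures controller setup. Mutually exclusive with oathkeeper.managedAccessRules; default is now false, set to true to keep maester-managed rules`, and the change merits an upgrade note. The `maester:` block continues outside the hunk.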