diff --git a/k8s/eventrunner-api/base/ingress.yaml b/k8s/eventrunner-api/base/ingress.yaml
index 5a2c740..4afba29 100644
--- a/k8s/eventrunner-api/base/ingress.yaml
+++ b/k8s/eventrunner-api/base/ingress.yaml
@@ -7,8 +7,9 @@ metadata:
 cert-manager.io/cluster-issuer: threadr-issuer
 nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/judge"
 nginx.ingress.kubernetes.io/auth-response-headers: "X-User,X-Tenant-ID,X-Request-Id"
- nginx.ingress.kubernetes.io/ssl-redirect: "true"
 nginx.ingress.kubernetes.io/auth-preserve-uri: "true"
+ nginx.ingress.kubernetes.io/auth-always-set-cookie: "true"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
 spec:
 ingressClassName: nginx
 tls:
diff --git a/k8s/jwks-server/base/jwks-server-configmaps.yaml b/k8s/jwks-server/base/jwks-server-configmaps.yaml
index 5b42ac0..165d442 100644
--- a/k8s/jwks-server/base/jwks-server-configmaps.yaml
+++ b/k8s/jwks-server/base/jwks-server-configmaps.yaml
@@ -7,13 +7,37 @@ data:
 rules.json: |
 [
 {
- "id": "auth-rule",
+ "id": "oathkeeper-health",
+ "upstream": {
+ "preserve_host": true,
+ "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455"
+ },
+ "match": {
+ "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455/health/alive",
+ "methods": ["GET"]
+ },
+ "authenticators": [
+ {
+ "handler": "noop"
+ }
+ ],
+ "authorizer": {
+ "handler": "allow"
+ },
+ "mutators": [
+ {
+ "handler": "noop"
+ }
+ ]
+ },
+ {
+ "id": "judge-endpoint",
 "upstream": {
 "preserve_host": true,
 "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200"
 },
 "match": {
- "url": ".*",
+ "url": "http://oathkeeper-proxy.default.svc.cluster.local/judge",
 "methods": ["GET"]
 },
 "authenticators": [
@@ -22,7 +46,7 @@ data:
 "config": {
 "jwks_urls": ["http://jwks-server.eventrunner.svc.cluster.local/jwks.json"],
 "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"],
- "required": false
+ "target_audience": ["eventrunner"]
 }
 }
 ],
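Review bot: The added `nginx.ingress.kubernetes.io/auth-always-set-cookie: "true"` annotation in k8s/eventrunner-api/base/ingress.yaml carries no stated reason, and it widens what the auth subrequest can hand to clients: ingress-nginx then forwards the auth response's Set-Cookie on every status instead of only on success and redirect codes. The authenticator visible in this commit validates a JWT, so the diff does not show which cookie this is meant to carry. I would add a comment above the annotation, for example `# forward Set-Cookie from the /judge auth response on all statuses; needed for <reason>`, or drop the annotation if nothing depends on it. The annotations block starts above the hunk.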
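Review bot: In the first hunk of k8s/jwks-server/base/jwks-server-configmaps.yaml the new `judge-endpoint` rule matches `http://oathkeeper-proxy.default.svc.cluster.local/judge` without a port, while the ingress `auth-url` and the `oathkeeper-health` rule in the same hunk both use `:4455`. Oathkeeper compares `match.url` with the full request URL, so if the Host it sees includes the port this rule would never match and auth subrequests would likely be refused. Confirm against a live request and make the three URLs agree, e.g. `"url": "http://oathkeeper-proxy.default.svc.cluster.local:4455/judge",`. Separately, `oathkeeper-health` uses `noop`/`allow` and points its upstream at the proxy's own address on the port it matches, which looks like it forwards the request back into the same rule; please check that this is intended. The `judge-endpoint` rule continues below the hunk.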
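Review bot: With `target_audience` now enforced in the second hunk of jwks-server-configmaps.yaml, the remaining weak point in this JWT authenticator is the `jwks_urls` entry, which fetches the verification keys over plain `http://` from an in-cluster service. Whatever answers at that address decides which signatures are accepted for the `trusted_issuers` value, so that trust assumption should be written down. I would record it in a YAML comment above `rules.json` (the JSON body cannot carry one) and consider serving the JWKS over TLS or restricting which workloads can reach and replace that service. The authenticator entry opens above the hunk, so its `handler` and any algorithm restriction are not visible here.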