sync

carverauto · Oct 29, 2024 · af269bf · af269bf
1 parent 86f2c83
commit af269bf
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 19 deletions.
diff --git a/go.work.sum b/go.work.sum
@@ -779,6 +779,7 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.
 google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f/go.mod h1:CLGoBuH1VHxAUXVPP8FfPwPEVJB6lz3URE5mY2SuayE=
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20241007155032-5fefd90f89a9 h1:+d6UwW1ElERBQ1pMjX1fJHEQIsACGO6EBeaiwKJgbrs=
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:T8O3fECQbif8cez15vxAcjbwXxvL2xbnvbQ7ZfiMAMs=
+google.golang.org/genproto/googleapis/bytestream v0.0.0-20241015192408-796eee8c2d53 h1:mVZqGNBNN8C63iGnWgHZSGbT/vG7voylnp4atysmReg=
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20241015192408-796eee8c2d53/go.mod h1:T8O3fECQbif8cez15vxAcjbwXxvL2xbnvbQ7ZfiMAMs=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=

diff --git a/k8s/auth-server/base/auth-server-configmaps.yaml b/k8s/auth-server/base/auth-server-configmaps.yaml
@@ -7,20 +7,37 @@ data:
   rules.json: |
     [
       {
-        "id": "health-check",
+        "id": "k8s-health",
         "match": {
-          "url": "<.*>",
-          "methods": ["GET"],
-          "headers": {
-            "X-Original-Uri": ["^/\\.well-known/health$"]
+          "url": "<^/health/(ready|alive|live)$>",
+          "methods": ["GET"]
+        },
+        "authenticators": [
+          {
+            "handler": "noop"
+          }
+        ],
+        "authorizer": {
+          "handler": "allow"
+        },
+        "mutators": [
+          {
+            "handler": "noop"
           }
+        ],
+        "upstream": {
+          "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455"
+        }
+      },
+      {
+        "id": "wellknown-endpoints",
+        "match": {
+          "url": "<^/decisions/.well-known/(alive|health)>",
+          "methods": ["GET"]
         },
         "authenticators": [
           {
-            "handler": "anonymous",
-            "config": {
-              "subject": "health-check"
-            }
+            "handler": "noop"
           }
         ],
         "authorizer": {
@@ -32,7 +49,7 @@ data:
           }
         ],
         "upstream": {
-          "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200",
+          "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200/.well-known/alive",
           "preserve_host": true
         }
       }

diff --git a/k8s/eventrunner-api/base/ingress.yaml b/k8s/eventrunner-api/base/ingress.yaml
@@ -4,24 +4,21 @@ metadata:
   name: eventrunner-api
   namespace: eventrunner
   annotations:
-    nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/authenticate"
-    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization,X-User,X-Tenant-ID"
+    nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/decisions$request_uri"
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization"
     nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header Host $http_host;
       proxy_set_header X-Original-URI $request_uri;
-      proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
       proxy_set_header X-Original-Method $request_method;
-      proxy_set_header Host $http_host;
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      add_header X-Debug-Original-URI $request_uri;
-      add_header X-Debug-Original-URL $scheme://$http_host$request_uri;
-      add_header X-Debug-Auth-URL $http_auth_request_uri;
+      proxy_set_header Content-Length "";
 spec:
   ingressClassName: nginx
   rules:
     - host: api.tunnel.threadr.ai
       http:
         paths:
-          - path: /
+          - path: /.well-known
             pathType: Prefix
             backend:
               service:

diff --git a/k8s/ory/oathkeeper/oathkeeper-values.yaml b/k8s/ory/oathkeeper/oathkeeper-values.yaml
@@ -34,12 +34,25 @@ oathkeeper:
     authenticators:
       anonymous:
         enabled: true
+        config:
+          subject: "guest"
       noop:
         enabled: true
 
     authorizers:
       allow:
         enabled: true
+      deny:
+        enabled: true
+
+    errors:
+      fallback:
+        - json
+      handlers:
+        json:
+          enabled: true
+          config:
+            verbose: true
 
     mutators:
       noop: