From af269bfb9b78b402a9b10f229ba2af8d1972bd2e Mon Sep 17 00:00:00 2001
From: mfreeman451
Date: Tue, 29 Oct 2024 10:03:12 -0500
Subject: [PATCH] sync
---
 go.work.sum | 1 +
 .../base/auth-server-configmaps.yaml | 37 ++++++++++++++-----
 k8s/eventrunner-api/base/ingress.yaml | 15 +++-----
 k8s/ory/oathkeeper/oathkeeper-values.yaml | 13 +++++++
 4 files changed, 47 insertions(+), 19 deletions(-)
diff --git a/go.work.sum b/go.work.sum
index 5715ec8..55c5587 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -779,6 +779,7 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.
 google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f/go.mod h1:CLGoBuH1VHxAUXVPP8FfPwPEVJB6lz3URE5mY2SuayE=
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20241007155032-5fefd90f89a9 h1:+d6UwW1ElERBQ1pMjX1fJHEQIsACGO6EBeaiwKJgbrs=
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:T8O3fECQbif8cez15vxAcjbwXxvL2xbnvbQ7ZfiMAMs=
+google.golang.org/genproto/googleapis/bytestream v0.0.0-20241015192408-796eee8c2d53 h1:mVZqGNBNN8C63iGnWgHZSGbT/vG7voylnp4atysmReg=
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20241015192408-796eee8c2d53/go.mod h1:T8O3fECQbif8cez15vxAcjbwXxvL2xbnvbQ7ZfiMAMs=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
diff --git a/k8s/auth-server/base/auth-server-configmaps.yaml b/k8s/auth-server/base/auth-server-configmaps.yaml
index d37c042..1179b43 100644
--- a/k8s/auth-server/base/auth-server-configmaps.yaml
+++ b/k8s/auth-server/base/auth-server-configmaps.yaml
@@ -7,20 +7,37 @@ data:
 rules.json: |
 [
 {
- "id": "health-check",
+ "id": "k8s-health",
 "match": {
- "url": "<.*>",
- "methods": ["GET"],
- "headers": {
- "X-Original-Uri": ["^/\\.well-known/health$"]
+ "url": "<^/health/(ready|alive|live)$>",
+ "methods": ["GET"]
+ },
+ "authenticators": [
+ {
+ "handler": "noop"
+ }
+ ],
+ "authorizer": {
+ "handler": "allow"
+ },
+ "mutators": [
+ {
+ "handler": "noop"
 }
+ ],
+ "upstream": {
+ "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455"
+ }
+ },
+ {
+ "id": "wellknown-endpoints",
+ "match": {
+ "url": "<^/decisions/.well-known/(alive|health)>",
+ "methods": ["GET"]
 },
 "authenticators": [
 {
- "handler": "anonymous",
- "config": {
- "subject": "health-check"
- }
+ "handler": "noop"
 }
 ],
 "authorizer": {
@@ -32,7 +49,7 @@ data:
 }
 ],
 "upstream": {
- "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200",
+ "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200/.well-known/alive",
 "preserve_host": true
 }
 }
diff --git a/k8s/eventrunner-api/base/ingress.yaml b/k8s/eventrunner-api/base/ingress.yaml
index 1c06d81..924f7a0 100644
--- a/k8s/eventrunner-api/base/ingress.yaml
+++ b/k8s/eventrunner-api/base/ingress.yaml
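Review bot: The `wellknown-endpoints` match `"url": "<^/decisions/.well-known/(alive|health)>"` has no end anchor and an unescaped `.`, so this noop/allow rule also matches any longer path that merely starts with that prefix; the sibling `k8s-health` rule anchors with `$`, so tighten this one the same way: `"url": "<^/decisions/\\.well-known/(alive|health)$>"`. Separately, Oathkeeper matches `url` against the full request URL (scheme and host included) and, if I recall the decision API correctly, strips the `/decisions` prefix before matching; if both hold, neither `^/health/...` nor `^/decisions/...` would ever match and probes would fall through to the error handler, so verify with a probe request before relying on these rules. The `k8s-health` upstream also points back at `oathkeeper-proxy` itself, which is harmless when only the decision verdict is used but is misleading to the next reader; a short comment above the rule saying the upstream is unused in decision mode would help.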
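Review bot: The rewritten upstream `"url"` carries a fixed path `/.well-known/alive` while `"preserve_host": true` is kept; with the ingress calling `/decisions$request_uri`, Oathkeeper only returns a verdict and nginx routes to the Ingress backend, so this path is not applied to the real request, and in proxy mode the effect would depend on how Oathkeeper joins the upstream path with the request path, which could send a `health` probe to the `alive` endpoint. Either keep the upstream host-only as before, `"url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200",`, or document in the rule why the path is intended. The enclosing `rules.json` array starts and ends outside this hunk.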
@@ -4,24 +4,21 @@ metadata:
 name: eventrunner-api
 namespace: eventrunner
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/authenticate"
- nginx.ingress.kubernetes.io/auth-response-headers: "Authorization,X-User,X-Tenant-ID"
+ nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/decisions$request_uri"
+ nginx.ingress.kubernetes.io/auth-method: GET
+ nginx.ingress.kubernetes.io/auth-response-headers: "Authorization"
 nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header Host $http_host;
 proxy_set_header X-Original-URI $request_uri;
- proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Original-Method $request_method;
- proxy_set_header Host $http_host;
- nginx.ingress.kubernetes.io/configuration-snippet: |
- add_header X-Debug-Original-URI $request_uri;
- add_header X-Debug-Original-URL $scheme://$http_host$request_uri;
- add_header X-Debug-Auth-URL $http_auth_request_uri;
+ proxy_set_header Content-Length "";
 spec:
 ingressClassName: nginx
 rules:
 - host: api.tunnel.threadr.ai
 http:
 paths:
- - path: /
+ - path: /.well-known
 pathType: Prefix
 backend:
 service:
diff --git a/k8s/ory/oathkeeper/oathkeeper-values.yaml b/k8s/ory/oathkeeper/oathkeeper-values.yaml
index b4ae131..c412e91 100644
--- a/k8s/ory/oathkeeper/oathkeeper-values.yaml
+++ b/k8s/ory/oathkeeper/oathkeeper-values.yaml
@@ -34,12 +34,25 @@ oathkeeper:
 authenticators:
 anonymous:
 enabled: true
+ config:
+ subject: "guest"
 noop:
 enabled: true
 authorizers:
 allow:
 enabled: true
+ deny:
+ enabled: true
+
+ errors:
+ fallback:
+ - json
+ handlers:
+ json:
+ enabled: true
+ config:
+ verbose: true
 mutators:
 noop:
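Review bot: `nginx.ingress.kubernetes.io/auth-method: GET` forces every auth subrequest to be a GET, so the `methods` lists in the Oathkeeper rules are evaluated against GET even when the client sent a POST or DELETE; any method-based restriction in `rules.json` cannot be enforced through this ingress, and the real method survives only in the `X-Original-Method` header set a few lines below, which the rules do not consult. Unless there is a reason Oathkeeper must see GET, drop the annotation so the original method is forwarded (as nginx's auth_request does by default, as far as I recall), or add a comment next to it explaining the constraint. Narrowing `path` to `/.well-known` is consistent with the health-only rules, but it means nothing else of `eventrunner-api` is reachable through this Ingress; a one-line comment on the `paths` entry stating that intent would save the next reader from treating it as an oversight.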
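Review bot: `verbose: true` on the `json` error handler makes Oathkeeper include the internal error reason in the response body, which is returned to unauthenticated callers; in decision mode nginx discards that body, but anything that can reach the Oathkeeper API port directly will see it. Prefer `verbose: false` for shared environments and keep `true` only in a dev overlay, or add a comment on the line stating that it is deliberately enabled for debugging. Enabling the `deny` authorizer alongside `allow` is a good addition, and the new `subject: "guest"` on the anonymous authenticator is fine as long as no downstream policy treats `guest` as privileged. The `oathkeeper:` values block continues outside this hunk.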