Merge pull request #39 from carverauto/updates/use_gofr_oauth

🔧 WIP ory crap
carverauto · Oct 30, 2024 · f88195a · f88195a
2 parents 2124ca8 + 8eda34d
commit f88195a
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 21 deletions.
diff --git a/k8s/auth-server/base/auth-server-configmaps.yaml b/k8s/auth-server/base/auth-server-configmaps.yaml
@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: oathkeeper-rules-data
+  name: oathkeeper-rules
   namespace: eventrunner
 data:
   rules.json: |
     [
       {
-        "id": "k8s-health",
+        "id": "health-check",
         "match": {
           "url": "<^/health/(ready|alive|live)$>",
           "methods": ["GET"]
@@ -26,18 +26,19 @@ data:
           }
         ],
         "upstream": {
-          "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455"
+          "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200",
+          "preserve_host": true
         }
       },
       {
-        "id": "wellknown-endpoints",
+        "id": "well-known",
         "match": {
-          "url": "<^/decisions/.well-known/(alive|health)>",
+          "url": "<^/decisions($|/.*)$>",
           "methods": ["GET"]
         },
         "authenticators": [
           {
-            "handler": "noop"
+            "handler": "anonymous"
           }
         ],
         "authorizer": {
@@ -47,10 +48,6 @@ data:
           {
             "handler": "noop"
           }
-        ],
-        "upstream": {
-          "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200/.well-known/alive",
-          "preserve_host": true
-        }
+        ]
       }
     ]
diff --git a/k8s/auth-server/base/auth-server.yaml b/k8s/auth-server/base/auth-server.yaml
@@ -26,7 +26,7 @@ spec:
       volumes:
         - name: rules-volume
           configMap:
-            name: oathkeeper-rules-data
+            name: oathkeeper-rules
             items:
               - key: rules.json
                 path: rules.json

diff --git a/k8s/eventrunner-api/base/ingress.yaml b/k8s/eventrunner-api/base/ingress.yaml
@@ -4,21 +4,20 @@ metadata:
   name: eventrunner-api
   namespace: eventrunner
   annotations:
-    nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/decisions$request_uri"
-    nginx.ingress.kubernetes.io/auth-method: GET
-    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization"
-    nginx.ingress.kubernetes.io/auth-snippet: |
-      proxy_set_header Host $http_host;
+    nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-api.default.svc.cluster.local:4456/decisions"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
       proxy_set_header X-Original-URI $request_uri;
       proxy_set_header X-Original-Method $request_method;
-      proxy_set_header Content-Length "";
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Host $http_host;
+      proxy_set_header X-Forwarded-Uri $request_uri;
 spec:
   ingressClassName: nginx
   rules:
     - host: api.tunnel.threadr.ai
       http:
         paths:
-          - path: /.well-known
+          - path: /
             pathType: Prefix
             backend:
               service:

diff --git a/k8s/nginx/configmap.yaml b/k8s/nginx/configmap.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+data:
+  proxy-buffer-size: "16k"
+  server-snippet: |
+    location = /auth {
+      internal;
+      proxy_pass http://oathkeeper-api.default.svc.cluster.local:4456/decisions;
+      proxy_pass_request_body off;
+      proxy_set_header Content-Length "";
+      proxy_set_header X-Original-URI $request_uri;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Original-Method $request_method;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Host $host:$server_port;
+    }
diff --git a/k8s/ory/oathkeeper/oathkeeper-values.yaml b/k8s/ory/oathkeeper/oathkeeper-values.yaml
@@ -21,6 +21,7 @@ oathkeeper:
             - X-User
             - X-Tenant-ID
             - X-Request-Id
+            - Content-Type
           allow_credentials: true
           debug: true
       api:
@@ -35,7 +36,7 @@ oathkeeper:
       anonymous:
         enabled: true
         config:
-          subject: "guest"
+          subject: guest
       noop:
         enabled: true
 
@@ -64,4 +65,5 @@ oathkeeper:
 
     log:
       level: debug
-      format: json
+      format: json
+      leak_sensitive_values: true