Comments (11)
This is a problem created by PR ory/oathkeeper#1061 and so Release v0.40.2, we should have a flag or option to enable the check performed on PR 1061.
@zepatrik @hperl In our case, if we use Oathkeeper Maester, we get a 503 error when launching Oathkeeper Readiness Probe because there are no rules, although we create them later from the controller.
👋 @Demonsthere can you please reopen the issue?
from k8s.
Hello there,
This behaviour is due to the k8s readiness probe failing and restarting the pod. The probe is failing because no rules are present in the system, that is why the demo mode works, as it deploys sample data.
As Oathkeeper is not k8s native, it expects the rules to be present on start, and treats an empty rule array as an error state.
from k8s.
How can I instantiate it with a basic rule? Do I have to provide it a basic rule via Helm Values always?
The default helm has the following access rule which might be blank.
config:
  access_rules:
    repositories:
      - file:///etc/rules/access-rules.json
I also created a rule using the CRD to see if it picks it up.
apiVersion: oathkeeper.ory.sh/v1alpha1
kind: Rule
metadata:
  name: test-rule
  namespace: default
spec:
  match:
    url: http://http-bin.example/echo
    methods:
      - GET
  authenticators:
    - handler: anonymous
  authorizer:
    handler: allow
  mutators:
    - handler: noop
from k8s.
To clear up some confusion :)
- The first code snippet you posted configures where Oathkeeper will look for rules, as that can be defined as a local file, or a URL. Please refer to https://www.ory.sh/docs/oathkeeper/reference/configuration for the full config :)
- Rules can be supplied to the chart during installation using this parameter: https://github.com/ory/k8s/blob/master/hacks/values/oathkeeper.yaml#L50 The values in hacks are used for CI testing and represent ready-to-use examples.
- The CRDs will be picked up, but you need to enable the k8s controller to do that. The extra controller is configurable via this option: https://github.com/ory/k8s/blob/master/hacks/values/oathkeeper.yaml#L3-L4
Once the CRD is picked up, it will be transformed into an updated cm for the oathkeeper to read.
from k8s.
I see your version is 0.40.2.
Try to downgrade to 0.40.1.
from k8s.
Closing as this is a user error, please reopen if you need more guidance :)
from k8s.
I think the bug is not fixed in the actual version (0.40.6)
from k8s.
I see, so this is an upstream issue from oathkeeper itself 🤔 I will talk with the devs, maybe a --allow-empty-rules flag could be added to disable that check, which would be the default option for maester enabled charts
from k8s.
Would be fine by me.
from k8s.
Is there any progress on this issue?
from k8s.
This issue is unrelated to rules, the pod starts fine with no rules.
Please disregard, I was checking /health/alive instead of /health/ready
from k8s.
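An added example, not part of the thread and not Ory's code: a small triage check that queries both health endpoints named above and reports which state the instance is in, so a passing /health/alive is not mistaken for readiness. The stub server is a constructed stand-in that assumes the behaviour described in the thread (503 on /health/ready while no rules are loaded); `diagnose`, `make_stub` and `demo` are hypothetical names.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore proxy environment variables so local probes go straight to the target.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def status(url, timeout=2.0):
    """Return the HTTP status code of a GET, or None if unreachable."""
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # non-2xx answers still carry a status code
    except (urllib.error.URLError, OSError):
        return None

def diagnose(base_url):
    """Classify an instance as 'down', 'alive-not-ready' or 'ready'."""
    if status(base_url + "/health/alive") != 200:
        return "down"
    if status(base_url + "/health/ready") != 200:
        return "alive-not-ready"  # e.g. no rules loaded, as in this thread
    return "ready"

def make_stub(rule_count):
    """Constructed stand-in: always alive, ready only once rules exist."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            codes = {"/health/alive": 200,
                     "/health/ready": 200 if rule_count > 0 else 503}
            self.send_response(codes.get(self.path, 404))
            self.end_headers()
        def log_message(self, *args):  # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo(rule_count):
    server = make_stub(rule_count)
    try:
        return diagnose("http://127.0.0.1:%d" % server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo(0), demo(1))
```

Against a real deployment, call `diagnose` with the base URL of the Oathkeeper API endpoint that the Kubernetes probes target.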