Update oathkeeper and maester charts (#37)

.circleci/config.yml

@@ -9,7 +9,6 @@ jobs:
       - run: curl -L https://git.io/get_helm.sh | bash
       - run: helm lint ./helm/charts/oathkeeper/
       - run: helm lint ./helm/charts/hydra/
-      - run: helm lint ./helm/charts/maester/
       - run: helm lint ./helm/charts/example-idp/
 
   test:

docs/helm/hydra.md

@@ -13,16 +13,18 @@ To install ORY Hydra, the following values must be set
 * `hydra.config.urls.consent`
 * `hydra.config.secrets.system`
 
+> **NOTE:** If no `hydra.config.secrets.system` secrets are not supplied, a secret is generated automatically. The generated secret is cryptographically secure, and 32 signs long.
+
 If you wish to install ORY Hydra with an in-memory database, a cryptographically strong secret, a Login and Consent
 provider located at `https://my-idp/` run:
 
 ```bash
 $ helm install \
-    --set hydra.config.secrets.system=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | base64 | head -c 32) \
-    --set hydra.config.dsn=memory \
-    --set hydra.config.urls.self.issuer=https://my-hydra/ \
-    --set hydra.config.urls.login=https://my-idp/login \
-    --set hydra.config.urls.consent=https://my-idp/consent \
+    --set 'hydra.config.secrets.system=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | base64 | head -c 32)' \
+    --set 'hydra.config.dsn=memory' \
+    --set 'hydra.config.urls.self.issuer=https://my-hydra/' \
+    --set 'hydra.config.urls.login=https://my-idp/login' \
+    --set 'hydra.config.urls.consent=https://my-idp/consent' \
     ory/hydra
 ```
 
@@ -31,7 +33,7 @@ You can optionally also set the cookie secrets:
 ```bash
 $ helm install \
     ...
-    hydra.config.secrets.cookie=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | base64 | head -c 32) \
+    'hydra.config.secrets.cookie=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | base64 | head -c 32)' \
     ...
     ory/hydra
 ```
@@ -43,7 +45,7 @@ To run ORY Hydra against a SQL database, set the connection string. For example:
 ```bash
 $ helm install \
     ...
-    --set dsn=postgres://foo:bar@baz:1234/db \
+    --set 'dsn=postgres://foo:bar@baz:1234/db' \
     ory/hydra
 ```
 
@@ -58,7 +60,7 @@ the [`gcloud-sqlproxy`](https://github.com/rimusz/charts/tree/master/stable/gclo
 
 ```bash
 $ helm upgrade pg-sqlproxy rimusz/gcloud-sqlproxy --namespace sqlproxy \
-    --set serviceAccountKey="$(cat service-account.json | base64 | tr -d '\n')" \
+    --set 'serviceAccountKey="$(cat service-account.json | base64 | tr -d '\n')"' \
     ...
 ```
 
@@ -68,7 +70,7 @@ When bringing up ORY Hydra, set the host to `pg-sqlproxy-gcloud-sqlproxy` as doc
 ```bash
 $ helm install \
     ...
-    --set dsn=postgres://foo:bar@pg-sqlproxy-gcloud-sqlproxy:5432/db \
+    --set 'dsn=postgres://foo:bar@pg-sqlproxy-gcloud-sqlproxy:5432/db' \
     ory/hydra
 ```
 
@@ -111,9 +113,9 @@ Let's install the Login and Consent App first
 
 ```bash
 $ helm install \
-    --set hydraAdminUrl=http://hydra-example-admin:4445/ \
-    --set hydraPublicUrl=http://public.hydra.localhost/ \
-    --set ingress.enabled=true \
+    --set 'hydraAdminUrl=http://hydra-example-admin:4445/' \
+    --set 'hydraPublicUrl=http://public.hydra.localhost/' \
+    --set 'ingress.enabled=true' \
     --name hydra-example-idp \
     ory/example-idp
 ```
@@ -131,15 +133,15 @@ for testing and demonstration purposes. Install the ORY Hydra Helm Chart
 
 ```bash
 $ helm install \
-    --set hydra.config.secrets.system=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | base64 | head -c 32) \
-    --set hydra.config.dsn=memory \
-    --set hydra.config.urls.self.issuer=http://public.hydra.localhost/ \
-    --set hydra.config.urls.login=http://example-idp.localhost/login \
-    --set hydra.config.urls.consent=http://example-idp.localhost/consent \
-    --set hydra.config.urls.logout=http://example-idp.localhost/logout \
-    --set ingress.public.enabled=true \
-    --set ingress.admin.enabled=true \
-    --set hydra.dangerousForceHttp=true \
+    --set 'hydra.config.secrets.system=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | base64 | head -c 32)' \
+    --set 'hydra.config.dsn=memory' \
+    --set 'hydra.config.urls.self.issuer=http://public.hydra.localhost/' \
+    --set 'hydra.config.urls.login=http://example-idp.localhost/login' \
+    --set 'hydra.config.urls.consent=http://example-idp.localhost/consent' \
+    --set 'hydra.config.urls.logout=http://example-idp.localhost/logout' \
+    --set 'ingress.public.enabled=true' \
+    --set 'ingress.admin.enabled=true' \
+    --set 'hydra.dangerousForceHttp=true' \
     --name hydra-example \
     ory/hydra
 ```

docs/helm/maester.md → docs/helm/oathkeeper-maester.md

@@ -1,22 +1,15 @@
-# ORY Maester Helm Chart
+# ORY Oathkeeper-maester Helm Chart
 
-ORY Maester is a Kubernetes controller that watches for instances of `rules.oathkeeper.ory.sh/v1alpha1` custom resource (CR) and creates or updates the Oathkeeper ConfigMap with Access Rules found in the CRs. The controller passes the Access Rules as an array in a format recognized by the Oathkeeper.
+ORY Oathkeeper-maester is a Kubernetes controller that watches for instances of `rules.oathkeeper.ory.sh/v1alpha1` custom resource (CR) and creates or updates the Oathkeeper ConfigMap with Access Rules found in the CRs. The controller passes the Access Rules as an array in a format recognized by the Oathkeeper.
 By mounting the ConfigMap to the Oathkeeper Pod, you can manage the list of Oathkeeper Rules through `rules.oathkeeper.ory.sh/v1alpha1` CR instances.
 
-
 ## Installation
-
-To install ORY Maester with Helm, run:
-
-```bash
-$ helm install ory/maester
-```
+Oathkeeper-maester is a part of the Oathkeeper chart, and it is installed together with it. 
 
 ## Configuration
 
 These are the most important configuration values used to control ConfigMap creation:
 
-- `configMapName` defines the name of the ConfigMap used to store the list of Access Rules. Defaults to `oathkeeper-rules`
 - `rulesConfigmapNamespace` defines the Namespace in which the ConfigMap is stored. Defaults to the same Namespace as the ORY Maester Helm release.
 - `rulesFileName` defines the name of the single root-level ConfigMap key used to store the entire array of Access Rules. When the ConfigMap is mounted in the Oathkeeper Pod, this becomes also the filename of the "rules file" to the Oathkeeper process. Defaults to `access-rules.json`.
 

docs/helm/oathkeeper.md

@@ -21,7 +21,7 @@ This Helm Chart supports a demo mode which deploys access rules for urls
 that point to [httpbin.org](https://httpbin.org). To install ORY Oathkeeper in demo-mode, run:
 
 ```bash
-$ helm install --set demo=true ory/oathkeeper
+$ helm install --set 'demo=true' ory/oathkeeper
 ```
 
 Be aware that this mode uses JSON Web Keys and other secrets that are publicly accessible via GitHub.
@@ -63,7 +63,7 @@ from disk and deploying it as a Kubernetes Secret:
 
 ```bash
 $ helm install \
-    --set-file oathkeeper.mutatorIdTokenJWKs=./path/to/jwks.json \
+    --set-file 'oathkeeper.mutatorIdTokenJWKs=./path/to/jwks.json' \
     ory/oathkeeper
 ```
 
@@ -76,9 +76,18 @@ Instead of fetching access rules from remote locations, you can set your access
 
 ```bash
 $ helm install \
-    --set-file oathkeeper.accessRules=./path/to/access-rules.json \
+    --set-file 'oathkeeper.accessRules=./path/to/access-rules.json' \
     ory/oathkeeper
 ```
 
 Please note that any configuration values set for `oathkeeper.config.access_rules.repositories` using e.g.
 a configuration file will be overwritten by this setting.
+
+### Oathkeeper-maester
+This chart includes a helper chart in the form of [Oathkeeper-maester](https://github.com/ory/k8s/blob/master/docs/helm/oathkeeper-maester.md), a k8s controller, which translates access rules object into a kubernetes native [CustomResource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). This component is enabled by default, and installed together with Oathkeeper, however it can be disabled by setting the proper flag:
+
+```bash
+$ helm install \
+    --set 'maester.enabled=false' \
+    ory/oathkeeper
+```

helm/charts/hydra/templates/deployment.yaml

@@ -72,10 +72,16 @@ spec:
             httpGet:
               path: /health/alive
               port: http-admin
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            failureThreshold: 5
           readinessProbe:
             httpGet:
               path: /health/ready
               port: http-admin
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            failureThreshold: 5
           env:
             {{- $issuer := include "hydra.config.urls.issuer" . -}}
             {{- if $issuer }}
@@ -98,16 +104,16 @@ spec:
                   name: {{ include "hydra.fullname" . }}
                   key: secretsCookie
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      {{- with .Values.nodeSelector }}
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+      {{- with .Values.deployment.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     {{- with .Values.affinity }}
     affinity:
       {{- toYaml . | nindent 8 }}
     {{- end }}
-    {{- with .Values.tolerations }}
+    {{- with .Values.deployment.tolerations }}
     tolerations:
       {{- toYaml . | nindent 8 }}
     {{- end }}

helm/charts/hydra/templates/secrets.yaml

@@ -5,8 +5,13 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
 {{ include "hydra.labels" . | indent 4 }}
+  annotations:
+    # Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
+    "helm.sh/hook": "pre-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
 type: Opaque
 data:
-  secretsSystem: {{ include "hydra.secrets.system" . | required "Value secrets.system can not be empty!" | b64enc | quote }}
-  secretsCookie: {{ include "hydra.secrets.cookie" . | required "Value secrets.cookie can not be empty!" | b64enc | quote }}
+  # Generate a random secret if the user doesn't give one. User given password has priority
+  secretsSystem: {{ ( include "hydra.secrets.system" . | default ( randAlphaNum 32 )) | required "Value secrets.system can not be empty!" | b64enc | quote }}
+  secretsCookie: {{ ( include "hydra.secrets.cookie" . | default ( randAlphaNum 32 )) | required "Value secrets.cookie can not be empty!" | b64enc | quote }}
   dsn: {{ include "hydra.dsn" . | b64enc | quote }}

helm/charts/hydra/values.yaml

@@ -93,26 +93,27 @@ hydra:
   dangerousForceHttp: false
   dangerousAllowInsecureRedirectUrls: false
 
-resources: {}
-#  We usually recommend not to specify default resources and to leave this as a conscious
-#  choice for the user. This also increases chances charts run on environments with little
-#  resources, such as Minikube. If you do want to specify resources, uncomment the following
-#  lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-#  limits:
-#    cpu: 100m
-#    memory: 128Mi
-#  requests:
-#    cpu: 100m
-#  memory: 128Mi
+deployment:
+  resources: {}
+  #  We usually recommend not to specify default resources and to leave this as a conscious
+  #  choice for the user. This also increases chances charts run on environments with little
+  #  resources, such as Minikube. If you do want to specify resources, uncomment the following
+  #  lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  #  limits:
+  #    cpu: 100m
+  #    memory: 128Mi
+  #  requests:
+  #    cpu: 100m
+  #  memory: 128Mi
 
-# Node labels for pod assignment.
-nodeSelector: {}
-# If you do want to specify node labels, uncomment the following
-# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
-#   foo: bar
+  # Node labels for pod assignment.
+  nodeSelector: {}
+  # If you do want to specify node labels, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
+  #   foo: bar
 
-# Configure node tolerations.
-tolerations: []
+  # Configure node tolerations.
+  tolerations: []
 
 # Configure node affinity
 affinity: {}

helm/charts/maester/Chart.yaml → helm/charts/oathkeeper/charts/oathkeeper-master/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 appVersion: "v0.0.1"
 description: A Helm chart for deployoing ORY Oathkeeper Rule Controller in Kubernetes
-name: maester
+name: oathkeeper-maester
 version: 0.0.1
 keywords:
   - zero-trust

helm/charts/maester/templates/_helpers.tpl → helm/charts/oathkeeper/charts/oathkeeper-master/templates/_helpers.tpl

@@ -2,7 +2,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "maester.name" -}}
+{{- define "oathkeeper-maester.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
@@ -11,7 +11,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "maester.fullname" -}}
+{{- define "oathkeeper-maester.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
@@ -27,19 +27,32 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "maester.chart" -}}
+{{- define "oathkeeper-maester.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/*
 Common labels
 */}}
-{{- define "maester.labels" -}}
-app.kubernetes.io/name: {{ include "maester.name" . }}
-helm.sh/chart: {{ include "maester.chart" . }}
+{{- define "oathkeeper-maester.labels" -}}
+app.kubernetes.io/name: {{ include "oathkeeper-maester.name" . }}
+helm.sh/chart: {{ include "oathkeeper-maester.chart" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
+
+{{/*
+Get Oathkeeper rules configmap
+*/}}
+{{- define "oathkeeper-maester.getCM" -}}
+{{- $fullName := include "oathkeeper-maester.fullname" . -}}
+{{- $nameParts := split "-" $fullName }}
+{{- if eq $nameParts._0 $nameParts._1 -}}
+{{- printf "%s-rules" $nameParts._0 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s-rules" $nameParts._0 $nameParts._1 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}

helm/charts/oathkeeper/charts/oathkeeper-master/templates/crd-configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ .Release.Name }}-crd-rules
+  annotations:
+    "helm.sh/hook": "pre-install, pre-upgrade"
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+data:
+  rules.yaml: |-
+{{.Files.Get "files/crd-rules.yaml" | printf "%s" | indent 4}}