https://github.com/ory/oathkeeper-maester
Kubernetes CRD Controller for Ory Oathkeeper. :warning: Maintained by the community, not an official Ory project!
- Host: GitHub
- URL: https://github.com/ory/oathkeeper-maester
- Owner: ory
- License: apache-2.0
- Created: 2019-06-13T09:53:42.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2024-10-14T14:17:06.000Z (8 months ago)
- Last Synced: 2024-10-29T15:59:40.404Z (8 months ago)
- Language: Go
- Homepage:
- Size: 291 KB
- Stars: 33
- Watchers: 13
- Forks: 20
- Open Issues: 3
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
README
- [Ory Oathkeeper Maester](#ory-oathkeeper-maester)
- [Prerequisites](#prerequisites)
- [How to use it](#how-to-use-it)
- [Command-line parameters](#command-line-parameters)
- [Mode options](#mode-options)
- [Global flags](#global-flags)
- [Controller mode flags](#controller-mode-flags)
- [Sidecar mode flags](#sidecar-mode-flags)
- [Environment variables](#environment-variables)

# Ory Oathkeeper Maester
⚠️ ⚠️ ⚠️
> Ory Oathkeeper Maester is developed by the Ory community and is not actively
> maintained by Ory core maintainers due to lack of resources, time, and
> knowledge. As such, please be aware that there might be issues with the system.
> If you have ideas for better testing and development principles, please open an
> issue or PR!

⚠️ ⚠️ ⚠️
ORY Maester is a Kubernetes controller that watches for instances of the
`rules.oathkeeper.ory.sh/v1alpha1` custom resource (CR) and creates or updates
the Oathkeeper ConfigMap with the Access Rules found in those CRs. The controller
passes the Access Rules as a JSON array in the format Oathkeeper expects for its
rules file.

The project is based on
[Kubebuilder](https://github.com/kubernetes-sigs/kubebuilder).

## Prerequisites
- a recent version of Go with module support (e.g. 1.12.6)
- make
- kubectl
- kustomize
- [kind](https://github.com/kubernetes-sigs/kind) for local integration testing
- [ginkgo](https://onsi.github.io/ginkgo/) for local integration testing
- access to a K8s environment: minikube,
  [KIND](https://github.com/kubernetes-sigs/kind), or a remote K8s cluster

## How to use it
- `make` to build the binary
- `make test` to run tests
- `make test-integration` to run integration tests in a local KIND environment

Other targets require a working K8s environment. Set the `KUBECONFIG` environment
variable to the proper value.

- `make install` to generate the CRD file from the Go sources and install it in the
  cluster
- `make run` to run the controller locally

Refer to the Makefile for the details.
## Command-line parameters
Usage example: `./manager [--global-flags] mode [--mode-flags]`
### Mode options
| Name | Description |
| :------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **controller** | This is the **default** mode of operation, in which `oathkeeper-maester` is expected to be deployed as a separate deployment. It uses the kubernetes api-server and ConfigMaps to store data. |
| **sidecar**    | Alternative mode of operation, in which the `oathkeeper-maester` is expected to be deployed as a sidecar container to the main application. It uses local filesystem to create the access rules file. |

### Global flags
| Name | Description | Default values |
| :------------------------- | :-------------------------------------------------------------------------------------------------------------------- | :------------: |
| **metrics-addr** | The address the metric endpoint binds to | `8080` |
| **enable-leader-election** | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. | `false` |
| **kubeconfig**             | Paths to a kubeconfig. Only required if out-of-cluster.                                                              | `$KUBECONFIG`  |

### Controller mode flags
| Name | Description | Default values |
| :-------------------------- | :------------------------------------------------------- | :-------------------------: |
| **rulesConfigmapName** | Name of the Configmap that stores Oathkeeper rules. | `oathkeeper-rules` |
| **rulesConfigmapNamespace** | Namespace of the Configmap that stores Oathkeeper rules. | `oathkeeper-maester-system` |
| **rulesFileName**           | Name of the key in ConfigMap containing the rules.json    | `access-rules.json`         |

### Sidecar mode flags
| Name | Description | Default values |
| :---------------- | :----------------------------------------------- | :-----------------------------: |
| **rulesFilePath** | Path to the file with converted Oathkeeper rules | `/etc/config/access-rules.json` |

### Environment variables
| Name | Description | Default values |
| :------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------: |
| **NAMESPACE** | Namespace option to scope Oathkeeper maester to one namespace only - useful for running several instances in one cluster. Defaults to "" which means that there is no namespace scope. | `` |
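The following Go program is an added example, not code from the oathkeeper-maester project, that shows the data flow the sections above describe end to end: a set of Rule CRs is scoped to the `NAMESPACE` value (empty means cluster-wide), converted into the JSON array Oathkeeper loads, and then either placed under the `rulesFileName` key of a ConfigMap (controller mode) or written to `rulesFilePath` (sidecar mode). The `Rule`/`RuleSpec` struct layout, the `namespace.name` rule ID, the fail-closed check that refuses to render a rule without an authenticator, and the temp-file-plus-rename write are all assumptions of this example; the real CRD types and conversion logic live in the project's own packages. The two sample CRs are constructed inline so the program runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// Rule is a minimal stand-in for a rules.oathkeeper.ory.sh/v1alpha1 CR.
// ASSUMPTION: field names mirror Oathkeeper's access-rule JSON; the project's
// real types are generated by Kubebuilder and are not reproduced here.
type Rule struct {
	Namespace string
	Name      string
	Spec      RuleSpec
}

type RuleSpec struct {
	Upstream       Upstream  `json:"upstream"`
	Match          Match     `json:"match"`
	Authenticators []Handler `json:"authenticators"`
	Authorizer     *Handler  `json:"authorizer,omitempty"`
	Mutators       []Handler `json:"mutators,omitempty"`
}

type Upstream struct {
	URL          string `json:"url"`
	StripPath    string `json:"strip_path,omitempty"`
	PreserveHost bool   `json:"preserve_host,omitempty"`
}

type Match struct {
	URL     string   `json:"url"`
	Methods []string `json:"methods"`
}

type Handler struct {
	Handler string          `json:"handler"`
	Config  json.RawMessage `json:"config,omitempty"`
}

// accessRule is one element of the JSON array Oathkeeper reads from its rules file.
type accessRule struct {
	ID string `json:"id"`
	RuleSpec
}

// RenderRules keeps only CRs in namespaceScope (empty = no scoping, as the
// NAMESPACE variable documents), validates them, and returns a deterministic
// JSON array. Sorting by ID means re-rendering unchanged CRs yields identical
// bytes, so the ConfigMap or file is not rewritten needlessly.
func RenderRules(rules []Rule, namespaceScope string) ([]byte, error) {
	out := make([]accessRule, 0, len(rules))
	for _, r := range rules {
		if namespaceScope != "" && r.Namespace != namespaceScope {
			continue
		}
		if r.Spec.Match.URL == "" || r.Spec.Upstream.URL == "" {
			return nil, fmt.Errorf("rule %s/%s: match.url and upstream.url are required", r.Namespace, r.Name)
		}
		// ASSUMPTION (example policy): fail closed rather than emit a rule with
		// no authenticator, so a half-written CR cannot reach the proxy.
		if len(r.Spec.Authenticators) == 0 {
			return nil, fmt.Errorf("rule %s/%s: at least one authenticator is required", r.Namespace, r.Name)
		}
		// ASSUMPTION: "<namespace>.<name>" is this example's ID scheme.
		out = append(out, accessRule{ID: r.Namespace + "." + r.Name, RuleSpec: r.Spec})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return json.MarshalIndent(out, "", "  ")
}

// ConfigMapData is the controller-mode shape: the rendered array sits under the
// key named by --rulesFileName (default access-rules.json).
func ConfigMapData(rendered []byte, rulesFileName string) map[string]string {
	return map[string]string{rulesFileName: string(rendered)}
}

// WriteSidecarFile is the sidecar-mode equivalent: write to a temp file and
// rename so Oathkeeper never observes a partially written rules file.
func WriteSidecarFile(rendered []byte, rulesFilePath string) error {
	tmp := rulesFilePath + ".tmp"
	if err := os.WriteFile(tmp, rendered, 0o644); err != nil {
		return err
	}
	return os.Rename(tmp, rulesFilePath)
}

// SampleRules returns two constructed CRs in different namespaces (made up for
// this example, not taken from the project).
func SampleRules() []Rule {
	return []Rule{
		{Namespace: "team-a", Name: "api", Spec: RuleSpec{
			Upstream:       Upstream{URL: "http://api.team-a.svc:8080"},
			Match:          Match{URL: "<http|https>://example.org/api/<.*>", Methods: []string{"GET", "POST"}},
			Authenticators: []Handler{{Handler: "jwt"}},
			Authorizer:     &Handler{Handler: "allow"},
			Mutators:       []Handler{{Handler: "noop"}},
		}},
		{Namespace: "team-b", Name: "public", Spec: RuleSpec{
			Upstream:       Upstream{URL: "http://web.team-b.svc:8080"},
			Match:          Match{URL: "<http|https>://example.org/public/<.*>", Methods: []string{"GET"}},
			Authenticators: []Handler{{Handler: "anonymous"}},
			Authorizer:     &Handler{Handler: "allow"},
		}},
	}
}

func main() {
	rendered, err := RenderRules(SampleRules(), os.Getenv("NAMESPACE"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(rendered))
}
```

Run it with `NAMESPACE=team-b go run .` to see the scoped output contain only the `team-b.public` rule; with the variable unset both rules are emitted, matching the "no namespace scope" default in the table above.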