Oathkeeper + Ambassador files
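apiVersion: v1
kind: ConfigMap
metadata:
  name: access-rules
  # Same namespace as the Deployment that mounts this ConfigMap. Without it
  # the object is created in kubectl's current/default namespace and the
  # access-rules-volume reference in the Deployment cannot resolve.
  namespace: oathkeeper
data:
  # Oathkeeper access rules. Mounted at /etc/access-rules and selected by
  # ACCESS_RULES_REPOSITORIES in the Deployment. JSON cannot carry comments,
  # so the per-rule notes live here:
  # - oathkeeper-access-rule: match URL is a hard-coded IP. A ClusterIP
  #   changes when the Service is recreated, so a hostname is more robust.
  #   noop + allow on every method means requests under /ory-oathkeeper/
  #   reach Oathkeeper's own API without any credential check.
  # - hello-access-rule: the only rule that authenticates (oauth2_introspection,
  #   required_scope openid); GET only.
  # - hydra-admin-access-rule / hydra-access-rule / login-access-rule:
  #   anonymous + allow, i.e. any request routed through the AuthService for
  #   these hosts is admitted without a credential check. For the admin host
  #   in particular, confirm it is not reachable from outside the cluster,
  #   or tighten this rule.
  access-rules.json: |
    [
      {
        "id": "oathkeeper-access-rule",
        "match": {
          "url": "http://10.97.55.93/ory-oathkeeper/<.*>",
          "methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"]
        },
        "authenticators": [{ "handler": "noop" }],
        "authorizer": { "handler": "allow" },
        "mutator": { "handler": "noop" }
      },
      {
        "id": "hello-access-rule",
        "match": {
          "url": "http://hello-world.int/<.*>",
          "methods": ["GET"]
        },
        "authenticators": [
          {
            "handler": "oauth2_introspection",
            "config": {
              "required_scope": ["openid"]
            }
          }
        ],
        "authorizer": { "handler": "allow" },
        "mutator": { "handler": "noop" }
      },
      {
        "id": "hydra-admin-access-rule",
        "match": {
          "url": "http://auth-admin.printi.int/<.*>",
          "methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"]
        },
        "authenticators": [{ "handler": "anonymous" }],
        "authorizer": { "handler": "allow" },
        "mutator": { "handler": "noop" }
      },
      {
        "id": "hydra-access-rule",
        "match": {
          "url": "http://auth.printi.int/<.*>",
          "methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"]
        },
        "authenticators": [{ "handler": "anonymous" }],
        "authorizer": { "handler": "allow" },
        "mutator": { "handler": "noop" }
      },
      {
        "id": "login-access-rule",
        "match": {
          "url": "http://login.printi.int/<.*>",
          "methods": ["GET"]
        },
        "authenticators": [{ "handler": "anonymous" }],
        "authorizer": { "handler": "allow" },
        "mutator": { "handler": "noop" }
      }
    ]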
---
apiVersion: v1
kind: Service
metadata:
  name: ory-oathkeeper
  namespace: oathkeeper
spec:
  # Cluster-internal only. Ambassador addresses it as ory-oathkeeper.oathkeeper
  # from the Mapping and AuthService in this file.
  type: ClusterIP
  selector:
    app: ory-oathkeeper
  ports:
    - port: 80
      name: http-ory-oathkeeper
      # Named port on the pod; the Deployment binds http-api to 4456.
      targetPort: http-api
---
apiVersion: getambassador.io/v1
kind: Mapping
metadata:
  name: ory-oathkeeper-mapping
  namespace: oathkeeper
spec:
  # Publishes Oathkeeper's own API through Ambassador under this prefix.
  # The matching access rule (oathkeeper-access-rule) uses noop + allow, so
  # this path is reachable without a credential check; confirm that is
  # intended before exposing Ambassador beyond the cluster.
  prefix: /ory-oathkeeper/
  # No rewrite is set, so Ambassador's default rewrite applies — verify
  # the resulting upstream path matches what Oathkeeper expects.
  service: ory-oathkeeper.oathkeeper
---
apiVersion: getambassador.io/v1
kind: AuthService
metadata:
  name: authentication
  namespace: oathkeeper
spec:
  # Every request Ambassador routes is first sent to Oathkeeper; the
  # access rules in the access-rules ConfigMap decide the outcome.
  auth_service: ory-oathkeeper.oathkeeper
  # Prepended to the original request path, so decisions are requested at
  # /decisions/<original path> on the Oathkeeper API port.
  # No allowed_request_headers / allowed_authorization_headers / timeout_ms
  # are set, so Ambassador defaults apply; the oauth2_introspection rule
  # relies on the Authorization header being forwarded by those defaults.
  path_prefix: /decisions
---
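# Deployment moved from extensions/v1beta1 (removed in Kubernetes 1.16) to
# apps/v1, which additionally requires an explicit spec.selector.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ory-oathkeeper
  namespace: oathkeeper
spec:
  replicas: 1
  # Required by apps/v1; must match the pod template labels.
  selector:
    matchLabels:
      app: ory-oathkeeper
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: ory-oathkeeper
    spec:
      # No securityContext, readiness or liveness probe is set here; the
      # image defaults apply and a pod is considered ready as soon as it
      # starts.
      containers:
        - name: ory-oathkeeper
          image: oryd/oathkeeper:v0.16.0
          imagePullPolicy: Always
          # Serves only the API (decisions + rules); no proxy listener.
          command: ["oathkeeper", "serve", "api"]
          volumeMounts:
            - name: access-rules-volume
              mountPath: /etc/access-rules
          env:
            # File-backed rule repository; the file comes from the
            # access-rules ConfigMap mounted above.
            - name: ACCESS_RULES_REPOSITORIES
              value: file:///etc/access-rules/access-rules.json
            - name: DATABASE_URL
              value: memory
            # Shared-secret (HMAC) signing for issued ID tokens; the secret
            # object ory-oathkeeper must exist in this namespace (not shown
            # on this page).
            - name: CREDENTIALS_ISSUER_ID_TOKEN_ALGORITHM
              value: HS256
            - name: CREDENTIALS_ISSUER_ID_TOKEN_HS256_SECRET
              valueFrom:
                secretKeyRef:
                  name: ory-oathkeeper
                  key: CREDENTIALS_ISSUER_ID_TOKEN_HS256_SECRET
            - name: AUTHENTICATORS_OAUTH2_INTROSPECTION_INTROSPECTION_URL
              valueFrom:
                secretKeyRef:
                  name: ory-oathkeeper
                  key: AUTHENTICATORS_OAUTH2_INTROSPECTION_INTROSPECTION_URL
            - name: AUTHENTICATORS_OAUTH2_INTROSPECTION_INTROSPECTION_SCOPE_STRATEGY
              value: hierarchic
            # Only the handlers referenced by the access rules are enabled.
            - name: AUTHENTICATORS_NOOP_ENABLED
              value: "true"
            - name: AUTHENTICATORS_OAUTH2_INTROSPECTION_ENABLED
              value: "true"
            - name: AUTHENTICATORS_ANONYMOUS_ENABLED
              value: "true"
            - name: AUTHORIZERS_ALLOW_ENABLED
              value: "true"
            - name: MUTATORS_NOOP_ENABLED
              value: "true"
            # debug logs every decision request in detail; lower this
            # outside development.
            - name: LOG_LEVEL
              value: debug
            # Both set to the same value; SERVE_API_PORT is the one the
            # http-api container port below must match.
            - name: SERVE_API_PORT
              value: "4456"
            - name: PORT
              value: "4456"
            # CORS is enabled with no allowed-origins list set here, so the
            # image default applies; CORS debug adds verbose logging.
            - name: SERVE_API_CORS_ENABLED
              value: "true"
            - name: SERVE_API_CORS_DEBUG
              value: "true"
          ports:
            - name: http-api
              containerPort: 4456
          # Limits only; with no requests set, requests default to the
          # limits.
          resources:
            limits:
              cpu: "0.1"
              memory: 100Mi
      volumes:
        - name: access-rules-volume
          configMap:
            name: access-rules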