8000 Oathkeeper rules by davidcheung · Pull Request #11 · commitdev/zero-backend-node · GitHub
2 changes: 1 addition & 1 deletion templates/.circleci/config.yml
Expand Up @@ -252,7 +252,7 @@ jobs:
cd kubernetes/overlays/<< parameters.config-environment >>
IMAGE=<< parameters.account-id >>.dkr.ecr.<< parameters.region >>.amazonaws.com/<< parameters.repo >>
kustomize edit set image fake-image=${IMAGE}:${VERSION_TAG}
kustomize build . | kubectl apply -f - -n $NAMESPACE
kustomize build . | kubectl apply -f -
if ! kubectl -n $NAMESPACE rollout status deployment/$DEPLOYMENT -w --timeout=180s ; then
echo "$DEPLOYMENT rollout check failed:"
echo "$DEPLOYMENT deployment:"
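Review bot: The `kubectl apply -f -` line no longer passes `-n $NAMESPACE`, so the namespace applied is whatever the kustomize output carries (the base kustomization in this PR sets it to the templated `<% .Name %>`), while the `rollout status` call two lines below still uses `-n $NAMESPACE`. If those two values ever diverge, the apply succeeds but the rollout check watches the wrong namespace and fails only after the 180s timeout. Either keep `-n $NAMESPACE` on the apply so both commands agree, or derive `NAMESPACE` from the same template value and note it: `# namespace comes from kubernetes/base/kustomization.yml; $NAMESPACE must match it`. Which of the two kubectl apply lines is the new side is inferred from the diffstat, not shown explicitly here.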
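--- a/templates/kubernetes/base/auth.yml
+++ b/templates/kubernetes/base/auth.yml
@@ -0,0 +1,87 @@
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+name: kratos-public
+spec:
+upstream:
+url: http://kratos-public.user-auth
+stripPath: /.ory/kratos/public
+preserveHost: true
+match:
+#url: http://<backend_service_domain>/.ory/kratos/public/<.*>
+methods:
+- GET
+- POST
+- PUT
+- DELETE
+- PATCH
+authenticators:
+- handler: noop
+authorizer:
+handler: allow
+mutators:
+- handler: noop
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+name: kratos-form-data
+spec:
+upstream:
+url: http://kratos-admin.user-auth
+stripPath: /.ory/kratos
+preserveHost: true
+match:
+#url: http://<backend_service_domain>/.ory/kratos/self-service/<(login|registration|recovery|settings)>/flows<.*>
+methods:
+- GET
+authenticators:
+- handler: noop
+authorizer:
+handler: allow
+mutators:
+- handler: noop
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+name: public-backend-endpoints
+spec:
+version: test
+upstream:
+url: http://<% .Name %>.<% .Name %>
+preserveHost: true
+match:
+# url: http://<backend_service_domain>/status/<.*>
+methods:
+- GET
+- POST
+authenticators:
+- handler: noop
+authorizer:
+handler: allow
+mutators:
+- handler: noop
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+name: authenticated-backend-endpoints
+spec:
+version: test
+upstream:
+preserveHost: true
+url: http://<% .Name %>.<% .Name %>
+stripPath: /api
+match:
+# url: <backend_service_domain>/api/<.*>
+methods:
+- GET
+- POST
+authenticators:
+- handler: cookie_session
+authorizer:
+handler: allow
+mutators:
+- handler: id_token
+- handler: header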
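Review bot: The `kratos-form-data` rule forwards `GET /.ory/kratos/self-service/<flow>/flows<.*>` to the Kratos admin service (`kratos-admin.user-auth`) with a `noop` authenticator, so the GET-only method list and the `match.url` regex supplied by the overlays are all that keeps the rest of the admin API off the public surface; that deserves a comment on the rule, e.g. `# Exposes ONLY the self-service flow lookups of the admin API; keep the overlay match.url regex tight so no other admin path is reachable through this rule.` The `version: test` key under `spec` on the two backend rules is not an obvious field of the Rule resource; confirm the deployed oathkeeper-maester CRD accepts it, or drop it so the object is not rejected by server-side validation. The commented `#url:` hints use two spacings (`#url:` vs `# url:`) and the `<backend_service_domain>` placeholder reads like a real match; a single consistent line such as `# match.url is set per environment in overlays/<env>/auth.yml` would be clearer.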
2 changes: 2 additions & 0 deletions templates/kubernetes/base/kustomization.yml
@@ -1,6 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: <% .Name %>

resources:
- deployment.yml
- service.yml
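--- a/templates/kubernetes/overlays/production/auth.yml
+++ b/templates/kubernetes/overlays/production/auth.yml
@@ -0,0 +1,31 @@
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+name: kratos-public
+spec:
+match:
+url: http://<% index .Params `productionBackendSubdomain` %><% index .Params `productionHostRoot` %>/.ory/kratos/public/<.*>
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+name: kratos-form-data
+spec:
+match:
+url: http://<% index .Params `productionBackendSubdomain` %><% index .Params `productionHostRoot` %>/.ory/kratos/self-service/<(login|registration|recovery|settings)>/flows<.*>
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+name: public-backend-endpoints
+spec:
+match:
+url: http://<% index .Params `productionBackendSubdomain` %><% index .Params `productionHostRoot` %>/<(?!(api|\.ory\/kratos)).*>
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+name: authenticated-backend-endpoints
+spec:
+match:
+url: http://<% index .Params `productionBackendSubdomain` %><% index .Params `productionHostRoot` %>/api/<.*>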
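Review bot: The `public-backend-endpoints` match `/<(?!(api|\.ory\/kratos)).*>` makes every path not under `/api` or `/.ory/kratos` reachable through the `noop`/`allow` rule, so any backend route later added outside `/api` is unauthenticated by default; the base file's own hint (`# url: http://<backend_service_domain>/status/<.*>`) suggests a narrow allow-list was intended, and enumerating the public paths (e.g. `/status/<.*>`) fails closed where the negative match fails open. Also confirm that the Oathkeeper version in use accepts the negative lookahead `(?!…)`: an RE2-based regexp matcher has no lookaround and would reject the rule rather than match it. `staging/auth.yml` carries the same pattern.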
1 change: 1 addition & 0 deletions templates/kubernetes/overlays/production/ingress.yml
Expand Up @@ -2,6 +2,7 @@ apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: <% .Name %>
namespace: <% .Name %>
annotations:
# nginx ingress
kubernetes.io/ingress.class: nginx
8 changes: 5 additions & 3 deletions templates/kubernetes/overlays/production/kustomization.yml
Expand Up @@ -3,11 +3,13 @@ kind: Kustomization

patchesStrategicMerge:
- deployment.yml

<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
<% end %>
resources:
- ../../base
- ingress.yml
- pdb.yml
<%if eq (index .Params `userAuth`) "yes" %>#<% end %>- ingress.yml
<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
<% end %>

configMapGenerator:
- name: <% .Name %>-config
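Review bot: `- auth.yml` appears under both `patchesStrategicMerge` and `resources` when `userAuth` is "yes"; the overlay file only carries `spec.match.url` fragments, so it should be a patch only — listed as a resource, kustomize either rejects the duplicate Rule ids or emits four half-empty Rule objects alongside the patched ones. The hunk also appears to drop `- pdb.yml` from `resources` (three deletions: the blank line, `- ingress.yml` and `- pdb.yml`, replaced by the templated lines) while this same PR adds a namespace to `pdb.yml`; if that is unintended, restore `- pdb.yml` next to the templated ingress line. With `userAuth` enabled the `- ingress.yml` entry is commented out entirely, so the backend gets no Ingress of its own and is reachable only through whatever fronts Oathkeeper — worth stating above that line, e.g. `# with userAuth the backend Ingress is dropped; traffic must enter through the Oathkeeper proxy`. The old/new sides here are inferred from the addition/deletion counts. `staging/kustomization.yml` has the same duplicated `- auth.yml`.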
1 change: 1 addition & 0 deletions templates/kubernetes/overlays/production/pdb.yml
Expand Up @@ -3,6 +3,7 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: <% .Name %>
namespace: <% .Name %>
spec:
minAvailable: 2
selector:
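--- a/templates/kubernetes/overlays/staging/auth.yml
+++ b/templates/kubernetes/overlays/staging/auth.yml
@@ -0,0 +1,31 @@
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+name: kratos-public
+spec:
+match:
+url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/.ory/kratos/public/<.*>
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+name: kratos-form-data
+spec:
+match:
+url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/.ory/kratos/self-service/<(login|registration|recovery|settings)>/flows<.*>
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+name: public-backend-endpoints
+spec:
+match:
+url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/<(?!(api|\.ory\/kratos)).*>
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+name: authenticated-backend-endpoints
+spec:
+match:
+url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/api/<.*>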
1 change: 1 addition & 0 deletions templates/kubernetes/overlays/staging/ingress.yml
Expand Up @@ -2,6 +2,7 @@ apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: <% .Name %>
namespace: <% .Name %>
annotations:
# nginx ingress
kubernetes.io/ingress.class: nginx
7 changes: 5 additions & 2 deletions templates/kubernetes/overlays/staging/kustomization.yml
Expand Up @@ -3,10 +3,13 @@ kind: Kustomization

patchesStrategicMerge:
- deployment.yml

<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
<% end %>
resources:
- ../../base
- ingress.yml
<%if eq (index .Params `userAuth`) "yes" %>#<% end %>- ingress.yml
<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
<% end %>

configMapGenerator:
- name: <% .Name %>-config
3 changes: 3 additions & 0 deletions zero-module.yml
Expand Up @@ -103,3 +103,6 @@ conditions:
data:
- src/middleware/auth
- src/app/auth
- kubernetes/base/auth.yml
- kubernetes/overlays/staging/auth.yml
- kubernetes/overlays/production/auth.yml