From 747b1413677b52e6fe2687d73ea5dfe25c17a378 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20B=C5=82aszczyk?=
Date: Wed, 18 Dec 2019 14:36:14 +0100
Subject: [PATCH 1/2] Filter only if CM field is set
---
 config/samples/oathkeeper_v1alpha1_rule.yaml | 22 ++++++++++++++++++++
 controllers/rule_controller.go | 20 +++++++++++++-----
 2 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/config/samples/oathkeeper_v1alpha1_rule.yaml b/config/samples/oathkeeper_v1alpha1_rule.yaml
index 8fda814..79f0ddb 100644
--- a/config/samples/oathkeeper_v1alpha1_rule.yaml
+++ b/config/samples/oathkeeper_v1alpha1_rule.yaml
@@ -5,6 +5,28 @@ metadata:
 name: sample-rule-1
 namespace: default
 spec:
+ description: Sample rule
+ upstream:
+ url: "http://abc.ef"
+ preserveHost: false
+ match:
+ methods: ["GET"]
+ url: ://foo.bar
+ authenticators:
+ - handler: anonymous
+ authorizer:
+ handler: allow
+ mutators:
+ - handler: noop
+ config: {}
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: sample-rule-2
+ namespace: default
+spec:
+ configMapName: some-cm
 description: Sample rule
 upstream:
 url: "http://abc.ef"
diff --git a/controllers/rule_controller.go b/controllers/rule_controller.go
index f430748..4c897eb 100644
--- a/controllers/rule_controller.go
+++ b/controllers/rule_controller.go
@@ -58,6 +58,7 @@ func (r *RuleReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 _ = r.Log.WithValues("rule", req.NamespacedName)
 var rule oathkeeperv1alpha1.Rule
+ skipValidation := false
 if err := r.Get(ctx, req.NamespacedName, &rule); err != nil {
@@ -123,11 +124,20 @@ func (r *RuleReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 }
 }
- oathkeeperRulesJSON, err := rulesList.FilterNotValid().
- FilterConfigMapName(rule.Spec.ConfigMapName).
- ToOathkeeperRules()
- if err != nil {
- return ctrl.Result{}, err
+ var err error
+ var oathkeeperRulesJSON []byte
+
+ if rule.Spec.ConfigMapName != nil {
+ r.Log.Info(fmt.Sprintf("Found ConfigMap definition in Rule %s/%s: Writing data to \"%s\"", rule.Namespace, rule.Name, *rule.Spec.ConfigMapName))
+ oathkeeperRulesJSON, err = rulesList.FilterNotValid().FilterConfigMapName(rule.Spec.ConfigMapName).ToOathkeeperRules()
+ if err != nil {
+ return ctrl.Result{}, err
+ }
+ } else {
+ oathkeeperRulesJSON, err = rulesList.FilterNotValid().ToOathkeeperRules()
+ if err != nil {
+ return ctrl.Result{}, err
+ }
 }
 if err := r.OperatorMode.CreateOrUpdate(ctx, oathkeeperRulesJSON, &rule); err != nil {
From 680e2656719f6eabf358d5139175351ec340e535 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20B=C5=82aszczyk?=
Date: Thu, 19 Dec 2019 11:39:10 +0100
Subject: [PATCH 2/2] Next try
---
 config/samples/oathkeeper_v1alpha1_rule.yaml | 75 +++++++++++++++++++-
 controllers/rule_controller.go | 10 ++-
 2 files changed, 82 insertions(+), 3 deletions(-)
diff --git a/config/samples/oathkeeper_v1alpha1_rule.yaml b/config/samples/oathkeeper_v1alpha1_rule.yaml
index 79f0ddb..f9cc0f8 100644
--- a/config/samples/oathkeeper_v1alpha1_rule.yaml
+++ b/config/samples/oathkeeper_v1alpha1_rule.yaml
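Review bot: The new guard `if rule.Spec.ConfigMapName != nil` still lets a Rule with `configMapName: ""` through, because a pointer to an empty string is non-nil, so the reconcile continues with an empty ConfigMap name in the log line and in whatever CreateOrUpdate derives from `&rule`; unless the CRD schema is known to reject an empty string, tighten it to `if rule.Spec.ConfigMapName != nil && *rule.Spec.ConfigMapName != "" {`. The else branch serializes rulesList without any FilterConfigMapName call, so Rules that do carry a configMapName (such as sample-rule-cm in the samples) presumably also end up in the default output; if that overlap is intended, a one-line comment above the else branch saying so would spare the next reader from re-deriving it. `r.Log` appears to be a logr-style logger (the hunk in the first file uses `WithValues`), whose Info takes a message plus key/value pairs, so `r.Log.Info("writing rules to ConfigMap", "rule", req.NamespacedName, "configMap", *rule.Spec.ConfigMapName)` would keep the entry structured instead of pre-formatting it with fmt.Sprintf. Reconcile begins and ends outside this hunk.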
@@ -1,9 +1,61 @@
 ---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-ns-1
+---
 apiVersion: oathkeeper.ory.sh/v1alpha1
 kind: Rule
 metadata:
 name: sample-rule-1
- namespace: default
+ namespace: test-ns-1
+spec:
+ description: Sample rule
+ upstream:
+ url: "http://abc.ef"
+ preserveHost: false
+ match:
+ methods: ["GET"]
+ url: ://foo.bar
+ authenticators:
+ - handler: anonymous
+ authorizer:
+ handler: allow
+ mutators:
+ - handler: noop
+ config: {}
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: sample-rule-2
+ namespace: test-ns-1
+spec:
+ description: Sample rule
+ upstream:
+ url: "http://abc.ef"
+ preserveHost: false
+ match:
+ methods: ["GET"]
+ url: ://foo.bar
+ authenticators:
+ - handler: anonymous
+ authorizer:
+ handler: allow
+ mutators:
+ - handler: noop
+ config: {}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-ns-2
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: sample-rule-1
+ namespace: test-ns-2
 spec:
 description: Sample rule
 upstream:
@@ -24,6 +76,27 @@ apiVersion: oathkeeper.ory.sh/v1alpha1
 kind: Rule
 metadata:
 name: sample-rule-2
+ namespace: test-ns-2
+spec:
+ description: Sample rule
+ upstream:
+ url: "http://abc.ef"
+ preserveHost: false
+ match:
+ methods: ["GET"]
+ url: ://foo.bar
+ authenticators:
+ - handler: anonymous
+ authorizer:
+ handler: allow
+ mutators:
+ - handler: noop
+ config: {}
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: sample-rule-cm
 namespace: default
 spec:
 configMapName: some-cm
diff --git a/controllers/rule_controller.go b/controllers/rule_controller.go
index 4c897eb..306e31d 100644
--- a/controllers/rule_controller.go
+++ b/controllers/rule_controller.go
@@ -95,8 +95,14 @@ func (r *RuleReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 var rulesList oathkeeperv1alpha1.RuleList
- if err := r.List(ctx, &rulesList, client.InNamespace(req.NamespacedName.Namespace)); err != nil {
- return ctrl.Result{}, err
+ if rule.Spec.ConfigMapName != nil {
+ if err := r.List(ctx, &rulesList, client.InNamespace(req.NamespacedName.Namespace)); err != nil {
+ return ctrl.Result{}, err
+ }
+ } else {
+ if err := r.List(ctx, &rulesList); err != nil {
+ return ctrl.Result{}, err
+ }
 }
 // examine DeletionTimestamp to determine if object is under deletion
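Review bot: The else branch's `r.List(ctx, &rulesList)` drops the namespace scope, so a Rule without configMapName now collects Rules from every namespace into one shared rule set; together with the write path from the first patch this means anyone allowed to create Rules in their own namespace can add access rules to the cluster-wide Oathkeeper configuration, which is a tenancy decision that should be explicit rather than implied by a missing list option. At minimum it deserves a comment at that call, such as `// A Rule without configMapName feeds the default rule set, which merges Rules from ALL namespaces: Rule create permission in any namespace therefore changes the shared Oathkeeper config.`, and the controller's RBAC and manager cache need to permit a cluster-wide list, since a namespace-restricted cache would make this call fail at runtime. The two branches differ only in the list option, so building the options once removes the duplicated error handling (this assumes controller-runtime's variadic `client.ListOption` signature, which the existing `client.InNamespace(...)` argument suggests). Reconcile starts and ends outside this hunk.
```go
var rulesList oathkeeperv1alpha1.RuleList

// A Rule without configMapName feeds the default rule set, which merges
// Rules from ALL namespaces: Rule create permission in any namespace
// therefore changes the shared Oathkeeper config. Keep this explicit.
var listOpts []client.ListOption
if rule.Spec.ConfigMapName != nil {
	listOpts = append(listOpts, client.InNamespace(req.NamespacedName.Namespace))
}
if err := r.List(ctx, &rulesList, listOpts...); err != nil {
	return ctrl.Result{}, err
}
// … unchanged: DeletionTimestamp check …
```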