From 4c5301f0ca8cf11fb012cda201c8c346b4e308bd Mon Sep 17 00:00:00 2001
From: Toby Archer
Date: Wed, 22 Sep 2021 11:21:04 +0200
Subject: [PATCH] Adding s3, gs, and azblob access_rules.repositories to schema and reference configuration
---
.schema/config.schema.json | 8 ++++++--
docs/docs/reference/configuration.md | 14 +++++++++++---
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/.schema/config.schema.json b/.schema/config.schema.json
index bec132978b..d3bf14dbe5 100644
--- a/.schema/config.schema.json
+++ b/.schema/config.schema.json
@@ -1301,7 +1301,7 @@ "properties": { "repositories": { "title": "Repositories", - "description": "Locations (list of URLs) where access rules should be fetched from on boot. It is expected that the documents at those locations return a JSON or YAML Array containing ORY Oathkeeper Access Rules:\n\n- If the URL Scheme is `file://`, the access rules (an array of access rules is expected) will be fetched from the local file system.\n- If the URL Scheme is `inline://`, the access rules (an array of access rules is expected) are expected to be a base64 encoded (with padding!) JSON/YAML string (base64_encode(`[{\"id\":\"foo-rule\",\"authenticators\":[....]}]`)).\n- If the URL Scheme is `http://` or `https://`, the access rules (an array of access rules is expected) will be fetched from the provided HTTP(s) location.", + "description": "Locations (list of URLs) where access rules should be fetched from on boot. It is expected that the documents at those locations return a JSON or YAML Array containing ORY Oathkeeper Access Rules:\n\n- If the URL Scheme is `file://`, the access rules (an array of access rules is expected) will be fetched from the local file system.\n- If the URL Scheme is `inline://`, the access rules (an array of access rules is expected) are expected to be a base64 encoded (with padding!) JSON/YAML string (base64_encode(`[{\"id\":\"foo-rule\",\"authenticators\":[....]}]`)).\n- If the URL Scheme is `http://` or `https://`, the access rules (an array of access rules is expected) will be fetched from the provided HTTP(s) location.\n- If the URL Scheme is `s3://`, `gs://` or `azblob://`, the access rules (an array of access rules is expected) will be fetched by an object storage (AWS S3, Google Cloud Storage, Azure Blob Storage).\n\nS3 storage also supports S3-compatible endpoints served by Minio or Ceph. 
See aws.ConfigFromURLParams (https://godoc.org/gocloud.dev/aws#ConfigFromURLParams) for more details on supported URL options for S3.", "type": "array", "items": { "type": "string", @@ -1311,7 +1311,11 @@ [ "file://path/to/rules.json", "inline://W3siaWQiOiJmb28tcnVsZSIsImF1dGhlbnRpY2F0b3JzIjpbXX1d", - "https://path-to-my-rules/rules.json" + "https://path-to-my-rules/rules.json", + "s3://my-bucket-name/rules.json", + "s3://my-bucket-name/rules.json?endpoint=minio.my-server.net", + "gs://gcp-bucket-name/rules.json", + "azblob://my-blob-container/rules.json" ] ] }, diff --git a/docs/docs/reference/configuration.md b/docs/docs/reference/configuration.md index 3e797ffb16..61a79c8bf7 100644 --- a/docs/docs/reference/configuration.md +++ b/docs/docs/reference/configuration.md @@ -7,9 +7,6 @@ title: Configuration OPEN AN ISSUE IF YOU WOULD LIKE TO MAKE ADJUSTMENTS HERE AND MAINTAINERS WILL HELP YOU LOCATE THE RIGHT FILE --> -If file `$HOME/.oathkeeper.yaml` exists, it will be used as a configuration file -which supports all configuration settings listed below. - You can load the config file from another source using the `-c path/to/config.yaml` or `--config path/to/config.yaml` flag: `oathkeeper --config path/to/config.yaml`. 
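Review bot: The added `s3://`, `gs://`, `azblob://` bullet in the `repositories` description says nothing about trust: the object in the bucket becomes the source of the proxy's access rules, so whoever can write that object decides which requests are allowed. I would append a sentence such as `Anyone who can write to the referenced object controls the access rules; restrict write access to the bucket and keep it private.` The description also does not say how credentials for the three providers are supplied (presumably the cloud SDK's default environment lookup, which this hunk does not show), and that belongs here too. A wording nit in the same bullet: "fetched by an object storage" should read "fetched from object storage". The `repositories` object opens above the hunk and continues past it.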
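Review bot: The new example `s3://my-bucket-name/rules.json?endpoint=minio.my-server.net` relies on query parameters being passed to the S3 client configuration, and the linked `aws.ConfigFromURLParams` also accepts `disableSSL`, so a repository URL can switch the rules fetch to plaintext. Whether the `items` schema constrains the query string is not visible, because the lines between `"type": "string",` and this hunk lie outside it. If it does not, the description should state that `disableSSL=true` is for local testing only, since access rules fetched without TLS can be altered in transit.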
@@ -70,11 +67,18 @@ access_rules: # - If the URL Scheme is `file://`, the access rules (an array of access rules is expected) will be fetched from the local file system. # - If the URL Scheme is `inline://`, the access rules (an array of access rules is expected) are expected to be a base64 encoded (with padding!) JSON/YAML string (base64_encode(`[{"id":"foo-rule","authenticators":[....]}]`)). # - If the URL Scheme is `http://` or `https://`, the access rules (an array of access rules is expected) will be fetched from the provided HTTP(s) location. + # - If the URL Scheme is `s3://`, `gs://` or `azblob://`, the access rules (an array of access rules is expected) will be fetched by an object storage (AWS S3, Google Cloud Storage, Azure Blob Storage). + # + # S3 storage also supports S3-compatible endpoints served by Minio or Ceph. See aws.ConfigFromURLParams (https://godoc.org/gocloud.dev/aws#ConfigFromURLParams) for more details on supported URL options for S3. # # Examples: # - - file://path/to/rules.json # - inline://W3siaWQiOiJmb28tcnVsZSIsImF1dGhlbnRpY2F0b3JzIjpbXX1d # - https://path-to-my-rules/rules.json + # - s3://my-bucket-name/rules.json + # - s3://my-bucket-name/rules.json?endpoint=minio.my-server.net + # - gs://gcp-bucket-name/rules.json + # - azblob://my-blob-container/rules.json # # Set this value using environment variables on # - Linux/macOS: @@ -86,6 +90,10 @@ access_rules: - file://path/to/rules.json - inline://W3siaWQiOiJmb28tcnVsZSIsImF1dGhlbnRpY2F0b3JzIjpbXX1d - https://path-to-my-rules/rules.json + - s3://my-bucket-name/rules.json + - s3://my-bucket-name/rules.json?endpoint=minio.my-server.net + - gs://gcp-bucket-name/rules.json + - azblob://my-blob-container/rules.json ## Authenticators ## #