-
-
Notifications
You must be signed in to change notification settings - Fork 262
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: disable maester by default #687
Conversation
f24a17b
to
9fab8cc
Compare
Any info on this one? Whats the hold up? 🤔 edit: relates to #669 |
I've created this fix only for a PoC and we're not using the chart or the product anymore. I'd be happy if the maintainers take the ownership of this changeset. |
Hi there! |
I think that (change in the default behavior) can be avoided if I set
in the default values of the chart. Should I go ahead and change the defaults so that the change is somewhat backwards compatible? The only case it is not is when both of these values are set to |
@kenankule yes please :) I think it even would make sense to add a check for this case (both are set to true) and fail the installation with an error message when that happens. |
- Disable maester by default. Currently both maester and managedAccessRules are enabled and these two settings are contradicting with each other. - Fail if both managedAccessRules and maester are enabled. - Align rules configmap name with the maester if the maester is enabled.
9fab8cc
to
6788f47
Compare
I've changed the defaults, rebased the branch and pushed. Also edited the changeset description. The validation you've requested is already implemented :
|
@Demonsthere any ETA for the next release? :)) |
This patch changes the default value
maester.enabled
tofalse
. If the user would like to manage the rules with the maester controller,maester.enabled
should be set totrue
andmanagedAccessRules
should be set tofalse
Related Issue or Design Document
Fixes #512
Checklist
If this pull request addresses a security vulnerability,
I confirm that I got approval (please contact [email protected]) from the maintainers to push the changes.
Further comments
Tested with the following configurations:
1- The user would like to manage rules manually. In this configuration the rules configmap and the initContainer to fix the permissions are not added to the deployment. rules volume is an emptydir:
2- The rules are managed by the helm chart
oathkeeper.accessRules
value. Rules configmap is created but the initContainer is not added to the deployment.3- The rules are managed by the maester. Rules configmap is created by the maester chart and the volume name in the oathkeeper deployment is aligned with the maester chart. initContainer is not added to the deployment.
4- Invalid configuration so the helm chart rendering fails with an error message.
I believe the first configuration (where the chart creates an emptydir volume) should be replaced with a configuration where the chart gets an existing configmap name and uses that instead.