Issue
Oathkeeper is currently not charmed and only available as a rock and docker image.
Solution
This PR adds implementation of the initial charm:
config and sample access rule files
pebble layer
events observation
traefik-k8s ingress relation
unit and integration tests.
Additional context
We are not using the 4455 reverse proxy port, but it's always exposed by oathkeeper, even if you omit the proxy part in config (see the dockerfile). You can verify it by SSHing into the pod and running netstat -tulpn. That port will need to be protected with a k8s network policy to deny the traffic; I'll open another PR for that.
Note that some values, like the Kratos URL or access rules, are placeholders/dummy values and will be replaced by juju integrations.
Testing Instructions
Deploy the charm:
juju deploy ./oathkeeper*.charm --resource oci-image=$(yq eval '.resources.oci-image.upstream-source' metadata.yaml)
Find oathkeeper's k8s svc address and curl the ready endpoint:
curl -v <svc-address>:4456/health/ready
It should return {"status":"ok"}
curl -v <svc-address>:4456/rules should return a sample access rule.
Release Notes
initial charm implementation
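
Added example, not part of this PR or of the charm's code: a sketch of a Kubernetes NetworkPolicy of the kind the description mentions for port 4455. It admits ingress only on the API port 4456, so traffic to 4455 is dropped. The policy name, the namespace and the pod label are assumptions and must be matched to the actual deployment.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: oathkeeper-api-only        # hypothetical policy name
  namespace: my-model              # assumption: the namespace of the Juju model
spec:
  # Assumption: the oathkeeper pods carry this label; check with
  # `kubectl get pods --show-labels` and adjust the selector.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: oathkeeper
  # Declaring Ingress makes the selected pods default-deny for inbound
  # traffic; only what is listed under `ingress` is allowed.
  policyTypes:
    - Ingress
  ingress:
    # Allow the API port used in the testing instructions
    # (/health/ready and /rules). Port 4455 is not listed, so
    # connections to the reverse proxy port are denied.
    - ports:
        - protocol: TCP
          port: 4456
```

The policy only takes effect on clusters whose network plugin enforces NetworkPolicy; after applying it, a connection to <svc-address>:4455 should time out while the 4456 checks above still succeed.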