Python Operator for Ory Oathkeeper - a cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. For more details and documentation, visit https://www.ory.sh/docs/oathkeeper.
juju deploy oathkeeper --channel edge --trust
You can follow the deployment status with watch -c juju status --color.
Applications that do not conform to OAuth/OIDC standards or don't offer built-in access control can be secured using the Identity and Access Proxy (IAP) solution, which offers a possibility to protect endpoints by intercepting incoming requests and delegating the authn/authz process to the relevant components of the Identity Platform.
Oathkeeper is the main entry point for plugging the Identity and Access Proxy into your charmed operator. This is achieved using the juju integrations described below.
Oathkeeper offers integration with the Traefik ForwardAuth feature via the forward_auth interface.
To enable it, deploy the Traefik charmed operator, turn on the experimental feature and add a juju integration:
juju deploy traefik-k8s traefik-public
juju config traefik-public enable_experimental_forward_auth=True
juju integrate oathkeeper traefik-public:experimental-forward-auth
Oathkeeper can be integrated with downstream charmed operators using the auth_proxy interface.
To have your charm protected by the Identity and Access Proxy, make sure that:
- it is integrated with traefik-k8s using one of the ingress interfaces
- it provides Oathkeeper with the necessary data by supporting the auth_proxy integration.
Then complete setting up the proxy:
juju integrate your-charm traefik-public
juju integrate oathkeeper your-charm:auth-proxy
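To confirm that the proxy chain above is wired before relying on it, the following added check (not part of the charm or its documentation) inspects juju status --format=json output and reports any missing integration between your charm, Traefik and Oathkeeper. The sample status document is constructed, trimmed to the relation entries the check reads, and the set of traefik-k8s ingress endpoint names is an assumption to adjust for your deployment.

```python
import json

# Endpoints on traefik-k8s that carry an ingress interface (assumption:
# endpoint names as exposed by traefik-k8s; adjust if yours differ).
INGRESS_ENDPOINTS = {"ingress", "ingress-per-unit", "traefik-route"}

# Constructed sample of `juju status --format=json`, reduced to the
# applications and relations this check reads.
SAMPLE_STATUS = json.dumps({
    "applications": {
        "traefik-public": {"relations": {
            "ingress": ["your-charm"],
            "experimental-forward-auth": ["oathkeeper"],
        }},
        "your-charm": {"relations": {
            "ingress": ["traefik-public"],
            "auth-proxy": ["oathkeeper"],
        }},
    }
})


def related_apps(status, app, endpoint):
    """Return the set of applications related to `app` on `endpoint`.

    Accepts both shapes Juju emits for a relation entry: a bare application
    name, or an object carrying a 'related-application' key.
    """
    entries = status["applications"].get(app, {}).get("relations", {}).get(endpoint, [])
    return {e if isinstance(e, str) else e.get("related-application") for e in entries}


def check_iap_topology(status_json, charm, traefik="traefik-public", oathkeeper="oathkeeper"):
    """Return the list of missing integrations; empty means the IAP chain is complete."""
    status = json.loads(status_json)
    problems = []
    # 1. The charm must be reachable through Traefik on some ingress endpoint.
    if not any(charm in related_apps(status, traefik, ep) for ep in INGRESS_ENDPOINTS):
        problems.append(f"{charm} has no ingress relation to {traefik}")
    # 2. Traefik must delegate authn/authz to Oathkeeper via ForwardAuth.
    if oathkeeper not in related_apps(status, traefik, "experimental-forward-auth"):
        problems.append(f"{traefik} is not related to {oathkeeper} on experimental-forward-auth")
    # 3. The charm must hand Oathkeeper its access-rule data over auth-proxy.
    if oathkeeper not in related_apps(status, charm, "auth-proxy"):
        problems.append(f"{charm} is not related to {oathkeeper} on auth-proxy")
    return problems


if __name__ == "__main__":
    print(check_iap_topology(SAMPLE_STATUS, "your-charm") or "IAP topology OK")
```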
Oathkeeper connects to the Identity Platform through the Kratos charmed operator:
juju integrate oathkeeper kratos
juju config kratos dev=True
Refer to this tutorial to learn how to deploy and configure the Identity Platform.
The Oathkeeper Operator integrates with the Canonical Observability Stack (COS) bundle. It comes with a Grafana dashboard and with Loki and Prometheus alert rules for basic common scenarios. To integrate with the COS bundle, after you deploy it, run:
juju integrate oathkeeper:grafana-dashboard grafana:grafana-dashboard
juju integrate oathkeeper:metrics-endpoint prometheus:metrics-endpoint
juju integrate loki:logging oathkeeper:logging
To integrate with tracing, additionally run:
juju deploy tempo-k8s
juju integrate oathkeeper:tracing tempo-k8s:tracing
The Oathkeeper charmed operator offers the following juju actions:
- list-rules: lists all access rules
- get-rule: returns the content of an access rule by its id.
The rock image used by this charm is hosted on GitHub Container Registry and maintained by the Canonical Identity Team.
It is based on this docker image from Ory.
Security issues can be reported through LaunchPad. Please do not file GitHub issues about security issues.
Please see the Juju SDK docs for guidelines on enhancements to this charm following best practice guidelines, and CONTRIBUTING.md for developer guidance.
The Charmed Oathkeeper Operator is free software, distributed under the Apache Software License, version 2.0. See LICENSE for more information.