fix: disable maester by default (#687)

ory · Aug 22, 2024 · defbd62 · defbd62
1 parent 204db25
commit defbd62
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 5 deletions.
diff --git a/hacks/values/oathkeeper.yaml b/hacks/values/oathkeeper.yaml
@@ -68,6 +68,7 @@ deployment:
       maxSurge: 25%
       maxUnavailable: 25%
 oathkeeper:
+  managedAccessRules: true
   accessRules: |
     [
       {

diff --git a/helm/charts/oathkeeper/templates/_helpers.tpl b/helm/charts/oathkeeper/templates/_helpers.tpl
@@ -24,6 +24,21 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
+
+{{/*
+Create a config map name for rules.
+If maester is enabled, use the child chart named template to get the value.
+*/}}
+{{- define "oathkeeper.rulesConfigMapName" -}}
+{{- if .Values.maester.enabled -}}
+{{- $childChart := (dict "Name" "oathkeeper-maester") -}}
+{{- include "oathkeeper-maester.getCM" (dict "Values" (index .Values "oathkeeper-maester") "Release" $.Release "Chart" $childChart) }}
+{{- else -}}
+{{ include "oathkeeper.fullname" . }}-rules
+{{- end -}}
+{{- end -}}
+
+
 {{/*
 Create a secret name which can be overridden.
 */}}
@@ -86,9 +101,11 @@ Checksum annotations generated from configmaps and secrets
 {{- if .Values.configmap.hashSumEnabled }}
 {{- $oathkeeperConfigMapFile := ternary "/configmap-config-demo.yaml" "/configmap-config.yaml" (.Values.demo) }}
 checksum/oathkeeper-config: {{ include (print $.Template.BasePath $oathkeeperConfigMapFile) . | sha256sum }}
+{{- if .Values.oathkeeper.managedAccessRules }}
 checksum/oathkeeper-rules: {{ include (print $.Template.BasePath "/configmap-rules.yaml") . | sha256sum }}
 {{- end }}
+{{- end }}
 {{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }}
 checksum/oauthkeeper-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
 {{- end }}
-{{- end }}
+{{- end }}
diff --git a/helm/charts/oathkeeper/templates/configmap-rules.yaml b/helm/charts/oathkeeper/templates/configmap-rules.yaml
@@ -1,4 +1,7 @@
 {{- if .Values.oathkeeper.managedAccessRules }}
+{{- if .Values.maester.enabled -}}
+{{- fail "Both `managedAccessRules` and `maester.enabled` cannot be set to true at the same time" }}
+{{- end -}}
 ---
 apiVersion: v1
 kind: ConfigMap

diff --git a/helm/charts/oathkeeper/templates/deployment-controller.yaml b/helm/charts/oathkeeper/templates/deployment-controller.yaml
@@ -62,9 +62,9 @@ spec:
             name: {{ include "oathkeeper.fullname" . }}-config
             {{- end }}
         - name: {{ include "oathkeeper.name" . }}-rules-volume
-          {{- if .Values.oathkeeper.managedAccessRules }}
+          {{- if or .Values.oathkeeper.managedAccessRules .Values.maester.enabled }}
           configMap:
-            name: {{ include "oathkeeper.fullname" . }}-rules
+            name: {{ include "oathkeeper.rulesConfigMapName" . }}
           {{- else }}
           emptyDir: {}
           {{- end }}
@@ -76,7 +76,7 @@ spec:
       serviceAccountName: {{ include "oathkeeper.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
       initContainers:
-      {{- if (not .Values.oathkeeper.managedAccessRules) }}
+      {{- if and (not .Values.oathkeeper.managedAccessRules) (not .Values.maester.enabled) }}
         - name: init
           image: "{{ .Values.image.initContainer.repository }}:{{ .Values.image.initContainer.tag }}"
           volumeMounts:

diff --git a/helm/charts/oathkeeper/values.yaml b/helm/charts/oathkeeper/values.yaml
@@ -378,7 +378,7 @@ affinity: {}
 
 ## -- Configures controller setup
 maester:
-  enabled: true
+  enabled: false
 
 ## -- PodDistributionBudget configuration
 pdb: