From 84b6f0ad72c0051f3a1a180638432e10e4d0618d Mon Sep 17 00:00:00 2001
From: Emiliano Deustua <edeustua@gmail.com>
Date: Fri, 17 May 2024 15:52:25 -0500
Subject: [PATCH 1/4] fix: Allow self managed rules without maester

Since PR #669, self-managed access rules are impossible to deploy. This commit
fixes that by allowing the deployment controller to load the rules config map
when maester is disabled.
---
 helm/charts/oathkeeper/templates/deployment-controller.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/helm/charts/oathkeeper/templates/deployment-controller.yaml b/helm/charts/oathkeeper/templates/deployment-controller.yaml
index 770f20ed2c..b899c6d9fd 100644
--- a/helm/charts/oathkeeper/templates/deployment-controller.yaml
+++ b/helm/charts/oathkeeper/templates/deployment-controller.yaml
@@ -62,7 +62,7 @@ spec:
             name: {{ include "oathkeeper.fullname" . }}-config
             {{- end }}
         - name: {{ include "oathkeeper.name" . }}-rules-volume
-          {{- if .Values.oathkeeper.managedAccessRules }}
+          {{- if or .Values.oathkeeper.managedAccessRules ( not .Values.maester.enabled ) }}
           configMap:
             name: {{ include "oathkeeper.fullname" . }}-rules
           {{- else }}
@@ -76,7 +76,7 @@ spec:
       serviceAccountName: {{ include "oathkeeper.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
       initContainers:
-      {{- if (not .Values.oathkeeper.managedAccessRules) }}
+      {{- if ( not ( or .Values.oathkeeper.managedAccessRules ( not .Values.maester.enabled ) ) ) }}
         - name: init
           image: "{{ .Values.image.initContainer.repository }}:{{ .Values.image.initContainer.tag }}"
           volumeMounts:

From 439ae0815a94c34a37447ba63c1aec56895a1c79 Mon Sep 17 00:00:00 2001
From: Emiliano Deustua <edeustua@gmail.com>
Date: Mon, 20 May 2024 19:56:25 -0500
Subject: [PATCH 2/4] chore: Disable managedAccessRules to enable our case

---
 hacks/values/oathkeeper.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hacks/values/oathkeeper.yaml b/hacks/values/oathkeeper.yaml
index ce69d72dc2..a604d01157 100644
--- a/hacks/values/oathkeeper.yaml
+++ b/hacks/values/oathkeeper.yaml
@@ -68,6 +68,7 @@ deployment:
       maxSurge: 25%
       maxUnavailable: 25%
 oathkeeper:
+  managedAccessRules: false
   accessRules: |
     [
       {

From 3e254c9b62078fa448cc0ba67fb6b327ffdf9074 Mon Sep 17 00:00:00 2001
From: Emiliano Deustua <edeustua@gmail.com>
Date: Thu, 23 May 2024 13:15:53 -0500
Subject: [PATCH 3/4] feat: Add external access rules hack tests

---
 .../oathkeeper-external-accessrules.yaml      |  36 ++++
 .../oathkeeper-external-accessrules.yaml      | 165 ++++++++++++++++++
 hacks/values/oathkeeper.yaml                  |   1 -
 3 files changed, 201 insertions(+), 1 deletion(-)
 create mode 100644 hacks/manifests/oathkeeper-external-accessrules.yaml
 create mode 100644 hacks/values/oathkeeper-external-accessrules.yaml

diff --git a/hacks/manifests/oathkeeper-external-accessrules.yaml b/hacks/manifests/oathkeeper-external-accessrules.yaml
new file mode 100644
index 0000000000..6c931ca19b
--- /dev/null
+++ b/hacks/manifests/oathkeeper-external-accessrules.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  # The name comes from oathkeeper's subchart.
+  name: {{ include "oathkeeper.fullname" . }}-rules
+data:
+  access-rules.json: |-
+    [
+      {
+        "id": "rule-foobar",
+        "upstream": {
+          "url": "https://httpbin.org/anything"
+        },
+        "match": {
+          "url": "http://<[^/]+>/authenticator/noop/authorizer/allow/mutator/noop",
+          "methods": [
+            "GET",
+            "POST",
+            "PUT",
+            "DELETE",
+            "PATCH"
+          ]
+        },
+        "authenticators": [
+          {
+            "handler": "noop"
+          }
+        ],
+        "authorizer": {
+          "handler": "allow"
+        },
+        "mutators": [{
+          "handler": "noop"
+        }]
+      }
+    ]
diff --git a/hacks/values/oathkeeper-external-accessrules.yaml b/hacks/values/oathkeeper-external-accessrules.yaml
new file mode 100644
index 0000000000..a604d01157
--- /dev/null
+++ b/hacks/values/oathkeeper-external-accessrules.yaml
@@ -0,0 +1,165 @@
+---
+demo: false
+maester:
+  enabled: false
+#
+#service:
+#  proxy:
+#    type: NodePort
+#  api:
+#    type: NodePort
+#
+
+image:
+  initContainer:
+    repository: docker.io/library/busybox
+    tag: 1.36
+
+ingress:
+  proxy:
+    enabled: true
+    defaultBackend:
+      service:
+        name: myservice
+        port:
+          number: 80
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      kubernetes.io/tls-acme: "true"
+  api:
+    enabled: true
+priorityClassName: "system-cluster-critical"
+
+pdb:
+  enabled: true
+  spec:
+    maxUnavailable: 25%
+
+deployment:
+  extraInitContainers: |
+    - name: "hello-world"
+      image: "alpine:latest"
+      command: ["/bin/sh"]
+      args: ["-c", "echo hello, world!"]
+  extraContainers: |
+    - name: "sidecar"
+      image: "alpine:latest"
+      command: ["/bin/sh"]
+      args: ["-c", "sleep infinity"]
+  podMetadata:
+    labels:
+      ory.sh/pod_label: oathkeeper
+    annotations:
+      ory.sh/pod_annotation: oathkeeper
+  autoscaling:
+    enabled: true
+    targetCPU:
+      type: Utilization
+      averageUtilization: 80
+    targetMemory:
+      type: Utilization
+      averageUtilization: 80
+    behavior:
+      scaleDown:
+        stabilizationWindowSeconds: 60
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+oathkeeper:
+  managedAccessRules: false
+  accessRules: |
+    [
+      {
+        "id": "rule-foobar",
+        "upstream": {
+          "url": "https://httpbin.org/anything"
+        },
+        "match": {
+          "url": "http://<[^/]+>/authenticator/noop/authorizer/allow/mutator/noop",
+          "methods": [
+            "GET",
+            "POST",
+            "PUT",
+            "DELETE",
+            "PATCH"
+          ]
+        },
+        "authenticators": [
+          {
+            "handler": "noop"
+          }
+        ],
+        "authorizer": {
+          "handler": "allow"
+        },
+        "mutators": [{
+          "handler": "noop"
+        }]
+      }
+    ]
+  mutatorIdTokenJWKs: |
+    {
+      "keys": [
+        {
+          "use": "sig",
+          "kty": "RSA",
+          "kid": "67bf0153-a6dc-4f06-9ce4-2f203b79adc8",
+          "alg": "RS256",
+          "n": "z59MFx8ntDR5j_XhETXVJ-e2lYHOJx9jMouhAwqTMQXg07BiHLcLzIGjhPIhQTKdO4BpAbu84Ceg3W-fVmK8-yrnPch-4cgi6UktIxL--iV4yj1p5FSInbBBm1oFJcmn8jqf0picWwRlDUv92cJKblDE1ZdGjO6HqOvGZAZFr-w4xT_jBsQRBCLspZ0_mWDHWsrjFcvZ3AgmERm5kwmJ-YSSeU-v08twcwVkA9UdAgeHgw5Z9vascy1tsrokvsI7Qktk867SL-BJZJ4FWn8lAJCdxOMFGdXyGthr2d9kZqzNBc0Isoay1NtM0K0gt_27jZc456w9-enkEMIu9bM4HYiX3T9i6N2LjnNj2hdARg9WODFj01LCOb240_boXO_iHQU69SCKi6tvQNUw7lf7TapD1Dsz4OZ0tsbAVY5HKRZH-CIo6cseVaaloFI7PYPnRW3gXyOUxfQCIWpg8v6TPNPrNIbwH-gXiUd6-Mngj-MX-CWenuin-Y_-KYYOS880vlOfBGUVTSkpPBnHW4-a2DZLcjyxv2uUsKksFmDqPEQVrugXZQQ6mUGHQNXxOWqJ211kf6SNo0pv9mcLAo07rkPy3Ujqq96C3G_l74c2t2gfXYCv0vYvHQ5E726gf-7H3YK5NO0jH_0EvCMVD25L7eXVuITxaZdxpn3InrK_i2s",
+          "e": "AQAB",
+          "d": "ZygstChEn-Kaq45tHxHyMHuOWkY-WW3c6ZY6j7pHW8oh5Mv0U3QXJqsaxclQAIbXXGL2yWev9md6I8t8DX3Ni7XLYwUlFaVMw0AabxzXFw5bL5DH9iySHFcgocFeYWIKUe4Szp4IwagzVSH2pKVGOf1jbwRUh11UhfdvgO8k3L2vj0Go2Qm9sqJvlfHFUb2mD1RS89dvDUX3M_PmIkpRBWp7JE8Ve1PPMTbydH0EhqebCuCsjmoNUMS3hl-6NhVnQA8Zv4GS6Tq0_IsO-eHGTruLx_FL7YRBYFk7bOrzhZhB3an7skf-voefaOc8JG6rKzSBj4oi2PL-39y7XFSJgi1Ss9NHZsdUQvQUD6nsaXM0epouPCakekYo_jAR-v_of4UBNpodR5nMvXMxXheXg2uz-UiWAzZ9lC1fX0C9IN9XSV99ep_DimqfjYY3ikkhwgUa8UCizL5Tln67HC7hY1ucpfxGZ8D5m_eCtg8fIx8TgCSxbYce2bYIc0jdcGcuEQPoNZbSJgEgNxrNX653MzxGtnLaXafF1uyaszN4FjFX8ToEOOSrKC1fLZSSifMMKv4yNP7BeNL_op1TkMAYa1CTrxgFeUL3ckBmF3sV8guAEDM3aiYX77NZAXk_lX3vxk4BUYQayJxEwH8oyDFB-ZOnEJheuIdUUZZOzRwPfSE",
+          "p": "1miNrKrNkJbyLkh5nZfSi7GtzmyOOGm0oCcpe3jh4zJnBNU34kOV5fCsK1ekEBEV0oEdCp4dqGVnWYoa7Kw9o04aeebSHMtBOZoVnQOIe8usm2xiD_y11uepRmGb1UNT_52PrCwFMsqtuupEJIJtKUFINq0KGtrnfM6UeA7cqVhZ8EDPNjL4c9iJ2JOzPa4jqPmyWe2Ypp_lMyG56yxZemUxZiX9sXqC89F1m0DNQ6Ny-VhWOYlkrTNT5kO17mgpru5yLmfklZhMSBOaKg7qdEmJB8HTlgMl40ulEnjRNLxoFNPboEwkXunFo6MMjEI35rcMDnr-LrIwZ06ia6fiEw",
+          "q": "9-W-4eUTjwjgUfICak-Zxftyo21WdIRh35Ncg9SnvNQx3LrfCgMVGcGB375kbBEwiZIW9Zg7nsllkvPelT5DGxwjYuzOMZH5SQmnX9AhVQ9a0O-fVZIj0pHaod600A0c2gbXtsVkuakmMnZXExxcYjRoU0_4RMfL7IUH8EIf8Safdn6KObA-cvFwfVN2iiFl897lmFK3MRvc8Ul2ZyfV-jZPvFyF5i1ATDy2dcNBavOxsUoSrHytRmPyi6x5S2bq-9PhpeHx4JU8ZVSjUEAt7QKhK86mMaDjwSmWchjhbJhHlIxO9VmUXdTMC0yH2_ebMLk4sUZwZKszpkyshQIcSQ",
+          "dp": "hJSATq4LkQYV2VLNiQqRkfobvJJZ2z5aB9JPj18vZvsKwu1JsisSrO4GuIJoG9tEwDdAiwk8051oq_B_N6xGLQ4lxw1ZDZ8NxR2nkcDWi55lLHJ3rOUaWDpF7RR8dQI-FckLR26tBDxZ80PbQSw5bhJFIjIcFoEYNY_UNO0Tu8-7RZn9x8j64z-Z9YdXhaOBv4Ivq_YEt7wV0WlgerCg39NlGYISfsV_5l62N3t5sgKHHPJn1wpDa-paTf--px5X8CjYCCQMMAjN2p_sa2dvyNqT1m0fdhqaOhPTjjmRO-fpAEAFBfkvYFVz9fzjzHNB9_NmjCm3tY5P6gGw45sbaw",
+          "dq": "cSuadAgfYLo9pktknOIQIplDYaaFxJW3FNlyb-DCXutEhC9vqWN025hC0UFbGRbT4Mon3yELftcUnvzkTZ_qBNNYuE3BaFHqy1Qz7ALZZLqozB_Izsjzv6rEdAd25lBGLqbXDeKZtESrYngyElBtQIwKYJZukf_gce7di-q0KGRogjEMq39xUwo0P5K92BudLrNAf8SrSykcOa8-9aLzBdKLnkNjAY0BAIzrA2ILWGc-ZOCbG9GjTTJNxUQM78ZhWmwFZLR8tvmKY_w6vmU-UihUKeqiZp-7ujBhNV90ch4m94MCfPHTUO7X5AShNWOZnqnAXvX4U4zw_Geeju5CuQ",
+          "qi": "OdvyakUl-NZ2PZHi5N_vDTdC4Ad4LI6JP4InVW-33kGySQom264eZ-nwBFVlZeCx2qgFE0iuRtS1plmZdEMP_cc8kW-PDtTDg3i_8rWutkmX13FThHXpT9M3iTU8qxeizRuvXaHIayplgZT6W8iIl4JWp1lWfLK85jTmsuX2mF-I0E56VOGOy7xlBEnyrrskXgyiOcjFgNy2UTaCNvfUrLxhiWAU-ZoqyEaj4t5bYdcu_xkuwDvdHea9RgHOMve9UoSPsSIAoev1HeTdIrWLOyUEenGqhUAkneRqTDuXkzUYFreV63nhqiHU3WUGKBbJ-4Dgl7kl0FxH7w98WuKscg"
+        }
+      ]
+    }
+  config:
+    mutators:
+      noop:
+        enabled: true
+    authorizers:
+      allow:
+        enabled: true
+      deny:
+        enabled: true
+    authenticators:
+      noop:
+        enabled: true
+
+secret:
+  enabled: true
+
+service:
+  metrics:
+    labels:
+      app.kubernetes.io/element: "metrics"
+      release: "metrics"
+      app: oathkeeper
+
+serviceMonitor:
+  labels:
+    release: "prometheus"
+  tlsConfig:
+    insecureSkipVerify: true
+  relabelings:
+    - action: labeldrop
+      regex: request
+  metricRelabelings:
+    - action: labeldrop
+      regex: request
+  targetLabels:
+    - app
+
+test:
+  labels:
+    test-org: ory
+    test-product: oathkeeper
+    test-service: authorizer
+  busybox:
+    repository: docker.io/library/busybox
+    tag: 1.36
diff --git a/hacks/values/oathkeeper.yaml b/hacks/values/oathkeeper.yaml
index a604d01157..ce69d72dc2 100644
--- a/hacks/values/oathkeeper.yaml
+++ b/hacks/values/oathkeeper.yaml
@@ -68,7 +68,6 @@ deployment:
       maxSurge: 25%
       maxUnavailable: 25%
 oathkeeper:
-  managedAccessRules: false
   accessRules: |
     [
       {

From f6839b0e85b6597b0da798d9e817e00e9533be70 Mon Sep 17 00:00:00 2001
From: Emiliano Deustua <edeustua@gmail.com>
Date: Mon, 10 Jun 2024 11:17:05 -0500
Subject: [PATCH 4/4] fix: Fix formatting

---
 hacks/manifests/oathkeeper-external-accessrules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hacks/manifests/oathkeeper-external-accessrules.yaml b/hacks/manifests/oathkeeper-external-accessrules.yaml
index 6c931ca19b..b13d6744c2 100644
--- a/hacks/manifests/oathkeeper-external-accessrules.yaml
+++ b/hacks/manifests/oathkeeper-external-accessrules.yaml
@@ -2,7 +2,8 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   # The name comes from oathkeeper's subchart.
-  name: {{ include "oathkeeper.fullname" . }}-rules
+  name: '{{ include "oathkeeper.fullname" . }}-rules'
+
 data:
   access-rules.json: |-
     [