Oathkeeper fails to start if secret is disabled

Question

Oathkeeper fails to start if secret is disabled

Closed this issue 2 years ago · 2 comments

Preflight checklist

I could not find a solution in the existing issues, docs, nor discussions.
I agree to follow this project's Code of Conduct.
I have read and am following this repository's Contribution Guidelines.
This issue affects my Ory Network project.
I have joined the Ory Community Slack.
I am signed up to the Ory Security Patch Newsletter.

Describe the bug

When using the oathkeeper chart if I disabled the secret generation, the oathkeeper container refuse to start since the secret is mounted by default as a volume but does not exist.

Reproducing the bug

Set the following values.yaml for the oathkeeper chart:

secret:
  enabled: true

Then try to deploy to Kubernetes to see that the deployment fails

Relevant log output

No response

Relevant configuration

secret:
  enabled: true

Version

0.27.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response

Answer 1 · 2023-02-06T13:21:58.000Z

Hello there!
I think this might rather be a documentation issue. We enforce that a secret will be present, whether created by the chart or by the user.
The logic used by all of the charts is as follows:

secret:
  # -- switch to false to prevent creating the secret
  enabled: true
  # -- Provide custom name of existing secret, or custom name of secret to be created
  nameOverride: ""

default option - the chart creates a secret with default name

secret:
  # -- switch to false to prevent creating the secret
  enabled: true
  # -- Provide custom name of existing secret, or custom name of secret to be created
  nameOverride: "my-secret"

custom name - the chart creates a secret with specified name

secret:
  # -- switch to false to prevent creating the secret
  enabled: false
  # -- Provide custom name of existing secret, or custom name of secret to be created
  nameOverride: ""

custom secret - we expect a secret with the default name will be present and can be used

secret:
  # -- switch to false to prevent creating the secret
  enabled: false
  # -- Provide custom name of existing secret, or custom name of secret to be created
  nameOverride: "my-secret"

custom name and secret - the chart expects that a secret with the custom name will be present and can be used

Answer 2 · 2023-02-13T09:53:27.000Z

Indeed, I will close this as a won't fix