Upgrade to 0.49.0 breaks Oathkeeper templates with Ory functions
Closed this issue · 2 comments
David-Wobrock commented
Describe the bug
We use an Oathkeeper remote_json authorizer with a custom payload, that uses the printIndex function.
See https://github.com/ory/oathkeeper/blob/v0.40.7/x/template.go
However, when doing that and using 0.49.0 we get an error:
Error: template: oathkeeper/charts/oathkeeper/templates/deployment-controller.yaml:41:12: executing "oathkeeper/charts/oathkeeper/templates/deployment-controller.yaml" at <include "oathkeeper.annotations.checksum" .>:
error calling include: template: oathkeeper/charts/oathkeeper/templates/_helpers.tpl:111:31: executing "oathkeeper.annotations.checksum" at <include (print $.Template.BasePath $oathkeeperConfigMapFile) .>:
error calling include: template: oathkeeper/charts/oathkeeper/templates/configmap-config.yaml:14:8: executing "oathkeeper/charts/oathkeeper/templates/configmap-config.yaml" at <include "oathkeeper.configmap" .>:
error calling include: template: oathkeeper/charts/oathkeeper/templates/_helpers.tpl:33:4: executing "oathkeeper.configmap" at <tpl (toYaml $config) .>:
error calling tpl: cannot parse template "BLABLABLA-our-custom-config-BLABLABLA": template: gotpl:96: function "printIndex" not defined
See example config below:
Reproducing the bug
```yaml
authorizers:
  remote_json:
    enabled: true
    config:
      remote: http://127.0.0.1:8181/openpolicyagent
      payload: |
        {
          "input": {
            "http": {
              "url": "{{ print .MatchContext.URL }}",
              "domain": "{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}",
              "path": "{{ printIndex .MatchContext.RegexpCaptureGroups 2 }}"
            }
          }
        }
```
Relevant log output
No response
Relevant configuration
No response
Version
0.49.0
On which operating system are you observing this issue?
None
In which environment are you deploying?
Kubernetes with Helm
Additional Context
No response
quizmoon commented
Having exactly the same issue starting with 0.49.0
Demonsthere commented
oh i think i see the issue, we use the tpl function to allow helm parsing, and since this is using go templates too, it tries to run the functions on helm install/upgrade 🤔
As a workaround i would suggest sideloading the config using a custom config map, as we would need to add an option to enable or disable the templating step
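The two-pass behaviour described in this thread, reproduced with Go's text/template as an added example (not part of the original thread and not code from the chart or from Oathkeeper): an install-time pass without printIndex rejects the payload at parse time, while an action wrapped in a template raw string survives that pass as literal text for the runtime pass. The printIndex body, the function maps and the sample capture groups are assumptions made for the demo, and whether the chart's own tpl/toYaml pipeline passes the wrapped form through unchanged is not verified here.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// One payload line from the report, as it would sit in the chart values.
const payload = `"domain": "{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}"`

// Same line, action wrapped in a raw string so the first pass emits it as text.
const escaped = "\"domain\": \"{{`{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}`}}\""

// printIndex is a hypothetical stand-in for Oathkeeper's helper: element i or "".
func printIndex(s []string, i int) string {
	if i < 0 || i >= len(s) {
		return ""
	}
	return s[i]
}

var (
	installFuncs = template.FuncMap{} // install-time pass: printIndex unknown
	runtimeFuncs = template.FuncMap{"printIndex": printIndex}
	// Constructed request context for the runtime pass.
	sampleData = map[string]interface{}{"MatchContext": map[string]interface{}{
		"RegexpCaptureGroups": []string{"https", "example.org", "/api"}}}
)

// render parses src with funcs, then executes it against data.
func render(src string, funcs template.FuncMap, data interface{}) (string, error) {
	t, err := template.New("gotpl").Funcs(funcs).Parse(src)
	if err != nil {
		return "", err // undefined functions are rejected here, before execution
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, data)
	return buf.String(), err
}

func main() {
	_, err := render(payload, installFuncs, nil)
	fmt.Println("install-time pass, raw payload:", err)
	out, _ := render(escaped, installFuncs, nil)
	fmt.Println("install-time pass, wrapped payload:", out)
	final, _ := render(out, runtimeFuncs, sampleData)
	fmt.Println("runtime pass:", final)
}
```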