Adding chart for the maester controller (#31)

.circleci/config.yml

@@ -45,6 +45,7 @@ jobs:
             helm init --service-account default --wait
       - run: .circleci/helm-test.sh oathkeeper
       - run: .circleci/helm-test.sh hydra
+      # - run: .circleci/helm-test.sh maester
 
   release:
     docker:

docs/helm/README.md

@@ -11,3 +11,4 @@ Documentation on each individual chart can be found for
 
 - [ORY Hydra Helm Chart](./hydra)
 - [ORY Oathkeeper Helm Chart](./oathkeeper)
+- [ORY Maester Helm Chart](./maester)

docs/helm/maester.md

@@ -0,0 +1,43 @@
+# ORY Maester Helm Chart
+
+ORY Maester is a Kubernetes controller that watches for instances of `rules.oathkeeper.ory.sh/v1alpha1` custom resource (CR) and creates or updates the Oathkeeper ConfigMap with Access Rules found in the CRs. The controller passes the Access Rules as an array in a format recognized by the Oathkeeper.
+By mounting the ConfigMap to the Oathkeeper Pod, you can manage the list of Oathkeeper Rules through `rules.oathkeeper.ory.sh/v1alpha1` CR instances.
+
+
+## Installation
+
+To install ORY Maester with Helm, run:
+
+```bash
+$ helm install ory/maester
+```
+
+## Configuration
+
+These are the most important configuration values used to control ConfigMap creation:
+
+- `configMapName` defines the name of the ConfigMap used to store the list of Access Rules. Defaults to `oathkeeper-rules`
+- `rulesConfigmapNamespace` defines the Namespace in which the ConfigMap is stored. Defaults to the same Namespace as the ORY Maester Helm release.
+- `rulesFileName` defines the name of the single root-level ConfigMap key used to store the entire array of Access Rules. When the ConfigMap is mounted in the Oathkeeper Pod, this becomes also the filename of the "rules file" to the Oathkeeper process. Defaults to `access-rules.json`.
+
+You can set the values in `values.yaml` file or using `--set` syntax of Helm during chart installation.
+
+## Custom Resource Syntax
+
+ORY Maester introduces its own Custom Resource Definition (CRD) of type `rules.oathkeeper.ory.sh/v1alpha1`.
+Each CR instance defines the rules for a single service.
+
+The syntax of the CR **Spec** field reflects the Oathkeeper [Access Rule syntax](https://www.ory.sh/docs/next/oathkeeper/api-access-rules), with the following differences:
+- The `id` field is auto-generated.
+- The `upstream.preserveHost` property is camel cased.
+- The `upstream.stripPath` property is camel cased.
+
+The JSON schema specified in the CRD provides definitions for all available attributes.
+All handlers such as authenticators, the authorizer, and the mutator are passed verbatim without any changes to the target Access Rules list.
+
+The controller provides the following defaults for each Access Rule it creates:
+- If `authenticators` are not defined, it defaults to a single `unauthorized` handler.
+- If `authorizer` is not defined, it defaults to a `deny` handler.
+- If `mutator` is not defined, it defaults to a `noop` handler.
+
+These defaults implement a "disabled by default" policy for increased security.

helm/charts/maester/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/charts/maester/Chart.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+appVersion: "v0.0.1"
+description: A Helm chart for deployoing ORY Oathkeeper Rule Controller in Kubernetes
+name: maester
+version: 0.0.1
+keywords:
+  - zero-trust
+  - beyond-corp
+  - access-control
+  - reverse-proxy
+  - nginx
+  - envoy
+  - ambassador
+  - auth-filter
+home: https://www.ory.sh/
+sources:
+  - https://github.com/ory/oathkeeper
+  - https://github.com/ory/k8s
+maintainers: # (optional)
+  - name: ORY Team
+    email: [email protected]
+    url: https://www.ory.sh/

helm/charts/maester/templates/_helpers.tpl

@@ -0,0 +1,45 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "maester.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "maester.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "maester.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "maester.labels" -}}
+app.kubernetes.io/name: {{ include "maester.name" . }}
+helm.sh/chart: {{ include "maester.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}