
Access rule update silently fails #44

@Atharex

Oathkeeper maester should be more careful when it comes to applying incorrect access rules.

I used the NOOP handler under authorizers by mistake, and the access rule was successfully applied to k8s, yet it did not work. After searching for errors, I found an INFO line in the maester log, which made it seem that everything was alright and that the access rule had been applied with the erroneous part ignored.

>>> kubectl logs oathkeeper-maester-6cfcff4b-62qmq -f
2021-01-11T17:58:17.557Z        INFO    setup   running in controller mode
2021-01-11T17:58:19.025Z        INFO    controller-runtime.metrics      metrics server is starting to listen    {"addr": "0.0.0.0:8080"}
2021-01-11T17:58:19.026Z        INFO    setup   using default values for authenticatorsAvailable
2021-01-11T17:58:19.026Z        INFO    setup   using default values for authorizersAvailable
2021-01-11T17:58:19.026Z        INFO    setup   using default values for mutatorsAvailable
2021-01-11T17:58:19.026Z        INFO    setup   starting manager
2021-01-11T17:58:19.027Z        INFO    controller-runtime.manager      starting metrics server {"path": "/metrics"}
2021-01-11T17:58:19.027Z        INFO    controller-runtime.controller   Starting EventSource    {"controller": "rule", "source": "kind source: /, Kind="}
2021-01-11T17:58:19.144Z        INFO    controller-runtime.controller   Starting Controller     {"controller": "rule"}
2021-01-11T17:58:19.144Z        INFO    controller-runtime.controller   Starting workers        {"controller": "rule", "worker count": 1}
2021-01-11T17:58:19.147Z        INFO    controllers.Rule        validation error in Rule ory-auth/ory-auth: "invalid handlers: [authorizer/noop], please check the configuration"
2021-01-11T17:58:19.260Z        INFO    controllers.Rule        updating ConfigMap
2021-01-11T17:58:19.264Z        DEBUG   controller-runtime.controller   Successfully Reconciled {"controller": "rule", "name": "ory-auth", "namespace": "ory-auth"}

However, the config map for the access rules was empty. After I changed the NOOP handler to ALLOW, the maester service returned exactly the same log lines, but this time it correctly filled out the config map:

2021-01-11T19:38:57.817Z        INFO    controllers.Rule        updating ConfigMap
2021-01-11T19:38:57.827Z        DEBUG   controller-runtime.controller   Successfully Reconciled {"controller": "rule", "name": "ory-auth", "namespace": "ory-auth"}

Maester logging should be fixed to throw an ERROR in such cases, to show that an incorrect access rule CR is being applied (and fails).
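The failure mode reported above is easy to miss because nothing at ERROR level is emitted and the reconcile is reported as successful. The script below is an added example, not code from the oathkeeper-maester project or from the reporter: it runs two post-apply checks over sample input constructed from the log lines in this issue. The first scans maester log text for the "validation error in Rule" message regardless of log level; the second counts the rules actually rendered into the rules ConfigMap. The ConfigMap name `oathkeeper-rules`, its key `access-rules.json`, the deployment name `oathkeeper-maester` and the rule JSON shown are assumptions for illustration and should be checked against your own deployment.

```shell
#!/bin/sh
# Added example, not code from the oathkeeper-maester project.
# Symptom from the issue: maester logs "validation error in Rule ..." at INFO and
# then "Successfully Reconciled", so grepping for ERROR (or trusting `kubectl apply`)
# never shows the failure, while the rules ConfigMap stays empty.
# Two checks to run after applying a Rule CR:
#   1. scan the maester log for validation errors regardless of log level
#   2. confirm the rendered rules ConfigMap actually contains rules

# --- constructed sample inputs (trimmed from the issue's log; not live output) ---
LOG_BAD='2021-01-11T17:58:19.147Z INFO controllers.Rule validation error in Rule ory-auth/ory-auth: "invalid handlers: [authorizer/noop], please check the configuration"
2021-01-11T17:58:19.260Z INFO controllers.Rule updating ConfigMap
2021-01-11T17:58:19.264Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "rule", "name": "ory-auth", "namespace": "ory-auth"}'

LOG_GOOD='2021-01-11T19:38:57.817Z INFO controllers.Rule updating ConfigMap
2021-01-11T19:38:57.827Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "rule", "name": "ory-auth", "namespace": "ory-auth"}'

# Constructed contents of the rules ConfigMap key (assumed here to be
# access-rules.json). The rule id and upstream are illustrative, not maester's
# exact output. An empty array is the symptom described in the issue.
RULES_EMPTY='[]'
RULES_OK='[{"id":"ory-auth","upstream":{"url":"http://app.ory-auth.svc:8080"},"match":{"url":"http://<.*>/api/<.*>","methods":["GET"]},"authenticators":[{"handler":"anonymous"}],"authorizer":{"handler":"allow"},"mutators":[{"handler":"noop"}]}]'

# Read maester log lines on stdin; print "namespace/name: reason" for every Rule
# that failed validation. Matches on the message text, not the level, because
# maester emits this at INFO. Returns 1 when at least one failure was seen.
maester_validation_errors() {
  found=$(sed -n 's/.*validation error in Rule \([^:]*\): \(.*\)$/\1: \2/p')
  [ -n "$found" ] && printf '%s\n' "$found"
  [ -z "$found" ]
}

# Read the ConfigMap's rules JSON on stdin; print how many rule objects it holds
# (counted by "id" keys, which is enough for the compact JSON maester writes).
# Always exits 0 so the number can be captured under `set -e`.
rendered_rule_count() {
  grep -o '"id"[[:space:]]*:' | wc -l | tr -d ' '
}

# Combined post-apply check: $1 = maester log text, $2 = rules JSON from the
# ConfigMap. Succeeds only when no Rule failed validation AND at least one rule
# was rendered. Against a cluster, feed it (names assumed, adjust to yours):
#   kubectl -n <ns> logs deploy/oathkeeper-maester
#   kubectl -n <ns> get cm oathkeeper-rules -o jsonpath='{.data.access-rules\.json}'
rule_apply_ok() {
  log="$1"; rules="$2"
  if ! printf '%s\n' "$log" | maester_validation_errors; then
    echo "FAIL: maester rejected a Rule (logged at INFO, not ERROR)" >&2
    return 1
  fi
  n=$(printf '%s' "$rules" | rendered_rule_count)
  if [ "$n" -eq 0 ]; then
    echo "FAIL: rules ConfigMap is empty; nothing reached oathkeeper" >&2
    return 1
  fi
  echo "OK: $n rule(s) rendered"
}

# Demo on the constructed samples: the first call reports failure, the second passes.
rule_apply_ok "$LOG_BAD" "$RULES_EMPTY" || true
rule_apply_ok "$LOG_GOOD" "$RULES_OK"
```

The point of the second check is that a clean log is not sufficient on its own: the "updating ConfigMap" and "Successfully Reconciled" lines are identical in both runs shown in the issue, so the only reliable signal that the Rule took effect is the content of the rendered rules.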

Labels: bug