Adding oauth2-proxy as optional alternative to oidc-authservice (#2409)
* Adding alternative to oidc-authservice with oauth2-proxy

* Adding documentation

* Fixing example oidc-authservice

* Moving from oauth-proxy to oauth2-proxy folder

* Removing dependencies on oidc-authservice

* Fixing oauth2-proxy configuration

* Renaming folder oauth-proxy to auth2-proxy

* Revert "Removing dependencies on oidc-authservice"

This reverts commit 681709e.

* Improving structures
- Creating auth-envoy-filter folder
- Creating two overlays (oidc-authservice, oauth2-proxy)
- Adding overlays for dex and oauth2-proxy

* Restoring example/kustomization.yaml

* Update README.md

* Update README.md

* Grouping the code in common/oidc-client/ folder
axel7083 authored Aug 29, 2023
1 parent fef7d6d commit abc72be
Showing 27 changed files with 403 additions and 63 deletions.
27 changes: 20 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
@@ -167,24 +167,37 @@ kustomize build common/istio-1-17/istio-namespace/base | kubectl apply -f -
kustomize build common/istio-1-17/istio-install/base | kubectl apply -f -
```

#### Dex
#### AuthService

Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends. In this default installation, it includes a static user with email `[email protected]`. By default, the user's password is `12341234`. For any production Kubeflow deployment, you should change the default password by following [the relevant section](#change-default-user-password).
The OIDC AuthService extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client:

Install Dex:
```sh
kustomize build common/oidc-client/oidc-authservice/base | kubectl apply -f -
```

<details>
<summary>oauth2-proxy alternative</summary>

You can use [OAuth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) instead of [OIDC AuthService](https://github.com/arrikto/oidc-authservice). To do so, run the following command instead

```sh
kustomize build common/dex/overlays/istio | kubectl apply -f -
kustomize build common/oidc-client/oauth2-proxy/base | kubectl apply -f -
```

#### OIDC AuthService
</details>

The OIDC AuthService extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client:
#### Dex

Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends. In this default installation, it includes a static user with email `[email protected]`. By default, the user's password is `12341234`. For any production Kubeflow deployment, you should change the default password by following [the relevant section](#change-default-user-password).

Install Dex:

```sh
kustomize build common/oidc-authservice/base | kubectl apply -f -
kustomize build common/dex/overlays/istio | kubectl apply -f -
```

> If you are using `oauth2-proxy` as auth envoy filter, you should be using `common/dex/overlays/oauth2-proxy` instead.
#### Knative

Knative is used by the KServe official Kubeflow component.
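Review bot: the blockquote that closes the hunk (`> If you are using `oauth2-proxy` as auth envoy filter, you should be using `common/dex/overlays/oauth2-proxy` instead.`) runs straight into `#### Knative` with no blank line and gives no reason for the different overlay; add the blank line and one clause such as "because that overlay registers `/oauth2/callback` as the Dex redirect URI", which is what `common/dex/overlays/oauth2-proxy/config-map.yaml` in this commit changes. Smaller points in the same hunk: "run the following command instead" is missing its full stop, and the Dex sentence reads "OpenID Connect Identity (OIDC) with multiple authentication backends" where "OpenID Connect (OIDC) identity provider" is meant (pre-existing text, but it was moved here so it is cheap to fix now).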
32 changes: 32 additions & 0 deletions common/dex/overlays/oauth2-proxy/config-map.yaml
@@ -0,0 +1,32 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: dex
data:
config.yaml: |
issuer: http://dex.auth.svc.cluster.local:5556/dex
storage:
type: kubernetes
config:
inCluster: true
web:
http: 0.0.0.0:5556
logger:
level: "debug"
format: text
oauth2:
skipApprovalScreen: true
enablePasswordDB: true
staticPasswords:
- email: [email protected]
hash: $2y$12$4K/VkmDd1q1Orb3xAt82zu8gk7Ad6ReFR4LCP9UeYE90NLiN9Df72
# https://github.com/dexidp/dex/pull/1601/commits
# FIXME: Use hashFromEnv instead
username: user
userID: "15841185641784"
staticClients:
# https://github.com/dexidp/dex/pull/1664
- idEnv: OIDC_CLIENT_ID
redirectURIs: ["/oauth2/callback"]
name: 'Dex Login Application'
secretEnv: OIDC_CLIENT_SECRET
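Review bot: `redirectURIs: ["/oauth2/callback"]` is a path, not an absolute URI, while oauth2-proxy sends a `redirect_uri` built from the request scheme and host (or from `--redirect-url` when set) and Dex compares the redirect URI of a non-public client by exact string match; please confirm this was exercised end to end, and if it only works because the gateway rewrites the request, say so in a comment or register the full external URL. Two carried-over items are also worth flagging since this overlay now owns the whole file: the static bcrypt hash for `[email protected]` keeps its `FIXME: Use hashFromEnv instead`, and `issuer` is plain `http://dex.auth.svc.cluster.local:5556/dex`, which the oauth2-proxy alpha config in this commit redeems tokens against without TLS.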
14 changes: 14 additions & 0 deletions common/dex/overlays/oauth2-proxy/kustomization.yaml
@@ -0,0 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../istio

patches:
- path: config-map.yaml
target:
version: v1
kind: ConfigMap
name: dex
namespace: auth

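Review bot: the strategic-merge patch replaces the entire `config.yaml` string of the `dex` ConfigMap in order to change one field (`redirectURIs`), so issuer, storage, logger, `staticPasswords` and the `staticClients` env wiring are now duplicated between the `../istio` base and this overlay and will drift silently the next time the base changes. Either generate `config.yaml` from a single template in the base and patch only the redirect URI, or add a comment at the top of `config-map.yaml` stating that it must be kept in sync with the base file. Minor: trailing blank line at end of file.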
47 changes: 0 additions & 47 deletions common/oidc-authservice/base/kustomization.yaml

This file was deleted.

9 changes: 9 additions & 0 deletions common/oidc-client/README.md
@@ -0,0 +1,9 @@
# Istio Envoy Filter

> EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio Pilot. Use EnvoyFilter to modify values for certain fields, add specific filters, or even add entirely new listeners, clusters, etc.[^1]
Kubeflow will use an Envoy Filter for every incoming request.

Two solution are configurable [oidc-authservice](https://github.com/arrikto/oidc-authservice) or [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy).

- [^1]: [Envoy Filter](https://istio.io/latest/docs/reference/config/networking/envoy-filter/)
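Review bot: the heading `# Istio Envoy Filter` no longer matches the directory, which this same commit renames to `common/oidc-client` ("Grouping the code in common/oidc-client/ folder"); the README should name the OIDC client role first and mention the EnvoyFilter as the mechanism. Formatting in the same hunk: the `>` quote runs directly into "Kubeflow will use an Envoy Filter..." with no blank line, so Markdown folds that sentence into the quote; "Two solution are configurable" should be "Two solutions are configurable"; and the footnote definition is written as a list item (`- [^1]: ...`), which renders as a bullet rather than a footnote, so drop the leading `- `.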
2 changes: 2 additions & 0 deletions common/oidc-client/oauth2-proxy/OWNERS
@@ -0,0 +1,2 @@
approvers:
- axel7083
72 changes: 72 additions & 0 deletions common/oidc-client/oauth2-proxy/base/deployment.yaml
@@ -0,0 +1,72 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy-authservice
labels:
app: authservice
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: oauth2-proxy
template:
metadata:
annotations:
sidecar.istio.io/inject: "false"
labels:
app.kubernetes.io/name: oauth2-proxy
spec:
volumes:
- name: configmain
configMap:
name: oauth2-proxy
defaultMode: 420
- name: configalpha
configMap:
name: oauth2-proxy-alpha
defaultMode: 420
- name: oauth2-proxy
secret:
secretName: oauth2-proxy
containers:
- name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
args:
- '--alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml'
- '--config=/etc/oauth2_proxy/oauth2_proxy.cfg'
- '--silence-ping-logging'
- '--proxy-prefix=/oauth2'
- '--cookie-secure=false'
ports:
- name: http-api
containerPort: 8080
protocol: TCP
- name: metrics
containerPort: 44180
protocol: TCP
env:
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy
key: COOKIE_SECRET
volumeMounts:
- name: configmain
mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
subPath: oauth2_proxy.cfg
- name: configalpha
mountPath: /etc/oauth2_proxy/oauth2_proxy.yml
subPath: oauth2_proxy.yml
- name: oauth2-proxy
subPath: CLIENT_SECRET
mountPath: "/etc/oauth2_proxy/CLIENT_SECRET"
livenessProbe:
httpGet:
path: /ping
port: http-api
scheme: HTTP
readinessProbe:
httpGet:
path: /ping
port: http-api
scheme: HTTP
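Review bot: `--cookie-secure=false` in the container args makes the oauth2-proxy session cookie usable over plain HTTP; that matches the plain-HTTP default of this repo, but it should be documented and easy to override, for example by moving it into the `oauth2_proxy.cfg` ConfigMap so a TLS overlay can patch `cookie_secure = true` instead of editing the Deployment. Other points in this hunk: `sidecar.istio.io/inject: "false"` means the ext_authz traffic from the gateway to this pod is plaintext in-cluster, which is worth a comment; the Deployment label `app: authservice` is not on the pod template, so nothing selects on it; `CLIENT_SECRET` is mounted with `subPath`, and Kubernetes does not refresh subPath mounts when the Secret changes, so a rotated client secret needs a pod restart; and there is no `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false`) or resource requests/limits on an auth-critical pod.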
41 changes: 41 additions & 0 deletions common/oidc-client/oauth2-proxy/base/envoy-filter.yaml
@@ -0,0 +1,41 @@
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: authn-filter
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
# For some reason, INSERT_FIRST doesn't work
operation: INSERT_BEFORE
value:
# See: https://www.envoyproxy.io/docs/envoy/v1.17.0/configuration/http/http_filters/ext_authz_filter#config-http-filters-ext-authz
name: "envoy.filters.http.ext_authz"
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
http_service:
server_uri:
uri: http://$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local
cluster: outbound|8080||$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local
timeout: 10s
authorization_request:
allowed_headers:
patterns:
# XXX: MUST be lowercase!
- exact: "authorization"
- exact: "cookie"
- exact: "x-auth-token"
authorization_response:
allowed_upstream_headers:
patterns:
- exact: "kubeflow-userid"
- exact: "authorization"
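Review bot: `allowed_upstream_headers` lets only `kubeflow-userid` and `authorization` through, but the oauth2-proxy alpha config added in this commit also injects `kubeflow-groups` from the `groups` claim, so that header is dropped at the gateway and group-based authorization downstream never sees it; add `- exact: "kubeflow-groups"` if it is meant to reach workloads, or remove the injection if not. If it is allowed through, bear in mind that ext_authz adds or overrides headers from the authz response but does not strip client-supplied ones, so confirm oauth2-proxy emits `kubeflow-groups` on every authenticated request (including users with no groups); otherwise a client can supply its own value. A comment on the `INSERT_BEFORE` workaround ("For some reason, INSERT_FIRST doesn't work") saying which Istio version this was observed on would also help the next person who tries to simplify it.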
44 changes: 44 additions & 0 deletions common/oidc-client/oauth2-proxy/base/kustomization.yaml
@@ -0,0 +1,44 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- deployment.yaml
- oauth2-proxy-alpha-config.yaml
- oauth2-proxy-config.yaml
- rbac.yaml
- service.yaml
- envoy-filter.yaml

secretGenerator:
- name: oauth2-proxy
type: Opaque
envs:
- secret_params.env

namespace: istio-system

generatorOptions:
disableNameSuffixHash: true

vars:
- name: AUTHSERVICE_NAMESPACE
objref:
kind: Service
name: authservice
apiVersion: v1
fieldref:
fieldpath: metadata.namespace
- name: AUTHSERVICE_SERVICE
objref:
kind: Service
name: authservice
apiVersion: v1
fieldref:
fieldpath: metadata.name
configurations:
- params.yaml

images:
- name: quay.io/oauth2-proxy/oauth2-proxy
newName: quay.io/oauth2-proxy/oauth2-proxy
newTag: v7.4.0
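Review bot: the `images:` entry is a no-op, since `newName` equals `name` and `newTag: v7.4.0` is already the tag in `deployment.yaml`; keep the tag in one place. `vars` is deprecated in kustomize in favour of `replacements`, so the `AUTHSERVICE_NAMESPACE`/`AUTHSERVICE_SERVICE` substitutions consumed by `envoy-filter.yaml` will need porting. And with `disableNameSuffixHash: true` the Secret generated from `secret_params.env` keeps the same name when its values change, so editing the secrets does not roll the Deployment; combined with the `subPath` mount of `CLIENT_SECRET`, secret rotation is a manual restart, which the README should state.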
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: oauth2-proxy-alpha
labels:
app: oauth2-proxy
data:
oauth2_proxy.yml: |-
injectResponseHeaders:
- name: kubeflow-groups
values:
- claim: groups
- name: kubeflow-userid
values:
- claim: email
metricsServer:
BindAddress: 0.0.0.0:44180
SecureBindAddress: ""
TLS: null
providers:
# ==== DEX configuration
- clientID: kubeflow-oidc-authservice
clientSecretFile: /etc/oauth2_proxy/CLIENT_SECRET
id: oidc=kubeflow-oidc-authservice
loginURL: /dex/auth
loginURLParameters:
- default:
- force
name: approval_prompt
oidcConfig:
audienceClaims:
- aud
emailClaim: email
groupsClaim: groups
issuerURL: http://dex.auth.svc.cluster.local:5556/dex
jwksURL: http://dex.auth.svc.cluster.local:5556/dex/keys
skipDiscovery: true
userIDClaim: email
scope: openid profile email groups
provider: oidc
redeemURL: http://dex.auth.svc.cluster.local:5556/dex/token
server:
BindAddress: 0.0.0.0:8080
SecureBindAddress: ""
TLS: null
upstreamConfig:
upstreams:
- id: static://200
path: /
static: true
staticCode: 200
binaryData: {}
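Review bot: `issuerURL`, `jwksURL` and `redeemURL` are all plain `http://dex.auth.svc.cluster.local:5556/...` and `skipDiscovery: true` pins them, so with sidecar injection disabled on the oauth2-proxy pod the authorization code, the client secret and the returned ID token cross the cluster network unencrypted, and anyone who can intercept or impersonate that in-cluster endpoint can issue tokens this proxy will accept. At minimum state the assumption (trusted cluster network) in a comment and expose the three URLs as kustomize replacements so a TLS deployment can point at an https issuer. Minor: `clientID: kubeflow-oidc-authservice` is repeated verbatim as the provider `id`, and `loginURL: /dex/auth` is relative and depends on the gateway routing `/dex`; both deserve a one-line comment.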
11 changes: 11 additions & 0 deletions common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml
@@ -0,0 +1,11 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: oauth2-proxy
labels:
app: oauth2-proxy
data:
oauth2_proxy.cfg: >-
email_domains = [ "*" ]
skip_auth_regex=["/dex/.*"]
binaryData: {}
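Review bot: `oauth2_proxy.cfg: >-` is a YAML folded scalar, which joins the two lines with a space into the single line `email_domains = [ "*" ] skip_auth_regex=["/dex/.*"]`; TOML expects one key/value pair per line, so unless I am misreading the block, this file should use `|-` (literal block), and it is worth checking what the pod actually loaded. In the same hunk, `skip_auth_regex` is deprecated in oauth2-proxy v7 in favour of `skip_auth_routes`, and `email_domains = [ "*" ]` accepts whatever email Dex returns, which is intended here because Dex does the gating, but a comment saying so would stop someone from tightening it without realising the login flow depends on it.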
File renamed without changes.
File renamed without changes.
2 changes: 2 additions & 0 deletions common/oidc-client/oauth2-proxy/base/secret_params.env
@@ -0,0 +1,2 @@
COOKIE_SECRET=7d16fee92f8d11b8940b081b3f8b8acb
CLIENT_SECRET=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
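Review bot: `COOKIE_SECRET` and `CLIENT_SECRET` are committed defaults that every deployment built from this tree shares, and the cookie secret is the key that encrypts and signs the oauth2-proxy session cookie, so anyone with this repository can forge a session on an unmodified install. Keeping the file for the example overlay is fine, but the README must say that both values have to be regenerated per deployment (e.g. `openssl rand -hex 16` yields a 32-byte cookie secret of the same length as the one committed here) and that `CLIENT_SECRET` must equal the `OIDC_CLIENT_SECRET` environment value the Dex `staticClients` entry reads via `secretEnv`.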
13 changes: 13 additions & 0 deletions common/oidc-client/oauth2-proxy/base/service.yaml
@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: authservice
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: oauth2-proxy
ports:
- port: 8080
name: http-authservice
targetPort: http-api
publishNotReadyAddresses: true
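Review bot: `publishNotReadyAddresses: true` lets the gateway's ext_authz calls reach oauth2-proxy pods that have not passed the `/ping` readiness probe defined in `deployment.yaml`, which defeats the probe; ext_authz fails closed on an error response, so this is an availability rather than a bypass issue, but drop the field unless there is a reason (such as a headless Service) for it. Also, the Service is named `authservice` while its selector is `app.kubernetes.io/name: oauth2-proxy`; a comment noting that `envoy-filter.yaml` and the kustomization `vars` depend on that exact name would save the next reader a search.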