Adding oauth2-proxy as optional alternative to oidc-authservice (#2409)

* Adding alternative to oidc-authservice with oauth2-proxy
* Adding documentation
* Fixing example oidc-authservice
* Moving from oauth-proxy to oauth2-proxy folder
* Removing dependencies on oidc-authservice
* Fixing oauth2-proxy configuration
* Renaming folder oauth-proxy to auth2-proxy
* Revert "Removing dependencies on oidc-authservice"
  This reverts commit 681709e.
* Improving structures
  - Creating auth-envoy-filter folder
  - Creating two overlays (oidc-authservice, oauth2-proxy)
  - Adding overlays for dex and oauth2-proxy
* Restoring example/kustomization.yaml
* Update README.md
* Update README.md
* Grouping the code in common/oidc-client/ folder
Showing 27 changed files with 403 additions and 63 deletions.
@@ -167,24 +167,37 @@ kustomize build common/istio-1-17/istio-namespace/base | kubectl apply -f - | |
kustomize build common/istio-1-17/istio-install/base | kubectl apply -f - | ||
``` | ||
|
||
#### Dex | ||
#### AuthService | ||
|
||
Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends. In this default installation, it includes a static user with email `[email protected]`. By default, the user's password is `12341234`. For any production Kubeflow deployment, you should change the default password by following [the relevant section](#change-default-user-password). | ||
The OIDC AuthService extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client: | ||
|
||
Install Dex: | ||
```sh | ||
kustomize build common/oidc-client/oidc-authservice/base | kubectl apply -f - | ||
``` | ||
|
||
<details> | ||
<summary>oauth2-proxy alternative</summary> | ||
|
||
You can use [OAuth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) instead of [OIDC AuthService](https://github.com/arrikto/oidc-authservice). To do so, run the following command instead | ||
|
||
```sh | ||
kustomize build common/dex/overlays/istio | kubectl apply -f - | ||
kustomize build common/oidc-client/oauth2-proxy/base | kubectl apply -f - | ||
``` | ||
|
||
#### OIDC AuthService | ||
</details> | ||
|
||
The OIDC AuthService extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client: | ||
#### Dex | ||
|
||
Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends. In this default installation, it includes a static user with email `[email protected]`. By default, the user's password is `12341234`. For any production Kubeflow deployment, you should change the default password by following [the relevant section](#change-default-user-password). | ||
|
||
Install Dex: | ||
|
||
```sh | ||
kustomize build common/oidc-authservice/base | kubectl apply -f - | ||
kustomize build common/dex/overlays/istio | kubectl apply -f - | ||
``` | ||
|
||
> If you are using `oauth2-proxy` as auth envoy filter, you should be using `common/dex/overlays/oauth2-proxy` instead. | ||
#### Knative | ||
|
||
Knative is used by the KServe official Kubeflow component. | ||
|
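Review bot: The `oauth2-proxy alternative` details block only gives `kustomize build common/oidc-client/oauth2-proxy/base | kubectl apply -f -`; the fact that the Dex overlay changes too appears only in the quote under `#### Dex` further down (`you should be using common/dex/overlays/oauth2-proxy instead`). A reader working top to bottom applies the oauth2-proxy base, then reaches the Dex section and runs the default `common/dex/overlays/istio`, ending up with the Dex client configured for oidc-authservice. Suggest putting the Dex overlay command inside the details block (or a one-line pointer to the Dex section there), so the two halves of the alternative are installed together.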
@@ -0,0 +1,32 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: dex | ||
data: | ||
config.yaml: | | ||
issuer: http://dex.auth.svc.cluster.local:5556/dex | ||
storage: | ||
type: kubernetes | ||
config: | ||
inCluster: true | ||
web: | ||
http: 0.0.0.0:5556 | ||
logger: | ||
level: "debug" | ||
format: text | ||
oauth2: | ||
skipApprovalScreen: true | ||
enablePasswordDB: true | ||
staticPasswords: | ||
- email: [email protected] | ||
hash: $2y$12$4K/VkmDd1q1Orb3xAt82zu8gk7Ad6ReFR4LCP9UeYE90NLiN9Df72 | ||
# https://github.com/dexidp/dex/pull/1601/commits | ||
# FIXME: Use hashFromEnv instead | ||
username: user | ||
userID: "15841185641784" | ||
staticClients: | ||
# https://github.com/dexidp/dex/pull/1664 | ||
- idEnv: OIDC_CLIENT_ID | ||
redirectURIs: ["/oauth2/callback"] | ||
name: 'Dex Login Application' | ||
secretEnv: OIDC_CLIENT_SECRET |
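Review bot: `logger.level: "debug"` ships verbose identity-provider logging to every install built from this overlay; an IdP's debug output tends to include request details that should not sit in shared cluster logs, so default to `info` and let operators raise it. The same hunk carries over the hard-coded `staticPasswords` bcrypt hash with its `# FIXME: Use hashFromEnv instead`, and `issuer: http://dex.auth.svc.cluster.local:5556/dex` is plain HTTP; both are inherited from the existing Dex config, but since this file is a full copy it is the place to either fix them or add a comment explaining why they are acceptable in-cluster.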
@@ -0,0 +1,14 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
resources: | ||
- ../istio | ||
|
||
patches: | ||
- path: config-map.yaml | ||
target: | ||
version: v1 | ||
kind: ConfigMap | ||
name: dex | ||
namespace: auth | ||
|
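Review bot: The patch replaces the whole `config.yaml` string key of the `dex` ConfigMap, so every future change to the base Dex configuration (connectors, `staticPasswords`, storage, logging) has to be duplicated in this overlay by hand. Since only the `staticClients` entry (`redirectURIs`, `idEnv`/`secretEnv`) is meant to differ from the `../istio` base, a comment in `config-map.yaml` stating exactly which fields diverge would make drift between the two copies obvious in review.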
@@ -0,0 +1,9 @@ | ||
# Istio Envoy Filter | ||
|
||
> EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio Pilot. Use EnvoyFilter to modify values for certain fields, add specific filters, or even add entirely new listeners, clusters, etc.[^1] | ||
Kubeflow will use an Envoy Filter for every incoming request. | ||
|
||
Two solution are configurable [oidc-authservice](https://github.com/arrikto/oidc-authservice) or [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy). | ||
|
||
- [^1]: [Envoy Filter](https://istio.io/latest/docs/reference/config/networking/envoy-filter/) |
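Review bot: Typo and footnote formatting: `Two solution are configurable` should read `Two solutions are configurable`, and `- [^1]: ...` renders as a bullet rather than a Markdown footnote definition, so drop the leading `- `. The sentence `Kubeflow will use an Envoy Filter for every incoming request` is also broader than what the filter does: its `workloadSelector` is `istio: ingressgateway`, so only requests entering through the Istio ingress gateway are authenticated, not in-mesh traffic between namespaces; saying `every request entering the ingress gateway` would be accurate.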
@@ -0,0 +1,2 @@ | ||
approvers: | ||
- axel7083 |
@@ -0,0 +1,72 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: oauth2-proxy-authservice | ||
labels: | ||
app: authservice | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app.kubernetes.io/name: oauth2-proxy | ||
template: | ||
metadata: | ||
annotations: | ||
sidecar.istio.io/inject: "false" | ||
labels: | ||
app.kubernetes.io/name: oauth2-proxy | ||
spec: | ||
volumes: | ||
- name: configmain | ||
configMap: | ||
name: oauth2-proxy | ||
defaultMode: 420 | ||
- name: configalpha | ||
configMap: | ||
name: oauth2-proxy-alpha | ||
defaultMode: 420 | ||
- name: oauth2-proxy | ||
secret: | ||
secretName: oauth2-proxy | ||
containers: | ||
- name: oauth2-proxy | ||
image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0 | ||
args: | ||
- '--alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml' | ||
- '--config=/etc/oauth2_proxy/oauth2_proxy.cfg' | ||
- '--silence-ping-logging' | ||
- '--proxy-prefix=/oauth2' | ||
- '--cookie-secure=false' | ||
ports: | ||
- name: http-api | ||
containerPort: 8080 | ||
protocol: TCP | ||
- name: metrics | ||
containerPort: 44180 | ||
protocol: TCP | ||
env: | ||
- name: OAUTH2_PROXY_COOKIE_SECRET | ||
valueFrom: | ||
secretKeyRef: | ||
name: oauth2-proxy | ||
key: COOKIE_SECRET | ||
volumeMounts: | ||
- name: configmain | ||
mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg | ||
subPath: oauth2_proxy.cfg | ||
- name: configalpha | ||
mountPath: /etc/oauth2_proxy/oauth2_proxy.yml | ||
subPath: oauth2_proxy.yml | ||
- name: oauth2-proxy | ||
subPath: CLIENT_SECRET | ||
mountPath: "/etc/oauth2_proxy/CLIENT_SECRET" | ||
livenessProbe: | ||
httpGet: | ||
path: /ping | ||
port: http-api | ||
scheme: HTTP | ||
readinessProbe: | ||
httpGet: | ||
path: /ping | ||
port: http-api | ||
scheme: HTTP |
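Review bot: `--cookie-secure=false` in `args` strips the Secure attribute from the oauth2-proxy session cookie, so a browser will also send it over plain HTTP; as this is the base that production overlays build on, the base should keep the secure default and an HTTP-only test overlay should flip it, or at minimum the README should say that it must be overridden. Smaller points in the same hunk: `metadata.labels` uses `app: authservice` while the selector and pod template use `app.kubernetes.io/name: oauth2-proxy` (pick one label scheme); `sidecar.istio.io/inject: "false"` means the gateway-to-proxy hop on port 8080 is plain HTTP with no sidecar mTLS, which matches the `http://` URI in the EnvoyFilter but deserves a comment; and the container has no `securityContext` or `resources`.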
@@ -0,0 +1,41 @@ | ||
apiVersion: networking.istio.io/v1alpha3 | ||
kind: EnvoyFilter | ||
metadata: | ||
name: authn-filter | ||
spec: | ||
workloadSelector: | ||
labels: | ||
istio: ingressgateway | ||
configPatches: | ||
- applyTo: HTTP_FILTER | ||
match: | ||
context: GATEWAY | ||
listener: | ||
filterChain: | ||
filter: | ||
name: "envoy.http_connection_manager" | ||
patch: | ||
# For some reason, INSERT_FIRST doesn't work | ||
operation: INSERT_BEFORE | ||
value: | ||
# See: https://www.envoyproxy.io/docs/envoy/v1.17.0/configuration/http/http_filters/ext_authz_filter#config-http-filters-ext-authz | ||
name: "envoy.filters.http.ext_authz" | ||
typed_config: | ||
'@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz | ||
http_service: | ||
server_uri: | ||
uri: http://$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local | ||
cluster: outbound|8080||$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local | ||
timeout: 10s | ||
authorization_request: | ||
allowed_headers: | ||
patterns: | ||
# XXX: MUST be lowercase! | ||
- exact: "authorization" | ||
- exact: "cookie" | ||
- exact: "x-auth-token" | ||
authorization_response: | ||
allowed_upstream_headers: | ||
patterns: | ||
- exact: "kubeflow-userid" | ||
- exact: "authorization" |
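Review bot: `allowed_upstream_headers` lists only `kubeflow-userid` and `authorization`, but the oauth2-proxy alpha config in this same commit also injects `kubeflow-groups` (`injectResponseHeaders: - name: kubeflow-groups`); without an `- exact: "kubeflow-groups"` pattern here Envoy does not copy that header from the authorization response onto the upstream request, so nothing behind the gateway ever sees the groups claim. Either add the pattern or remove the injection so the two files agree. Worth a comment as well: with `http_service` and no `failure_mode_allow`, Envoy's default is fail-closed, so hitting the 10s `timeout` yields a 403 rather than letting the request through, which is the right behaviour for an authentication filter.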
@@ -0,0 +1,44 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
resources: | ||
- deployment.yaml | ||
- oauth2-proxy-alpha-config.yaml | ||
- oauth2-proxy-config.yaml | ||
- rbac.yaml | ||
- service.yaml | ||
- envoy-filter.yaml | ||
|
||
secretGenerator: | ||
- name: oauth2-proxy | ||
type: Opaque | ||
envs: | ||
- secret_params.env | ||
|
||
namespace: istio-system | ||
|
||
generatorOptions: | ||
disableNameSuffixHash: true | ||
|
||
vars: | ||
- name: AUTHSERVICE_NAMESPACE | ||
objref: | ||
kind: Service | ||
name: authservice | ||
apiVersion: v1 | ||
fieldref: | ||
fieldpath: metadata.namespace | ||
- name: AUTHSERVICE_SERVICE | ||
objref: | ||
kind: Service | ||
name: authservice | ||
apiVersion: v1 | ||
fieldref: | ||
fieldpath: metadata.name | ||
configurations: | ||
- params.yaml | ||
|
||
images: | ||
- name: quay.io/oauth2-proxy/oauth2-proxy | ||
newName: quay.io/oauth2-proxy/oauth2-proxy | ||
newTag: v7.4.0 |
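Review bot: `secretGenerator` reads `secret_params.env` straight from the repo and `disableNameSuffixHash: true` makes the resulting `oauth2-proxy` Secret stable, so every cluster built from this base gets byte-identical `COOKIE_SECRET` and `CLIENT_SECRET` values unless the installer remembers to override them. The README should state that these must be regenerated per install, or the generator should move to an overlay that operators are expected to edit. Minor: `vars` is deprecated in kustomize in favour of `replacements`, and the `images:` entry sets `newName` equal to `name`, so only `newTag` has any effect.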
common/oidc-client/oauth2-proxy/base/oauth2-proxy-alpha-config.yaml (52 additions, 0 deletions)
@@ -0,0 +1,52 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: oauth2-proxy-alpha | ||
labels: | ||
app: oauth2-proxy | ||
data: | ||
oauth2_proxy.yml: |- | ||
injectResponseHeaders: | ||
- name: kubeflow-groups | ||
values: | ||
- claim: groups | ||
- name: kubeflow-userid | ||
values: | ||
- claim: email | ||
metricsServer: | ||
BindAddress: 0.0.0.0:44180 | ||
SecureBindAddress: "" | ||
TLS: null | ||
providers: | ||
# ==== DEX configuration | ||
- clientID: kubeflow-oidc-authservice | ||
clientSecretFile: /etc/oauth2_proxy/CLIENT_SECRET | ||
id: oidc=kubeflow-oidc-authservice | ||
loginURL: /dex/auth | ||
loginURLParameters: | ||
- default: | ||
- force | ||
name: approval_prompt | ||
oidcConfig: | ||
audienceClaims: | ||
- aud | ||
emailClaim: email | ||
groupsClaim: groups | ||
issuerURL: http://dex.auth.svc.cluster.local:5556/dex | ||
jwksURL: http://dex.auth.svc.cluster.local:5556/dex/keys | ||
skipDiscovery: true | ||
userIDClaim: email | ||
scope: openid profile email groups | ||
provider: oidc | ||
redeemURL: http://dex.auth.svc.cluster.local:5556/dex/token | ||
server: | ||
BindAddress: 0.0.0.0:8080 | ||
SecureBindAddress: "" | ||
TLS: null | ||
upstreamConfig: | ||
upstreams: | ||
- id: static://200 | ||
path: / | ||
static: true | ||
staticCode: 200 | ||
binaryData: {} |
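Review bot: `skipDiscovery: true` with hard-coded `issuerURL`, `jwksURL` and `redeemURL` over plain `http://dex.auth.svc.cluster.local:5556` means oauth2-proxy fetches the JWKS it verifies ID tokens with, and redeems authorization codes, over an unauthenticated in-cluster channel; that matches `issuer: http://...` in the Dex ConfigMap, but because the pod has `sidecar.istio.io/inject: "false"` there is no sidecar mTLS on this hop either, so the trust rests entirely on cluster networking. A comment here, plus a README note that Dex should be fronted with TLS outside of test setups, would make that explicit. Also, `clientID: kubeflow-oidc-authservice` has to equal whatever Dex reads through `idEnv: OIDC_CLIENT_ID` in the overlay patch, and that coupling is not visible in either file; a cross-reference comment would help.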
common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml (11 additions, 0 deletions)
@@ -0,0 +1,11 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: oauth2-proxy | ||
labels: | ||
app: oauth2-proxy | ||
data: | ||
oauth2_proxy.cfg: >- | ||
email_domains = [ "*" ] | ||
skip_auth_regex=["/dex/.*"] | ||
binaryData: {} |
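Review bot: `oauth2_proxy.cfg: >-` is a YAML folded scalar, so the two lines are joined with a space into `email_domains = [ "*" ] skip_auth_regex=["/dex/.*"]` on one line; please confirm that still parses as TOML, or switch to a literal block (`|-`) so the line break survives and the question does not arise. Separately, `email_domains = [ "*" ]` admits every identity the provider issues, which is fine for the bundled static Dex user but lets any account on a real connector in, so the README should call it out; and `skip_auth_regex` is deprecated upstream in favour of `skip_auth_routes`, which also allows restricting the `/dex/.*` bypass to specific HTTP methods.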
@@ -0,0 +1,2 @@ | ||
COOKIE_SECRET=7d16fee92f8d11b8940b081b3f8b8acb | ||
CLIENT_SECRET=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok |
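Review bot: Committing concrete `COOKIE_SECRET` and `CLIENT_SECRET` values means anyone who reads the repo knows the cookie signing/encryption key and the OIDC client secret of every cluster installed from this base unmodified; with the cookie secret an attacker can mint a valid oauth2-proxy session cookie carrying any `kubeflow-userid` they like, with no need to go through Dex. Mark these as placeholders in the file, have the README require regenerating them (for example `openssl rand -hex 16` gives a 32-character cookie secret, one of the 16/24/32-byte lengths oauth2-proxy accepts), or generate them in an overlay rather than the base.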
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: authservice | ||
spec: | ||
type: ClusterIP | ||
selector: | ||
app.kubernetes.io/name: oauth2-proxy | ||
ports: | ||
- port: 8080 | ||
name: http-authservice | ||
targetPort: http-api | ||
publishNotReadyAddresses: true |
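Review bot: `publishNotReadyAddresses: true` on the ext_authz backend means the `outbound|8080||authservice.istio-system.svc.cluster.local` cluster the EnvoyFilter points at (resolved from the kustomize vars) includes pods whose `/ping` readiness probe is still failing; requests sent to such a pod during a rollout fail, and since ext_authz is fail-closed they surface as 403s instead of being routed to a ready replica. Unless this is carried over from oidc-authservice for a reason, drop it. Naming the Service `authservice` while the Deployment is `oauth2-proxy-authservice` is presumably to keep the vars and the EnvoyFilter cluster name unchanged; a comment would save the next reader the question.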