From abc72bea09259eeea96646d0414a14539e18d02a Mon Sep 17 00:00:00 2001 
From: axel7083 <42176370+axel7083@users.noreply.github.com> Date: Tue, 29 Aug 2023 23:16:07 +0200 Subject: [PATCH] Adding oauth2-proxy as optional alternative to oidc-authservice (#2409) * Adding alternative to oidc-authservice with oauth2-proxy * Adding documentation * Fixing example oidc-authservice * Moving from oauth-proxy to oauth2-proxy folder * Removing dependencies on oidc-authservice * Fixing oauth2-proxy configuration * Renaming folder oauth-proxy to auth2-proxy * Revert "Removing dependencies on oidc-authservice" This reverts commit 681709eae222adc0d6b08c07ee768127051e8193. * Improving structures - Creating auth-envoy-filter folder - Creating two overlays (oidc-authservice, oauth2-proxy) - Adding overlays for dex and oauth2-proxy * Restoring example/kustomization.yaml * Update README.md * Update README.md * Grouping the code in common/oidc-client/ folder --- README.md | 27 +++++-- .../dex/overlays/oauth2-proxy/config-map.yaml | 32 +++++++++ .../overlays/oauth2-proxy/kustomization.yaml | 14 ++++ .../oidc-authservice/base/kustomization.yaml | 47 ------------ common/oidc-client/README.md | 9 +++ common/oidc-client/oauth2-proxy/OWNERS | 2 + .../oauth2-proxy/base/deployment.yaml | 72 +++++++++++++++++++ .../oauth2-proxy/base/envoy-filter.yaml | 41 +++++++++++ .../oauth2-proxy/base/kustomization.yaml | 44 ++++++++++++ .../base/oauth2-proxy-alpha-config.yaml | 52 ++++++++++++++ .../base/oauth2-proxy-config.yaml | 11 +++ .../oauth2-proxy}/base/params.yaml | 0 .../oauth2-proxy}/base/rbac.yaml | 0 .../oauth2-proxy/base/secret_params.env | 2 + .../oauth2-proxy/base/service.yaml | 13 ++++ .../oidc-authservice/base/envoy-filter.yaml | 0 .../oidc-authservice/base/kustomization.yaml | 47 ++++++++++++ .../oidc-authservice/base/params.env | 0 .../oidc-authservice/base/params.yaml | 5 ++ .../oidc-authservice/base/pvc.yaml | 0 .../oidc-authservice/base/rbac.yaml | 30 ++++++++ .../oidc-authservice/base/secret_params.env | 0 .../oidc-authservice/base/service.yaml | 6 +- 
.../oidc-authservice/base/statefulset.yaml | 2 +- .../ibm-storage-config/kustomization.yaml | 6 +- .../ibm-storage-config/statefulset.yaml | 2 +- example/kustomization.yaml | 2 +- 27 files changed, 403 insertions(+), 63 deletions(-) create mode 100644 common/dex/overlays/oauth2-proxy/config-map.yaml create mode 100644 common/dex/overlays/oauth2-proxy/kustomization.yaml delete mode 100644 common/oidc-authservice/base/kustomization.yaml create mode 100644 common/oidc-client/README.md create mode 100644 common/oidc-client/oauth2-proxy/OWNERS create mode 100644 common/oidc-client/oauth2-proxy/base/deployment.yaml create mode 100644 common/oidc-client/oauth2-proxy/base/envoy-filter.yaml create mode 100644 common/oidc-client/oauth2-proxy/base/kustomization.yaml create mode 100644 common/oidc-client/oauth2-proxy/base/oauth2-proxy-alpha-config.yaml create mode 100644 common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml rename common/{oidc-authservice => oidc-client/oauth2-proxy}/base/params.yaml (100%) rename common/{oidc-authservice => oidc-client/oauth2-proxy}/base/rbac.yaml (100%) create mode 100644 common/oidc-client/oauth2-proxy/base/secret_params.env create mode 100644 common/oidc-client/oauth2-proxy/base/service.yaml rename common/{ => oidc-client}/oidc-authservice/base/envoy-filter.yaml (100%) create mode 100644 common/oidc-client/oidc-authservice/base/kustomization.yaml rename common/{ => oidc-client}/oidc-authservice/base/params.env (100%) create mode 100644 common/oidc-client/oidc-authservice/base/params.yaml rename common/{ => oidc-client}/oidc-authservice/base/pvc.yaml (100%) create mode 100644 common/oidc-client/oidc-authservice/base/rbac.yaml rename common/{ => oidc-client}/oidc-authservice/base/secret_params.env (100%) rename common/{ => oidc-client}/oidc-authservice/base/service.yaml (68%) rename common/{ => oidc-client}/oidc-authservice/base/statefulset.yaml (97%) rename common/{ => 
oidc-client}/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml (71%) rename common/{ => oidc-client}/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml (92%) diff --git a/README.md b/README.md index 8bce1c9476..abc7c2c05b 100644 --- a/README.md +++ b/README.md @@ -167,24 +167,37 @@ kustomize build common/istio-1-17/istio-namespace/base | kubectl apply -f - kustomize build common/istio-1-17/istio-install/base | kubectl apply -f - ``` -#### Dex +#### AuthService -Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends. In this default installation, it includes a static user with email `user@example.com`. By default, the user's password is `12341234`. For any production Kubeflow deployment, you should change the default password by following [the relevant section](#change-default-user-password). +The OIDC AuthService extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client: -Install Dex: +```sh +kustomize build common/oidc-client/oidc-authservice/base | kubectl apply -f - +``` + +
+ oauth2-proxy alternative + +You can use [OAuth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) instead of [OIDC AuthService](https://github.com/arrikto/oidc-authservice). To do so, run the following command instead ```sh -kustomize build common/dex/overlays/istio | kubectl apply -f - +kustomize build common/oidc-client/oauth2-proxy/base | kubectl apply -f - ``` -#### OIDC AuthService +
-The OIDC AuthService extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client: +#### Dex + +Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends. In this default installation, it includes a static user with email `user@example.com`. By default, the user's password is `12341234`. For any production Kubeflow deployment, you should change the default password by following [the relevant section](#change-default-user-password). + +Install Dex: ```sh -kustomize build common/oidc-authservice/base | kubectl apply -f - +kustomize build common/dex/overlays/istio | kubectl apply -f - ``` +> If you are using `oauth2-proxy` as auth envoy filter, you should be using `common/dex/overlays/oauth2-proxy` instead. + #### Knative Knative is used by the KServe official Kubeflow component. diff --git a/common/dex/overlays/oauth2-proxy/config-map.yaml b/common/dex/overlays/oauth2-proxy/config-map.yaml new file mode 100644 index 0000000000..15209dfe91 --- /dev/null +++ b/common/dex/overlays/oauth2-proxy/config-map.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: dex +data: + config.yaml: | + issuer: http://dex.auth.svc.cluster.local:5556/dex + storage: + type: kubernetes + config: + inCluster: true + web: + http: 0.0.0.0:5556 + logger: + level: "debug" + format: text + oauth2: + skipApprovalScreen: true + enablePasswordDB: true + staticPasswords: + - email: user@example.com + hash: $2y$12$4K/VkmDd1q1Orb3xAt82zu8gk7Ad6ReFR4LCP9UeYE90NLiN9Df72 + # https://github.com/dexidp/dex/pull/1601/commits + # FIXME: Use hashFromEnv instead + username: user + userID: "15841185641784" + staticClients: + # https://github.com/dexidp/dex/pull/1664 + - idEnv: OIDC_CLIENT_ID + redirectURIs: ["/oauth2/callback"] + name: 'Dex Login Application' + secretEnv: OIDC_CLIENT_SECRET 
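Review bot: The patched `config.yaml` repeats the whole Dex configuration, including the `staticPasswords` entry for `user@example.com` and its bcrypt `hash`, so this overlay carries its own copy of the default credential. The README change in this commit points to a "change default user password" section; if that procedure edits the base Dex ConfigMap (not visible in this diff), an install built from `common/dex/overlays/oauth2-proxy` would keep the published hash. A comment above `staticPasswords`, e.g. `# Default credential, duplicated from the base: replace this hash before any non-test deployment`, plus a matching line in the README, would make that explicit. `level: "debug"` under `logger` is also set here and may be more verbose than wanted outside development.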
diff --git a/common/dex/overlays/oauth2-proxy/kustomization.yaml b/common/dex/overlays/oauth2-proxy/kustomization.yaml new file mode 100644 index 0000000000..5a9edca48c --- /dev/null +++ b/common/dex/overlays/oauth2-proxy/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ../istio + +patches: + - path: config-map.yaml + target: + version: v1 + kind: ConfigMap + name: dex + namespace: auth + diff --git a/common/oidc-authservice/base/kustomization.yaml b/common/oidc-authservice/base/kustomization.yaml deleted file mode 100644 index ac11739f66..0000000000 --- a/common/oidc-authservice/base/kustomization.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: -- rbac.yaml -- service.yaml -- statefulset.yaml -- envoy-filter.yaml -- pvc.yaml - -namespace: istio-system - -configMapGenerator: -- name: oidc-authservice-parameters - envs: - - params.env - -secretGenerator: -- name: oidc-authservice-client - type: Opaque - envs: - - secret_params.env - -generatorOptions: - disableNameSuffixHash: true - -vars: -- name: AUTHSERVICE_NAMESPACE - objref: - kind: Service - name: authservice - apiVersion: v1 - fieldref: - fieldpath: metadata.namespace -- name: AUTHSERVICE_SERVICE - objref: - kind: Service - name: authservice - apiVersion: v1 - fieldref: - fieldpath: metadata.name -configurations: -- params.yaml -images: -- name: gcr.io/arrikto/kubeflow/oidc-authservice - newName: gcr.io/arrikto/kubeflow/oidc-authservice - newTag: e236439 diff --git a/common/oidc-client/README.md b/common/oidc-client/README.md new file mode 100644 index 0000000000..0fc7ae1028 --- /dev/null +++ b/common/oidc-client/README.md 
@@ -0,0 +1,9 @@
+# Istio Envoy Filter
+
+> EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio Pilot. Use EnvoyFilter to modify values for certain fields, add specific filters, or even add entirely new listeners, clusters, etc.[^1]
+
+Kubeflow will use an Envoy Filter for every incoming request.
+
+Two solution are configurable [oidc-authservice](https://github.com/arrikto/oidc-authservice) or [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy).
+
+- [^1]: [Envoy Filter](https://istio.io/latest/docs/reference/config/networking/envoy-filter/)
\ No newline at end of file
diff --git a/common/oidc-client/oauth2-proxy/OWNERS b/common/oidc-client/oauth2-proxy/OWNERS
new file mode 100644
index 0000000000..707fd49007
--- /dev/null
+++ b/common/oidc-client/oauth2-proxy/OWNERS
@@ -0,0 +1,2 @@
+approvers:
+ - axel7083
\ No newline at end of file
diff --git a/common/oidc-client/oauth2-proxy/base/deployment.yaml b/common/oidc-client/oauth2-proxy/base/deployment.yaml
new file mode 100644
index 0000000000..b209cd6b54
--- /dev/null
+++ b/common/oidc-client/oauth2-proxy/base/deployment.yaml
@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth2-proxy-authservice
+ labels:
+ app: authservice
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: oauth2-proxy
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app.kubernetes.io/name: oauth2-proxy
+ spec:
+ volumes:
+ - name: configmain
+ configMap:
+ name: oauth2-proxy
+ defaultMode: 420
+ - name: configalpha
+ configMap:
+ name: oauth2-proxy-alpha
+ defaultMode: 420
+ - name: oauth2-proxy
+ secret:
+ secretName: oauth2-proxy
+ containers:
+ - name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
+ args:
+ - '--alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml'
+ - '--config=/etc/oauth2_proxy/oauth2_proxy.cfg'
+ - '--silence-ping-logging'
+ - '--proxy-prefix=/oauth2'
+ - '--cookie-secure=false'
+ ports:
+ - name: http-api
+ containerPort: 8080
+ protocol: TCP
+ - name: metrics
+ containerPort: 44180
+ protocol: TCP
+ env:
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy
+ key: COOKIE_SECRET
+ volumeMounts:
+ - name: configmain
+ mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
+ subPath: oauth2_proxy.cfg
+ - name: configalpha
+ mountPath: /etc/oauth2_proxy/oauth2_proxy.yml
+ subPath: oauth2_proxy.yml
+ - name: oauth2-proxy
+ subPath: CLIENT_SECRET
+ mountPath: "/etc/oauth2_proxy/CLIENT_SECRET"
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: http-api
+ scheme: HTTP
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: http-api
+ scheme: HTTP
diff --git a/common/oidc-client/oauth2-proxy/base/envoy-filter.yaml b/common/oidc-client/oauth2-proxy/base/envoy-filter.yaml
new file mode 100644
index 0000000000..d9cf9080d9
--- /dev/null
+++ b/common/oidc-client/oauth2-proxy/base/envoy-filter.yaml
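Review bot: `--cookie-secure=false` in the container `args` makes oauth2-proxy issue its session cookie without the Secure attribute, so a browser will also send it over plain HTTP. Because the flag is hard-coded in the base, installs whose gateway serves HTTPS inherit it; consider leaving it out of the base so the oauth2-proxy default applies and setting it only in an HTTP-only overlay, or at least adding `# cookie-secure=false is for HTTP-only test setups; remove when the gateway serves HTTPS` above it. The pod spec also sets no `securityContext` and no `resources`; a container-level `securityContext` with `runAsNonRoot: true` and `allowPrivilegeEscalation: false` would be a reasonable default for an authentication component, assuming the image runs as a non-root user.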
@@ -0,0 +1,41 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: authn-filter
+spec:
+ workloadSelector:
+ labels:
+ istio: ingressgateway
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.http_connection_manager"
+ patch:
+ # For some reason, INSERT_FIRST doesn't work
+ operation: INSERT_BEFORE
+ value:
+ # See: https://www.envoyproxy.io/docs/envoy/v1.17.0/configuration/http/http_filters/ext_authz_filter#config-http-filters-ext-authz
+ name: "envoy.filters.http.ext_authz"
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+ http_service:
+ server_uri:
+ uri: http://$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local
+ cluster: outbound|8080||$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local
+ timeout: 10s
+ authorization_request:
+ allowed_headers:
+ patterns:
+ # XXX: MUST be lowercase!
+ - exact: "authorization"
+ - exact: "cookie"
+ - exact: "x-auth-token"
+ authorization_response:
+ allowed_upstream_headers:
+ patterns:
+ - exact: "kubeflow-userid"
+ - exact: "authorization"
diff --git a/common/oidc-client/oauth2-proxy/base/kustomization.yaml b/common/oidc-client/oauth2-proxy/base/kustomization.yaml
new file mode 100644
index 0000000000..5459e01fb0
--- /dev/null
+++ b/common/oidc-client/oauth2-proxy/base/kustomization.yaml
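Review bot: `allowed_upstream_headers` lists only `kubeflow-userid` and `authorization`, while the oauth2-proxy alpha config added in this commit also injects `kubeflow-groups`. As written, the groups header from the auth response is not copied onto the upstream request, and a `kubeflow-groups` header sent by a client is not overwritten by the filter either, which matters if any backend trusts that header (not visible in this diff). Consider adding `- exact: "kubeflow-groups"` under `authorization_response.allowed_upstream_headers.patterns`, or removing the groups injection if nothing consumes it. The `# See:` link points at the Envoy v1.17.0 docs, so the field names are worth checking against the Envoy version that ships with `istio-1-17`.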
@@ -0,0 +1,44 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- deployment.yaml
+- oauth2-proxy-alpha-config.yaml
+- oauth2-proxy-config.yaml
+- rbac.yaml
+- service.yaml
+- envoy-filter.yaml
+
+secretGenerator:
+- name: oauth2-proxy
+ type: Opaque
+ envs:
+ - secret_params.env
+
+namespace: istio-system
+
+generatorOptions:
+ disableNameSuffixHash: true
+
+vars:
+ - name: AUTHSERVICE_NAMESPACE
+ objref:
+ kind: Service
+ name: authservice
+ apiVersion: v1
+ fieldref:
+ fieldpath: metadata.namespace
+ - name: AUTHSERVICE_SERVICE
+ objref:
+ kind: Service
+ name: authservice
+ apiVersion: v1
+ fieldref:
+ fieldpath: metadata.name
+configurations:
+ - params.yaml
+
+images:
+- name: quay.io/oauth2-proxy/oauth2-proxy
+ newName: quay.io/oauth2-proxy/oauth2-proxy
+ newTag: v7.4.0
diff --git a/common/oidc-client/oauth2-proxy/base/oauth2-proxy-alpha-config.yaml b/common/oidc-client/oauth2-proxy/base/oauth2-proxy-alpha-config.yaml
new file mode 100644
index 0000000000..bacb93636a
--- /dev/null
+++ b/common/oidc-client/oauth2-proxy/base/oauth2-proxy-alpha-config.yaml
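Review bot: With `disableNameSuffixHash: true` applied to the `oauth2-proxy` secretGenerator, changing `COOKIE_SECRET` or `CLIENT_SECRET` leaves the Secret name unchanged, so the Deployment is not rolled. The Deployment in this commit reads one value through `secretKeyRef` and the other through a `subPath` mount, and neither is refreshed in a running pod, so a rotated secret only takes effect after a manual restart. If the fixed name is needed for compatibility, a comment such as `# Secret name is fixed: restart the oauth2-proxy Deployment after rotating secret_params.env` next to `generatorOptions` would record that.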
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: oauth2-proxy-alpha
+ labels:
+ app: oauth2-proxy
+data:
+ oauth2_proxy.yml: |-
+ injectResponseHeaders:
+ - name: kubeflow-groups
+ values:
+ - claim: groups
+ - name: kubeflow-userid
+ values:
+ - claim: email
+ metricsServer:
+ BindAddress: 0.0.0.0:44180
+ SecureBindAddress: ""
+ TLS: null
+ providers:
+ # ==== DEX configuration
+ - clientID: kubeflow-oidc-authservice
+ clientSecretFile: /etc/oauth2_proxy/CLIENT_SECRET
+ id: oidc=kubeflow-oidc-authservice
+ loginURL: /dex/auth
+ loginURLParameters:
+ - default:
+ - force
+ name: approval_prompt
+ oidcConfig:
+ audienceClaims:
+ - aud
+ emailClaim: email
+ groupsClaim: groups
+ issuerURL: http://dex.auth.svc.cluster.local:5556/dex
+ jwksURL: http://dex.auth.svc.cluster.local:5556/dex/keys
+ skipDiscovery: true
+ userIDClaim: email
+ scope: openid profile email groups
+ provider: oidc
+ redeemURL: http://dex.auth.svc.cluster.local:5556/dex/token
+ server:
+ BindAddress: 0.0.0.0:8080
+ SecureBindAddress: ""
+ TLS: null
+ upstreamConfig:
+ upstreams:
+ - id: static://200
+ path: /
+ static: true
+ staticCode: 200
+binaryData: {}
diff --git a/common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml b/common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml
new file mode 100644
index 0000000000..5940141a2a
--- /dev/null
+++ b/common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: oauth2-proxy
+ labels:
+ app: oauth2-proxy
+data:
+ oauth2_proxy.cfg: >-
+ email_domains = [ "*" ]
+ skip_auth_regex=["/dex/.*"]
+binaryData: {}
diff --git a/common/oidc-authservice/base/params.yaml b/common/oidc-client/oauth2-proxy/base/params.yaml
similarity index 100%
rename from common/oidc-authservice/base/params.yaml
rename to common/oidc-client/oauth2-proxy/base/params.yaml
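Review bot: `issuerURL`, `jwksURL` and `redeemURL` all use `http://dex.auth.svc.cluster.local:5556`, and the Deployment in this commit disables sidecar injection, so the code-for-token exchange (which carries the client secret) and the signing-key fetch appear to cross the cluster network without TLS or mesh mTLS. With `skipDiscovery: true` the proxy also takes these endpoints from this file rather than from the issuer. A comment above the provider entry, e.g. `# In-cluster plain HTTP to Dex; use an https issuer or mesh mTLS for production`, would make the assumption explicit. `clientID: kubeflow-oidc-authservice` is fixed here while the Dex overlay reads its client id from `OIDC_CLIENT_ID`; the two must match, which is worth stating next to the field.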
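Review bot: `skip_auth_regex=["/dex/.*"]` in `oauth2_proxy.cfg` is not anchored, so if oauth2-proxy applies it as an unanchored match, any request path that contains `/dex/` skips authentication, not only paths under the Dex prefix. Anchoring it as `skip_auth_regex=["^/dex/.*"]` limits the bypass to the intended routes. `email_domains = [ "*" ]` accepts every identity the provider issues, which is acceptable only while Dex is the sole gate; a comment saying so would help. Separately, the value uses the folded scalar `>-`: if both settings sit at the same indentation they are joined into a single line, and `|-` would keep them as two.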
diff --git a/common/oidc-authservice/base/rbac.yaml b/common/oidc-client/oauth2-proxy/base/rbac.yaml
similarity index 100%
rename from common/oidc-authservice/base/rbac.yaml
rename to common/oidc-client/oauth2-proxy/base/rbac.yaml
diff --git a/common/oidc-client/oauth2-proxy/base/secret_params.env b/common/oidc-client/oauth2-proxy/base/secret_params.env
new file mode 100644
index 0000000000..72317147d9
--- /dev/null
+++ b/common/oidc-client/oauth2-proxy/base/secret_params.env
@@ -0,0 +1,2 @@
+COOKIE_SECRET=7d16fee92f8d11b8940b081b3f8b8acb
+CLIENT_SECRET=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
diff --git a/common/oidc-client/oauth2-proxy/base/service.yaml b/common/oidc-client/oauth2-proxy/base/service.yaml
new file mode 100644
index 0000000000..53c86d6f59
--- /dev/null
+++ b/common/oidc-client/oauth2-proxy/base/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: authservice
+spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: oauth2-proxy
+ ports:
+ - port: 8080
+ name: http-authservice
+ targetPort: http-api
+ publishNotReadyAddresses: true
\ No newline at end of file
diff --git a/common/oidc-authservice/base/envoy-filter.yaml b/common/oidc-client/oidc-authservice/base/envoy-filter.yaml
similarity index 100%
rename from common/oidc-authservice/base/envoy-filter.yaml
rename to common/oidc-client/oidc-authservice/base/envoy-filter.yaml
diff --git a/common/oidc-client/oidc-authservice/base/kustomization.yaml b/common/oidc-client/oidc-authservice/base/kustomization.yaml
new file mode 100644
index 0000000000..fb7a8fce28
--- /dev/null
+++ b/common/oidc-client/oidc-authservice/base/kustomization.yaml
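Review bot: `COOKIE_SECRET` and `CLIENT_SECRET` in `secret_params.env` are committed with fixed values, so every installation built from this base shares the same cookie secret and OIDC client secret unless the operator replaces them. A session cookie protected by a published key should not be relied on for integrity. Consider shipping placeholders instead, e.g. `COOKIE_SECRET=<generate-a-random-value-per-install>`, and stating in the README that both values must be regenerated per install, with `CLIENT_SECRET` kept equal to the secret Dex reads from `OIDC_CLIENT_SECRET`.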
@@ -0,0 +1,47 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - rbac.yaml
+ - service.yaml
+ - statefulset.yaml
+ - envoy-filter.yaml
+ - pvc.yaml
+
+namespace: istio-system
+
+configMapGenerator:
+ - name: oidc-authservice-parameters
+ envs:
+ - params.env
+
+secretGenerator:
+ - name: oidc-authservice-client
+ type: Opaque
+ envs:
+ - secret_params.env
+
+generatorOptions:
+ disableNameSuffixHash: true
+
+vars:
+ - name: AUTHSERVICE_NAMESPACE
+ objref:
+ kind: Service
+ name: authservice
+ apiVersion: v1
+ fieldref:
+ fieldpath: metadata.namespace
+ - name: AUTHSERVICE_SERVICE
+ objref:
+ kind: Service
+ name: authservice
+ apiVersion: v1
+ fieldref:
+ fieldpath: metadata.name
+configurations:
+ - params.yaml
+images:
+ - name: gcr.io/arrikto/kubeflow/oidc-authservice
+ newName: gcr.io/arrikto/kubeflow/oidc-authservice
+ newTag: e236439
\ No newline at end of file
diff --git a/common/oidc-authservice/base/params.env b/common/oidc-client/oidc-authservice/base/params.env
similarity index 100%
rename from common/oidc-authservice/base/params.env
rename to common/oidc-client/oidc-authservice/base/params.env
diff --git a/common/oidc-client/oidc-authservice/base/params.yaml b/common/oidc-client/oidc-authservice/base/params.yaml
new file mode 100644
index 0000000000..fcec4c57c4
--- /dev/null
+++ b/common/oidc-client/oidc-authservice/base/params.yaml
@@ -0,0 +1,5 @@
+varReference:
+- path: spec/configPatches/patch/value/typed_config/http_service/server_uri/uri
+ kind: EnvoyFilter
+- path: spec/configPatches/patch/value/typed_config/http_service/server_uri/cluster
+ kind: EnvoyFilter
diff --git a/common/oidc-authservice/base/pvc.yaml b/common/oidc-client/oidc-authservice/base/pvc.yaml
similarity index 100%
rename from common/oidc-authservice/base/pvc.yaml
rename to common/oidc-client/oidc-authservice/base/pvc.yaml
diff --git a/common/oidc-client/oidc-authservice/base/rbac.yaml b/common/oidc-client/oidc-authservice/base/rbac.yaml new file mode 100644 index 0000000000..8399498c1c --- /dev/null +++ b/common/oidc-client/oidc-authservice/base/rbac.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: authservice + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: authn-delegator +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: authn-delegators +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: authn-delegator +subjects: + - kind: ServiceAccount + name: authservice diff --git a/common/oidc-authservice/base/secret_params.env b/common/oidc-client/oidc-authservice/base/secret_params.env similarity index 100% rename from common/oidc-authservice/base/secret_params.env rename to common/oidc-client/oidc-authservice/base/secret_params.env diff --git a/common/oidc-authservice/base/service.yaml b/common/oidc-client/oidc-authservice/base/service.yaml similarity index 68% rename from common/oidc-authservice/base/service.yaml rename to common/oidc-client/oidc-authservice/base/service.yaml index 72dbda041f..8b62830bcf 100644 --- a/common/oidc-authservice/base/service.yaml +++ b/common/oidc-client/oidc-authservice/base/service.yaml @@ -7,7 +7,7 @@ spec: selector: app: authservice ports: - - port: 8080 - name: http-authservice - targetPort: http-api + - port: 8080 + name: http-authservice + targetPort: http-api publishNotReadyAddresses: true \ No newline at end of file diff --git a/common/oidc-authservice/base/statefulset.yaml b/common/oidc-client/oidc-authservice/base/statefulset.yaml similarity index 97% rename from common/oidc-authservice/base/statefulset.yaml rename to common/oidc-client/oidc-authservice/base/statefulset.yaml index af106d9955..05fbc63c96 100644 
--- a/common/oidc-authservice/base/statefulset.yaml +++ b/common/oidc-client/oidc-authservice/base/statefulset.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: authservice + name: oidc-authservice spec: replicas: 1 selector: diff --git a/common/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml b/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml similarity index 71% rename from common/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml rename to common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml index 4da19269ee..539c28cae4 100644 --- a/common/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml +++ b/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml @@ -1,10 +1,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization bases: -- ../../base + - ../../base patchesStrategicMerge: -- statefulset.yaml + - statefulset.yaml images: - name: busybox newTag: "latest" - newName: busybox + newName: busybox \ No newline at end of file diff --git a/common/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml b/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml similarity index 92% rename from common/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml rename to common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml index 2bf14f3759..2e29fc100a 100644 --- a/common/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml +++ b/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: authservice + name: oidc-authservice spec: template: spec: diff --git a/example/kustomization.yaml b/example/kustomization.yaml index 2657b0cb50..2d66f9da16 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml 
@@ -40,7 +40,7 @@ resources: - ../common/istio-1-17/istio-namespace/base - ../common/istio-1-17/istio-install/base # OIDC Authservice -- ../common/oidc-authservice/base +- ../common/oidc-client/oidc-authservice/base # Dex - ../common/dex/overlays/istio # KNative