merge the master

Signed-off-by: hansinikarunarathne <[email protected]>

.github/workflows/dex_test.yaml

@@ -26,3 +26,14 @@ jobs:
         cd common/dex
         kustomize build overlays/istio | kubectl apply -f -
         kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 180s
+
+    - name: port forward
+      run: |
+        ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
+        nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 8080:80 &
+        while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready
+
+    - name: test dex login
+      run: |
+        pip3 install requests
+        ./tests/gh-actions/test_dex_login.py

.github/workflows/linting_bash_python_yaml_files.yaml

@@ -125,7 +125,7 @@ jobs:
         fi
 
     - name: Display changed files
-      if: always()  # Always run this step
+      if: always() # Always run this step
       run: cat changed_files_in_PR.txt || echo "No bash files have changed in this PR."
 
     - name: Run ShellCheck on changed files

.github/workflows/manifests_example_test.yaml

@@ -1,8 +1,8 @@
 name: Unit Test
 
 on:
-  - push
-  - pull_request
+- push
+- pull_request
 
 jobs:
   build:
@@ -19,4 +19,3 @@ jobs:
     - name: Unit Test
       run: |
         kustomize build example
-

.github/workflows/stale.yaml

@@ -7,7 +7,7 @@ name: Mark stale issues and pull requests
 
 on:
   schedule:
-    - cron: '0 0 * * *'  # Run every day at midnight
+  - cron: '0 0 * * *' # Run every day at midnight
 
 jobs:
   stale:
@@ -17,40 +17,32 @@ jobs:
       pull-requests: write
 
     steps:
-      - uses: actions/stale@v5
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          days-before-stale: 60
-          days-before-close: 21
-          # The message that will be added as a comment to the issues 
-          # when the stale workflow marks it automatically as stale with a label.
-          stale-issue-message: >
-            This issue has been automatically marked as stale because it has not had
-            recent activity. It will be closed if no further activity occurs. Thank you
-            for your contributions.
-          # The message that will be added as a comment to the issues 
-          # when the stale workflow closes it automatically after being stale for too long.
-          close-issue-message: >
-            This issue has been automatically closed because it has not had recent
-            activity. Please comment "/reopen" to reopen it.
-          stale-issue-label: lifecycle/stale
-          # Exclude them from being marked as stale
-          exempt-issue-labels: lifecycle/frozen,enhancement,good first issue
-          # The message that will be added as a comment to the pull requests 
-          # when the stale workflow marks it automatically as stale with a label.
-          stale-pr-message: >
-            This pull request has been automatically marked as stale because it has not had
-            recent activity. It will be closed if no further activity occurs. Thank you
-            for your contributions. 
-          # The message that will be added as a comment to the pull requests 
-          # when the stale workflow closes it automatically after being stale for too long.
-          close-pr-message: >
-            This pull request has been automatically closed because it has not had recent 
-            activity.You can reopen the PR if you want. 
-          stale-pr-label: lifecycle/stale
-          # Exclude them from being marked as stale
-          exempt-pr-labels: lifecycle/frozen,enhancement,good first issue
-          # The issues or the pull requests with a milestone will not be marked as stale automatically
-          exempt-all-milestones: true
-          # Learn more about operations: https://github.com/actions/stale#operations-per-run.
-          operations-per-run: 250
+    - uses: actions/stale@v5
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        days-before-stale: 60
+        days-before-close: 21
+        # The message that will be added as a comment to the issues
+        # when the stale workflow marks it automatically as stale with a label.
+        stale-issue-message: >
+          This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
+        # The message that will be added as a comment to the issues
+        # when the stale workflow closes it automatically after being stale for too long.
+        close-issue-message: >
+          This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it.
+        stale-issue-label: lifecycle/stale
+        # Exclude them from being marked as stale
+        exempt-issue-labels: lifecycle/frozen,enhancement,good first issue
+        # The message that will be added as a comment to the pull requests
+        # when the stale workflow marks it automatically as stale with a label.
+        stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. \n"
+        # The message that will be added as a comment to the pull requests
+        # when the stale workflow closes it automatically after being stale for too long.
+        close-pr-message: "This pull request has been automatically closed because it has not had recent  activity.You can reopen the PR if you want. \n"
+        stale-pr-label: lifecycle/stale
+        # Exclude them from being marked as stale
+        exempt-pr-labels: lifecycle/frozen,enhancement,good first issue
+        # The issues or the pull requests with a milestone will not be marked as stale automatically
+        exempt-all-milestones: true
+        # Learn more about operations: https://github.com/actions/stale#operations-per-run.
+        operations-per-run: 250

.github/workflows/triage_issues.yaml

@@ -1,4 +1,4 @@
-# Define a GitHub action workflow to determine whether issues 
+# Define a GitHub action workflow to determine whether issues
 # should be added or removed from the Needs Triage Kanban board.
 name: Check Triage Status of Issue
 on:
@@ -10,10 +10,9 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - name: Update Kanban
-        uses: kubeflow/code-intelligence/Issue_Triage/action@master
-        with:
-          # Letting input NEEDS_TRIAGE_PROJECT_CARD_ID use the default value
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-          GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.triage_projects_github_token }}
-
+    - name: Update Kanban
+      uses: kubeflow/code-intelligence/Issue_Triage/action@master
+      with:
+        # Letting input NEEDS_TRIAGE_PROJECT_CARD_ID use the default value
+        ISSUE_NUMBER: ${{ github.event.issue.number }}
+        GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.triage_projects_github_token }}

.github/workflows/trivy.yaml

@@ -3,48 +3,46 @@ name: Image Extracting and Security Scanning
 on:
   push:
     branches:
-      - master
+    - master
 
 jobs:
   image-extraction-and-security-scan:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      # Install kustomize
-      - name: Install kustomize
-        run: |
-          sudo apt update
-          sudo apt install snapd
-          sudo snap install kustomize
-
-      # Install trivy
-      - name: Install trivy
-        run: |
-          sudo apt update
-          sudo snap install trivy
-
-      # Install Python
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.12' 
-
-      # Install prettytable package
-      - name: Install prettytable
-        run: |
-          pip install prettytable
-
-      - name: Run image extracting and security scanning script
-        run: |
-          cd hack
-          python3 trivy_scan.py
-
-      # - name: Upload trivy scanned_results
-      #   uses: actions/upload-artifact@v4
-      #   with:
-      #     name: trivy_scanned_results
-      #     path: image_lists/
-
-
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    # Install kustomize
+    - name: Install kustomize
+      run: |
+        sudo apt update
+        sudo apt install snapd
+        sudo snap install kustomize
+
+    # Install trivy
+    - name: Install trivy
+      run: |
+        sudo apt update
+        sudo snap install trivy
+
+    # Install Python
+    - name: Setup Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+
+    # Install prettytable package
+    - name: Install prettytable
+      run: |
+        pip install prettytable
+
+    - name: Run image extracting and security scanning script
+      run: |
+        cd hack
+        python3 trivy_scan.py
+
+    # - name: Upload trivy scanned_results
+    #   uses: actions/upload-artifact@v4
+    #   with:
+    #     name: trivy_scanned_results
+    #     path: image_lists/

README.md

@@ -224,7 +224,7 @@ The oauth2-proxy extends your Istio Ingress-Gateway capabilities, to be able to
 
 ```sh
 echo "Installing oauth2-proxy..."
-kustomize build common/oidc-client/oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f -
+kustomize build common/oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f -
 kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy
 ```
 
@@ -561,6 +561,6 @@ The Kubeflow security working group follows a responsible disclosure policy for
 ## Frequently Asked Questions
 
 - **Q:** What versions of Istio, Knative, Cert-Manager, Argo, ... are compatible with Kubeflow? \
-  **A:** Please refer to each individual component's documentation for a dependency compatibility range. For Istio, Knative, Dex, Cert-Manager and OIDC-AuthService, the versions in `common` are the ones we have validated.
+  **A:** Please refer to each individual component's documentation for a dependency compatibility range. For Istio, Knative, Dex, Cert-Manager and OAuth2 Proxy, the versions in `common` are the ones we have validated.
 - **Q:** Can I use earlier version of Kustomize with Kubeflow manifests?
-  **A:** No, it is not supported anymore, although it might be possible with manual effort.
+  **A:** No, it is not supported anymore, although it might be possible with manual effort.

apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml → apps/centraldashboard/overlays/oauth2-proxy/kustomization.yaml

@@ -3,7 +3,7 @@ kind: Kustomization
 
 resources:
 # Using kserve overlay because it's also used in example installation.
-- ../kserve
+-  ../../upstream/overlays/kserve
 
 components:
-- ../../../../../common/oidc-client/oauth2-proxy/components/central-dashboard
+- ../../../../common/oauth2-proxy/components/central-dashboard

common/dex/base/config-map.yaml

@@ -25,6 +25,6 @@ data:
     staticClients:
     # https://github.com/dexidp/dex/pull/1664
     - idEnv: OIDC_CLIENT_ID
-      redirectURIs: ["/authservice/oidc/callback"]
+      redirectURIs: ["/oauth2/callback"]
       name: 'Dex Login Application'
       secretEnv: OIDC_CLIENT_SECRET

common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
 - ../../base
 
 components:
-- ../../../../oidc-client/oauth2-proxy/components/istio-external-auth-patches
+- ../../../../oauth2-proxy/components/istio-external-auth-patches

common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
 - ../../base
 
 components:
-- ../../../../oidc-client/oauth2-proxy/components/istio-external-auth-patches
+- ../../../../oauth2-proxy/components/istio-external-auth-patches

common/oidc-client/README.md → common/oauth2-proxy/README.md

@@ -1,4 +1,4 @@
-# Kubeflow Authentication using OIDC
+# Kubeflow Authentication using Oauth2 Proxy
 
 ## Istio Envoy Filter
 
@@ -132,4 +132,4 @@ This is based on the following:
 [^3]: [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy)
 [^4]: [Kubernetes TokenReview](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/)
 [^5]: [Kubernetes SubjectAccessReview](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v3/)
-[^6]: [Kube RBAC Proxy](https://github.com/brancz/kube-rbac-proxy)
+[^6]: [Kube RBAC Proxy](https://github.com/brancz/kube-rbac-proxy)

common/oauth2-proxy/base/deployment.yaml

@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oauth2-proxy
+  labels:
+    app: oauth2-proxy
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: oauth2-proxy
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: oauth2-proxy
+    spec:
+      volumes:
+      - name: configmain
+        configMap:
+          name: oauth2-proxy
+          defaultMode: 420
+      containers:
+      - name: oauth2-proxy
+        image: quay.io/oauth2-proxy/oauth2-proxy:latest
+        args:
+        - --http-address=0.0.0.0:4180
+        - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
+        ports:
+        - name: http
+          containerPort: 4180
+          protocol: TCP
+        - name: metrics
+          containerPort: 44180
+          protocol: TCP
+        env:
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: oauth2-proxy
+              key: client-id
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: oauth2-proxy
+              key: client-secret
+        - name: OAUTH2_PROXY_COOKIE_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: oauth2-proxy
+              key: cookie-secret
+        - name: OAUTH2_PROXY_COOKIE_SECURE
+          valueFrom:
+            configMapKeyRef:
+              name: oauth2-proxy-parameters
+              key: FORCE_HTTPS
+        - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
+          valueFrom:
+            configMapKeyRef:
+              name: oauth2-proxy-parameters
+              key: ALLOW_SELF_SIGNED_ISSUER
+        - name: OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS
+          valueFrom:
+            configMapKeyRef:
+              name: oauth2-proxy-parameters
+              key: ENABLE_M2M_TOKENS
+        - name: OAUTH2_PROXY_EXTRA_JWT_ISSUERS
+          valueFrom:
+            configMapKeyRef:
+              name: oauth2-proxy-parameters
+              key: EXTRA_JWT_ISSUERS
+        volumeMounts:
+        - name: configmain
+          mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
+          subPath: oauth2_proxy.cfg
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: http
+            scheme: HTTP
+        readinessProbe:
+          httpGet:
+            path: /ping
+            port: http
+            scheme: HTTP
+        resources: {}

common/oidc-client/oauth2-proxy/base/kustomization.yaml → common/oauth2-proxy/base/kustomization.yaml

@@ -48,7 +48,7 @@ configMapGenerator:
   # If extra jwt issuers are meant to be used with m2m bearer tokens,
   # each issuer has to be added with RequestAuthentication so Istio can
   # verify, trust and use the JWT. See
-  # 'common/oidc-client/oauth2-proxy/components/istio-m2m' for details.
+  # 'common/oauth2-proxy/components/istio-m2m' for details.
   # Examples:
   # - EXTRA_JWT_ISSUERS=https://kubernetes.default.svc.cluster.local=https://kubernetes.default.svc.cluster.local
   # - EXTRA_JWT_ISSUERS=https://oidc.eks.region.amazonaws.com/id/1234abcd=https://kubernetes.default.svc