diff --git a/.github/workflows/dex_test.yaml b/.github/workflows/dex_test.yaml
index 4b1b30a9a4..a29330cdec 100644
--- a/.github/workflows/dex_test.yaml
+++ b/.github/workflows/dex_test.yaml
@@ -26,3 +26,14 @@ jobs:
 cd common/dex
 kustomize build overlays/istio | kubectl apply -f -
 kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 180s
+
+ - name: port forward
+ run: |
+ ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
+ nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 8080:80 &
+ while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready
+
+ - name: test dex login
+ run: |
+ pip3 install requests
+ ./tests/gh-actions/test_dex_login.py
diff --git a/.github/workflows/linting_bash_python_yaml_files.yaml b/.github/workflows/linting_bash_python_yaml_files.yaml
index 3d168fde5f..bd38c1eea4 100644
--- a/.github/workflows/linting_bash_python_yaml_files.yaml
+++ b/.github/workflows/linting_bash_python_yaml_files.yaml
@@ -125,7 +125,7 @@ jobs:
 fi
 - name: Display changed files
- if: always() # Always run this step
+ if: always() # Always run this step
 run: cat changed_files_in_PR.txt || echo "No bash files have changed in this PR."
 - name: Run ShellCheck on changed files
diff --git a/.github/workflows/manifests_example_test.yaml b/.github/workflows/manifests_example_test.yaml
index 72579e63b8..55ed3ce040 100644
--- a/.github/workflows/manifests_example_test.yaml
+++ b/.github/workflows/manifests_example_test.yaml
@@ -1,8 +1,8 @@
 name: Unit Test
 on:
- - push
- - pull_request
+- push
+- pull_request
 jobs:
 build:
@@ -19,4 +19,3 @@ jobs:
 - name: Unit Test
 run: |
 kustomize build example
-
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index dc8c85a9da..e56901a44c 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
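Review bot: The readiness loop `while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done` in the `port forward` step has no upper bound, so if the backgrounded `kubectl port-forward` exits (for example because the `app=istio-ingressgateway` lookup yields an empty name and `svc/` is passed) the job spins until the runner's job timeout instead of failing with a clear cause; a bounded wait such as `timeout 120 bash -c 'until curl -s -o /dev/null localhost:8080; do sleep 1; done'` fails the step promptly. In the `test dex login` step, `pip3 install requests` floats to whatever PyPI serves on the day, so pinning it (`pip3 install 'requests==<validated version>'`) keeps the login test reproducible and narrows the supply-chain surface of the CI job. The script `./tests/gh-actions/test_dex_login.py` that the step runs is not part of this diff.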
@@ -7,7 +7,7 @@ name: Mark stale issues and pull requests on: schedule: - - cron: '0 0 * * *' # Run every day at midnight + - cron: '0 0 * * *' # Run every day at midnight jobs: stale: 
@@ -17,40 +17,32 @@ jobs: pull-requests: write steps: - - uses: actions/stale@v5 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - days-before-stale: 60 - days-before-close: 21 - # The message that will be added as a comment to the issues - # when the stale workflow marks it automatically as stale with a label. - stale-issue-message: > - This issue has been automatically marked as stale because it has not had - recent activity. It will be closed if no further activity occurs. Thank you - for your contributions. - # The message that will be added as a comment to the issues - # when the stale workflow closes it automatically after being stale for too long. - close-issue-message: > - This issue has been automatically closed because it has not had recent - activity. Please comment "/reopen" to reopen it. - stale-issue-label: lifecycle/stale - # Exclude them from being marked as stale - exempt-issue-labels: lifecycle/frozen,enhancement,good first issue - # The message that will be added as a comment to the pull requests - # when the stale workflow marks it automatically as stale with a label. - stale-pr-message: > - This pull request has been automatically marked as stale because it has not had - recent activity. It will be closed if no further activity occurs. Thank you - for your contributions. - # The message that will be added as a comment to the pull requests - # when the stale workflow closes it automatically after being stale for too long. - close-pr-message: > - This pull request has been automatically closed because it has not had recent - activity.You can reopen the PR if you want. - stale-pr-label: lifecycle/stale - # Exclude them from being marked as stale - exempt-pr-labels: lifecycle/frozen,enhancement,good first issue - # The issues or the pull requests with a milestone will not be marked as stale automatically - exempt-all-milestones: true - # Learn more about operations: https://github.com/actions/stale#operations-per-run. 
- operations-per-run: 250 \ No newline at end of file + - uses: actions/stale@v5 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + days-before-stale: 60 + days-before-close: 21 + # The message that will be added as a comment to the issues + # when the stale workflow marks it automatically as stale with a label. + stale-issue-message: > + This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. + # The message that will be added as a comment to the issues + # when the stale workflow closes it automatically after being stale for too long. + close-issue-message: > + This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it. + stale-issue-label: lifecycle/stale + # Exclude them from being marked as stale + exempt-issue-labels: lifecycle/frozen,enhancement,good first issue + # The message that will be added as a comment to the pull requests + # when the stale workflow marks it automatically as stale with a label. + stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. \n" + # The message that will be added as a comment to the pull requests + # when the stale workflow closes it automatically after being stale for too long. + close-pr-message: "This pull request has been automatically closed because it has not had recent activity.You can reopen the PR if you want. \n" + stale-pr-label: lifecycle/stale + # Exclude them from being marked as stale + exempt-pr-labels: lifecycle/frozen,enhancement,good first issue + # The issues or the pull requests with a milestone will not be marked as stale automatically + exempt-all-milestones: true + # Learn more about operations: https://github.com/actions/stale#operations-per-run. + operations-per-run: 250 
diff --git a/.github/workflows/triage_issues.yaml b/.github/workflows/triage_issues.yaml index 5d4551ce97..14bcb4703b 100644 --- a/.github/workflows/triage_issues.yaml +++ b/.github/workflows/triage_issues.yaml @@ -1,4 +1,4 @@ -# Define a GitHub action workflow to determine whether issues +# Define a GitHub action workflow to determine whether issues # should be added or removed from the Needs Triage Kanban board. name: Check Triage Status of Issue on: @@ -10,10 +10,9 @@ jobs: test: runs-on: ubuntu-latest steps: - - name: Update Kanban - uses: kubeflow/code-intelligence/Issue_Triage/action@master - with: - # Letting input NEEDS_TRIAGE_PROJECT_CARD_ID use the default value - ISSUE_NUMBER: ${{ github.event.issue.number }} - GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.triage_projects_github_token }} - + - name: Update Kanban + uses: kubeflow/code-intelligence/Issue_Triage/action@master + with: + # Letting input NEEDS_TRIAGE_PROJECT_CARD_ID use the default value + ISSUE_NUMBER: ${{ github.event.issue.number }} + GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.triage_projects_github_token }} diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index f10d0ee828..99bfa64265 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml 
@@ -3,48 +3,46 @@ name: Image Extracting and Security Scanning on: push: branches: - - master + - master jobs: image-extraction-and-security-scan: runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v3 - - # Install kustomize - - name: Install kustomize - run: | - sudo apt update - sudo apt install snapd - sudo snap install kustomize - - # Install trivy - - name: Install trivy - run: | - sudo apt update - sudo snap install trivy - - # Install Python - - name: Setup Python - uses: actions/setup-python@v5 - with: - python-version: '3.12' - - # Install prettytable package - - name: Install prettytable - run: | - pip install prettytable - - - name: Run image extracting and security scanning script - run: | - cd hack - python3 trivy_scan.py - - # - name: Upload trivy scanned_results - # uses: actions/upload-artifact@v4 - # with: - # name: trivy_scanned_results - # path: image_lists/ - - + - name: Checkout code + uses: actions/checkout@v3 + + # Install kustomize + - name: Install kustomize + run: | + sudo apt update + sudo apt install snapd + sudo snap install kustomize + + # Install trivy + - name: Install trivy + run: | + sudo apt update + sudo snap install trivy + + # Install Python + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: '3.12' + + # Install prettytable package + - name: Install prettytable + run: | + pip install prettytable + + - name: Run image extracting and security scanning script + run: | + cd hack + python3 trivy_scan.py + + # - name: Upload trivy scanned_results + # uses: actions/upload-artifact@v4 + # with: + # name: trivy_scanned_results + # path: image_lists/ diff --git a/README.md b/README.md index e88f320ed7..46ba457a36 100644 --- a/README.md +++ b/README.md 
@@ -224,7 +224,7 @@ The oauth2-proxy extends your Istio Ingress-Gateway capabilities, to be able to ```sh echo "Installing oauth2-proxy..." -kustomize build common/oidc-client/oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f - +kustomize build common/oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f - kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy ``` @@ -561,6 +561,6 @@ The Kubeflow security working group follows a responsible disclosure policy for ## Frequently Asked Questions - **Q:** What versions of Istio, Knative, Cert-Manager, Argo, ... are compatible with Kubeflow? \ - **A:** Please refer to each individual component's documentation for a dependency compatibility range. For Istio, Knative, Dex, Cert-Manager and OIDC-AuthService, the versions in `common` are the ones we have validated. + **A:** Please refer to each individual component's documentation for a dependency compatibility range. For Istio, Knative, Dex, Cert-Manager and OAuth2 Proxy, the versions in `common` are the ones we have validated. - **Q:** Can I use earlier version of Kustomize with Kubeflow manifests? - **A:** No, it is not supported anymore, although it might be possible with manual effort. \ No newline at end of file + **A:** No, it is not supported anymore, although it might be possible with manual effort. diff --git a/apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml b/apps/centraldashboard/overlays/oauth2-proxy/kustomization.yaml similarity index 62% rename from apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml rename to apps/centraldashboard/overlays/oauth2-proxy/kustomization.yaml index 7115c8893a..bdd73a2f6d 100644 --- a/apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml +++ b/apps/centraldashboard/overlays/oauth2-proxy/kustomization.yaml 
@@ -3,7 +3,7 @@ kind: Kustomization resources: # Using kserve overlay because it's also used in example installation. -- ../kserve +- ../../upstream/overlays/kserve components: -- ../../../../../common/oidc-client/oauth2-proxy/components/central-dashboard +- ../../../../common/oauth2-proxy/components/central-dashboard diff --git a/common/dex/base/config-map.yaml b/common/dex/base/config-map.yaml index 70ce4002df..a71484f3eb 100644 --- a/common/dex/base/config-map.yaml +++ b/common/dex/base/config-map.yaml @@ -25,6 +25,6 @@ data: staticClients: # https://github.com/dexidp/dex/pull/1664 - idEnv: OIDC_CLIENT_ID - redirectURIs: ["/authservice/oidc/callback"] + redirectURIs: ["/oauth2/callback"] name: 'Dex Login Application' secretEnv: OIDC_CLIENT_SECRET diff --git a/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml index 086e1bdb88..4f9b7365be 100644 --- a/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml +++ b/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml @@ -5,4 +5,4 @@ resources: - ../../base components: -- ../../../../oidc-client/oauth2-proxy/components/istio-external-auth-patches +- ../../../../oauth2-proxy/components/istio-external-auth-patches diff --git a/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml index 086e1bdb88..4f9b7365be 100644 --- a/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml +++ b/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml @@ -5,4 +5,4 @@ resources: - ../../base components: -- ../../../../oidc-client/oauth2-proxy/components/istio-external-auth-patches +- ../../../../oauth2-proxy/components/istio-external-auth-patches 
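Review bot: `redirectURIs: ["/oauth2/callback"]` registers a path-only redirect URI, and Dex compares the `redirect_uri` of each authorization request against this list by exact string match, so the login only works if oauth2-proxy sends exactly `/oauth2/callback` (a relative `redirect_url` in its config, which is outside this hunk); an absolute URL with scheme and host would be rejected. The replaced value `/authservice/oidc/callback` relied on the same convention, so a comment keeps the coupling visible: `# Path-only on purpose: must equal oauth2-proxy's redirect_url byte-for-byte (Dex exact-matches redirect URIs).` If an overlay ever configures oauth2-proxy with an absolute redirect URL, this entry has to change in lockstep.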
diff --git a/common/oidc-client/oauth2-proxy/OWNERS b/common/oauth2-proxy/OWNERS similarity index 100% rename from common/oidc-client/oauth2-proxy/OWNERS rename to common/oauth2-proxy/OWNERS diff --git a/common/oidc-client/README.md b/common/oauth2-proxy/README.md similarity index 99% rename from common/oidc-client/README.md rename to common/oauth2-proxy/README.md index 6a8986d940..12b02fd0ae 100644 --- a/common/oidc-client/README.md +++ b/common/oauth2-proxy/README.md @@ -1,4 +1,4 @@ -# Kubeflow Authentication using OIDC +# Kubeflow Authentication using Oauth2 Proxy ## Istio Envoy Filter @@ -132,4 +132,4 @@ This is based on the following: [^3]: [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) [^4]: [Kubernetes TokenReview](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) [^5]: [Kubernetes SubjectAccessReview](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v3/) -[^6]: [Kube RBAC Proxy](https://github.com/brancz/kube-rbac-proxy) +[^6]: [Kube RBAC Proxy](https://github.com/brancz/kube-rbac-proxy) \ No newline at end of file diff --git a/common/oidc-client/oauth2-proxy/base/README.md b/common/oauth2-proxy/base/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/base/README.md rename to common/oauth2-proxy/base/README.md diff --git a/common/oauth2-proxy/base/deployment.yaml b/common/oauth2-proxy/base/deployment.yaml new file mode 100644 index 0000000000..eba3f09429 --- /dev/null +++ b/common/oauth2-proxy/base/deployment.yaml 
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth2-proxy
+ labels:
+ app: oauth2-proxy
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: oauth2-proxy
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: oauth2-proxy
+ spec:
+ volumes:
+ - name: configmain
+ configMap:
+ name: oauth2-proxy
+ defaultMode: 420
+ containers:
+ - name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:latest
+ args:
+ - --http-address=0.0.0.0:4180
+ - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
+ ports:
+ - name: http
+ containerPort: 4180
+ protocol: TCP
+ - name: metrics
+ containerPort: 44180
+ protocol: TCP
+ env:
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy
+ key: client-id
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy
+ key: client-secret
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy
+ key: cookie-secret
+ - name: OAUTH2_PROXY_COOKIE_SECURE
+ valueFrom:
+ configMapKeyRef:
+ name: oauth2-proxy-parameters
+ key: FORCE_HTTPS
+ - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
+ valueFrom:
+ configMapKeyRef:
+ name: oauth2-proxy-parameters
+ key: ALLOW_SELF_SIGNED_ISSUER
+ - name: OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS
+ valueFrom:
+ configMapKeyRef:
+ name: oauth2-proxy-parameters
+ key: ENABLE_M2M_TOKENS
+ - name: OAUTH2_PROXY_EXTRA_JWT_ISSUERS
+ valueFrom:
+ configMapKeyRef:
+ name: oauth2-proxy-parameters
+ key: EXTRA_JWT_ISSUERS
+ volumeMounts:
+ - name: configmain
+ mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
+ subPath: oauth2_proxy.cfg
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: http
+ scheme: HTTP
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: http
+ scheme: HTTP
+ resources: {}
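Review bot: `image: quay.io/oauth2-proxy/oauth2-proxy:latest` pins the component that holds the OIDC client secret and mints session cookies to a floating tag, so every pod restart can silently pull a different build; use a release tag (ideally with an `@sha256` digest) unless the base kustomization's `images:` transformer already rewrites it, which is not visible in this hunk. The container also declares no `securityContext` and an empty `resources: {}`; the lines below add the usual hardening (the config is mounted via `subPath`, so a read-only root filesystem should be safe, but confirm oauth2-proxy writes nothing else to disk). Note as well that `OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY` is fed from `ALLOW_SELF_SIGNED_ISSUER`: the oauth2-proxy flag disables certificate verification for its HTTPS provider connections generally, not only for the issuer discovery document, so the parameter's description in `params.yaml` (outside this hunk) should say so.
```yaml
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:vX.Y.Z   # replace with the release validated for this manifest; never :latest
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        # … unchanged: args, ports, env, volumeMounts, probes …
        resources: {}   # TODO: set requests/limits; this pod is on the auth path of every request
```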
diff --git a/common/oidc-client/oauth2-proxy/base/kustomization.yaml b/common/oauth2-proxy/base/kustomization.yaml similarity index 96% rename from common/oidc-client/oauth2-proxy/base/kustomization.yaml rename to common/oauth2-proxy/base/kustomization.yaml index 94e959bd27..0e470f0603 100644 --- a/common/oidc-client/oauth2-proxy/base/kustomization.yaml +++ b/common/oauth2-proxy/base/kustomization.yaml @@ -48,7 +48,7 @@ configMapGenerator: # If extra jwt issuers are meant to be used with m2m bearer tokens, # each issuer has to be added with RequestAuthentication so Istio can # verify, trust and use the JWT. See - # 'common/oidc-client/oauth2-proxy/components/istio-m2m' for details. + # 'common/oauth2-proxy/components/istio-m2m' for details. # Examples: # - EXTRA_JWT_ISSUERS=https://kubernetes.default.svc.cluster.local=https://kubernetes.default.svc.cluster.local # - EXTRA_JWT_ISSUERS=https://oidc.eks.region.amazonaws.com/id/1234abcd=https://kubernetes.default.svc diff --git a/common/oidc-client/oauth2-proxy/base/namespace.yaml b/common/oauth2-proxy/base/namespace.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/base/namespace.yaml rename to common/oauth2-proxy/base/namespace.yaml diff --git a/common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml b/common/oauth2-proxy/base/oauth2-proxy-config.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml rename to common/oauth2-proxy/base/oauth2-proxy-config.yaml diff --git a/common/oidc-client/oauth2-proxy/base/params.yaml b/common/oauth2-proxy/base/params.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/base/params.yaml rename to common/oauth2-proxy/base/params.yaml 
diff --git a/common/oidc-client/oauth2-proxy/base/rbac.tokenreviews.yaml b/common/oauth2-proxy/base/rbac.tokenreviews.yaml similarity index 66% rename from common/oidc-client/oauth2-proxy/base/rbac.tokenreviews.yaml rename to common/oauth2-proxy/base/rbac.tokenreviews.yaml index 4da90d4b4e..1b071279e8 100644 --- a/common/oidc-client/oauth2-proxy/base/rbac.tokenreviews.yaml +++ b/common/oauth2-proxy/base/rbac.tokenreviews.yaml @@ -3,12 +3,12 @@ kind: ClusterRole metadata: name: authn-delegator rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 @@ -20,5 +20,5 @@ roleRef: kind: ClusterRole name: authn-delegator subjects: - - kind: ServiceAccount - name: oauth2-proxy +- kind: ServiceAccount + name: oauth2-proxy diff --git a/common/oidc-client/oauth2-proxy/base/service.yaml b/common/oauth2-proxy/base/service.yaml similarity index 76% rename from common/oidc-client/oauth2-proxy/base/service.yaml rename to common/oauth2-proxy/base/service.yaml index b8ee06324d..260213a63a 100644 --- a/common/oidc-client/oauth2-proxy/base/service.yaml +++ b/common/oauth2-proxy/base/service.yaml @@ -7,7 +7,7 @@ spec: selector: app.kubernetes.io/name: oauth2-proxy ports: - - port: 80 - name: http - targetPort: http + - port: 80 + name: http + targetPort: http publishNotReadyAddresses: true diff --git a/common/oidc-client/oauth2-proxy/base/serviceaccount.yaml b/common/oauth2-proxy/base/serviceaccount.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/base/serviceaccount.yaml rename to common/oauth2-proxy/base/serviceaccount.yaml diff --git a/common/oidc-client/oauth2-proxy/README.md b/common/oauth2-proxy/components/README.md similarity index 97% rename from common/oidc-client/oauth2-proxy/README.md rename to common/oauth2-proxy/components/README.md index caa0aab16f..aedbba080f 100644 
--- a/common/oidc-client/oauth2-proxy/README.md +++ b/common/oauth2-proxy/components/README.md @@ -177,9 +177,9 @@ make the following changes to the `example/kustomization.yaml` file: bearer tokens with self-signed in-cluster issuer ``` # from - - ../common/oidc-client/oidc-authservice/base + - ../common//oidc-authservice/base # to - - ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed + - ../common/oauth2-proxy/overlays/m2m-self-signed ``` * change Dex overlay ``` @@ -192,7 +192,7 @@ make the following changes to the `example/kustomization.yaml` file: # from - ../apps/centraldashboard/upstream/overlays/kserve # to - - ../apps/centraldashboard/upstream/overlays/oauth2-proxy + - ../apps/centraldashboard/manuel-patches/overlays/oauth2-proxy ``` All those changes combined can be done with this single command: @@ -208,10 +208,10 @@ index c1a85789..4a50440c 100644 - ../common/istio-1-22/istio-namespace/base -- ../common/istio-1-22/istio-install/base -# OIDC Authservice --- ../common/oidc-client/oidc-authservice/base +-- ../common//oidc-authservice/base +- ../common/istio-1-22/istio-install/overlays/oauth2-proxy +# oauth2-proxy for OIDC -+- ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed ++- ../common/oauth2-proxy/overlays/m2m-self-signed # Dex -- ../common/dex/overlays/istio +- ../common/dex/overlays/oauth2-proxy @@ -223,7 +223,7 @@ index c1a85789..4a50440c 100644 - ../apps/katib/upstream/installs/katib-with-kubeflow # Central Dashboard -- ../apps/centraldashboard/upstream/overlays/kserve -+- ../apps/centraldashboard/upstream/overlays/oauth2-proxy ++- ../apps/centraldashboard/overlays # Admission Webhook - ../apps/admission-webhook/upstream/overlays/cert-manager # Jupyter Web App 
diff --git a/common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md b/common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md rename to common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md diff --git a/common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml b/common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml rename to common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml diff --git a/common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml b/common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml rename to common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml diff --git a/common/oidc-client/oauth2-proxy/components/central-dashboard/kustomization.yaml b/common/oauth2-proxy/components/central-dashboard/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/central-dashboard/kustomization.yaml rename to common/oauth2-proxy/components/central-dashboard/kustomization.yaml 
diff --git a/common/oidc-client/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml b/common/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml similarity index 68% rename from common/oidc-client/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml rename to common/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml index 0d6b504191..bd2605e8d2 100644 --- a/common/oidc-client/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml +++ b/common/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml @@ -10,9 +10,7 @@ spec: - name: centraldashboard env: # This successfully logs out the user but the user is not redirected to - # the home page. This is because of custom integration with - # oidc-authservice which will provide response with 'afterLogoutURL'. - # https://github.com/arrikto/oidc-authservice/blob/0c4ea9a/server.go#L509 + # the home page. # https://github.com/kubeflow/kubeflow/blob/c6c4492/components/centraldashboard/public/components/logout-button.js#L50 # Please refresh the page after logging out. - name: LOGOUT_URL diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md diff --git a/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml new file mode 100644 index 0000000000..639e96cb49 --- /dev/null 
+++ b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml
@@ -0,0 +1,39 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: kubeflow-m2m-oidc-configurator
+ namespace: istio-system
+spec:
+ schedule: '*/5 * * * *'
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ backoffLimit: 3
+ ttlSecondsAfterFinished: 600
+ template:
+ metadata:
+ labels: {}
+ spec:
+ restartPolicy: OnFailure
+ serviceAccountName: kubeflow-m2m-oidc-configurator
+ containers:
+ - image: docker.io/curlimages/curl
+ name: kubeflow-m2m-oidc-configurator
+ command:
+ - /script.sh
+ envFrom:
+ - configMapRef:
+ name: kubeflow-m2m-oidc-configurator-envs
+ volumeMounts:
+ - mountPath: /script.sh
+ name: script
+ subPath: script.sh
+ resources: {}
+ volumes:
+ - name: script
+ configMap:
+ name: kubeflow-m2m-oidc-configurator-script
+ defaultMode: 0777
+ items:
+ - key: script.sh
+ path: script.sh
diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml
diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml similarity index 69% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml
index 305a8fb5c0..9bb2578515 100644
--- a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml
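Review bot: `image: docker.io/curlimages/curl` carries no tag, so each run pulls whatever `latest` is at that moment, for a CronJob whose ServiceAccount can `patch` `RequestAuthentication` objects in istio-system (per the rbac.yaml renamed in this diff); pin a tag or digest, `image: docker.io/curlimages/curl:<validated tag>`. `defaultMode: 0777` on the script ConfigMap volume is wider than needed — ConfigMap volumes are mounted read-only, so `defaultMode: 0555` runs the same script without a world-writable mode bit that policy scanners flag. The container also has no `securityContext`; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` cost nothing for a curl job. The script itself (`script.sh`) is only renamed in this diff, so its contents are not reviewed here.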
+++ b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml @@ -11,13 +11,13 @@ metadata: name: kubeflow-m2m-oidc-configurator namespace: istio-system rules: - - apiGroups: - - security.istio.io - resources: - - requestauthentications - verbs: - - get - - patch +- apiGroups: + - security.istio.io + resources: + - requestauthentications + verbs: + - get + - patch --- apiVersion: rbac.authorization.k8s.io/v1 @@ -30,6 +30,6 @@ roleRef: kind: Role name: kubeflow-m2m-oidc-configurator subjects: - - kind: ServiceAccount - name: kubeflow-m2m-oidc-configurator - namespace: istio-system +- kind: ServiceAccount + name: kubeflow-m2m-oidc-configurator + namespace: istio-system diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh similarity index 100% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh diff --git a/common/oidc-client/oauth2-proxy/components/README.md b/common/oauth2-proxy/components/istio-external-auth-patches/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/components/README.md rename to common/oauth2-proxy/components/istio-external-auth-patches/README.md diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml b/common/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml rename to common/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml 
diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml b/common/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml rename to common/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml
diff --git a/common/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml b/common/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml new file mode 100644
index 0000000000..a11dfd1282
--- /dev/null
+++ b/common/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istiod
+ namespace: istio-system
+spec:
+ template:
+ spec:
+ containers:
+ - name: discovery
+ env:
+ # Istio will refresh the JWT Public Keys provided with
+ # RequestAuthentication by default every 20 minutes. For deployment
+ # from scratch this is not ideal because there is a high chance that
+ # the istiod will be available before dex is available, triggering
+ # Istio mechanism to use a placeholder jwt until refreshed.
+ - name: PILOT_JWT_PUB_KEY_REFRESH_INTERVAL
+ value: "1m"
diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/README.md b/common/oauth2-proxy/components/istio-external-auth/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/README.md rename to common/oauth2-proxy/components/istio-external-auth/README.md
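Review bot: The comment above `PILOT_JWT_PUB_KEY_REFRESH_INTERVAL` only explains the install-time race, but the value is a global istiod setting: it also bounds how long a rotated or revoked Dex signing key stays unknown to the gateway, and every issuer referenced by any `RequestAuthentication` (including the m2m issuers configured elsewhere in this change) is polled at this rate. Suggest appending to the comment: `# Also bounds key-rotation lag: istiod re-fetches every RequestAuthentication issuer's JWKS at this interval.` Since this is a strategic-merge patch on the `discovery` container of the `istiod` Deployment, an overlay that installs istiod by other means would silently not get it — worth a line in the component README if that is a supported layout.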
diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml b/common/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml rename to common/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml b/common/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml rename to common/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/kustomization.yaml b/common/oauth2-proxy/components/istio-external-auth/kustomization.yaml similarity index 81% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth/kustomization.yaml rename to common/oauth2-proxy/components/istio-external-auth/kustomization.yaml index ec79597930..cf906f840c 100644 --- a/common/oidc-client/oauth2-proxy/components/istio-external-auth/kustomization.yaml +++ b/common/oauth2-proxy/components/istio-external-auth/kustomization.yaml 
@@ -5,7 +5,7 @@ resources:
 - authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml
 - requestauthentication.dex-jwt.yaml
-# If you're running Kubeflow behind CloudFlare, use
+# If you're running Kubeflow behind CloudFlare, use
 # authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml
-# instead of
+# instead of
 # authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml
diff --git a/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml b/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml
new file mode 100644
index 0000000000..55f4565281
--- /dev/null
+++ b/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml
@@ -0,0 +1,19 @@
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+ name: dex-jwt
+ namespace: istio-system
+spec:
+ jwtRules:
+ # forwardOriginalToken must be set to true so the authorization header will
+ be passed between Kubeflow Components and Istio can configure the
+ Kubeflow Auth Headers based on this request authorization header.
+ - forwardOriginalToken: true
+ issuer: http://dex.auth.svc.cluster.local:5556/dex
+ # These 5 lines provides integration of istio/oauth2-proxy with
+ Kubeflow custom auth headers.
+ outputClaimToHeaders:
+ - header: kubeflow-userid
+ claim: email
+ - header: kubeflow-groups
+ claim: groups
diff --git a/common/oidc-client/oauth2-proxy/components/istio-m2m/README.md b/common/oauth2-proxy/components/istio-m2m/README.md
similarity index 84%
rename from common/oidc-client/oauth2-proxy/components/istio-m2m/README.md
rename to common/oauth2-proxy/components/istio-m2m/README.md
index 40ec0619b6..750f34de8e 100644
--- a/common/oidc-client/oauth2-proxy/components/istio-m2m/README.md
+++ b/common/oauth2-proxy/components/istio-m2m/README.md
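Review bot: The `jwtRules` entry for the Dex issuer in the new `requestauthentication.dex-jwt.yaml` carries no `audiences`, so Istio accepts any token Dex mints for any registered client and maps its `email`/`groups` claims straight into `kubeflow-userid`/`kubeflow-groups`; the new `istio-m2m/requestauthentication.yaml` hunk has the same omission, mapping `sub` into `kubeflow-userid`. Unless every Dex client is meant to act on behalf of Kubeflow users, pin the Dex rule to the oauth2-proxy client, e.g. `audiences: ["<oauth2-proxy client id>"]` next to `issuer`. For the m2m rule the acceptable audience set depends on how the service-account tokens are requested, so that value needs confirming against the issuer setup before it is added. Both files appear to be moves of the `common/oidc-client/...` copies deleted further down, so this is pre-existing rather than introduced by this commit.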
@@ -13,7 +13,7 @@ the platform-managed Kubernetes OIDC issuer in the `RequestAuthentication` for s and authentication compliance with the platform's security standards. For scenarios where the OIDC issuer is served behind self-signed certificates, the kustomize -overlay using this component should include the `common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer` +overlay using this component should include the `common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer` component. This additional configuration is necessary to handle the self-signed nature of the -certificates. This setup is the default in the Kustomize overlay defined in `common/oidc-client/oauth2-proxy/overlays/m2m-self-signed`, -which is tailored for environments with self-signed OIDC issuers. \ No newline at end of file +certificates. This setup is the default in the Kustomize overlay defined in `common/oauth2-proxy/overlays/m2m-self-signed`, +which is tailored for environments with self-signed OIDC issuers. diff --git a/common/oidc-client/oauth2-proxy/components/istio-m2m/kustomization.yaml b/common/oauth2-proxy/components/istio-m2m/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-m2m/kustomization.yaml rename to common/oauth2-proxy/components/istio-m2m/kustomization.yaml diff --git a/common/oidc-client/oauth2-proxy/components/istio-m2m/params.yaml b/common/oauth2-proxy/components/istio-m2m/params.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-m2m/params.yaml rename to common/oauth2-proxy/components/istio-m2m/params.yaml diff --git a/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml b/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml new file mode 100644 index 0000000000..39563d5ef9 --- /dev/null +++ b/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml 
@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+ name: m2m-token-issuer
+ namespace: istio-system
+spec:
+ jwtRules:
+ - forwardOriginalToken: true
+ issuer: M2M_TOKEN_ISSUER_PLACEHOLDER
+ outputClaimToHeaders:
+ - claim: sub
+ header: x-auth-request-user
+ - claim: sub
+ header: kubeflow-userid
diff --git a/common/oidc-client/kubeflow_auth_diagram.svg b/common/oauth2-proxy/components/kubeflow_auth_diagram.svg
similarity index 100%
rename from common/oidc-client/kubeflow_auth_diagram.svg
rename to common/oauth2-proxy/components/kubeflow_auth_diagram.svg
diff --git a/common/oidc-client/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml b/common/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml
rename to common/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml
diff --git a/common/oidc-client/oauth2-proxy/overlays/m2m/README.md b/common/oauth2-proxy/overlays/m2m/README.md
similarity index 100%
rename from common/oidc-client/oauth2-proxy/overlays/m2m/README.md
rename to common/oauth2-proxy/overlays/m2m/README.md
diff --git a/common/oidc-client/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml b/common/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml
rename to common/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml
diff --git a/common/oidc-client/oauth2-proxy/overlays/m2m/kustomization.yaml b/common/oauth2-proxy/overlays/m2m/kustomization.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/overlays/m2m/kustomization.yaml
rename to common/oauth2-proxy/overlays/m2m/kustomization.yaml
diff --git a/common/oidc-client/oauth2-proxy/base/deployment.yaml b/common/oidc-client/oauth2-proxy/base/deployment.yaml
deleted file mode 100644
index f8ef99b4b7..0000000000
--- a/common/oidc-client/oauth2-proxy/base/deployment.yaml
+++ /dev/null
@@ -1,85 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: oauth2-proxy - labels: - app: oauth2-proxy -spec: - replicas: 2 - selector: - matchLabels: - app.kubernetes.io/name: oauth2-proxy - template: - metadata: - labels: - app.kubernetes.io/name: oauth2-proxy - spec: - volumes: - - name: configmain - configMap: - name: oauth2-proxy - defaultMode: 420 - containers: - - name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:latest - args: - - --http-address=0.0.0.0:4180 - - --config=/etc/oauth2_proxy/oauth2_proxy.cfg - ports: - - name: http - containerPort: 4180 - protocol: TCP - - name: metrics - containerPort: 44180 - protocol: TCP - env: - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - name: oauth2-proxy - key: client-id - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oauth2-proxy - key: client-secret - - name: OAUTH2_PROXY_COOKIE_SECRET - valueFrom: - secretKeyRef: - name: oauth2-proxy - key: cookie-secret - - name: OAUTH2_PROXY_COOKIE_SECURE - valueFrom: - configMapKeyRef: - name: oauth2-proxy-parameters - key: FORCE_HTTPS - - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY - valueFrom: - configMapKeyRef: - name: oauth2-proxy-parameters - key: ALLOW_SELF_SIGNED_ISSUER - - name: OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS - valueFrom: - configMapKeyRef: - name: oauth2-proxy-parameters - key: ENABLE_M2M_TOKENS - - name: OAUTH2_PROXY_EXTRA_JWT_ISSUERS - valueFrom: - configMapKeyRef: - name: oauth2-proxy-parameters - key: EXTRA_JWT_ISSUERS - volumeMounts: - - name: configmain - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg - subPath: oauth2_proxy.cfg - livenessProbe: - httpGet: - path: /ping - port: http - scheme: HTTP - readinessProbe: - httpGet: - path: /ping - port: http - scheme: HTTP - resources: {} 
diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml b/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml deleted file mode 100644 index 3d3fc2c281..0000000000 --- a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: kubeflow-m2m-oidc-configurator - namespace: istio-system -spec: - schedule: '*/5 * * * *' - concurrencyPolicy: Forbid - jobTemplate: - spec: - backoffLimit: 3 - ttlSecondsAfterFinished: 600 - template: - metadata: - labels: {} - spec: - restartPolicy: OnFailure - serviceAccountName: kubeflow-m2m-oidc-configurator - containers: - - image: docker.io/curlimages/curl - name: kubeflow-m2m-oidc-configurator - command: - - /script.sh - envFrom: - - configMapRef: - name: kubeflow-m2m-oidc-configurator-envs - volumeMounts: - - mountPath: /script.sh - name: script - subPath: script.sh - resources: {} - volumes: - - name: script - configMap: - name: kubeflow-m2m-oidc-configurator-script - defaultMode: 0777 - items: - - key: script.sh - path: script.sh diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml b/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml deleted file mode 100644 index 96987bc69c..0000000000 --- a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod - namespace: istio-system -spec: - template: - spec: - containers: - - name: discovery - env: - # Istio will refresh the JWT Public Keys provided with - # RequestAuthentication by default every 20 minutes. For deployment - # from scratch this is not ideal because there is a high chance that - # the istiod will be available before dex is available, triggering - # Istio mechanism to use a placeholder jwt until refreshed. - - name: PILOT_JWT_PUB_KEY_REFRESH_INTERVAL - value: "1m" diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/README.md b/common/oidc-client/oauth2-proxy/components/istio-external-auth/README.md deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml b/common/oidc-client/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml deleted file mode 100644 index 4da92ad8b5..0000000000 --- a/common/oidc-client/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: security.istio.io/v1beta1 -kind: RequestAuthentication -metadata: - name: dex-jwt - namespace: istio-system -spec: - jwtRules: - # forwardOriginalToken must be set to true so the authorization header will - # be passed between Kubeflow Components and Istio can configure the - # Kubeflow Auth Headers based on this request authorization header. - - forwardOriginalToken: true - issuer: http://dex.auth.svc.cluster.local:5556/dex - # These 5 lines provides integration of istio/oauth2-proxy with - # Kubeflow custom auth headers. - outputClaimToHeaders: - - header: kubeflow-userid - claim: email - - header: kubeflow-groups - claim: groups 
diff --git a/common/oidc-client/oauth2-proxy/components/istio-m2m/requestauthentication.yaml b/common/oidc-client/oauth2-proxy/components/istio-m2m/requestauthentication.yaml deleted file mode 100644 index af0b3ecd67..0000000000 --- a/common/oidc-client/oauth2-proxy/components/istio-m2m/requestauthentication.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: security.istio.io/v1beta1 -kind: RequestAuthentication -metadata: - name: m2m-token-issuer - namespace: istio-system -spec: - jwtRules: - - forwardOriginalToken: true - issuer: M2M_TOKEN_ISSUER_PLACEHOLDER - outputClaimToHeaders: - - claim: sub - header: x-auth-request-user - - claim: sub - header: kubeflow-userid diff --git a/common/oidc-client/oidc-authservice/base/envoy-filter.yaml b/common/oidc-client/oidc-authservice/base/envoy-filter.yaml deleted file mode 100644 index 63e55a878d..0000000000 --- a/common/oidc-client/oidc-authservice/base/envoy-filter.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: authn-filter -spec: - workloadSelector: - labels: - istio: ingressgateway - configPatches: - - applyTo: HTTP_FILTER - match: - context: GATEWAY - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - # For some reason, INSERT_FIRST doesn't work - operation: INSERT_BEFORE - value: - # See: https://www.envoyproxy.io/docs/envoy/v1.17.0/configuration/http/http_filters/ext_authz_filter#config-http-filters-ext-authz - name: "envoy.filters.http.ext_authz" - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz - http_service: - server_uri: - uri: http://$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local - cluster: outbound|8080||$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local - timeout: 10s - authorization_request: - allowed_headers: - patterns: - # XXX: MUST be lowercase! - - exact: "authorization" - - exact: "cookie" - - exact: "x-auth-token" - authorization_response: - allowed_upstream_headers: - patterns: - - exact: "kubeflow-userid" diff --git a/common/oidc-client/oidc-authservice/base/kustomization.yaml b/common/oidc-client/oidc-authservice/base/kustomization.yaml deleted file mode 100644 index 9509fb44df..0000000000 --- a/common/oidc-client/oidc-authservice/base/kustomization.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - rbac.yaml - - service.yaml - - statefulset.yaml - - envoy-filter.yaml - - pvc.yaml - -namespace: istio-system - -configMapGenerator: - - name: oidc-authservice-parameters - envs: - - params.env - -secretGenerator: - - name: oidc-authservice-client - type: Opaque - envs: - - secret_params.env - -generatorOptions: - disableNameSuffixHash: true - -vars: - - name: AUTHSERVICE_NAMESPACE - objref: - kind: Service - name: authservice - apiVersion: v1 - fieldref: - fieldpath: metadata.namespace - - name: AUTHSERVICE_SERVICE - objref: - kind: Service - name: authservice - apiVersion: v1 - fieldref: - fieldpath: metadata.name -configurations: - - params.yaml -images: - - name: gcr.io/arrikto/kubeflow/oidc-authservice - newName: docker.io/kubeflowmanifestswg/oidc-authservice - newTag: e236439 diff --git a/common/oidc-client/oidc-authservice/base/params.env b/common/oidc-client/oidc-authservice/base/params.env deleted file mode 100644 index ab998157fd..0000000000 --- a/common/oidc-client/oidc-authservice/base/params.env +++ /dev/null @@ -1,11 +0,0 @@ -OIDC_PROVIDER=http://dex.auth.svc.cluster.local:5556/dex -OIDC_AUTH_URL=/dex/auth -OIDC_SCOPES=profile email groups -AUTHSERVICE_URL_PREFIX=/authservice/ -SKIP_AUTH_URLS=/dex -AFTER_LOGOUT_URL=/ -USERID_HEADER=kubeflow-userid -USERID_PREFIX= -USERID_CLAIM=email -PORT="8080" -STORE_PATH=/var/lib/authservice/data.db diff --git a/common/oidc-client/oidc-authservice/base/params.yaml b/common/oidc-client/oidc-authservice/base/params.yaml deleted file mode 100644 index fcec4c57c4..0000000000 --- a/common/oidc-client/oidc-authservice/base/params.yaml +++ /dev/null @@ -1,5 +0,0 @@ -varReference: -- path: spec/configPatches/patch/value/typed_config/http_service/server_uri/uri - kind: EnvoyFilter -- path: spec/configPatches/patch/value/typed_config/http_service/server_uri/cluster - kind: EnvoyFilter 
diff --git a/common/oidc-client/oidc-authservice/base/pvc.yaml b/common/oidc-client/oidc-authservice/base/pvc.yaml deleted file mode 100644 index da2f06ba3a..0000000000 --- a/common/oidc-client/oidc-authservice/base/pvc.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: authservice-pvc -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi \ No newline at end of file diff --git a/common/oidc-client/oidc-authservice/base/rbac.yaml b/common/oidc-client/oidc-authservice/base/rbac.yaml deleted file mode 100644 index 8399498c1c..0000000000 --- a/common/oidc-client/oidc-authservice/base/rbac.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: authservice - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: authn-delegator -rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: authn-delegators -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: authn-delegator -subjects: - - kind: ServiceAccount - name: authservice diff --git a/common/oidc-client/oidc-authservice/base/secret_params.env b/common/oidc-client/oidc-authservice/base/secret_params.env deleted file mode 100644 index dc56c6c90f..0000000000 --- a/common/oidc-client/oidc-authservice/base/secret_params.env +++ /dev/null @@ -1,2 +0,0 @@ -CLIENT_ID=kubeflow-oidc-authservice -CLIENT_SECRET=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok diff --git a/common/oidc-client/oidc-authservice/base/service.yaml b/common/oidc-client/oidc-authservice/base/service.yaml deleted file mode 100644 index 8b62830bcf..0000000000 --- a/common/oidc-client/oidc-authservice/base/service.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: authservice -spec: - type: ClusterIP - selector: - app: authservice - ports: - - port: 8080 - name: http-authservice - targetPort: http-api - publishNotReadyAddresses: true \ No newline at end of file diff --git a/common/oidc-client/oidc-authservice/base/statefulset.yaml b/common/oidc-client/oidc-authservice/base/statefulset.yaml deleted file mode 100644 index 05fbc63c96..0000000000 --- a/common/oidc-client/oidc-authservice/base/statefulset.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: oidc-authservice -spec: - replicas: 1 - selector: - matchLabels: - app: authservice - serviceName: authservice - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: authservice - spec: - serviceAccountName: authservice - containers: - - name: authservice - image: gcr.io/arrikto/kubeflow/oidc-authservice:e236439 - imagePullPolicy: Always - ports: - - name: http-api - containerPort: 8080 - envFrom: - - secretRef: - name: oidc-authservice-client - - configMapRef: - name: oidc-authservice-parameters - volumeMounts: - - name: data - mountPath: /var/lib/authservice - readinessProbe: - httpGet: - path: / - port: 8081 - securityContext: - fsGroup: 111 - volumes: - - name: data - persistentVolumeClaim: - claimName: authservice-pvc diff --git a/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml b/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml deleted file mode 100644 index 539c28cae4..0000000000 --- a/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -bases: - - ../../base -patchesStrategicMerge: - - statefulset.yaml -images: - - name: busybox - newTag: "latest" - newName: busybox \ No newline at end of file 
diff --git a/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml b/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml deleted file mode 100644 index 2e29fc100a..0000000000 --- a/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: oidc-authservice -spec: - template: - spec: - initContainers: - - name: fix-permission - image: busybox - command: ['sh', '-c'] - args: ['chmod -R 777 /var/lib/authservice;'] - volumeMounts: - - mountPath: /var/lib/authservice - name: data diff --git a/example/kustomization.yaml b/example/kustomization.yaml index 3e028a16df..0308d5e602 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml @@ -41,7 +41,7 @@ resources: - ../common/istio-1-22/istio-namespace/base - ../common/istio-1-22/istio-install/overlays/oauth2-proxy # oauth2-proxy -- ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed +- ../common/oauth2-proxy/overlays/m2m-self-signed # Dex - ../common/dex/overlays/oauth2-proxy # KNative @@ -64,7 +64,7 @@ resources: # Katib - ../apps/katib/upstream/installs/katib-with-kubeflow # Central Dashboard -- ../apps/centraldashboard/upstream/overlays/oauth2-proxy +- ../apps/centraldashboard/overlays/oauth2-proxy # Admission Webhook - ../apps/admission-webhook/upstream/overlays/cert-manager # Jupyter Web App diff --git a/hack/trivy_scan.py b/hack/trivy_scan.py index ff7706bb1b..91da390394 100644 --- a/hack/trivy_scan.py +++ b/hack/trivy_scan.py 
@@ -34,8 +34,8 @@ "automl": "../apps/katib/upstream/installs", "pipelines": "../apps/pipeline/upstream/env ../apps/kfp-tekton/upstream/env", "training": "../apps/training-operator/upstream/overlays", - "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-22/istio-crds/base ../common/istio-1-22/istio-namespace/base ../common/istio-1-22/istio-install/overlays/oauth2-proxy ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-22/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-22/kubeflow-istio-resources/base", - "workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/upstream/overlays/oauth2-proxy ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays", + "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-22/istio-crds/base ../common/istio-1-22/istio-namespace/base ../common/istio-1-22/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-22/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-22/kubeflow-istio-resources/base", + "workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/overlays 
../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays", "serving": "../contrib/kserve - ../contrib/kserve/models-web-app/overlays/kubeflow", "model-registry": "../apps/model-registry/upstream", } @@ -403,4 +403,4 @@ def extract_images(version): log("Output saved to:", output_file) log("Severity counts with images respect to WGs are saved in the",ALL_SEVERITY_COUNTS) -log("Scanned Json reports on images are saved in",SCAN_REPORTS_DIR) \ No newline at end of file +log("Scanned Json reports on images are saved in",SCAN_REPORTS_DIR) diff --git a/proposals/20240606-jwt-handling.md b/proposals/20240606-jwt-handling.md index 19db305f74..76839c4288 100644 --- a/proposals/20240606-jwt-handling.md +++ b/proposals/20240606-jwt-handling.md 
@@ -62,7 +62,7 @@ With the above implementation we move all the logic of handling the JWTs to the
 This proposal aims to put more focus on keeping and validating `id_tokens` but also bridging to the existing functionality of the backends, to avoid extensive changes.
 ### Implementation
 The technical details for the above proposal translate to the following
-1. Common Kubeflow manifests, for all components, for configuring Istio for supporting multiple issuers ([Dex](https://github.com/kubeflow/manifests/blob/v1.9-branch/common/oidc-client/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml) and [K8s-m2m](https://github.com/kubeflow/manifests/blob/v1.9-branch/common/oidc-client/oauth2-proxy/components/istio-m2m/requestauthentication.yaml)), via `RequestAuthentication` objects
+1. Common Kubeflow manifests, for all components, for configuring Istio for supporting multiple issuers ([Dex](https://github.com/kubeflow/manifests/blob/v1.9-branch/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml) and [K8s-m2m](https://github.com/kubeflow/manifests/blob/v1.9-branch/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml)), via `RequestAuthentication` objects
 2. `AuthorizationPolicy` objects of components, for allowing access from Istio IngressGateway, will need to be extended for also requiring a JWT
 3. Backends that need to be accessible from other user-namespaces will need to have an `AuthorizationPolicy` that allows any request, only if it has a JWT
 4. Backends don't need any logic for validating the JWTs and their existence
diff --git a/tests/gh-actions/install_istio_with_ext_auth.sh b/tests/gh-actions/install_istio_with_ext_auth.sh
index e77839eb10..871fec394d 100755
--- a/tests/gh-actions/install_istio_with_ext_auth.sh
+++ b/tests/gh-actions/install_istio_with_ext_auth.sh
@@ -12,6 +12,6 @@ kubectl wait --for=condition=Ready pods --all -n istio-system --timeout=300s \
 --field-selector=status.phase!=Succeeded
 echo "Installing oauth2-proxy..."
-cd common/oidc-client
+cd common/
 kustomize build oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f -
 kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy
diff --git a/tests/gh-actions/test_dex_login.py b/tests/gh-actions/test_dex_login.py
new file mode 100644
index 0000000000..b027d5ba92
--- /dev/null
+++ b/tests/gh-actions/test_dex_login.py
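Review bot: `cd common/` on the new side is unguarded, so if the directory is not where the script expects it (for instance when it is invoked from somewhere other than the repository root) the next line runs `kustomize build oauth2-proxy/overlays/m2m-self-signed/` from the wrong working directory; whether that aborts the script depends on a `set -e` in the header, which is outside this hunk. ShellCheck reports the pattern as SC2164, and `cd common/ || exit 1` fails at the point of the problem with an unambiguous cause instead of a later kustomize path error. The old side had the same shape, so this is pre-existing rather than introduced by the rename.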
@@ -0,0 +1,108 @@
+import re
+import requests
+import sys
+from urllib.parse import urlsplit
+
+def get_istio_auth_session(url: str, username: str, password: str) -> dict:
+ """
+ Determine if the specified URL is secured by Dex and try to obtain a session cookie.
+ WARNING: only Dex `staticPasswords` and `LDAP` authentication are currently supported
+ (we default default to using `staticPasswords` if both are enabled)
+
+ :param url: Kubeflow server URL, including protocol
+ :param username: Dex `staticPasswords` or `LDAP` username
+ :param password: Dex `staticPasswords` or `LDAP` password
+ :return: auth session information
+ """
+ # define the default return object
+ auth_session = {
+ "endpoint_url": url, # KF endpoint URL
+ "redirect_url": None, # KF redirect URL, if applicable
+ "dex_login_url": None, # Dex login URL (for POST of credentials)
+ "is_secured": None, # True if KF endpoint is secured
+ "session_cookie": None # Resulting session cookies in the form "key1=value1; key2=value2"
+ }
+
+ # use a persistent session (for cookies)
+ with requests.Session() as s:
+
+ ################
+ # Determine if Endpoint is Secured
+ ################
+ resp = s.get(url, allow_redirects=True)
+ if resp.status_code != 200:
+ raise RuntimeError(
+ f"HTTP status code '{resp.status_code}' for GET against: {url}"
+ )
+
+ auth_session["redirect_url"] = resp.url
+
+ # if we were NOT redirected, then the endpoint is UNSECURED
+ if len(resp.history) == 0:
+ auth_session["is_secured"] = False
+ return auth_session
+ else:
+ auth_session["is_secured"] = True
+
+ ################
+ # Get Dex Login URL
+ ################
+ redirect_url_obj = urlsplit(auth_session["redirect_url"])
+
+ # if we are at `/auth?=xxxx` path, we need to select an auth type
+ if re.search(r"/auth$", redirect_url_obj.path):
+
+ #######
+ # TIP: choose the default auth type by including ONE of the following
+ #######
+
+ # OPTION 1: set "staticPasswords" as default auth type
+ redirect_url_obj = redirect_url_obj._replace(
+ path=re.sub(r"/auth$", "/auth/local", redirect_url_obj.path)
+ )
+ # OPTION 2: set "ldap" as default auth type
+ # redirect_url_obj = redirect_url_obj._replace(
+ # path=re.sub(r"/auth$", "/auth/ldap", redirect_url_obj.path)
+ # )
+
+ # if we are at `/auth/xxxx/login` path, then no further action is needed (we can use it for login POST)
+ if re.search(r"/auth/.*/login$", redirect_url_obj.path):
+ auth_session["dex_login_url"] = redirect_url_obj.geturl()
+
+ # else, we need to be redirected to the actual login page
+ else:
+ # this GET should redirect us to the `/auth/xxxx/login` path
+ resp = s.get(redirect_url_obj.geturl(), allow_redirects=True)
+ if resp.status_code != 200:
+ raise RuntimeError(
+ f"HTTP status code '{resp.status_code}' for GET against: {redirect_url_obj.geturl()}"
+ )
+
+ # set the login url
+ auth_session["dex_login_url"] = resp.url
+
+ ################
+ # Attempt Dex Login
+ ################
+ resp = s.post(
+ auth_session["dex_login_url"],
+ data={"login": username, "password": password},
+ allow_redirects=True
+ )
+
+ return resp.status_code
+
+KUBEFLOW_ENDPOINT = "http://localhost:8080"
+KUBEFLOW_USERNAME = "user@example.com"
+KUBEFLOW_PASSWORD = "12341234"
+
+resp = get_istio_auth_session(
+ url=KUBEFLOW_ENDPOINT,
+ username=KUBEFLOW_USERNAME,
+ password=KUBEFLOW_PASSWORD
+)
+
+if resp == 200:
+ sys.exit(0)
+else:
+ sys.exit(1)
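Review bot: The success check is too weak: `get_istio_auth_session` ends with `return resp.status_code` after the credential POST and the caller exits 0 on `resp == 200`, but Dex, to my knowledge, answers a rejected password by re-rendering the login form with HTTP 200, so a wrong `KUBEFLOW_PASSWORD` would still let this job pass. Before the return, check that the redirect chain actually left the login page: `if re.search(r"/auth/.*/login$", urlsplit(resp.url).path): raise RuntimeError(f"Dex rejected the credentials, final URL: {resp.url}")`. The signature is annotated `-> dict` and the docstring promises auth session information, yet the secured path returns an `int` while the unsecured path returns the `auth_session` dict (which the caller's `resp == 200` silently reports as failure); either return the populated dict on both paths — `session_cookie` is declared but never filled from `s.cookies` — or change the annotation and docstring to match the int. The `s.get`/`s.post` calls also pass no `timeout`, so an unresponsive endpoint stalls the job until the runner kills it.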