diff --git a/kustomize/common/oidc-authservice/base/configmap.yaml b/kustomize/common/oidc-authservice/base/configmap.yaml
new file mode 100644
index 0000000..c6fce0b
--- /dev/null
+++ b/kustomize/common/oidc-authservice/base/configmap.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: oidc-authservice-parameters
+ namespace: istio-system
+data:
+ client_secret: 'XXXXXX'
+ client_id: XXXXXX
+ namespace: istio-system
+ oidc_auth_url: https://login.microsoftonline.com/XXXXXX/oauth2/v2.0/authorize
+ oidc_provider: https://login.microsoftonline.com/XXXXXX/v2.0
+ redirect_url: https://kubeflow.example.ca/login/oidc
+ skip_auth_uri: ""
+ userid_header: kubeflow-userid
+ userid_prefix: ""
+ userid_claim: preferred_username
+ oidc_scopes: profile email
+ port: "8080"
+ store_path: /var/lib/authservice/data.db
diff --git a/kustomize/common/oidc-authservice/base/envoy-filter.yaml b/kustomize/common/oidc-authservice/base/envoy-filter.yaml
new file mode 100644
index 0000000..0fa1ce9
--- /dev/null
+++ b/kustomize/common/oidc-authservice/base/envoy-filter.yaml
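Review bot: `client_secret` is written into the ConfigMap next to the non-sensitive parameters, so the OIDC client secret lives in a resource that RBAC, audit logging and at-rest encryption do not treat as sensitive, and it will be committed to this repo in plaintext by whichever overlay replaces the `XXXXXX` placeholder. Keep it in a Kubernetes Secret instead and inject it separately (the upstream base referenced at v1.3.1 appears to keep the client secret in a generated Secret rather than in this ConfigMap — confirm before duplicating it here), leaving only `client_id` and the URLs in `data`. Separately, `userid_claim: preferred_username` becomes the `kubeflow-userid` header that downstream authorization keys on, and for the Microsoft identity platform shown in `oidc_provider` that claim is documented as mutable and not guaranteed unique; if a stable identifier is required, consider `oid`/`sub` or at least add a comment such as `# preferred_username can change on the IdP side; do not rely on it as an immutable principal id` so the choice is explicit.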
@@ -0,0 +1,42 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: authn-filter
+spec:
+ workloadSelector:
+ labels:
+ istio: ingressgateway-kubeflow
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.http_connection_manager"
+ #subFilter: # not required.
+ # name: ""
+ patch:
+ # For some reason, INSERT_FIRST doesn't work
+ operation: INSERT_BEFORE
+ value:
+ # See: https://www.envoyproxy.io/docs/envoy/v1.17.0/configuration/http/http_filters/ext_authz_filter#config-http-filters-ext-authz
+ name: "envoy.filters.http.ext_authz"
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+ http_service:
+ server_uri:
+ uri: http://$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local
+ cluster: outbound|8080||$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local
+ timeout: 10s
+ authorization_request:
+ allowed_headers:
+ patterns:
+ # XXX: MUST be lowercase!
+ - exact: "authorization"
+ - exact: "cookie"
+ - exact: "x-auth-token"
+ authorization_response:
+ allowed_upstream_headers:
+ patterns:
+ - exact: "kubeflow-userid"
diff --git a/kustomize/common/oidc-authservice/base/kustomization.yaml b/kustomize/common/oidc-authservice/base/kustomization.yaml
index c19965c..898747a 100644
--- a/kustomize/common/oidc-authservice/base/kustomization.yaml
+++ b/kustomize/common/oidc-authservice/base/kustomization.yaml
@@ -3,3 +3,8 @@ kind: Kustomization
 resources:
 - github.com/kubeflow/manifests/common/oidc-authservice/base?ref=v1.3.1
+
+patchesStrategicMerge:
+- configmap.yaml
+- envoy-filter.yaml
+- statefulset.yaml
diff --git a/kustomize/common/oidc-authservice/base/statefulset.yaml b/kustomize/common/oidc-authservice/base/statefulset.yaml
new file mode 100644
index 0000000..106cb6c
--- /dev/null
+++ b/kustomize/common/oidc-authservice/base/statefulset.yaml
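Review bot: Nothing in this filter strips a client-supplied `kubeflow-userid` header; the identity upstream workloads trust rests entirely on the ext_authz response overriding it through `allowed_upstream_headers`, which only holds while authservice sets that header on every allow and no bypass path exists (`skip_auth_uri` is empty in the companion ConfigMap, but that is a separate file and can drift). I cannot see from this hunk whether authservice sets the header unconditionally, so at minimum record the invariant next to `allowed_upstream_headers`, e.g. `# kubeflow-userid from the client is untrusted; it is only safe because ext_authz overrides it on every allowed request — any skip_auth_uri path reintroduces spoofing`. Also note that `server_uri` is plain `http://` and the authservice pod is deployed without a sidecar, so the `authorization`, `cookie` and `x-auth-token` values forwarded by `allowed_headers` cross the gateway→authservice hop in cleartext; that is acceptable only if in-cluster pod-to-pod traffic is already considered trusted, which is worth stating in a comment on `server_uri`.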
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: authservice
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: authservice
+ serviceName: authservice
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: authservice
+ spec:
+ containers:
+ - name: authservice
+ image: k8scc01covidacr.azurecr.io/oidc-authservice:latest
+ imagePullPolicy: Always
+ ports:
+ - name: http-api
+ containerPort: 8080
+ envFrom:
+ - configMapRef:
+ name: oidc-authservice-parameters
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/authservice
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8081
+ securityContext:
+ fsGroup: 111
+ imagePullSecrets:
+ - name: k8scc01covidacr-registry-connection
+ # this secret must exist in our deployment.
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: authservice-pvc
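Review bot: The authentication gate for the whole ingress is pulled from a mutable `:latest` tag with `imagePullPolicy: Always`, so every pod restart takes whatever was most recently pushed to that registry path with no way to tell from the manifest which build is running; pin to an immutable tag or an `@sha256:` digest. The only `securityContext` is the pod-level `fsGroup: 111`, so the container still runs with whatever user the image defaults to and with privilege escalation and the full capability set available — a container-level `securityContext` hardening the process is worth adding (check the image's `USER` first, since `runAsNonRoot: true` will refuse to start a root-by-default image). The proposed changes are sketched below; `readOnlyRootFilesystem: true` may also be viable given that `store_path` points into the mounted PVC, but I cannot tell from here whether the image writes anywhere else.
```yaml
      - name: authservice
        # Pin to an immutable tag or @sha256 digest; :latest + Always means the auth path changes on every pull
        image: k8scc01covidacr.azurecr.io/oidc-authservice:latest
        # … unchanged: imagePullPolicy, ports, envFrom, volumeMounts, readinessProbe …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
```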