ok this works

Signed-off-by: Krzysztof Romanowski <krzysztof.romanowski.kr3@roche.com>

common/dex/overlays/oauth2-proxy/config-map.yaml

@@ -27,6 +27,8 @@ data:
     staticClients:
     # https://github.com/dexidp/dex/pull/1664
     - idEnv: OIDC_CLIENT_ID
-      redirectURIs: ["/oauth2/callback"]
+      redirectURIs:
+        - "*/oauth2/callback"
+        - "https://romanok1-kubeflow.user-apps.eks.uat.rdigtm.roche.com/oauth2/callback"
       name: 'Dex Login Application'
       secretEnv: OIDC_CLIENT_SECRET

common/oidc-client/components/central-dashboard/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patchesStrategicMerge:
+  - patches/deployment.logout-url.yaml

common/oidc-client/components/central-dashboard/patches/deployment.logout-url.yaml

@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: centraldashboard
+  namespace: kubeflow
+spec:
+  template:
+    spec:
+      containers:
+      - name: centraldashboard
+        env:
+        # This successfully logs out the user but the user is not redirected to
+        # the home page. This is because of custom integration with
+        # oidc-authservice which will provide response with 'afterLogoutURL'.
+        # https://github.com/arrikto/oidc-authservice/blob/0c4ea9a/server.go#L509
+        # https://github.com/kubeflow/kubeflow/blob/c6c4492/components/centraldashboard/public/components/logout-button.js#L50
+        # Please refresh the page after logging out.
+        - name: LOGOUT_URL
+          value: /oauth2/sign_out

common/oidc-client/components/istio-oauth2-proxy/authorizationpolicy.oauth2-proxy-istio-ingressgateway-cloudflare.yaml

@@ -0,0 +1,23 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: oauth2-proxy-istio-ingressgateway
+  namespace: istio-system
+spec:
+  action: CUSTOM
+  provider:
+    name: oauth2-proxy
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  rules:
+  - to:
+    - operation:
+        notPaths:
+        - /favicon*
+        - /webcomponentsjs*
+        - /vendor.bundle.js
+        - /app.bundle.js
+        - /dashboard_lib.bundle.js
+        - /assets*
+        - /app.css

common/oidc-client/components/istio-oauth2-proxy/authorizationpolicy.oauth2-proxy-istio-ingressgateway.yaml

@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: oauth2-proxy-istio-ingressgateway
+  namespace: istio-system
+spec:
+  action: CUSTOM
+  provider:
+    name: oauth2-proxy
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  rules:
+  - {}

common/oidc-client/components/istio-oauth2-proxy/kustomization.yaml

@@ -0,0 +1,25 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - authorizationpolicy.oauth2-proxy-istio-ingressgateway.yaml
+  - requestauthentication.dex-jwt.yaml
+
+# If you're running Kubeflow behind CloudFlare, use 
+# authorizationpolicy.oauth2-proxy-istio-ingressgateway-cloudflare.yaml
+# instead of 
+# authorizationpolicy.oauth2-proxy-istio-ingressgateway.yaml
+
+patchesStrategicMerge:
+  - patches/cm.enable-oauth2-proxy.yaml
+  - patches/deployment.jwt-refresh-interval.yaml
+
+# patches:
+
+# patchesJson6902:
+# - target:
+#     group: apps
+#     version: v1
+#     kind: Deployment
+#     name: example
+#   path: patches/cm.enable-oauth2-proxy.yaml

common/oidc-client/components/istio-oauth2-proxy/patches/cm.enable-oauth2-proxy.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio
+  namespace: istio-system
+data:
+  meshNetworks: 'networks: {}'
+  mesh: |-
+    accessLogFile: /dev/stdout
+    defaultConfig:
+      discoveryAddress: istiod.istio-system.svc:15012
+      proxyMetadata: {}
+      tracing: {}
+    enablePrometheusMerge: true
+    rootNamespace: istio-system
+    tcpKeepalive:
+      interval: 5s
+      probes: 3
+      time: 10s
+    trustDomain: cluster.local
+    extensionProviders:
+    - envoyExtAuthzHttp:
+        headersToDownstreamOnDeny:
+        - content-type
+        - set-cookie
+        headersToUpstreamOnAllow:
+        - authorization
+        - path
+        - x-auth-request-email
+        - x-auth-request-groups
+        - x-auth-request-user
+        includeRequestHeadersInCheck:
+        - authorization
+        - cookie
+        service: oauth2-proxy.oauth2-proxy.svc.cluster.local
+        port: 80
+      name: oauth2-proxy

common/oidc-client/components/istio-oauth2-proxy/patches/deployment.jwt-refresh-interval.yaml

@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod
+  namespace: istio-system
+spec:
+  template:
+    spec:
+      containers:
+        - name: discovery
+          env:
+            - name: PILOT_JWT_PUB_KEY_REFRESH_INTERVAL
+              value: "1m"

common/oidc-client/components/istio-oauth2-proxy/requestauthentication.dex-jwt.yaml

@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+  name: dex-jwt
+  namespace: istio-system
+spec:
+  jwtRules:
+    - forwardOriginalToken: true
+      issuer: http://dex.auth.svc.cluster.local:5556/dex
+      outputClaimToHeaders:
+        - header: kubeflow-userid
+          claim: email
+        - header: kubeflow-groups
+          claim: groups

common/oidc-client/oauth2-proxy/OWNERS

@@ -1,2 +1,3 @@
 approvers:
-  - axel7083
+  - axel7083
+  - kromanow94

common/oidc-client/oauth2-proxy/README.md

@@ -0,0 +1,15 @@
+* This deployment of oauth2-proxy doesn't support OpenShift. To enable
+  integration with OpenShift, use openshift distribution of oauth2-proxy
+  available here: https://github.com/openshift/oauth-proxy
+  * also enable RBAC for token reviews:
+    ```yaml
+
+    ```
+
+* Login routine will use /oauth2 to manage actions
+    * When oauth2-proxy detects need to will redirect to dex and provide
+        * oidc client id
+        * redirect url to kubeflow with path to `/oauth2/callback`
+    * Login starts with /oauth2/callback
+    * if using oauth2-proxy for multiple domains, must ensure path based routing to `/oauth2` routes to oauth2-proxy...???
+* Include VirtualService for logging out (did axel already do that?)

common/oidc-client/oauth2-proxy/base/deployment.yaml

@@ -1,18 +1,16 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: oauth2-proxy-authservice
+  name: oauth2-proxy
   labels:
-    app: authservice
+    app: oauth2-proxy
 spec:
   replicas: 1
   selector:
     matchLabels:
       app.kubernetes.io/name: oauth2-proxy
   template:
     metadata:
-      annotations:
-        sidecar.istio.io/inject: "false"
       labels:
         app.kubernetes.io/name: oauth2-proxy
     spec:
@@ -21,24 +19,16 @@ spec:
           configMap:
             name: oauth2-proxy
             defaultMode: 420
-        - name: configalpha
-          configMap:
-            name: oauth2-proxy-alpha
-            defaultMode: 420
         - name: oauth2-proxy
           secret:
             secretName: oauth2-proxy
       containers:
         - name: oauth2-proxy
           image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
           args:
-            - '--alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml'
             - '--config=/etc/oauth2_proxy/oauth2_proxy.cfg'
-            - '--silence-ping-logging'
-            - '--proxy-prefix=/oauth2'
-            - '--cookie-secure=false'
           ports:
-            - name: http-api
+            - name: http
               containerPort: 8080
               protocol: TCP
             - name: metrics
@@ -54,19 +44,17 @@ spec:
             - name: configmain
               mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
               subPath: oauth2_proxy.cfg
-            - name: configalpha
-              mountPath: /etc/oauth2_proxy/oauth2_proxy.yml
-              subPath: oauth2_proxy.yml
             - name: oauth2-proxy
               subPath: CLIENT_SECRET
               mountPath: "/etc/oauth2_proxy/CLIENT_SECRET"
           livenessProbe:
             httpGet:
               path: /ping
-              port: http-api
+              port: http
               scheme: HTTP
           readinessProbe:
             httpGet:
               path: /ping
-              port: http-api
+              port: http
               scheme: HTTP
+          resources: {}

common/oidc-client/oauth2-proxy/base/kustomization.yaml

@@ -3,19 +3,24 @@ kind: Kustomization
 
 resources:
 - deployment.yaml
-- oauth2-proxy-alpha-config.yaml
+- namespace.yaml
 - oauth2-proxy-config.yaml
-- rbac.yaml
+- serviceaccount.yaml
 - service.yaml
-- envoy-filter.yaml
+
+# To use oauth2-proxy in OpenShift, use openshift distribution of oauth2-proxy
+# available here: https://github.com/openshift/oauth-proxy
+# and add RBAC to enable creation of tokenreviews
+# Token Reviews for OpenShift
+# - rbac.tokenreviews.yaml
 
 secretGenerator:
 - name: oauth2-proxy
   type: Opaque
   envs:
   - secret_params.env
 
-namespace: istio-system
+namespace: oauth2-proxy
 
 generatorOptions:
   disableNameSuffixHash: true
@@ -24,14 +29,14 @@ vars:
   - name: AUTHSERVICE_NAMESPACE
     objref:
       kind: Service
-      name: authservice
+      name: oauth2-proxy
       apiVersion: v1
     fieldref:
       fieldpath: metadata.namespace
   - name: AUTHSERVICE_SERVICE
     objref:
       kind: Service
-      name: authservice
+      name: oauth2-proxy
       apiVersion: v1
     fieldref:
       fieldpath: metadata.name

common/oidc-client/oauth2-proxy/base/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: oauth2-proxy