Move away from AuthService #2469

Closed
kimwnasptd opened this issue Jun 13, 2023 · 5 comments · Fixed by #2544

Comments

@kimwnasptd
Member

My current understanding is that the gcr.io/arrikto OCI registry will be taken down at some point*.

I can think of the following moving pieces for this process:

  1. Moving away from this component for the KF 1.8 release
  2. Understand whether we need to patch previous versions of Kubeflow
  3. Existing installations that are using AuthService

From my current understanding there won't be any migration of the image from the side of the AuthService project.

The first information that we need is for how long will the gcr.io/arrikto registry be up. After we have this we can have more concrete next steps. Hopefully I'll have some more news on this relatively soon*.

The way that I think this will play out though is that we'll need to mirror images in the Kubeflow project and do patches on some* KF installations so that the mirrored image will be used instead. And of course moving away in KF 1.8 either way.

cc @kubeflow/wg-manifests-leads @DnPlas @annajung @jbottum

@DnPlas
Contributor

DnPlas commented Jun 19, 2023

Thanks @kimwnasptd, I have some questions and comments.

  1. Moving away from the current Authservice implementation in the upcoming 1.8 release would mean that:
    • We may need to provide steps for upgrading Kubeflow 1.7 to 1.8.
    • We already have a solution for replacing Authservice, do you mind sharing details about it? What would be the impact on Kubeflow components in terms of changes in manifests and/or code?
    • Would this change impact the current release timeline?
  2. Mirroring the existing image and patching some KF installations - For this I'd add that only the image(s) will be kept, and not the source code, which means that we won't be giving any support or releasing new versions of them, right? Lastly, I agree on this one, though I think we have to do it regardless of how long the image registry is up.
    • Have we decided how many releases back we could or want to patch?
    • Have we decided which container registry we are going to push these images to?

@kimwnasptd
Member Author

@DnPlas

> Moving away from the current Authservice implementation in the upcoming 1.8 release would mean that:

  1. Yes we'll provide upgrade instructions on how to migrate to oauth2-proxy for users that come from a 1.6, and have AuthService in their cluster
    • I'd expect the oauth2-proxy and AuthService manifests to be completely separated, so it'll be a matter of removing AuthService manifests and applying oauth2-proxy manifests
  2. The 1.8 manifests will be using a completely different component oauth2-proxy
    • There shouldn't be any differences to other components
  3. I wouldn't expect it to affect the release timeline

> Mirroring the existing image and patching some KF installations - For this I'd add that only the image(s) will be kept, and not the source code, which means that we won't be giving any support or releasing new versions of them, right? Lastly, I agree on this one, though I think we have to do it regardless of how long the image registry is up.

Yes, we'll just mirror the images. No further support for bugfixes on the actual component.

DnPlas added a commit to DnPlas/manifests that referenced this issue Sep 4, 2023
…estswg

Use the kubeflow manifests WG mirrored container images for pulling oidc-authservice.

Part of kubeflow#2469
DnPlas added a commit to DnPlas/manifests that referenced this issue Sep 5, 2023
…estswg

Use the kubeflow manifests WG mirrored container images for pulling oidc-authservice.

Part of kubeflow#2469
DnPlas added a commit to DnPlas/manifests that referenced this issue Sep 5, 2023
…estswg

Use the kubeflow manifests WG mirrored container images for pulling oidc-authservice.

Part of kubeflow#2469
google-oss-prow bot pushed a commit that referenced this issue Sep 7, 2023
…estswg (#2521)

Use the kubeflow manifests WG mirrored container images for pulling oidc-authservice.

Part of #2469
@juliusvonkohout juliusvonkohout linked a pull request Jan 11, 2024 that will close this issue
10 tasks
@tomaszstachera

@kimwnasptd we are using Kubeflow 1.7 that is using oidc-authservice. Currently we cannot pull docker pull gcr.io/arrikto/kubeflow/oidc-authservice:e236439 image. Will it be hosted somewhere?

```
docker pull gcr.io/arrikto/kubeflow/oidc-authservice:e236439
Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
```

@juliusvonkohout
Member

> @kimwnasptd we are using Kubeflow 1.7 that is using oidc-authservice. Currently we cannot pull docker pull gcr.io/arrikto/kubeflow/oidc-authservice:e236439 image. Will it be hosted somewhere?
>
> ```
> docker pull gcr.io/arrikto/kubeflow/oidc-authservice:e236439
> Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
> ```

If you switch to Kubeflow 1.8.1 you will have a working oidc-authservice image. The registries switched. But I strongly recommend 1.9 where we removed it altogether and switched to oauth2-proxy.

@kubeflow kubeflow locked and limited conversation to collaborators Aug 21, 2024
@juliusvonkohout
Member

juliusvonkohout commented Aug 21, 2024

```yaml
# kustomization.yaml: pull oidc-authservice from the mirrored registry
images:
  - name: gcr.io/arrikto/kubeflow/oidc-authservice
    newName: docker.io/kubeflowmanifestswg/oidc-authservice
    newTag: e236439
```

But this is just a workaround. Please upgrade to Kubeflow 1.8.1/1.9.
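
An added example, not part of the thread or of the Kubeflow manifests: a small audit that finds `image:` references to the retired gcr.io/arrikto registry in rendered manifests and applies the mirror mapping from the workaround above, flagging references that have no known mirror. The `MIRRORS` table, the function names and the sample manifest (including the made-up `unmirrored` image) are assumptions constructed for illustration.

```python
import re

# Same mapping as the kustomize `images` entry posted in this thread.
MIRRORS = {
    "gcr.io/arrikto/kubeflow/oidc-authservice":
        ("docker.io/kubeflowmanifestswg/oidc-authservice", "e236439"),
}
RETIRED_PREFIX = "gcr.io/arrikto/"
# `image: <ref>` lines, optionally a list item and optionally quoted.
IMAGE_LINE = re.compile(r"^(\s*(?:-\s+)?image:\s*)([\"']?)([^\s\"'#]+)\2\s*$")

def image_name(ref):
    """Strip tag and digest from an image reference, keeping a registry port."""
    name = ref.partition("@")[0]
    if ":" in name.rsplit("/", 1)[-1]:  # colon after the last '/' is a tag
        name = name.rsplit(":", 1)[0]
    return name

def audit(manifest):
    """Return (rewritten manifest, findings); a finding is
    (line number, old ref, new ref), new ref None when no mirror is known."""
    out, findings = [], []
    for no, line in enumerate(manifest.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if m and m.group(3).startswith(RETIRED_PREFIX):
            prefix, quote, ref = m.groups()
            mirror = MIRRORS.get(image_name(ref))
            new_ref = "%s:%s" % mirror if mirror else None
            findings.append((no, ref, new_ref))
            if new_ref:
                line = f"{prefix}{quote}{new_ref}{quote}"
        out.append(line)
    return "\n".join(out) + "\n", findings

# Constructed sample; the second image name is made up to show an unmirrored hit.
SAMPLE = """\
containers:
- name: authservice
  image: gcr.io/arrikto/kubeflow/oidc-authservice:e236439
- name: sidecar
  image: "gcr.io/arrikto/example/unmirrored:v1"
- name: other
  image: docker.io/library/busybox:1.36
"""

if __name__ == "__main__":
    fixed, findings = audit(SAMPLE)
    for no, old, new in findings:
        print(f"line {no}: {old} -> {new or 'NO MIRROR, needs manual action'}")
```
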
