oidc-authservice: add authservice to manifests (#529)

* istio: oidc-authservice

Signed-off-by: Yannis Zarkadas <[email protected]>

* dex: add virtualservice

Signed-off-by: Yannis Zarkadas <[email protected]>

* existing_arrikto kfdef update

Signed-off-by: Yannis Zarkadas <[email protected]>

* dex: custom image for relative urls

Signed-off-by: Yannis Zarkadas <[email protected]>

* istio: oidc-authservice: add application overlay

Signed-off-by: Yannis Zarkadas <[email protected]>

* reorder applications

Signed-off-by: Yannis Zarkadas <[email protected]>

* parameterize namespace

Signed-off-by: Yannis Zarkadas <[email protected]>

* regenerate tests

Signed-off-by: Yannis Zarkadas <[email protected]>

dex-auth/dex-crds/base/kustomization.yaml

@@ -80,5 +80,5 @@ configurations:
 - params.yaml
 images:
 - name: quay.io/coreos/dex
-  newName: quay.io/coreos/dex
-  newTag: v2.9.0
+  newName: gcr.io/arrikto/dexidp/dex
+  newTag: 4bede5eb80822fc3a7fc9edca0ed2605cd339d17

dex-auth/dex-crds/overlays/istio/kustomization.yaml

@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+resources:
+- virtual-service.yaml
+
+configMapGenerator:
+- name: dex-parameters
+  behavior: merge
+  env: params.env
+generatorOptions:
+  disableNameSuffixHash: true
+vars:
+- name: namespace
+  objref:
+    kind: ConfigMap
+    name: dex-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.namespace
+configurations:
+- params.yaml

dex-auth/dex-crds/overlays/istio/params.env

@@ -0,0 +1 @@
+namespace=auth

dex-auth/dex-crds/overlays/istio/params.yaml

@@ -0,0 +1,3 @@
+varReference:
+- path: spec/http/route/destination/host
+  kind: VirtualService

dex-auth/dex-crds/overlays/istio/virtual-service.yaml

@@ -0,0 +1,22 @@
+# This config is gated on kiali upgrade to 0.21 from 0.16 in istio 1.1.6:
+# https://github.com/kiali/kiali/issues/1154
+# https://github.com/istio/istio/issues/11131
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: dex
+spec:
+  gateways:
+  - kubeflow/kubeflow-gateway
+  hosts:
+  - '*'
+  http:
+  - match:
+    - uri:
+        prefix: /dex/
+    route:
+    - destination:
+        host: dex.$(namespace).svc.cluster.local
+        port:
+          number: 5556

istio/oidc-authservice/base/deployment.yaml

@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authservice
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authservice
+  strategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+      labels:
+        app: authservice
+    spec:
+      containers:
+      - name: authservice
+        image: gcr.io/arrikto/kubeflow/oidc-authservice:6ac9400
+        imagePullPolicy: Always
+        ports:
+        - name: http-api
+          containerPort: 8080
+        env:
+          - name: USERID_HEADER
+            value: $(userid-header)
+          - name: USERID_PREFIX
+            value: $(userid-prefix)
+          - name: USERID_CLAIM
+            value: email
+          - name: OIDC_PROVIDER
+            value: $(oidc_provider)
+          - name: OIDC_AUTH_URL
+            value: $(oidc_auth_url)
+          - name: OIDC_SCOPES
+            value: "profile email groups"
+          - name: REDIRECT_URL
+            value: $(oidc_redirect_uri)
+          - name: SKIP_AUTH_URI
+            value: $(skip_auth_uri)
+          - name: PORT
+            value: "8080"
+          - name: CLIENT_ID
+            value: $(client_id)
+          - name: CLIENT_SECRET
+            value: $(application_secret)
+          - name: STORE_PATH
+            value: /var/lib/authservice/data.db
+        volumeMounts:
+          - name: data
+            mountPath: /var/lib/authservice
+      securityContext:
+        fsGroup: 111
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+              claimName: authservice-pvc          

istio/oidc-authservice/base/envoy-filter.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: authn-filter
+spec:
+  workloadLabels:
+    istio: ingressgateway
+  filters:
+  - filterConfig:
+      httpService:
+        serverUri:
+          uri: http://authservice.$(namespace).svc.cluster.local
+          cluster: outbound|8080||authservice.$(namespace).svc.cluster.local
+          failureModeAllow: false
+          timeout: 10s
+        authorizationRequest: 
+          allowedHeaders:
+            patterns:
+            - exact: "cookie"
+        authorizationResponse:
+          allowedUpstreamHeaders:
+            patterns:
+            - exact: "kubeflow-userid"
+      statusOnError:
+        code: GatewayTimeout
+    filterName: envoy.ext_authz
+    filterType: HTTP
+    insertPosition:
+      index: FIRST
+    listenerMatch:
+      listenerType: GATEWAY

istio/oidc-authservice/base/kustomization.yaml

@@ -0,0 +1,87 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- service.yaml
+- deployment.yaml
+- envoy-filter.yaml
+- pvc.yaml
+
+namespace: istio-system
+
+configMapGenerator:
+- name: oidc-authservice-parameters
+  env: params.env
+generatorOptions:
+  disableNameSuffixHash: true
+
+vars:
+- name: client_id
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.client_id
+- name: oidc_provider
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.oidc_provider
+- name: oidc_redirect_uri
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.oidc_redirect_uri
+- name: oidc_auth_url
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.oidc_auth_url
+- name: application_secret
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.application_secret
+- name: skip_auth_uri
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.skip_auth_uri
+- name: userid-header
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.userid-header
+- name: userid-prefix
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.userid-prefix
+- name: namespace
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.namespace
+configurations:
+- params.yaml
+images:
+- name: gcr.io/arrikto/kubeflow/oidc-authservice
+  newName: gcr.io/arrikto/kubeflow/oidc-authservice
+  newTag: 6ac9400

istio/oidc-authservice/base/params.env

@@ -0,0 +1,9 @@
+client_id=ldapdexapp
+oidc_provider=
+oidc_redirect_uri=
+oidc_auth_url=
+application_secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
+skip_auth_uri=
+userid-header=
+userid-prefix=
+namespace=istio-system

istio/oidc-authservice/base/params.yaml

@@ -0,0 +1,7 @@
+varReference:
+- path: spec/template/spec/containers/env/value
+  kind: Deployment
+- path: spec/filters/filterConfig/httpService/serverUri/uri
+  kind: EnvoyFilter
+- path: spec/filters/filterConfig/httpService/serverUri/cluster
+  kind: EnvoyFilter

istio/oidc-authservice/base/pvc.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: authservice-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

istio/oidc-authservice/base/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: authservice
+spec:
+  type: ClusterIP
+  selector:
+    app: authservice
+  ports:
+  - port: 8080
+    name: http-authservice
+    targetPort: http-api

istio/oidc-authservice/overlays/application/application.yaml

@@ -0,0 +1,43 @@
+
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+  name: oidc-authservice
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: oidc-authservice
+      app.kubernetes.io/instance: oidc-authservice-v0.7.0
+      app.kubernetes.io/managed-by: kfctl
+      app.kubernetes.io/component: oidc-authservice
+      app.kubernetes.io/part-of: kubeflow
+      app.kubernetes.io/version: v0.7.0
+  componentKinds:
+  - group: apps
+    kind: Deployment
+  - group: core
+    kind: Service
+  - group: core
+    kind: PersistentVolumeClaim
+  - group: networking.istio.io
+    kind: EnvoyFilter
+  descriptor:
+    type: oidc-authservice
+    version: v1beta1
+    description: Provides OIDC-based authentication for Kubeflow Applications, at the Istio Gateway.
+    maintainers:
+    - name: Yannis Zarkadas
+      email: [email protected]
+    owners:
+    - name: Yannis Zarkadas
+      email: [email protected]
+    keywords:
+     - oidc
+     - authservice
+     - authentication  
+    links:
+    - description: About
+      url: https://github.com/kubeflow/kubeflow/tree/master/components/oidc-authservice
+    - description: Docs
+      url: https://www.kubeflow.org/docs/started/k8s/kfctl-existing-arrikto
+  addOwnerRef: true

istio/oidc-authservice/overlays/application/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+resources:
+- application.yaml
+commonLabels:
+  app.kubernetes.io/name: oidc-authservice
+  app.kubernetes.io/instance: oidc-authservice-v0.7.0
+  app.kubernetes.io/managed-by: kfctl
+  app.kubernetes.io/component: oidc-authservice
+  app.kubernetes.io/part-of: kubeflow
+  app.kubernetes.io/version: v0.7.0