oidc-authservice: add authservice to manifests #529
Conversation
|
@yanniszark this is awesome! Thanks for being prompt! |
There was a problem hiding this comment.
@yanniszark great work here!
* Use the latest image built from master, so as to include [dexidp/dex#1554](https://github.com/dexidp/dex/pull/1554)
Especially for this cool contribution to dex!
I have had an initial look at the code and have a few comments. I would like to further deploy and test this out for my next pass.
| prefix: /dex/ | ||
| route: | ||
| - destination: | ||
| host: dex.auth.svc.cluster.local |
There was a problem hiding this comment.
Can we parameterize dex.auth.svc.cluster.local to dex.$(namespace).svc.cluster.local?
| @@ -0,0 +1,22 @@ | |||
| # This config is gated on kiali upgrade to 0.21 from 0.16 in istio 1.1.6: | |||
| # https://github.com/kiali/kiali/issues/1154 | |||
| # https://github.com/istio/istio/issues/11131 | |||
There was a problem hiding this comment.
These comments were added because when this virtual-service is deployed through kubectl apply -f, kiali rejects this configuration as invalid for Istio 1.1.6.
I'll test this by deploying once again to see if it persists when we deploy through KfDef and kfctl. Otherwise, we could mention that only kubectl apply -f has this issue and KfDef works fine.
There was a problem hiding this comment.
I can confirm that this issue is not surfacing through KfDef.
There was a problem hiding this comment.
Great! What are the actionable items for this?
There was a problem hiding this comment.
I think we can just change the comment to say that this was observed while deploying through kubectl CLI and it works fine with KfDef.
There was a problem hiding this comment.
@krishnadurai I'm not too familiar with the issue and it seems you have experience with it.
Could you open an issue explaining what happens in order to track this?
| @@ -80,5 +80,5 @@ configurations: | |||
| - params.yaml | |||
| images: | |||
| - name: quay.io/coreos/dex | |||
| newName: quay.io/coreos/dex | |||
| newTag: v2.9.0 | |||
| newName: gcr.io/arrikto/dexidp/dex | |||
There was a problem hiding this comment.
nit: We could move this image to gcr.io/kubeflow-public-images. This can be done after this PR gets merged in.
Can we add a TODO here to replace this with a dex upstream image whenever they release next?
There was a problem hiding this comment.
Agreed.
I don't personally have access to gcr.io/kubeflow-images-public, so it has to be done by someone with the right permissions.
| spec: | ||
| containers: | ||
| - name: authservice | ||
| image: gcr.io/arrikto/kubeflow/oidc-authservice:6ac9400 |
There was a problem hiding this comment.
nit: We could move this image to gcr.io/kubeflow-public-images, after this PR is in.
| kind: EnvoyFilter | ||
| metadata: | ||
| name: authn-filter | ||
| namespace: istio-system |
There was a problem hiding this comment.
nit: Let's strip the namespace off metadata fields.
| apiVersion: v1 | ||
| fieldref: | ||
| fieldpath: data.skip_auth_uri | ||
| - name: userid-header |
There was a problem hiding this comment.
nit: We could use a convention to have these variables named in a consistent manner within this configMap.
Throughout manifests we seem to have different styles camel case, snake case, capitalized names for environment vars. I would be great to have a convention. This is not in relation to this just this PR, we could address this separately.
There was a problem hiding this comment.
I agree, it is unfortunate.
I used snake case for the userid related parameters because that's how they're defined in other applications as well.
| - name: CLIENT_SECRET | ||
| value: $(application_secret) | ||
| - name: STORE_PATH | ||
| value: /var/lib/authservice/data.db |
There was a problem hiding this comment.
@yanniszark, I'll need help from you to understand this part. I'm trying to figure out how this DB is getting used by the authservice. The latest code seems to be hosted here: https://github.com/arrikto/ambassador-auth-oidc/commits/feature-kubeflow-rc
Likewise, in the code for authservice, I can see that redis is being used for blacklisting tokens and is an optional component: ajmyyra/ambassador-auth-oidc@a07b7bd
It would be great if you can point me to where and how this DB is getting used by the authservice. Secondly, is this being used for blacklisting tokens?
There was a problem hiding this comment.
@krishnadurai the latest code is in the arrikto/oidc-authservice repo.
Pleaso also see: #267 (comment)
The default DB is BoltDB, an embedded key-value store. Its data lives on a PVC.
The DB is used for 2 things:
- Store state of the OIDC flow (see state parameter of OAuth).
- Store sessions.
| spec: | ||
| serviceAccountName: dex | ||
| containers: | ||
| - image: quay.io/coreos/dex:v2.9.0 |
There was a problem hiding this comment.
We should change this to the newer dex image for consistency.
There was a problem hiding this comment.
This should be fixed by test generation.
There was a problem hiding this comment.
I think the source file for dex deployment has this older value.
There was a problem hiding this comment.
True, but this seems like an issue of the test generation, unrelated to this PR.
The image is changed using the images field of the kustomization file, which is the standard way provided by kustomize.
| httpService: | ||
| serverUri: | ||
| uri: http://authservice.istio-system.svc.cluster.local | ||
| cluster: outbound|8080||authservice.istio-system.svc.cluster.local |
There was a problem hiding this comment.
We should parameterize this to authservice.$(namespace).svc.cluster.local in case istio-system isn't istio deployment's namespace.
| subjects: | ||
| - kind: ServiceAccount | ||
| name: dex # Service account assigned to the dex pod. | ||
| namespace: auth # The namespace dex is running in. |
There was a problem hiding this comment.
I'll remove these and replace them with $(namespace) in a follow-up PR.
yanniszark
force-pushed
the
feature-existing-arrikto-internal-relative-urls-v3
branch
from
3d6e278 to
52aa3e5
Compare
|
Thanks @krishnadurai, great comments. |
There was a problem hiding this comment.
@yanniszark I have tested this on a fresh GCP cluster with the modified existing KfDef. Few points to note:
- Istio ingressgateway is NodePort
- Certificate creation was done manually - will be taken care by the CertManger changes
- The platform existing.go code didn't seem to execute from the latest kfctl
I think these above 3 configurations can be tackled with follow on PRs.
There are a few comments which I've made and need to be addressed in this PR.
| spec: | ||
| serviceAccountName: dex | ||
| containers: | ||
| - image: quay.io/coreos/dex:v2.9.0 |
There was a problem hiding this comment.
I think the source file for dex deployment has this older value.
| name: istio | ||
| - kustomizeConfig: | ||
| overlays: | ||
| - application |
There was a problem hiding this comment.
kustomizeConfig for application and application-crds needs to be on-top here so that we avoid this error:
error: unable to recognize "/tmp/kout": no matches for kind "Application" in version "app.k8s.io/v1beta1"
There was a problem hiding this comment.
Interesting, I didn't get this error.
I wonder why.
Will fix according to your suggestion.
| value: istio-system | ||
| repoRef: | ||
| name: manifests | ||
| path: istio/istio-install |
There was a problem hiding this comment.
In istio-install istio-ingressgateway service is by default set to NodePort. I think the earlier platform config for this config assumes it to be LoadBalancer type.
We can address this later.
There was a problem hiding this comment.
Yes, let's address this later.
| @@ -0,0 +1,22 @@ | |||
| # This config is gated on kiali upgrade to 0.21 from 0.16 in istio 1.1.6: | |||
| # https://github.com/kiali/kiali/issues/1154 | |||
| # https://github.com/istio/istio/issues/11131 | |||
There was a problem hiding this comment.
I can confirm that this issue is not surfacing through KfDef.
yanniszark
force-pushed
the
feature-existing-arrikto-internal-relative-urls-v3
branch
from
52aa3e5 to
dd0b728
Compare
|
@krishnadurai thanks again for the review. For the comment:
I'm not sure if there's an actionable item there. |
There was a problem hiding this comment.
@yanniszark thanks.
Some of the comments on how we handle namespaces need to be addressed:
- https://github.com/kubeflow/manifests/pull/529/files#r335397628
- https://github.com/kubeflow/manifests/pull/529/files#r335528820
- https://github.com/kubeflow/manifests/pull/529/files#r335390356
I'm not sure if there's an actionable item there.
Is there and is it necessary for now, or can we leave it for a subsequent PR?
We could just note that this was observed while deploying through kubectl CLI and KfDef works fine.
| @@ -0,0 +1,22 @@ | |||
| # This config is gated on kiali upgrade to 0.21 from 0.16 in istio 1.1.6: | |||
| # https://github.com/kiali/kiali/issues/1154 | |||
| # https://github.com/istio/istio/issues/11131 | |||
There was a problem hiding this comment.
I think we can just change the comment to say that this was observed while deploying through kubectl CLI and it works fine with KfDef.
Signed-off-by: Yannis Zarkadas <[email protected]>
Signed-off-by: Yannis Zarkadas <[email protected]>
Signed-off-by: Yannis Zarkadas <[email protected]>
Signed-off-by: Yannis Zarkadas <[email protected]>
Signed-off-by: Yannis Zarkadas <[email protected]>
Signed-off-by: Yannis Zarkadas <[email protected]>
|
@krishnadurai thanks, I made the changes but forgot to commit. |
yanniszark
force-pushed
the
feature-existing-arrikto-internal-relative-urls-v3
branch
from
dd0b728 to
001e4fa
Compare
Signed-off-by: Yannis Zarkadas <[email protected]>
Signed-off-by: Yannis Zarkadas <[email protected]>
yanniszark
force-pushed
the
feature-existing-arrikto-internal-relative-urls-v3
branch
from
001e4fa to
acc18c8
Compare
|
@yanniszark great work with this PR! /lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: yanniszark The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
* istio: oidc-authservice Signed-off-by: Yannis Zarkadas <[email protected]> * dex: add virtualservice Signed-off-by: Yannis Zarkadas <[email protected]> * existing_arrikto kfdef update Signed-off-by: Yannis Zarkadas <[email protected]> * dex: custom image for relative urls Signed-off-by: Yannis Zarkadas <[email protected]> * istio: oidc-authservice: add application overlay Signed-off-by: Yannis Zarkadas <[email protected]> * reorder applications Signed-off-by: Yannis Zarkadas <[email protected]> * parameterize namespace Signed-off-by: Yannis Zarkadas <[email protected]> * regenerate tests Signed-off-by: Yannis Zarkadas <[email protected]> # Conflicts: # kfdef/kfctl_aws.0.7.0.yaml
…529 on v0.7-branch. #529: istio: oidc-authservice (#615) * istio: oidc-authservice Signed-off-by: Yannis Zarkadas <[email protected]> * dex: add virtualservice Signed-off-by: Yannis Zarkadas <[email protected]> * dex: custom image for relative urls Signed-off-by: Yannis Zarkadas <[email protected]> * istio: oidc-authservice: add application overlay Signed-off-by: Yannis Zarkadas <[email protected]> * parameterize namespace Signed-off-by: Yannis Zarkadas <[email protected]> * regenerate tests Signed-off-by: Yannis Zarkadas <[email protected]>
Which issue is resolved by this Pull Request:
Resolves #267
Resolves kubeflow/kubeflow#3839
Description of your changes:
This PR adds the AuthService to manifests.
It also adds those new capabilities to the existing_arrikto config.
Some small changes that were made to the Dex application:
Checklist:
cd manifests/testsmake generatemake test/cc @krishnadurai @elikatsis
This change is