Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
add identity awareness to existing_arrikto
Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
  • Loading branch information
yanniszark committed Aug 21, 2019
1 parent 210312c commit 0985a2f
Show file tree
Hide file tree
Showing 4 changed files with 24 additions and 1 deletion.
9 changes: 9 additions & 0 deletions bootstrap/config/kfctl_existing_arrikto.yaml
Expand Up @@ -33,6 +33,9 @@ spec:
path: argo
name: argo
- kustomizeConfig:
parameters:
- name: userid-header
value: kubeflow-userid
overlays:
- istio
repoRef:
Expand All @@ -53,6 +56,9 @@ spec:
path: admission-webhook/bootstrap
name: bootstrap
- kustomizeConfig:
parameters:
- name: userid-header
value: kubeflow-userid
overlays:
- istio
- application
Expand Down Expand Up @@ -193,6 +199,9 @@ spec:
path: pipeline/scheduledworkflow
name: scheduledworkflow
- kustomizeConfig:
parameters:
- name: userid-header
value: kubeflow-userid
overlays:
- istio
repoRef:
Expand Down
6 changes: 5 additions & 1 deletion deployment/existing/auth_oidc/authservice.tmpl
Expand Up @@ -41,7 +41,7 @@ spec:
path: tls.crt
containers:
- name: authservice
image: gcr.io/arrikto/kubeflow/oidc-authservice:v0.2
image: gcr.io/arrikto/kubeflow/oidc-authservice:v0.3
imagePullPolicy: Always
ports:
- name: http-api
Expand All @@ -51,6 +51,10 @@ spec:
mountPath: /etc/custom-ca
readOnly: true
env:
- name: USERID_HEADER
value: "kubeflow-userid"
- name: USERID_PREFIX
value: ""
- name: OIDC_PROVIDER_CA_FILE
value: "/etc/custom-ca/tls.crt"
- name: DISABLE_USERINFO
Expand Down
4 changes: 4 additions & 0 deletions deployment/existing/auth_oidc/envoy-filter.yaml
Expand Up @@ -19,6 +19,10 @@ spec:
allowedHeaders:
patterns:
- exact: "cookie"
authorizationResponse:
allowedUpstreamHeaders:
patterns:
- exact: "kubeflow-userid"
statusOnError:
code: GatewayTimeout
filterName: envoy.ext_authz
Expand Down
6 changes: 6 additions & 0 deletions deployment/existing/istio/istio-noauth.yaml
Expand Up @@ -18981,3 +18981,9 @@ spec:
maxRequestsPerConnection: 10000
---

apiVersion: rbac.istio.io/v1alpha1
kind: ClusterRbacConfig
metadata:
name: default
spec:
mode: 'ON'

0 comments on commit 0985a2f

Please sign in to comment.