Skip to content

Commit

Permalink
feat: move oauth2 proxy doc to common/oauth2-proxy/README.md.
Browse files Browse the repository at this point in the history
Signed-off-by: Cyber Nagle <[email protected]>
  • Loading branch information
cybernagle authored and juliusvonkohout committed Oct 21, 2024
1 parent a87873d commit 98af702
Show file tree
Hide file tree
Showing 2 changed files with 64 additions and 60 deletions.
61 changes: 2 additions & 59 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -244,6 +244,8 @@ kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy'

It supports user sessions as well as proper token-based machine to machine authentication.

Also, if you need to use OAuth2 Proxy only for the Kubeflow Platform, you can refer to this [doc](common/oauth2-proxy/README.md#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only)

#### Dex

Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends. In this default installation, it includes a static user with email `[email protected]`. By default, the user's password is `12341234`. For any production Kubeflow deployment, you should change the default password by following [the relevant section](#change-default-user-password).
Expand Down Expand Up @@ -559,65 +561,6 @@ For example, running the above command locally with required packages like _pass

4. Try to login using the new dex password.

### Change default authentication from "dex + oauth2-proxy" to "oauth2-proxy" only

![auth-flow](common/oauth2-proxy/components/oauth2-flow.svg)

kubeflow platform is using Istio Ingress Gateway as its entrypoint.

For the authentication part ,it used Envoy Filter to forward request to Dex(blue lines), and Dex was used as a proxy to retrieve JWT tokens and perform authentication.

With Kubeflow 1.8 , it integrates with OAuth2 Proxy in Istio Provider, as the Istio Provider is now an industry standard.

For out-of-the-box purposes, it still uses Dex as an identity provider, but you are now able to use OAuth2 Proxy to directly connect
to your own IdP(Identity Provider: GCP, [AWS](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html), Azure and so on)

To do so, what you need to do is as follows:
1. create an application on your IdP(purple line)
2. change your [OAuth2 Proxy issuer](https://github.com/kubeflow/manifests/blob/35539f162ea7fafc8c5035d8df0d8d8cf5a9d327/common/oauth2-proxy/base/oauth2-proxy-config.yaml#L10) to your IdP.
3. Under the istio-system namespace, there is a RequestAuthentication resource , you also need to change its issuer to your own IdP.(or you can just directly write a new one)
4. Finally, you can now directly issue a token from your IdP and use this token to access your Kubeflow platform.

This feature is useful when you need to integrate kubeflow with you current CI/CD platform(eg.,Jenkins), you can now perform M2M(machine-to-machine) authentication. below is a Python code example to use it.


get JWT token From your IDP

```
import requests

# idp configuration
token_url = "https://your-idp.com/oauth/token"
client_id = "YOUR_CLIENT_ID"
client_secret = "YOUR_CLIENT_SECRET"
username = "YOUR_USERNAME"
password = "YOUR_PASSWORD"
# request header
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"grant_type": "password",
"client_id": client_id,
"client_secret": client_secret,
"username": username,
"password": password,
"scope": "openid profile email" #change your scope
}
response = requests.post(token_url, headers=headers, data=data)
TOKEN = response.json()['access_token']
```
use token to call kubeflow
```
import kfp
kubeflow_host="https://your_host"
pipeline_host = kubeflow_host + "/pipeline"

client = kfp.Client(host=pipeline_host, existing_token=TOKEN)

print(client.list_runs(namespace="your-profile-name"))
```


## Upgrading and extending
Expand Down
63 changes: 62 additions & 1 deletion common/oauth2-proxy/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -77,9 +77,70 @@ when client calls API to list the KF Pipeline Runs:
```

### Auth analysis diagram for Kubeflow Pipelines

![Kubeflow Auth Diagram](./components/kubeflow_auth_diagram.svg)

### Change default authentication from "dex + oauth2-proxy" to "oauth2-proxy" only

![auth-flow](components/oauth2-flow.svg)

kubeflow platform is using Istio Ingress Gateway as its entrypoint.

For the authentication part ,it used Envoy Filter to forward request to Dex(blue lines), and Dex was used as a proxy to retrieve JWT tokens and perform authentication.

With Kubeflow 1.8 , it integrates with OAuth2 Proxy in Istio Provider, as the Istio Provider is now an industry standard.

For out-of-the-box purposes, it still uses Dex as an identity provider, but you are now able to use OAuth2 Proxy to directly connect
to your own IdP(Identity Provider: GCP, [AWS](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html), Azure and so on)

To do so, what you need to do is as follows:
1. create an application on your IdP(purple line)
2. change your [OAuth2 Proxy issuer](https://github.com/kubeflow/manifests/blob/35539f162ea7fafc8c5035d8df0d8d8cf5a9d327/common/oauth2-proxy/base/oauth2-proxy-config.yaml#L10) to your IdP.
3. Under the istio-system namespace, there is a RequestAuthentication resource , you also need to change its issuer to your own IdP.(or you can just directly write a new one)
4. Finally, you can now directly issue a token from your IdP and use this token to access your Kubeflow platform.

This feature is useful when you need to integrate kubeflow with you current CI/CD platform(eg.,Jenkins), you can now perform M2M(machine-to-machine) authentication. below is a Python code example to use it.


get JWT token From your IDP

```
import requests

# idp configuration
token_url = "https://your-idp.com/oauth/token"
client_id = "YOUR_CLIENT_ID"
client_secret = "YOUR_CLIENT_SECRET"
username = "YOUR_USERNAME"
password = "YOUR_PASSWORD"
# request header
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"grant_type": "password",
"client_id": client_id,
"client_secret": client_secret,
"username": username,
"password": password,
"scope": "openid profile email" #change your scope
}
response = requests.post(token_url, headers=headers, data=data)
TOKEN = response.json()['access_token']
```
use token to call kubeflow
```
import kfp
kubeflow_host="https://your_host"
pipeline_host = kubeflow_host + "/pipeline"

client = kfp.Client(host=pipeline_host, existing_token=TOKEN)

print(client.list_runs(namespace="your-profile-name"))
```
## Kubeflow Notebooks User and M2M Authentication and Authorization
The underlying mechanism is the same as in Kubeflow Pipelines.
Expand Down

0 comments on commit 98af702

Please sign in to comment.