rephrasing and consolidating
Signed-off-by: juliusvonkohout <[email protected]>
juliusvonkohout committed Oct 21, 2024
1 parent 98af702 commit a0debfa
Showing 2 changed files with 14 additions and 31 deletions.
13 changes: 6 additions & 7 deletions README.md
@@ -220,7 +220,8 @@ kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s

#### Oauth2-proxy

The oauth2-proxy extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client:
The oauth2-proxy extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client.
It supports user sessions as well as proper token-based machine to machine authentication.

```sh
echo "Installing oauth2-proxy..."
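Review bot: the rephrased lead-in `The oauth2-proxy extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client.` still reads awkwardly; `The oauth2-proxy extends the Istio Ingress-Gateway so that it can act as an OIDC client.` says the same in fewer words. The sentence moved up here, `It supports user sessions as well as proper token-based machine to machine authentication.`, now claims M2M support before the reader learns that only Option 2 in the next block makes service account tokens usable from outside the cluster; either qualify it (`with the m2m-dex-and-kind overlay`) or keep it next to Option 2 where it was.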
@@ -234,21 +235,19 @@ echo "Installing oauth2-proxy..."
kustomize build common/oauth2-proxy/overlays/m2m-dex-only/ | kubectl apply -f -
kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy

# Option 2: works on Kind/K3D clusters, and allows K8s service account tokens to be used
# from outside the cluster via the Istio ingress-gateway.
# Option 2: works on Kind/K3D and other clusters with the proper configuration, and allows K8s service account tokens to be used
# from outside the cluster via the Istio ingress-gateway. For example for automation with github actions.
#
#kustomize build common/oauth2-proxy/overlays/m2m-dex-and-kind/ | kubectl apply -f -
#kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy
#kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=cluster-jwks-proxy' --timeout=180s -n istio-system
```

It supports user sessions as well as proper token-based machine to machine authentication.

Also, if you need to use OAuth2 Proxy only for the Kubeflow Platform, you can refer to this [doc](common/oauth2-proxy/README.md#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only)
If you want to use OAuth2 Proxy without DEX and conenct it to your own IDP, you can refer to this [document](common/oauth2-proxy/README.md#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only)

#### Dex

Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends. In this default installation, it includes a static user with email `[email protected]`. By default, the user's password is `12341234`. For any production Kubeflow deployment, you should change the default password by following [the relevant section](#change-default-user-password).
Dex is an OpenID Connect (OIDC) identity provider with multiple authentication backends. In this default installation, it includes a static user with email `[email protected]`. By default, the user's password is `12341234`. For any production Kubeflow deployment, you should change the default password by following [the relevant section](#change-default-user-password).

Install Dex:

32 changes: 8 additions & 24 deletions common/oauth2-proxy/README.md
Expand Up @@ -79,34 +79,23 @@ when client calls API to list the KF Pipeline Runs:
### Auth analysis diagram for Kubeflow Pipelines
![Kubeflow Auth Diagram](./components/kubeflow_auth_diagram.svg)

### Change default authentication from "dex + oauth2-proxy" to "oauth2-proxy" only
### Change the default authentication from "dex + oauth2-proxy" to "oauth2-proxy" only

The authentication in Kubeflow evolved over time and we dropped envoyfilters and oidc-authservice in favor of RequestAuthentication and Oauth2-proxy in Kubeflow 1.9.
![auth-flow](components/oauth2-flow.svg)

kubeflow platform is using Istio Ingress Gateway as its entrypoint.
You can adjust OAuth2 Proxy to directly connect to your own IDP(Identity Provider) suchg as GCP, [AWS](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html), Azure etc:

For the authentication part ,it used Envoy Filter to forward request to Dex(blue lines), and Dex was used as a proxy to retrieve JWT tokens and perform authentication.

With Kubeflow 1.8 , it integrates with OAuth2 Proxy in Istio Provider, as the Istio Provider is now an industry standard.

For out-of-the-box purposes, it still uses Dex as an identity provider, but you are now able to use OAuth2 Proxy to directly connect
to your own IdP(Identity Provider: GCP, [AWS](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html), Azure and so on)

To do so, what you need to do is as follows:
1. create an application on your IdP(purple line)
2. change your [OAuth2 Proxy issuer](https://github.com/kubeflow/manifests/blob/35539f162ea7fafc8c5035d8df0d8d8cf5a9d327/common/oauth2-proxy/base/oauth2-proxy-config.yaml#L10) to your IdP.
3. Under the istio-system namespace, there is a RequestAuthentication resource , you also need to change its issuer to your own IdP.(or you can just directly write a new one)
1. Create an application on your IdP (purple line)
2. Change your [OAuth2 Proxy issuer](https://github.com/kubeflow/manifests/blob/35539f162ea7fafc8c5035d8df0d8d8cf5a9d327/common/oauth2-proxy/base/oauth2-proxy-config.yaml#L10) to your IdP. Of course never ever directly, but with kustomize overlays and components.
3. In the istio-system namespace is a RequestAuthentication resource. You need to change its issuer to your own IdP, or even better create an additional one.
4. Finally, you can now directly issue a token from your IdP and use this token to access your Kubeflow platform.

This feature is useful when you need to integrate kubeflow with you current CI/CD platform(eg.,Jenkins), you can now perform M2M(machine-to-machine) authentication. below is a Python code example to use it.


get JWT token From your IDP
This feature is useful when you need to integrate kubeflow with you current CI/CD platform (GitHub Actions, Jenkins) via machine-to-machine authentication.

Example for obtaining and using a JWT token From your IDP:
```
import requests

# idp configuration
token_url = "https://your-idp.com/oauth/token"
client_id = "YOUR_CLIENT_ID"
client_secret = "YOUR_CLIENT_SECRET"
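Review bot: `suchg as GCP` is a typo for `such as`; in the same line `IDP(Identity Provider)` needs a space and should use the `IdP` spelling that step 1 uses two lines later. Step 2's `Of course never ever directly, but with kustomize overlays and components.` is too informal for a README; `Do not edit the base file; override the issuer in a kustomize overlay or component.` carries the same instruction. Step 3's suggestion to `create an additional one` (a second RequestAuthentication) needs a caveat: Istio then trusts JWTs from both issuers, so the Dex static user with the default password `12341234` documented in the top-level README stays a valid login unless Dex is removed or the password is changed; say which of the two is intended. `integrate kubeflow with you current CI/CD platform` should read `your`, and `From your IDP` in the example heading does not need the capital F. The fence that follows should be tagged ` ```python`, and `client_secret = "YOUR_CLIENT_SECRET"` would be safer shown as `os.environ["CLIENT_SECRET"]` so nobody pastes a real secret into a script.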
@@ -128,19 +117,14 @@ response = requests.post(token_url, headers=headers, data=data)
TOKEN = response.json()['access_token']
```
use token to call kubeflow
```
import kfp
kubeflow_host="https://your_host"
pipeline_host = kubeflow_host + "/pipeline"

client = kfp.Client(host=pipeline_host, existing_token=TOKEN)

print(client.list_runs(namespace="your-profile-name"))
```
## Kubeflow Notebooks User and M2M Authentication and Authorization
The underlying mechanism is the same as in Kubeflow Pipelines.
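Review bot: `TOKEN = response.json()['access_token']` indexes the response without checking it; a failed token request returns an error body and the snippet raises a KeyError instead of a useful message, so add `response.raise_for_status()` before it. Since step 3 above makes the Istio RequestAuthentication validate the bearer token against the IdP's issuer, the value passed as `existing_token=TOKEN` has to be a JWT from that issuer; IdPs that return an opaque `access_token` will need the `id_token` from the same response, and the text should say which one Kubeflow expects. The second fence under `use token to call kubeflow` also lacks a `python` tag, and `kubeflow_host="https://your_host"` should be spaced like the surrounding assignments (`kubeflow_host = "https://your_host"`).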
