add some comments + oidc scopes

Signed-off-by: David van der Spek <[email protected]>
pluralsh · Sep 14, 2023 · f1254e5 · f1254e5
1 parent f37b9b5
commit f1254e5
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml b/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml
@@ -91,7 +91,7 @@ spec:
       {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }}
   jwtRules:
   - forwardOriginalToken: true
-    outputPayloadToHeader: Authorization # TODO: needed so the requestauth resource in user namespace works
+    outputPayloadToHeader: Authorization # TODO: needed so the requestauth resource in user namespace works. Overwrites what `forward_bearer_token` sets in the envoy filter. Should the auth token or JWT be passed in the authorization header?
     fromHeaders: # TODO: possibly add this to profile controller setup
     - name: cookie
       prefix: IdToken=

diff --git a/kubeflow/helm/gateway/values.yaml b/kubeflow/helm/gateway/values.yaml
@@ -15,13 +15,18 @@ fullnameOverride: ""
 
 provider: ""
 
+# TODO: investigate XSRF filter in envoy
+# TODO: check if we should be passing the access token through in the Authorization header or just the JWT
+
 oidc:
   clientID: ""
   clientSecret: ""
   hmacSecret: ""
   scopes:
   - openid
   - profile
+  - offline
+  - offline_access
 
 gateway:
   name: kubeflow-gateway