oauth2-proxy-config.yaml
# ConfigMap holding the oauth2-proxy configuration file (oauth2_proxy.cfg) for
# an OIDC login flow against the in-cluster dex issuer. The comments inside the
# block scalar are part of the mounted file; the notes here are YAML-only.
#
# Review notes (settings referenced by name, all inside oauth2_proxy.cfg):
# - No client_id, client_secret or cookie_secret appears in this file. They
#   are presumably supplied elsewhere (environment or a Secret) - confirm, and
#   keep them out of this ConfigMap, which is not a secret store.
# - oidc_issuer_url, redeem_url and oidc_jwks_url use plain http:// to the dex
#   Service. The code exchange and the signing-key fetch are therefore not
#   protected by TLS at this layer; confirm that something else (for example
#   mesh mTLS between the two workloads) protects that hop.
# - skip_oidc_discovery = true means the endpoints are maintained by hand in
#   this file; they must stay consistent with the dex configuration.
# - email_domains = [ "*" ] accepts any e-mail address the issuer returns, so
#   who may log in is decided by dex and its connectors, and what a user may
#   do is decided by downstream authorization, not by oauth2-proxy.
# - skip_auth_regex exempts matching request paths from authentication. The
#   pattern "/dex/.*" carries no ^ anchor; check how the deployed oauth2-proxy
#   version matches it (anchored or not, path only or with query string) and
#   prefer an anchored pattern such as "^/dex/". Newer oauth2-proxy releases
#   document skip_auth_routes as the replacement option - TODO confirm for
#   the version in use.
# - set_authorization_header and set_xauthrequest put the bearer token and the
#   identity headers on the auth response. Services behind the gateway should
#   trust Authorization / X-Auth-Request-* only if the gateway guarantees that
#   client-supplied copies of those headers are overwritten or dropped.
# - cookie_expire = "24h" with cookie_refresh = 0 (refresh disabled) gives a
#   fixed 24h session, in line with the JWT lifetime described in the cfg
#   comment.
# - code_challenge_method = "S256" enables PKCE with the SHA-256 challenge.
apiVersion: v1
kind: ConfigMap
metadata:
  name: oauth2-proxy
  labels:
    app: oauth2-proxy
data:
  # Literal block scalar: every line below, comments included, is written
  # verbatim into the mounted oauth2_proxy.cfg.
  oauth2_proxy.cfg: |
    provider = "oidc"
    oidc_issuer_url = "http://dex.auth.svc.cluster.local:5556/dex"
    scope = "profile email groups openid"
    upstreams = "static://200"
    email_domains = [ "*" ]
    skip_auth_regex=["/dex/.*"]
    # ---
    # OIDC Discovery has to be skipped and login url has to be provided directly
    # in order to enable relative auth redirect.
    # Turning On OIDC Discovery would set the auth redirect location as the dex
    # Issuer URL which is http://dex.auth.svc.cluster.local:5556 in the default,
    # example installation. This address is usuallynot available through the Web
    # Browser. If you have a setup where dex has it's url as other than the
    # in-cluster service, this is optional.
    skip_oidc_discovery = true
    login_url = "/dex/auth"
    redeem_url = "http://dex.auth.svc.cluster.local:5556/dex/token"
    oidc_jwks_url = "http://dex.auth.svc.cluster.local:5556/dex/keys"
    # ---
    # Go to dex login page directly instead of showing the oauth2-proxy login
    # page.
    skip_provider_button = true
    # ---
    # Set Authorization Bearer response header. This is needed in order to
    # forward the Authorization Bearer token to Istio and enable authorization
    # based on JWT.
    set_authorization_header = true
    # ---
    # set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and
    # X-Auth-Request-Preferred-Username. This is optional for Kubeflow but you
    # may have other services that use standard auth headers.
    set_xauthrequest = true
    # ---
    cookie_name = "oauth2_proxy_kubeflow"
    # ---
    # Dex default cookie expiration is 24h. If set to 168h (default oauth2-proxy),
    # Istio will not be able to use the JWT after 24h but oauth2-proxy will still
    # consider the cookie valid.
    # It's possible to configure the JWT Refresh Token to enable longer login
    # session.
    cookie_expire = "24h"
    cookie_refresh = 0
    # ---
    code_challenge_method = "S256"
    # ---
    redirect_url = "/oauth2/callback"
    relative_redirect_url = true
# No binary payloads are attached to this ConfigMap.
binaryData: {}