feat: add doc to describe using oauth2proxy directly.
cybernagle committed Sep 18, 2024
1 parent 35539f1 commit a6c4063
Showing 2 changed files with 74 additions and 0 deletions.
61 changes: 61 additions & 0 deletions README.md
Expand Up @@ -543,6 +543,67 @@ For example, running the above command locally with required packages like _pass

4. Try to login using the new dex password.

### Change default authtication from "dex + oauth2-proxy" to "oauth2-proxy" only

![auth-flow](common/oauth2-proxy/components/oauth2-flow.svg)

kubeflow platform are using istio ingress gateway as it's entrypoint.

for the authentication part ,it used to be use envoy filter to forward reqeust to dex(blue lines), and using dex as a proxy to retrive JWT token and do authentication.

with kubeflow 1.8 , it integrate with oauth2 proxy since istio provider now is indestry standard.

for the purpose of out of box, it still use dex as a identity provider, but , actually , you are now able to using oauth2 proxy to directly connect
to your own IdP(Identity Provider: gcp, [aws](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html), gcp, azure and so on)

to do so , what you need to is follows:
1. create a application on you IdP(purple line)
2. change your [oauth2 proxy issuer](https://github.com/kubeflow/manifests/blob/35539f162ea7fafc8c5035d8df0d8d8cf5a9d327/common/oauth2-proxy/base/oauth2-proxy-config.yaml#L10) to your IdP.
3. under istio-system namespace, there is a requestauthentication , you also need change it issuer to your own IdP.( or you can just directly write a new one)
4. finally , now you can directly use issue a token from your IdP. and take thit token to access you kubeflow platform.

this feature is useful when you need to integrate kubeflow with you corrent CI/CD platform for example: Jenkins, you can now able to do m2m authentication. below is Python code example to use it.


get JWT token From your IDP

```
import requests

# idp configuration
token_url = "https://your-idp.com/oauth/token"
client_id = "YOUR_CLIENT_ID"
client_secret = "YOUR_CLIENT_SECRET"
username = "YOUR_USERNAME"
password = "YOUR_PASSWORD"
# request header
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"grant_type": "password",
"client_id": client_id,
"client_secret": client_secret,
"username": username,
"password": password,
"scope": "openid profile email" #change your scope
}
response = requests.post(token_url, headers=headers, data=data)
TOKEN = response.json()['access_token']
```
use token to call kubeflow
```
import kfp
kubeflow_host="https://your_host"
pipeline_host = kubeflow_host + "/pipeline"

client = kfp.Client(host=pipeline_host, existing_token=TOKEN)

print(client.list_runs(namespace="your-profile-name"))
```
## Upgrading and extending
For modifications and in place upgrades of the Kubeflow platform we provide a rough description for advanced users:
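Review bot: the first Python block in this hunk uses `"grant_type": "password"` (the resource owner password credentials grant) with a user's `username`, `password` and the `client_secret` all embedded in the script, which is the wrong grant for the machine-to-machine CI/CD use the preceding paragraph describes; for m2m use `"grant_type": "client_credentials"` with only `client_id` and `client_secret`, and note that the password grant is deprecated by the OAuth 2.0 Security Best Current Practice and is not offered by several IdPs. The snippet should also call `response.raise_for_status()` before indexing `response.json()['access_token']`, and the text should say which token the RequestAuthentication in step 3 is expected to validate: for some IdPs the access token is opaque and only the `id_token` is a JWT whose issuer can be checked. Smaller points: both fences lack a `python` language tag, "gcp" appears twice in the IdP list, and the section has typos ("authtication", "reqeust", "retrive", "indestry", "corrent", "thit", "you corrent").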