dip
/
tenant-catalog
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Repository for dip
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
17 Branches
0 Tags
3.2 MiB
Tag: Branch: Tree: service-kubeflow
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'service-kubeflow'
${ noResults }
tenant-catalog/kubeflow/common/oauth2-proxy/base/kustomization.yaml

95 lines
2.6 KiB
Raw Permalink Blame History

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: oauth2-proxy
resources:
- namespace.yaml
- deployment.yaml
- serviceaccount.yaml
- service.yaml
- virtualservice.yaml
secretGenerator:
- name: oauth2-proxy
type: Opaque
literals:
- client-id=kubeflow-oidc-authservice
- client-secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
- cookie-secret=7d16fee92f8d11b8940b081b3f8b8acb
configMapGenerator:
- name: oauth2-proxy
files:
- oauth2_proxy.cfg
- name: oauth2-proxy-theme
files:
- kubeflow-logo.svg
- name: oauth2-proxy-parameters
literals:
# This will configure oauth2-proxy option --cookie-secure which can force
# auth redirect with redirect_uri parameter using https.
- FORCE_HTTPS=false
# If Kubernetes is managed by kind, vCluster, minikube or similar tool,
# most probably the Kubernetes OIDC Issuer will be server in-cluster
# behind self-signed certs. This option will configure
# --ssl-insecure-skip-verify which will accept self-signed-certificates.
- ALLOW_SELF_SIGNED_ISSUER=true
# This will configure oauth2-proxy option --skip-jwt-bearer-tokens which
# will pass the requests with 'Authorization' header with Bearer Token
# matching --extra-jwt-issuers.
- ENABLE_M2M_TOKENS=true
# Bearer tokens issued by these OIDC Issuers will be verified against the
# Issuer and accepted on success.
# The format is exactly like in --extra-jwt-issuers.
# If extra jwt issuers are meant to be used with m2m bearer tokens,
# each issuer has to be added with RequestAuthentication so Istio can
# verify, trust and use the JWT. See
# 'common/oauth2-proxy/components/istio-m2m' for details.
# Examples:
# - EXTRA_JWT_ISSUERS=https://kubernetes.default.svc.cluster.local=https://kubernetes.default.svc.cluster.local
# - EXTRA_JWT_ISSUERS=https://oidc.eks.region.amazonaws.com/id/1234abcd=https://kubernetes.default.svc
- EXTRA_JWT_ISSUERS=
replacements:
- source:
version: v1
kind: Service
name: oauth2-proxy
fieldPath: metadata.name
targets:
- fieldPaths:
- spec.http.0.route.0.destination.host
options:
delimiter: .
select:
version: v1alpha3
group: networking.istio.io
kind: VirtualService
name: oauth2-proxy
- source:
fieldPath: metadata.namespace
kind: Service
name: oauth2-proxy
version: v1
targets:
- fieldPaths:
- spec.http.0.route.0.destination.host
options:
delimiter: .
index: 1
select:
version: v1alpha3
group: networking.istio.io
kind: VirtualService
name: oauth2-proxy
images:
- name: quay.io/oauth2-proxy/oauth2-proxy
newName: quay.io/oauth2-proxy/oauth2-proxy
newTag: v7.7.1