dip
/
tenant-catalog
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Repository for dip
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
17 Branches
0 Tags
3.2 MiB
Tag: Branch: Tree: service-kubeflow
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'service-kubeflow'
${ noResults }
tenant-catalog/kubeflow/common/oauth2-proxy/components/cluster-jwks-proxy/cluster-jwks-proxy.yaml

88 lines
2.4 KiB
Raw Permalink Blame History

# the default JWKS endpoint for Kind is not public, and uses a self-signed certificate
# for the Istio RequestAuthentication to trust it, we need to proxy the cluster's JWKS endpoint over HTTP
apiVersion: v1
kind: ServiceAccount
metadata:
name: cluster-jwks-proxy
namespace: istio-system
labels:
app.kubernetes.io/name: cluster-jwks-proxy
---
apiVersion: v1
kind: Service
metadata:
name: cluster-jwks-proxy
namespace: istio-system
labels:
app.kubernetes.io/name: cluster-jwks-proxy
spec:
ports:
- name: http
port: 80
targetPort: http
selector:
app.kubernetes.io/name: cluster-jwks-proxy
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cluster-jwks-proxy
namespace: istio-system
labels:
app.kubernetes.io/name: cluster-jwks-proxy
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: cluster-jwks-proxy
template:
metadata:
labels:
app.kubernetes.io/name: cluster-jwks-proxy
spec:
serviceAccountName: cluster-jwks-proxy
containers:
- name: kubectl-proxy
image: docker.io/bitnami/kubectl
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
capabilities:
drop:
- ALL
ports:
- name: http
containerPort: 8080
startupProbe:
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 2
httpGet:
path: /openid/v1/jwks
port: http
livenessProbe:
initialDelaySeconds: 15
periodSeconds: 15
timeoutSeconds: 5
httpGet:
path: /openid/v1/jwks
port: http
readinessProbe:
initialDelaySeconds: 15
periodSeconds: 15
timeoutSeconds: 5
httpGet:
path: /openid/v1/jwks
port: http
args:
- proxy
- --address=0.0.0.0
- --port=8080
## accept all hosts (default is local only)
- --accept-hosts=.*
## only accept requests to '/openid/v1/jwks' and '/.well-known/openid-configuration'
- --accept-paths=^(?:/openid/v1/jwks)|(?:/.well-known/openid-configuration)$
## reject all methods except 'GET'
- --reject-methods=^(POST|PUT|PATCH|DELETE|HEAD|OPTIONS|CONNECT|TRACE)$