You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
57 lines
1.6 KiB
57 lines
1.6 KiB
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
kind: Kustomization
|
|
|
|
resources:
|
|
- ../../base
|
|
|
|
components:
|
|
- ../../components/cluster-jwks-proxy
|
|
- ../../components/istio-external-auth
|
|
- ../../components/istio-m2m
|
|
|
|
configMapGenerator:
|
|
- name: oauth2-proxy-parameters
|
|
behavior: merge
|
|
literals:
|
|
# Configs for oauth2-proxy
|
|
- ALLOW_SELF_SIGNED_ISSUER=true
|
|
|
|
patches:
|
|
# patch the 'm2m-token-issuer' RequestAuthentication with correct `issuer` and `jwksUri`
|
|
# NOTE: we are using kustomize components, so we can't use the outer `configMapGenerator` to
|
|
# patch the inner one, so we are stuck with using a `patch` instead
|
|
- patch: |-
|
|
- op: replace
|
|
path: /spec/jwtRules/0/issuer
|
|
value: https://kubernetes.default.svc.cluster.local
|
|
- op: replace
|
|
path: /spec/jwtRules/0/jwksUri
|
|
value: http://cluster-jwks-proxy.istio-system.svc.cluster.local/openid/v1/jwks
|
|
target:
|
|
group: security.istio.io
|
|
version: v1beta1
|
|
kind: RequestAuthentication
|
|
name: m2m-token-issuer
|
|
namespace: istio-system
|
|
|
|
- patch: |-
|
|
- op: add
|
|
path: /spec/jwtRules/-
|
|
value:
|
|
issuer: "https://kubernetes.default.svc"
|
|
jwksUri: "http://cluster-jwks-proxy.istio-system.svc.cluster.local/openid/v1/jwks"
|
|
forwardOriginalToken: true
|
|
outputClaimToHeaders:
|
|
- header: kubeflow-userid
|
|
claim: sub
|
|
- header: kubeflow-groups
|
|
claim: groups
|
|
fromHeaders:
|
|
- name: Authorization
|
|
prefix: "Bearer "
|
|
target:
|
|
group: security.istio.io
|
|
version: v1beta1
|
|
kind: RequestAuthentication
|
|
name: m2m-token-issuer
|
|
namespace: istio-system
|
|
|