dip
/
tenant-catalog
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Repository for dip
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
17 Branches
0 Tags
3.2 MiB
Tag: Branch: Tree: service-kubeflow
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'service-kubeflow'
${ noResults }
tenant-catalog/kubeflow/common/oauth2-proxy/overlays/m2m-keycloak/patch-oauth2-proxy-config.yaml

56 lines
2.1 KiB
Raw Permalink Blame History

apiVersion: v1
kind: ConfigMap
metadata:
name: oauth2-proxy
labels:
app: oauth2-proxy
data:
oauth2_proxy.cfg: |
provider = "keycloak-oidc"
oidc_issuer_url = "https://keycloak.gke.paasup.io/realms/paasup"
scope = "profile email roles openid"
upstreams = "static://200"
email_domains = [ "*" ]
insecure_oidc_allow_unverified_email = "true"
# ---
# OIDC Discovery has to be skipped and login url has to be provided directly
# in order to enable relative auth redirect.
# Turning On OIDC Discovery would set the auth redirect location as the dex
# Issuer URL which is http://dex.auth.svc.cluster.local:5556 in the default,
# example installation. This address is usuallynot available through the Web
# Browser. If you have a setup where dex has it's url as other than the
# in-cluster service, this is optional.
# ---
# Go to dex login page directly instead of showing the oauth2-proxy login
# page.
skip_provider_button = true
# ---
# Set Authorization Bearer response header. This is needed in order to
# forward the Authorization Bearer token to Istio and enable authorization
# based on JWT.
set_authorization_header = true
pass_access_token = true
pass_authorization_header = true
# ---
# set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and
# X-Auth-Request-Preferred-Username. This is optional for Kubeflow but you
# may have other services that use standard auth headers.
set_xauthrequest = true
# ---
cookie_name = "oauth2_proxy_kubeflow"
# ---
# Dex default cookie expiration is 24h. If set to 168h (default oauth2-proxy),
# Istio will not be able to use the JWT after 24h but oauth2-proxy will still
# consider the cookie valid.
# It's possible to configure the JWT Refresh Token to enable longer login
# session.
cookie_expire = "24h"
cookie_refresh = "5m"
# ---
code_challenge_method = "S256"
# ---
redirect_url = "https://kubeflow.gke.paasup.io/oauth2/callback"
relative_redirect_url = true
binaryData: {}