kubeflow · yhwang · Jan 12, 2021
diff --git a/istio/oidc-authservice/base/envoy-filter.yaml b/istio/oidc-authservice/base/envoy-filter.yaml
@@ -17,7 +17,7 @@ spec:
           allowedHeaders:
             patterns:
             - exact: "cookie"
-            - exact: "X-Auth-Token"
+            - exact: "authorization"
         authorizationResponse:
           allowedUpstreamHeaders:
             patterns:

diff --git a/istio/oidc-authservice/base/params.env b/istio/oidc-authservice/base/params.env
@@ -2,6 +2,7 @@ client_id=ldapdexapp
 oidc_provider=
 oidc_redirect_uri=
 oidc_auth_url=
+authservice_url_prefix=/authservice/
 application_secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
 skip_auth_uri=
 userid-header=

diff --git a/istio/oidc-authservice/base/statefulset.yaml b/istio/oidc-authservice/base/statefulset.yaml
@@ -31,6 +31,8 @@ spec:
             value: email
           - name: OIDC_PROVIDER
             value: $(oidc_provider)
+          - name: AUTHSERVICE_URL_PREFIX
+            value: $(authservice_url_prefix)
           - name: OIDC_AUTH_URL
             value: $(oidc_auth_url)
           - name: OIDC_SCOPES

diff --git a/istio/oidc-authservice/base_v3/kustomization.yaml b/istio/oidc-authservice/base_v3/kustomization.yaml
@@ -5,7 +5,6 @@ resources:
 - ../base/statefulset.yaml
 - ../base/envoy-filter.yaml
 - ../base/pvc.yaml
-- ../overlays/application/application.yaml
 namespace: istio-system
 configMapGenerator:
 - name: oidc-authservice-config
@@ -42,6 +41,13 @@ vars:
     apiVersion: v1
   fieldref:
     fieldpath: data.oidc_auth_url
+- name: authservice_url_prefix
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.authservice_url_prefix
 - name: application_secret
   objref:
     kind: ConfigMap
@@ -77,9 +83,16 @@ vars:
     apiVersion: v1
   fieldref:
     fieldpath: data.namespace
+- name: gatewaySelector
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.gatewaySelector
 configurations:
 - ../base/params.yaml
 images:
 - name: gcr.io/arrikto/kubeflow/oidc-authservice
-  newName: gcr.io/arrikto/kubeflow/oidc-authservice
-  newTag: 28c59ef
+  newName: gcr.io/arrikto/oidc-authservice
+  newTag: 087a340
diff --git a/istio/oidc-authservice/overlays/application/kustomization.yaml b/istio/oidc-authservice/overlays/application/kustomization.yaml
@@ -1,6 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 bases:
-- ../../base
+- ../../base_v3
 commonLabels:
   app.kubernetes.io/component: oidc-authservice
   app.kubernetes.io/name: oidc-authservice

diff --git a/stacks/aws/application/oidc-authservice/kustomization.yaml b/stacks/aws/application/oidc-authservice/kustomization.yaml
@@ -4,7 +4,7 @@ namespace: istio-system
 resources:
 - ../../../../istio/oidc-authservice/overlays/application
 configMapGenerator:
-- name: oidc-authservice-parameters
+- name: oidc-authservice-config
   behavior: merge
   literals:
   - client_id=kubeflow-oidc-authservice

diff --git a/stacks/azure/application/oidc-authservice/kustomization.yaml b/stacks/azure/application/oidc-authservice/kustomization.yaml
@@ -4,7 +4,7 @@ namespace: istio-system
 resources:
 - ../../../../istio/oidc-authservice/overlays/application
 configMapGenerator:
-- name: oidc-authservice-parameters
+- name: oidc-authservice-config
   behavior: merge
   literals:
   - client_id=<client_id>

diff --git a/stacks/ibm/application/oidc-authservice-appid/container-env-vars.yaml b/stacks/ibm/application/oidc-authservice-appid/container-env-vars.yaml
@@ -7,23 +7,23 @@
         key: oAuthServerUrl
         name: appid-application-configuration
 - op: replace
-  path: /spec/template/spec/containers/0/env/6
+  path: /spec/template/spec/containers/0/env/7
   value:
     name: REDIRECT_URL
     valueFrom:
       secretKeyRef:
         key: oidcRedirectUrl
         name: appid-application-configuration
 - op: replace
-  path: /spec/template/spec/containers/0/env/9
+  path: /spec/template/spec/containers/0/env/10
   value:
     name: CLIENT_ID
     valueFrom:
       secretKeyRef:
         key: clientId
         name: appid-application-configuration
 - op: replace
-  path: /spec/template/spec/containers/0/env/10
+  path: /spec/template/spec/containers/0/env/11
   value:
     name: CLIENT_SECRET
     valueFrom:

diff --git a/stacks/ibm/application/oidc-authservice-appid/kustomization.yaml b/stacks/ibm/application/oidc-authservice-appid/kustomization.yaml
@@ -3,7 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: istio-system
 resources:
-- ../../../../istio/oidc-authservice/base
+- ../../../../istio/oidc-authservice/overlays/application
 - service-account.yaml
 - vs.yaml
 commonLabels:
@@ -17,7 +17,7 @@ patches:
     kind: StatefulSet
     name: authservice
 configMapGenerator:
-- name: oidc-authservice-parameters
+- name: oidc-authservice-config
   behavior: merge
   envs:
   - params.env
diff --git a/stacks/ibm/application/oidc-authservice/kustomization.yaml b/stacks/ibm/application/oidc-authservice/kustomization.yaml
@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: istio-system
 resources:
-- ../../../../istio/oidc-authservice/base_v3
+- ../../../../istio/oidc-authservice/overlays/application
 images:
 - name: busybox
   newTag: "latest"

diff --git a/stacks/kubernetes/application/oidc-authservice/kustomization.yaml b/stacks/kubernetes/application/oidc-authservice/kustomization.yaml
@@ -4,7 +4,7 @@ namespace: istio-system
 resources:
 - ../../../../istio/oidc-authservice/overlays/application
 configMapGenerator:
-- name: oidc-authservice-parameters
+- name: oidc-authservice-config
   behavior: merge
   literals:
   - client_id=kubeflow-oidc-authservice

diff --git a/.../aws/application/oidc-authservice/test_data/expected/apps_v1_statefulset_authservice.yaml b/.../aws/application/oidc-authservice/test_data/expected/apps_v1_statefulset_authservice.yaml
@@ -33,6 +33,8 @@ spec:
           value: email
         - name: OIDC_PROVIDER
           value: http://dex.auth.svc.cluster.local:5556/dex
+        - name: AUTHSERVICE_URL_PREFIX
+          value: /authservice/
         - name: OIDC_AUTH_URL
           value: /dex/auth
         - name: OIDC_SCOPES
@@ -49,7 +51,7 @@ spec:
           value: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
         - name: STORE_PATH
           value: /var/lib/authservice/data.db
-        image: gcr.io/arrikto/kubeflow/oidc-authservice:28c59ef
+        image: gcr.io/arrikto/oidc-authservice:087a340
         imagePullPolicy: Always
         name: authservice
         ports:

diff --git a/...authservice/test_data/expected/networking.istio.io_v1alpha3_envoyfilter_authn-filter.yaml b/...authservice/test_data/expected/networking.istio.io_v1alpha3_envoyfilter_authn-filter.yaml
@@ -14,7 +14,7 @@ spec:
           allowedHeaders:
             patterns:
             - exact: cookie
-            - exact: X-Auth-Token
+            - exact: authorization
         authorizationResponse:
           allowedUpstreamHeaders:
             patterns:

diff --git a/...onfigmap_oidc-authservice-parameters.yaml → ...v1_configmap_oidc-authservice-config.yaml b/...onfigmap_oidc-authservice-parameters.yaml → ...v1_configmap_oidc-authservice-config.yaml
@@ -1,6 +1,7 @@
 apiVersion: v1
 data:
   application_secret: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
+  authservice_url_prefix: /authservice/
   client_id: kubeflow-oidc-authservice
   gatewaySelector: ingressgateway
   namespace: istio-system
@@ -16,5 +17,5 @@ metadata:
   labels:
     app.kubernetes.io/component: oidc-authservice
     app.kubernetes.io/name: oidc-authservice
-  name: oidc-authservice-parameters
+  name: oidc-authservice-config
   namespace: istio-system
diff --git a/...zure/application/oidc-authservice/test_data/expected/apps_v1_statefulset_authservice.yaml b/...zure/application/oidc-authservice/test_data/expected/apps_v1_statefulset_authservice.yaml
@@ -33,6 +33,8 @@ spec:
           value: email
         - name: OIDC_PROVIDER
           value: https://login.microsoftonline.com/<tenant_id>/v2.0
+        - name: AUTHSERVICE_URL_PREFIX
+          value: /authservice/
         - name: OIDC_AUTH_URL
           value: https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize
         - name: OIDC_SCOPES
@@ -49,7 +51,7 @@ spec:
           value: <app_secret>
         - name: STORE_PATH
           value: /var/lib/authservice/data.db
-        image: gcr.io/arrikto/kubeflow/oidc-authservice:28c59ef
+        image: gcr.io/arrikto/oidc-authservice:087a340
         imagePullPolicy: Always
         name: authservice
         ports:

diff --git a/...authservice/test_data/expected/networking.istio.io_v1alpha3_envoyfilter_authn-filter.yaml b/...authservice/test_data/expected/networking.istio.io_v1alpha3_envoyfilter_authn-filter.yaml
@@ -14,7 +14,7 @@ spec:
           allowedHeaders:
             patterns:
             - exact: cookie
-            - exact: X-Auth-Token
+            - exact: authorization
         authorizationResponse:
           allowedUpstreamHeaders:
             patterns:

diff --git a/...onfigmap_oidc-authservice-parameters.yaml → ...v1_configmap_oidc-authservice-config.yaml b/...onfigmap_oidc-authservice-parameters.yaml → ...v1_configmap_oidc-authservice-config.yaml
@@ -1,6 +1,7 @@
 apiVersion: v1
 data:
   application_secret: <app_secret>
+  authservice_url_prefix: /authservice/
   client_id: <client_id>
   gatewaySelector: ingressgateway
   namespace: istio-system
@@ -16,5 +17,5 @@ metadata:
   labels:
     app.kubernetes.io/component: oidc-authservice
     app.kubernetes.io/name: oidc-authservice
-  name: oidc-authservice-parameters
+  name: oidc-authservice-config
   namespace: istio-system
diff --git a/...authservice-appid/test_data/expected/app.k8s.io_v1beta1_application_oidc-authservice.yaml b/...authservice-appid/test_data/expected/app.k8s.io_v1beta1_application_oidc-authservice.yaml
@@ -0,0 +1,47 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+  labels:
+    app.kubernetes.io/component: oidc-authservice
+    app.kubernetes.io/name: oidc-authservice
+  name: oidc-authservice
+  namespace: istio-system
+spec:
+  addOwnerRef: true
+  componentKinds:
+  - group: apps
+    kind: StatefulSet
+  - group: core
+    kind: Service
+  - group: core
+    kind: PersistentVolumeClaim
+  - group: networking.istio.io
+    kind: EnvoyFilter
+  descriptor:
+    description: Provides OIDC-based authentication for Kubeflow Applications, at
+      the Istio Gateway.
+    keywords:
+    - oidc
+    - authservice
+    - authentication
+    links:
+    - description: About
+      url: https://github.com/kubeflow/kubeflow/tree/master/components/oidc-authservice
+    - description: Docs
+      url: https://www.kubeflow.org/docs/started/k8s/kfctl-existing-arrikto
+    maintainers:
+    - email: [email protected]
+      name: Yannis Zarkadas
+    owners:
+    - email: [email protected]
+      name: Yannis Zarkadas
+    type: oidc-authservice
+    version: v1beta1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: oidc-authservice
+      app.kubernetes.io/instance: oidc-authservice-v0.7.0
+      app.kubernetes.io/managed-by: kfctl
+      app.kubernetes.io/name: oidc-authservice
+      app.kubernetes.io/part-of: kubeflow
+      app.kubernetes.io/version: v0.7.0
diff --git a/...pplication/oidc-authservice-appid/test_data/expected/apps_v1_statefulset_authservice.yaml b/...pplication/oidc-authservice-appid/test_data/expected/apps_v1_statefulset_authservice.yaml
@@ -36,6 +36,8 @@ spec:
             secretKeyRef:
               key: oAuthServerUrl
               name: appid-application-configuration
+        - name: AUTHSERVICE_URL_PREFIX
+          value: /authservice/
         - name: OIDC_AUTH_URL
           value: ""
         - name: OIDC_SCOPES
@@ -61,7 +63,7 @@ spec:
               name: appid-application-configuration
         - name: STORE_PATH
           value: /var/lib/authservice/data.db
-        image: gcr.io/arrikto/kubeflow/oidc-authservice:28c59ef
+        image: gcr.io/arrikto/oidc-authservice:087a340
         imagePullPolicy: Always
         name: authservice
         ports:

diff --git a/...rvice-appid/test_data/expected/networking.istio.io_v1alpha3_envoyfilter_authn-filter.yaml b/...rvice-appid/test_data/expected/networking.istio.io_v1alpha3_envoyfilter_authn-filter.yaml
@@ -14,7 +14,7 @@ spec:
           allowedHeaders:
             patterns:
             - exact: cookie
-            - exact: X-Auth-Token
+            - exact: authorization
         authorizationResponse:
           allowedUpstreamHeaders:
             patterns:

diff --git a/...onfigmap_oidc-authservice-parameters.yaml → ...v1_configmap_oidc-authservice-config.yaml b/...onfigmap_oidc-authservice-parameters.yaml → ...v1_configmap_oidc-authservice-config.yaml
@@ -1,6 +1,7 @@
 apiVersion: v1
 data:
   application_secret: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
+  authservice_url_prefix: /authservice/
   client_id: ldapdexapp
   gatewaySelector: ingressgateway
   namespace: istio-system
@@ -16,5 +17,5 @@ metadata:
   labels:
     app.kubernetes.io/component: oidc-authservice
     app.kubernetes.io/name: oidc-authservice
-  name: oidc-authservice-parameters
+  name: oidc-authservice-config
   namespace: istio-system
diff --git a/.../oidc-authservice/test_data/expected/app.k8s.io_v1beta1_application_oidc-authservice.yaml b/.../oidc-authservice/test_data/expected/app.k8s.io_v1beta1_application_oidc-authservice.yaml
@@ -1,6 +1,9 @@
 apiVersion: app.k8s.io/v1beta1
 kind: Application
 metadata:
+  labels:
+    app.kubernetes.io/component: oidc-authservice
+    app.kubernetes.io/name: oidc-authservice
   name: oidc-authservice
   namespace: istio-system
 spec:

diff --git a/.../ibm/application/oidc-authservice/test_data/expected/apps_v1_statefulset_authservice.yaml b/.../ibm/application/oidc-authservice/test_data/expected/apps_v1_statefulset_authservice.yaml
@@ -1,20 +1,27 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
+  labels:
+    app.kubernetes.io/component: oidc-authservice
+    app.kubernetes.io/name: oidc-authservice
   name: authservice
   namespace: istio-system
 spec:
   replicas: 1
   selector:
     matchLabels:
       app: authservice
+      app.kubernetes.io/component: oidc-authservice
+      app.kubernetes.io/name: oidc-authservice
   serviceName: authservice
   template:
     metadata:
       annotations:
         sidecar.istio.io/inject: "false"
       labels:
         app: authservice
+        app.kubernetes.io/component: oidc-authservice
+        app.kubernetes.io/name: oidc-authservice
     spec:
       containers:
       - env:
@@ -26,6 +33,8 @@ spec:
           value: email
         - name: OIDC_PROVIDER
           value: http://dex.auth.svc.cluster.local:5556/dex
+        - name: AUTHSERVICE_URL_PREFIX
+          value: /authservice/
         - name: OIDC_AUTH_URL
           value: /dex/auth
         - name: OIDC_SCOPES
@@ -42,7 +51,7 @@ spec:
           value: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
         - name: STORE_PATH
           value: /var/lib/authservice/data.db
-        image: gcr.io/arrikto/kubeflow/oidc-authservice:28c59ef
+        image: gcr.io/arrikto/oidc-authservice:087a340
         imagePullPolicy: Always
         name: authservice
         ports: