

Merge pull request #623 from rimolive/rmartine
Add oauth2-proxy in mlmd envoy proxy pod
HumairAK committed Apr 8, 2024
2 parents a688370 + 90bcd67 commit d4d9cd6
Showing 7 changed files with 143 additions and 4 deletions.
Expand Up @@ -9,14 +9,13 @@ spec:
app: ds-pipeline-metadata-envoy-{{ .Name }}
component: data-science-pipelines
ingress:
- ports:
- protocol: TCP
port: 8443
- ports:
- protocol: TCP
port: 9090
from:
- podSelector:
matchLabels:
app: odh-dashboard
namespaceSelector: {}
- podSelector:
matchLabels:
component: data-science-pipelines
3 changes: 3 additions & 0 deletions config/internal/common/no-owner/clusterrolebinding.yaml.tmpl
Expand Up @@ -13,3 +13,6 @@ subjects:
- kind: ServiceAccount
namespace: {{.Namespace}}
name: ds-pipeline-{{.Name}}
- kind: ServiceAccount
namespace: {{.Namespace}}
name: ds-pipeline-metadata-envoy-{{.Name}}
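Review bot: The new `ds-pipeline-metadata-envoy-{{.Name}}` subject is appended to an existing binding whose `roleRef` sits above the hunk, so the proxy's service account inherits everything the pipeline server's cluster role grants rather than only what oauth-proxy needs. As far as I recall from the oauth-proxy documentation, the openshift provider only needs `create` on `tokenreviews` (authentication.k8s.io) and `subjectaccessreviews` (authorization.k8s.io); if the referenced role carries more than that, a dedicated binding for the proxy account would keep it at least privilege. Either way the new subject deserves a comment, e.g. `# oauth-proxy sidecar of the metadata-envoy pod; only TokenReview/SubjectAccessReview are required`.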
51 changes: 51 additions & 0 deletions config/internal/ml-metadata/metadata-envoy.deployment.yaml.tmpl
Expand Up @@ -71,7 +71,58 @@ spec:
- mountPath: /etc/envoy.yaml
name: envoy-config
subPath: envoy.yaml
- name: oauth-proxy
args:
- --https-address=:8443
- --provider=openshift
- --openshift-service-account=ds-pipeline-metadata-envoy-{{.Name}}
- --upstream=http://localhost:9090
- --tls-cert=/etc/tls/private/tls.crt
- --tls-key=/etc/tls/private/tls.key
- --cookie-secret=SECRET
- '--openshift-delegate-urls={"/": {"group":"route.openshift.io","resource":"routes","verb":"get","name":"ds-pipeline-metadata-envoy-{{.Name}}","namespace":"{{.Namespace}}"}}'
- '--openshift-sar={"namespace":"{{.Namespace}}","resource":"routes","resourceName":"ds-pipeline-metadata-envoy-{{.Name}}","verb":"get","resourceAPIGroup":"route.openshift.io"}'
- --skip-auth-regex='(^/metrics|^/apis/v1beta1/healthz)'
image: {{.OAuthProxy}}
ports:
- containerPort: 8443
name: oauth2-proxy
protocol: TCP
livenessProbe:
httpGet:
path: /oauth/healthz
port: oauth2-proxy
scheme: HTTPS
initialDelaySeconds: 30
timeoutSeconds: 1
periodSeconds: 5
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /oauth/healthz
port: oauth2-proxy
scheme: HTTPS
initialDelaySeconds: 5
timeoutSeconds: 1
periodSeconds: 5
successThreshold: 1
failureThreshold: 3
resources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 100m
memory: 256Mi
volumeMounts:
- mountPath: /etc/tls/private
name: proxy-tls
serviceAccountName: ds-pipeline-metadata-envoy-{{.Name}}
volumes:
- name: envoy-config
configMap:
name: ds-pipeline-metadata-envoy-config-{{.Name}}
- name: proxy-tls
secret:
secretName: ds-pipelines-envoy-proxy-tls-{{.Name}}
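Review bot: `--cookie-secret=SECRET` is a fixed literal committed to the repository, so the session cookie oauth-proxy issues is signed and encrypted with a public, per-installation-identical value; it should be generated per instance and injected from a Secret instead of living in the template. Kubernetes expands `$(VAR)` in container `args`, so the flag can stay where it is while the value comes from `valueFrom.secretKeyRef` (sketched below with a placeholder Secret name, since the hunk shows no generator for it). Separately, `- --skip-auth-regex='(^/metrics|^/apis/v1beta1/healthz)'` is a plain YAML scalar, so the single quotes are handed to the proxy as part of the regex and the `^` anchors can no longer match: the bypass silently never applies, which fails closed but not as intended, and `/apis/v1beta1/healthz` looks copied from the API server deployment rather than a path envoy serves. Both points apply unchanged to the testdata fixture at the end of the page (its `--cookie-secret=SECRET` and `--skip-auth-regex` lines).

```yaml
- name: oauth-proxy
  env:
    - name: COOKIE_SECRET
      valueFrom:
        secretKeyRef:
          name: "PLACEHOLDER-oauth-cookie-secret-{{.Name}}"  # placeholder: Secret the operator must generate
          key: cookie_secret
  args:
    - --https-address=:8443
    # … unchanged: provider, service-account, upstream and tls args …
    - --cookie-secret=$(COOKIE_SECRET)
    # … unchanged: openshift-delegate-urls and openshift-sar args …
    - --skip-auth-regex=(^/metrics|^/apis/v1beta1/healthz)
  # … unchanged: image, ports, probes, resources, volumeMounts …
```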
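--- /dev/null
+++ b/config/internal/ml-metadata/metadata-envoy.route.yaml.tmpl
@@ -0,0 +1,20 @@
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+name: ds-pipeline-metadata-envoy-{{.Name}}
+namespace: {{.Namespace}}
+labels:
+app: ds-pipeline-metadata-envoy-{{.Name}}
+component: data-science-pipelines
+annotations:
+kubernetes.io/tls-acme: "true"
+spec:
+to:
+kind: Service
+name: ds-pipeline-metadata-envoy-{{.Name}}
+weight: 100
+port:
+targetPort: oauth2-proxy
+tls:
+termination: Reencrypt
+insecureEdgeTerminationPolicy: Redirect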
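Review bot: `kubernetes.io/tls-acme: "true"` is the kube-lego/cert-manager Ingress annotation; on an OpenShift Route with `Reencrypt` termination the edge certificate comes from the router and the backend certificate from the service serving cert the Service section requests, so as far as I can tell the annotation does nothing here unless the cluster runs cert-manager's route support. Either drop it or document why it is set, e.g. `# tls-acme: only honoured by cert-manager's route integration; no effect on the default router`. The `insecureEdgeTerminationPolicy: Redirect` line is the right choice and worth keeping as is.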
5 changes: 5 additions & 0 deletions config/internal/ml-metadata/metadata-envoy.service.yaml.tmpl
Expand Up @@ -5,12 +5,17 @@ metadata:
app: ds-pipeline-metadata-envoy-{{.Name}}
component: data-science-pipelines
name: ds-pipeline-metadata-envoy-{{.Name}}
annotations:
service.beta.openshift.io/serving-cert-secret-name: ds-pipelines-envoy-proxy-tls-{{.Name}}
namespace: {{.Namespace}}
spec:
ports:
- name: md-envoy
port: 9090
protocol: TCP
- name: oauth2-proxy
port: 8443
protocol: TCP
selector:
app: ds-pipeline-metadata-envoy-{{.Name}}
component: data-science-pipelines
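Review bot: The Service still publishes the plain `md-envoy` port 9090 next to the new authenticated `oauth2-proxy` port 8443, so any client that can reach the Service on 9090 talks to envoy without passing the proxy. The NetworkPolicy hunk at the top of the page restricts 9090 ingress to `app: odh-dashboard` pods in any namespace and to `component: data-science-pipelines` pods while leaving 8443 open, so that policy is now the only access control on the unauthenticated path and the dependency should be written down. Suggested comment above the `md-envoy` port: `# unauthenticated; reachable only from odh-dashboard and pipeline pods via the metadata-envoy NetworkPolicy`.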
@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: ds-pipeline-metadata-envoy-{{.Name}}
namespace: {{.Namespace}}
annotations:
serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"ds-pipeline-metadata-envoy-{{.Name}}"}}'
labels:
app: ds-pipeline-metadata-envoy-{{.Name}}
component: data-science-pipelines
Expand Up @@ -61,8 +61,59 @@ spec:
- mountPath: /etc/envoy.yaml
name: envoy-config
subPath: envoy.yaml
- name: oauth-proxy
args:
- --https-address=:8443
- --provider=openshift
- --openshift-service-account=ds-pipeline-metadata-envoy-testdsp5
- --upstream=http://localhost:9090
- --tls-cert=/etc/tls/private/tls.crt
- --tls-key=/etc/tls/private/tls.key
- --cookie-secret=SECRET
- '--openshift-delegate-urls={"/": {"group":"route.openshift.io","resource":"routes","verb":"get","name":"ds-pipeline-metadata-envoy-testdsp5","namespace":"default"}}'
- '--openshift-sar={"namespace":"default","resource":"routes","resourceName":"ds-pipeline-metadata-envoy-testdsp5","verb":"get","resourceAPIGroup":"route.openshift.io"}'
- --skip-auth-regex='(^/metrics|^/apis/v1beta1/healthz)'
image: oauth-proxy:test5
ports:
- containerPort: 8443
name: oauth2-proxy
protocol: TCP
livenessProbe:
httpGet:
path: /oauth/healthz
port: oauth2-proxy
scheme: HTTPS
initialDelaySeconds: 30
timeoutSeconds: 1
periodSeconds: 5
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /oauth/healthz
port: oauth2-proxy
scheme: HTTPS
initialDelaySeconds: 5
timeoutSeconds: 1
periodSeconds: 5
successThreshold: 1
failureThreshold: 3
resources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 100m
memory: 256Mi
volumeMounts:
- mountPath: /etc/tls/private
name: proxy-tls
volumes:
- name: envoy-config
configMap:
name: ds-pipeline-metadata-envoy-config-testdsp5
defaultMode: 420
- name: proxy-tls
secret:
secretName: ds-pipelines-envoy-proxy-tls-testdsp5
defaultMode: 420
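Review bot: The fixture's pod spec goes straight from the container's `proxy-tls` mount to `volumes:` with no `serviceAccountName`, whereas the deployment template hunk inserts `serviceAccountName: ds-pipeline-metadata-envoy-{{.Name}}` before `volumes:`; unless that field is declared elsewhere in the fixture outside the hunk, the expected output does not match what the template renders. If it is missing, add `serviceAccountName: ds-pipeline-metadata-envoy-testdsp5` between the `proxy-tls` mount and `volumes:`. The fixture also pins `defaultMode: 420` on the new `proxy-tls` volume while the template leaves it unset, which is only consistent if the comparison tolerates defaulting — a one-line comment in the test stating that would save the next reader the same question.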
