From 90bcd672b6d1ec8489f22e04582e799a61b48618 Mon Sep 17 00:00:00 2001 From: "Ricardo M. Oliveira" Date: Fri, 5 Apr 2024 16:03:23 -0300 Subject: [PATCH] Add oauth2-proxy in mlmd envoy proxy pod --- ...md-envoy-dashboard-access-policy.yaml.tmpl | 7 ++- .../no-owner/clusterrolebinding.yaml.tmpl | 3 ++ .../metadata-envoy.deployment.yaml.tmpl | 51 +++++++++++++++++++ .../metadata-envoy.route.yaml.tmpl | 20 ++++++++ .../metadata-envoy.service.yaml.tmpl | 5 ++ .../metadata-envoy.serviceaccount.yaml.tmpl | 10 ++++ .../created/metadata-envoy_deployment.yaml | 51 +++++++++++++++++++ 7 files changed, 143 insertions(+), 4 deletions(-) create mode 100644 config/internal/ml-metadata/metadata-envoy.route.yaml.tmpl create mode 100644 config/internal/ml-metadata/metadata-envoy.serviceaccount.yaml.tmpl diff --git a/config/internal/common/default/mlmd-envoy-dashboard-access-policy.yaml.tmpl b/config/internal/common/default/mlmd-envoy-dashboard-access-policy.yaml.tmpl index f460040c..46ac120f 100644 --- a/config/internal/common/default/mlmd-envoy-dashboard-access-policy.yaml.tmpl +++ b/config/internal/common/default/mlmd-envoy-dashboard-access-policy.yaml.tmpl @@ -9,14 +9,13 @@ spec: app: ds-pipeline-metadata-envoy-{{ .Name }} component: data-science-pipelines ingress: + - ports: + - protocol: TCP + port: 8443 - ports: - protocol: TCP port: 9090 from: - - podSelector: - matchLabels: - app: odh-dashboard - namespaceSelector: {} - podSelector: matchLabels: component: data-science-pipelines diff --git a/config/internal/common/no-owner/clusterrolebinding.yaml.tmpl b/config/internal/common/no-owner/clusterrolebinding.yaml.tmpl index edf0b407..e8b1ebf3 100644 --- a/config/internal/common/no-owner/clusterrolebinding.yaml.tmpl +++ b/config/internal/common/no-owner/clusterrolebinding.yaml.tmpl @@ -13,3 +13,6 @@ subjects: - kind: ServiceAccount namespace: {{.Namespace}} name: ds-pipeline-{{.Name}} + - kind: ServiceAccount + namespace: {{.Namespace}} + name: ds-pipeline-metadata-envoy-{{.Name}} 
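Review bot: The new 8443 ingress rule carries no `from:`, so any pod in the cluster can reach oauth-proxy directly, while the 9090 rule is at the same time narrowed to same-namespace `component: data-science-pipelines` pods by dropping the odh-dashboard selector. oauth-proxy authenticates every request, so this is defensible, but if the only intended client of 8443 is the OpenShift router, the rule can be tightened with a `from:` carrying a `namespaceSelector` for the ingress namespace (the label used for that namespace differs by network plugin, so confirm it against the cluster). A one-line comment above the 8443 rule stating that it is deliberately cluster-wide because requests arrive via the Route would also save the next reader from guessing.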
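Review bot: The new `ds-pipeline-metadata-envoy-{{.Name}}` ServiceAccount is added as a subject of the same ClusterRoleBinding as the main pipeline ServiceAccount, but what oauth-proxy needs for `--openshift-delegate-urls` and `--openshift-sar` is only `create` on `tokenreviews` and `subjectaccessreviews`. The ClusterRole's rules are outside this hunk; if it grants more than that (which seems likely given it serves the pipeline server), a dedicated binding for the proxy account would keep it at least privilege. The binding's `roleRef` and the `subjects:` list start above the hunk.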
diff --git a/config/internal/ml-metadata/metadata-envoy.deployment.yaml.tmpl b/config/internal/ml-metadata/metadata-envoy.deployment.yaml.tmpl index 22cd11e7..1831f79c 100644 --- a/config/internal/ml-metadata/metadata-envoy.deployment.yaml.tmpl +++ b/config/internal/ml-metadata/metadata-envoy.deployment.yaml.tmpl @@ -71,7 +71,58 @@ spec: - mountPath: /etc/envoy.yaml name: envoy-config subPath: envoy.yaml + - name: oauth-proxy + args: + - --https-address=:8443 + - --provider=openshift + - --openshift-service-account=ds-pipeline-metadata-envoy-{{.Name}} + - --upstream=http://localhost:9090 + - --tls-cert=/etc/tls/private/tls.crt + - --tls-key=/etc/tls/private/tls.key + - --cookie-secret=SECRET + - '--openshift-delegate-urls={"/": {"group":"route.openshift.io","resource":"routes","verb":"get","name":"ds-pipeline-metadata-envoy-{{.Name}}","namespace":"{{.Namespace}}"}}' + - '--openshift-sar={"namespace":"{{.Namespace}}","resource":"routes","resourceName":"ds-pipeline-metadata-envoy-{{.Name}}","verb":"get","resourceAPIGroup":"route.openshift.io"}' + - --skip-auth-regex='(^/metrics|^/apis/v1beta1/healthz)' + image: {{.OAuthProxy}} + ports: + - containerPort: 8443 + name: oauth2-proxy + protocol: TCP + livenessProbe: + httpGet: + path: /oauth/healthz + port: oauth2-proxy + scheme: HTTPS + initialDelaySeconds: 30 + timeoutSeconds: 1 + periodSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /oauth/healthz + port: oauth2-proxy + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 100m + memory: 256Mi + volumeMounts: + - mountPath: /etc/tls/private + name: proxy-tls + serviceAccountName: ds-pipeline-metadata-envoy-{{.Name}} volumes: - name: envoy-config configMap: name: ds-pipeline-metadata-envoy-config-{{.Name}} + - name: proxy-tls + secret: + secretName: ds-pipelines-envoy-proxy-tls-{{.Name}} 
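Review bot: `--cookie-secret=SECRET` hard-codes the key that signs and encrypts the oauth-proxy session cookie, and the same literal is rendered into every instance and into the case_5 fixture in the last hunk, so the cookie offers no protection beyond the value being known. The value should be a per-instance random secret taken from a Kubernetes Secret, for example via `--cookie-secret-file` with the Secret mounted into the container, as sketched below. Separately, `--skip-auth-regex='(^/metrics|^/apis/v1beta1/healthz)'` passes the single quotes as part of the argument because container args are not shell-parsed, so the `^` anchors follow a literal `'` and never match; drop the quotes, and check whether `/apis/v1beta1/healthz` is a path this envoy serves at all rather than one copied from the API server deployment. The container list and pod spec start above the hunk.
```yaml
        - --cookie-secret-file=/etc/oauth/config/cookie_secret  # constructed mount path; adjust to project convention
        # … unchanged: remaining args, image, ports, probes, resources …
        volumeMounts:
        - mountPath: /etc/tls/private
          name: proxy-tls
        - mountPath: /etc/oauth/config
          name: oauth-cookie-secret
          readOnly: true
      serviceAccountName: ds-pipeline-metadata-envoy-{{.Name}}
      volumes:
      # … unchanged: envoy-config, proxy-tls …
      - name: oauth-cookie-secret
        secret:
          secretName: <PLACEHOLDER: per-instance generated cookie Secret>
```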
diff --git a/config/internal/ml-metadata/metadata-envoy.route.yaml.tmpl b/config/internal/ml-metadata/metadata-envoy.route.yaml.tmpl new file mode 100644 index 00000000..04354643 --- /dev/null +++ b/config/internal/ml-metadata/metadata-envoy.route.yaml.tmpl @@ -0,0 +1,20 @@ +kind: Route +apiVersion: route.openshift.io/v1 +metadata: + name: ds-pipeline-metadata-envoy-{{.Name}} + namespace: {{.Namespace}} + labels: + app: ds-pipeline-metadata-envoy-{{.Name}} + component: data-science-pipelines + annotations: + kubernetes.io/tls-acme: "true" +spec: + to: + kind: Service + name: ds-pipeline-metadata-envoy-{{.Name}} + weight: 100 + port: + targetPort: oauth2-proxy + tls: + termination: Reencrypt + insecureEdgeTerminationPolicy: Redirect diff --git a/config/internal/ml-metadata/metadata-envoy.service.yaml.tmpl b/config/internal/ml-metadata/metadata-envoy.service.yaml.tmpl index 3813d89c..616fb4d4 100644 --- a/config/internal/ml-metadata/metadata-envoy.service.yaml.tmpl +++ b/config/internal/ml-metadata/metadata-envoy.service.yaml.tmpl @@ -5,12 +5,17 @@ metadata: app: ds-pipeline-metadata-envoy-{{.Name}} component: data-science-pipelines name: ds-pipeline-metadata-envoy-{{.Name}} + annotations: + service.beta.openshift.io/serving-cert-secret-name: ds-pipelines-envoy-proxy-tls-{{.Name}} namespace: {{.Namespace}} spec: ports: - name: md-envoy port: 9090 protocol: TCP + - name: oauth2-proxy + port: 8443 + protocol: TCP selector: app: ds-pipeline-metadata-envoy-{{.Name}} component: data-science-pipelines diff --git a/config/internal/ml-metadata/metadata-envoy.serviceaccount.yaml.tmpl b/config/internal/ml-metadata/metadata-envoy.serviceaccount.yaml.tmpl new file mode 100644 index 00000000..a73bf1b6 --- /dev/null +++ b/config/internal/ml-metadata/metadata-envoy.serviceaccount.yaml.tmpl 
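Review bot: The `kubernetes.io/tls-acme: "true"` annotation on the new Route has no effect unless an ACME controller that watches Routes is installed, and the Route is already served by the service serving certificate through `termination: Reencrypt`, so it reads as copied from an Ingress template. Either remove it or add a comment naming the controller that consumes it, e.g. `# consumed by <ACME controller name>; harmless otherwise`. `insecureEdgeTerminationPolicy: Redirect` is the right choice here and needs no change.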
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ds-pipeline-metadata-envoy-{{.Name}} + namespace: {{.Namespace}} + annotations: + serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"ds-pipeline-metadata-envoy-{{.Name}}"}}' + labels: + app: ds-pipeline-metadata-envoy-{{.Name}} + component: data-science-pipelines diff --git a/controllers/testdata/declarative/case_5/expected/created/metadata-envoy_deployment.yaml b/controllers/testdata/declarative/case_5/expected/created/metadata-envoy_deployment.yaml index baeade1f..dc68c1e9 100644 --- a/controllers/testdata/declarative/case_5/expected/created/metadata-envoy_deployment.yaml +++ b/controllers/testdata/declarative/case_5/expected/created/metadata-envoy_deployment.yaml 
@@ -61,8 +61,59 @@ spec: - mountPath: /etc/envoy.yaml name: envoy-config subPath: envoy.yaml + - name: oauth-proxy + args: + - --https-address=:8443 + - --provider=openshift + - --openshift-service-account=ds-pipeline-metadata-envoy-testdsp5 + - --upstream=http://localhost:9090 + - --tls-cert=/etc/tls/private/tls.crt + - --tls-key=/etc/tls/private/tls.key + - --cookie-secret=SECRET + - '--openshift-delegate-urls={"/": {"group":"route.openshift.io","resource":"routes","verb":"get","name":"ds-pipeline-metadata-envoy-testdsp5","namespace":"default"}}' + - '--openshift-sar={"namespace":"default","resource":"routes","resourceName":"ds-pipeline-metadata-envoy-testdsp5","verb":"get","resourceAPIGroup":"route.openshift.io"}' + - --skip-auth-regex='(^/metrics|^/apis/v1beta1/healthz)' + image: oauth-proxy:test5 + ports: + - containerPort: 8443 + name: oauth2-proxy + protocol: TCP + livenessProbe: + httpGet: + path: /oauth/healthz + port: oauth2-proxy + scheme: HTTPS + initialDelaySeconds: 30 + timeoutSeconds: 1 + periodSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /oauth/healthz + port: oauth2-proxy + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 100m + memory: 256Mi + volumeMounts: + - mountPath: /etc/tls/private + name: proxy-tls volumes: - name: envoy-config configMap: name: ds-pipeline-metadata-envoy-config-testdsp5 defaultMode: 420 + - name: proxy-tls + secret: + secretName: ds-pipelines-envoy-proxy-tls-testdsp5 + defaultMode: 420
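Review bot: The expected fixture adds the oauth-proxy container and `proxy-tls` volume but does not contain the `serviceAccountName: ds-pipeline-metadata-envoy-testdsp5` line that the template hunk adds to the pod spec before `volumes:`. If the declarative comparison is exact the test will fail on that field; if it is subset-based, the ServiceAccount wiring that the OAuth login depends on goes unverified. Add `      serviceAccountName: ds-pipeline-metadata-envoy-testdsp5` directly above `volumes:` in the fixture. The `--cookie-secret=SECRET` and quoted `--skip-auth-regex` issues raised on the template hunk apply to this fixture as well.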