add ns scope limited sso support

api/v1/appdefaults.go

@@ -459,7 +459,7 @@ var ssoDefault = SSO{
 
 	Jwks: Jwks{
 		Enabled:      false,
-		Image:        "cnvrg/jwks:latest",
+		Image:        "cnvrg/jwks:ns-watch-scope",
 		Replicas:     1,
 		SvcName:      "cnvrg-jwks",
 		CacheImage:   "redis:7.0.5",
@@ -470,7 +470,7 @@ var ssoDefault = SSO{
 		Enabled:                          false,
 		Replicas:                         1,
 		SvcName:                          "sso-central",
-		CnvrgProxyImage:                  "cnvrg-proxy:v1.0.15",
+		CnvrgProxyImage:                  "cnvrg-proxy:ns-watch-scope",
 		OauthProxyImage:                  "oauth2-proxy:v7.4.ssov3.p6",
 		CentralUiImage:                   "centralsso:latest",
 		EmailDomain:                      []string{"*"},
@@ -492,7 +492,7 @@ var ssoDefault = SSO{
 	Proxy: CentralProxy{
 		Enabled:  false,
 		Replicas: 1,
-		Image:    "cnvrg-proxy:v1.0.15",
+		Image:    "cnvrg-proxy:ns-watch-scope",
 		SvcName:  "cnvrg-proxy-central",
 		Requests: Requests{
 			Cpu:    "200m",

charts/cnvrg-mlops/templates/cap.yml

@@ -1,7 +1,7 @@
 apiVersion: mlops.cnvrg.io/v1
 kind: CnvrgApp
 metadata:
-  name: {{ .Release.Name }}
+  name: cnvrg-app
   namespace: {{ .Release.Namespace}}
 spec:
   clusterDomain: {{.Values.clusterDomain}}

charts/cnvrg-mlops/templates/hooks.yml

@@ -23,8 +23,8 @@ spec:
             - |
               set -x
               echo "running cleanup"
-              kubectl delete cnvrgapp {{ .Release.Name }} -n {{ .Release.Namespace }} --ignore-not-found
-              while (( $(kubectl get cnvrgapp {{ .Release.Name }} -n {{ .Release.Namespace }} --ignore-not-found | grep {{ .Release.Name }} | wc -l ) != 0 )); do
+              kubectl delete cnvrgapp cnvrg-app -n {{ .Release.Namespace }} --ignore-not-found
+              while (( $(kubectl get cnvrgapp cnvrg-app -n {{ .Release.Namespace }} --ignore-not-found | grep cnvrg-app | wc -l ) != 0 )); do
                 echo "waiting for cnvrgapp will be deleted. . . ";
                 sleep 1
               done

charts/cnvrg-mlops/values.yaml

@@ -327,7 +327,7 @@ sso:
   jwks:
     enabled: false
     name: cnvrg-jwks
-    image: jwks:latest
+    image: jwks:ns-watch-scope
     cacheImage: redis:7.0.5
   central:
     enabled: false
@@ -356,7 +356,7 @@ sso:
       memory: 4Gi
   proxy:
     enabled: false
-    image: cnvrg-proxy:v1.0.15
+    image: cnvrg-proxy:ns-watch-scope
     address: ""
     readiness: true
     requests:

pkg/app/sso/central.go

@@ -74,12 +74,15 @@ func (c *CentralStateManager) proxyCfgData() map[string]interface{} {
 		groups = append(groups, c.domainId())
 	}
 	d := map[string]interface{}{
-		"Namespace":                        c.app.Namespace,
-		"EmailDomain":                      c.app.Spec.SSO.Central.EmailDomain,
-		"Provider":                         c.app.Spec.SSO.Central.Provider,
-		"ClientId":                         c.app.Spec.SSO.Central.ClientID,
-		"ClientSecret":                     c.app.Spec.SSO.Central.ClientSecret,
-		"RedirectUrl":                      fmt.Sprintf("%s://%s.%s", c.schema(), c.app.Spec.SSO.Central.SvcName, c.app.Spec.ClusterDomain),
+		"Namespace":    c.app.Namespace,
+		"EmailDomain":  c.app.Spec.SSO.Central.EmailDomain,
+		"Provider":     c.app.Spec.SSO.Central.Provider,
+		"ClientId":     c.app.Spec.SSO.Central.ClientID,
+		"ClientSecret": c.app.Spec.SSO.Central.ClientSecret,
+		"RedirectUrl": fmt.Sprintf("%s://%s.%s/oauth2/callback",
+			c.schema(),
+			c.app.Spec.SSO.Central.SvcName,
+			c.app.Spec.ClusterDomain),
 		"OidcIssuerURL":                    c.app.Spec.SSO.Central.OidcIssuerURL,
 		"Scope":                            c.app.Spec.SSO.Central.Scope,
 		"InsecureOidcAllowUnverifiedEmail": c.app.Spec.SSO.Central.InsecureOidcAllowUnverifiedEmail,

pkg/app/sso/tmpl/jwks/cm.tpl

@@ -18,6 +18,7 @@ data:
   config.yaml: |-
     discovery:
       secret:
+        namespace: {{.Namespace}}
         labelKey: domainId
         dataKey: CNVRG_PKI_PUBLIC_KEY
     cache: