From 4f7f2402bc2081ec3a4d3df0f096256ee07c918e Mon Sep 17 00:00:00 2001
From: Dmitry Kartsev
Date: Mon, 12 Feb 2024 19:46:50 +0200
Subject: [PATCH] add ns scope limited sso support

---
 api/v1/appdefaults.go | 6 +++---
 charts/cnvrg-mlops/templates/cap.yml | 2 +-
 charts/cnvrg-mlops/templates/hooks.yml | 4 ++--
 charts/cnvrg-mlops/values.yaml | 4 ++--
 pkg/app/sso/central.go | 15 +++++++++------
 pkg/app/sso/tmpl/jwks/cm.tpl | 1 +
 6 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/api/v1/appdefaults.go b/api/v1/appdefaults.go
index 98ad86e8..1cf341be 100644
--- a/api/v1/appdefaults.go
+++ b/api/v1/appdefaults.go
@@ -459,7 +459,7 @@ var ssoDefault = SSO{
 	Jwks: Jwks{
 		Enabled: false,
-		Image: "cnvrg/jwks:latest",
+		Image: "cnvrg/jwks:ns-watch-scope",
 		Replicas: 1,
 		SvcName: "cnvrg-jwks",
 		CacheImage: "redis:7.0.5",
@@ -470,7 +470,7 @@ var ssoDefault = SSO{
 		Enabled: false,
 		Replicas: 1,
 		SvcName: "sso-central",
-		CnvrgProxyImage: "cnvrg-proxy:v1.0.15",
+		CnvrgProxyImage: "cnvrg-proxy:ns-watch-scope",
 		OauthProxyImage: "oauth2-proxy:v7.4.ssov3.p6",
 		CentralUiImage: "centralsso:latest",
 		EmailDomain: []string{"*"},
@@ -492,7 +492,7 @@ var ssoDefault = SSO{
 	Proxy: CentralProxy{
 		Enabled: false,
 		Replicas: 1,
-		Image: "cnvrg-proxy:v1.0.15",
+		Image: "cnvrg-proxy:ns-watch-scope",
 		SvcName: "cnvrg-proxy-central",
 		Requests: Requests{
 			Cpu: "200m",
diff --git a/charts/cnvrg-mlops/templates/cap.yml b/charts/cnvrg-mlops/templates/cap.yml
index 97773bd6..8d39f7b2 100644
--- a/charts/cnvrg-mlops/templates/cap.yml
+++ b/charts/cnvrg-mlops/templates/cap.yml
@@ -1,7 +1,7 @@
 apiVersion: mlops.cnvrg.io/v1
 kind: CnvrgApp
 metadata:
-  name: {{ .Release.Name }}
+  name: cnvrg-app
   namespace: {{ .Release.Namespace}}
 spec:
   clusterDomain: {{.Values.clusterDomain}}
diff --git a/charts/cnvrg-mlops/templates/hooks.yml b/charts/cnvrg-mlops/templates/hooks.yml
index 4cc287be..e593c24c 100644
--- a/charts/cnvrg-mlops/templates/hooks.yml
+++ b/charts/cnvrg-mlops/templates/hooks.yml
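Review bot: Replacing `{{ .Release.Name }}` with the fixed `name: cnvrg-app` in cap.yml makes two releases of this chart in the same namespace render the same CnvrgApp object, and the post-delete hook in hooks.yml (`kubectl delete cnvrgapp cnvrg-app`) would then remove the object that belongs to the other release. If one CnvrgApp per namespace is now a hard assumption of the namespace-scoped watch, state it where it fails loudly rather than implicitly, e.g. a values comment plus a guard such as `{{- if ne .Release.Name "cnvrg-app" }}{{ fail "this chart renders a fixed CnvrgApp name; one release per namespace" }}{{- end }}`, or derive the name from a single named template that both cap.yml and hooks.yml use so the two cannot drift. The hooks.yml hunk below carries the same fixed name.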
@@ -23,8 +23,8 @@ spec:
         - |
           set -x
           echo "running cleanup"
-          kubectl delete cnvrgapp {{ .Release.Name }} -n {{ .Release.Namespace }} --ignore-not-found
-          while (( $(kubectl get cnvrgapp {{ .Release.Name }} -n {{ .Release.Namespace }} --ignore-not-found | grep {{ .Release.Name }} | wc -l ) != 0 )); do
+          kubectl delete cnvrgapp cnvrg-app -n {{ .Release.Namespace }} --ignore-not-found
+          while (( $(kubectl get cnvrgapp cnvrg-app -n {{ .Release.Namespace }} --ignore-not-found | grep cnvrg-app | wc -l ) != 0 )); do
             echo "waiting for cnvrgapp will be deleted. . . ";
             sleep 1
           done
diff --git a/charts/cnvrg-mlops/values.yaml b/charts/cnvrg-mlops/values.yaml
index acdbd3c0..478747fd 100644
--- a/charts/cnvrg-mlops/values.yaml
+++ b/charts/cnvrg-mlops/values.yaml
@@ -327,7 +327,7 @@ sso:
   jwks:
     enabled: false
     name: cnvrg-jwks
-    image: jwks:latest
+    image: jwks:ns-watch-scope
     cacheImage: redis:7.0.5
   central:
     enabled: false
@@ -356,7 +356,7 @@ sso:
         memory: 4Gi
     proxy:
       enabled: false
-      image: cnvrg-proxy:v1.0.15
+      image: cnvrg-proxy:ns-watch-scope
       address: ""
       readiness: true
       requests:
diff --git a/pkg/app/sso/central.go b/pkg/app/sso/central.go
index 9d9b6392..d5f76c84 100644
--- a/pkg/app/sso/central.go
+++ b/pkg/app/sso/central.go
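Review bot: The rewritten `while` line keeps an unbounded poll loop around `kubectl get ... | grep cnvrg-app | wc -l`, so if deletion of the CnvrgApp stalls (for instance a finalizer whose controller is already gone at uninstall time — inferred, not visible here) the hook spins until Helm's own hook timeout and the only diagnostic is the `set -x` trace. Since the name is now fixed, the loop and the grep header filter can be replaced by a single bounded, exact-name wait: `kubectl wait --for=delete cnvrgapp/cnvrg-app -n {{ .Release.Namespace }} --timeout=300s`, keeping the preceding `kubectl delete ... --ignore-not-found` as is. The hook's remaining YAML (activeDeadlineSeconds, restart policy) is outside the hunk, so whether a deadline already bounds this is not verifiable from the patch.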
@@ -74,12 +74,15 @@ func (c *CentralStateManager) proxyCfgData() map[string]interface{} {
 		groups = append(groups, c.domainId())
 	}
 	d := map[string]interface{}{
-		"Namespace": c.app.Namespace,
-		"EmailDomain": c.app.Spec.SSO.Central.EmailDomain,
-		"Provider": c.app.Spec.SSO.Central.Provider,
-		"ClientId": c.app.Spec.SSO.Central.ClientID,
-		"ClientSecret": c.app.Spec.SSO.Central.ClientSecret,
-		"RedirectUrl": fmt.Sprintf("%s://%s.%s", c.schema(), c.app.Spec.SSO.Central.SvcName, c.app.Spec.ClusterDomain),
+		"Namespace": c.app.Namespace,
+		"EmailDomain": c.app.Spec.SSO.Central.EmailDomain,
+		"Provider": c.app.Spec.SSO.Central.Provider,
+		"ClientId": c.app.Spec.SSO.Central.ClientID,
+		"ClientSecret": c.app.Spec.SSO.Central.ClientSecret,
+		"RedirectUrl": fmt.Sprintf("%s://%s.%s/oauth2/callback",
+			c.schema(),
+			c.app.Spec.SSO.Central.SvcName,
+			c.app.Spec.ClusterDomain),
 		"OidcIssuerURL": c.app.Spec.SSO.Central.OidcIssuerURL,
 		"Scope": c.app.Spec.SSO.Central.Scope,
 		"InsecureOidcAllowUnverifiedEmail": c.app.Spec.SSO.Central.InsecureOidcAllowUnverifiedEmail,
diff --git a/pkg/app/sso/tmpl/jwks/cm.tpl b/pkg/app/sso/tmpl/jwks/cm.tpl
index bd33ae82..328b61d0 100644
--- a/pkg/app/sso/tmpl/jwks/cm.tpl
+++ b/pkg/app/sso/tmpl/jwks/cm.tpl
@@ -18,6 +18,7 @@ data:
   config.yaml: |-
     discovery:
       secret:
+        namespace: {{.Namespace}}
         labelKey: domainId
         dataKey: CNVRG_PKI_PUBLIC_KEY
     cache:
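Review bot: The `/oauth2/callback` suffix now baked into the `RedirectUrl` format string is the exact redirect URI the identity provider must have on its allow-list, and nothing next to the literal says so; a comment on the `"RedirectUrl"` entry would stop the next reader from re-deriving it, e.g. `// RedirectUrl must match the redirect URI registered at the IdP verbatim; /oauth2/callback is oauth2-proxy's default callback path, so changing either side breaks the login round-trip.` Because the value changes from the bare `scheme://svc.domain` form, existing IdP client registrations that only allowed the old URI will start rejecting the callback after this upgrade, which is worth a line in the commit message or release notes. The enclosing proxyCfgData function begins before and ends after the hunk, so how `d` (including the `ClientSecret` entry) is consumed is not visible here.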
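Review bot: The new `namespace: {{.Namespace}}` line depends on the jwks template data carrying a `Namespace` key, and the code that builds that data is not part of this patch (the `"Namespace"` entry visible in central.go belongs to the proxy config, not jwks). If the data is a map and the key is absent, Go's text/template renders `<no value>` under its default `missingkey` option, so the discovery config would quietly point at a nonexistent namespace instead of failing; confirm the key is set where the jwks ConfigMap is rendered, or execute these templates with `template.Option("missingkey=error")` so the omission surfaces at reconcile time. Restricting secret discovery to one namespace here is a configuration-level limit only — the jwks ServiceAccount's RBAC is not in this diff, and the scope reduction only holds if that binding is a namespaced Role rather than a ClusterRole.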