Enable oauth2-proxy sign-in page + fix CSRF cookie accumulation

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
kubeflow · Sep 3, 2024 · 939010b · 939010b
1 parent a27b7d4
commit 939010b
Show file tree

Hide file tree

Showing 5 changed files with 113 additions and 66 deletions.
diff --git a/common/oauth2-proxy/base/deployment.yaml b/common/oauth2-proxy/base/deployment.yaml
@@ -15,10 +15,12 @@ spec:
         app.kubernetes.io/name: oauth2-proxy
     spec:
       volumes:
-      - name: configmain
+      - name: oauth2-proxy-config
         configMap:
           name: oauth2-proxy
-          defaultMode: 420
+      - name: oauth2-proxy-theme
+        configMap:
+          name: oauth2-proxy-theme
       containers:
       - name: oauth2-proxy
         image: quay.io/oauth2-proxy/oauth2-proxy:latest
@@ -69,17 +71,22 @@ spec:
               name: oauth2-proxy-parameters
               key: EXTRA_JWT_ISSUERS
         volumeMounts:
-        - name: configmain
+        - name: oauth2-proxy-config
           mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
           subPath: oauth2_proxy.cfg
+          readOnly: true
+        - name: oauth2-proxy-theme
+          mountPath: /custom-theme/kubeflow-logo.svg
+          subPath: kubeflow-logo.svg
+          readOnly: true
         livenessProbe:
           httpGet:
             path: /ping
             port: http
             scheme: HTTP
         readinessProbe:
           httpGet:
-            path: /ping
+            path: /ready
             port: http
             scheme: HTTP
         resources: {}
diff --git a/common/oauth2-proxy/base/kubeflow-logo.svg b/common/oauth2-proxy/base/kubeflow-logo.svg
diff --git a/common/oauth2-proxy/base/kustomization.yaml b/common/oauth2-proxy/base/kustomization.yaml
@@ -6,7 +6,6 @@ namespace: oauth2-proxy
 resources:
 - namespace.yaml
 - deployment.yaml
-- oauth2-proxy-config.yaml
 - serviceaccount.yaml
 - service.yaml
 - virtualservice.yaml
@@ -20,6 +19,14 @@ secretGenerator:
   - cookie-secret=7d16fee92f8d11b8940b081b3f8b8acb
 
 configMapGenerator:
+- name: oauth2-proxy
+  files:
+  - oauth2_proxy.cfg
+
+- name: oauth2-proxy-theme
+  files:
+  - kubeflow-logo.svg
+
 - name: oauth2-proxy-parameters
   literals:
   # This will configure oauth2-proxy option --cookie-secure which can force

diff --git a/common/oauth2-proxy/base/oauth2-proxy-config.yaml b/common/oauth2-proxy/base/oauth2-proxy-config.yaml
diff --git a/common/oauth2-proxy/base/oauth2_proxy.cfg b/common/oauth2-proxy/base/oauth2_proxy.cfg
@@ -0,0 +1,79 @@
+provider = "oidc"
+oidc_issuer_url = "http://dex.auth.svc.cluster.local:5556/dex"
+scope = "profile email groups openid"
+email_domains = [ "*" ]
+
+# serve a static HTTP 200 upstream on for authentication success
+# we are using oauth2-proxy as an ExtAuthz to "check" each request, not pass it on
+upstreams = [ "static://200" ]
+
+# skip authentication for these paths
+skip_auth_routes = [
+  "^/dex/",
+]
+
+# requests to paths matching these regex patterns will receive a 401 Unauthorized response
+# when not authenticated, instead of being redirected to the login page with a 302,
+# this prevents background requests being redirected to the login page,
+# and the accumulation of CSRF cookies
+api_routes = [
+  # Generic
+  # NOTE: included because most background requests contain these paths
+  "/api/",
+  "/apis/",
+
+  # Kubeflow Pipelines
+  # NOTE: included because KFP UI makes MANY background requests to these paths but because they are
+  #       not `application/json` requests, oauth2-proxy will redirect them to the login page
+  "^/ml_metadata",
+]
+
+# OIDC Discovery has to be skipped and login url has to be provided directly
+# in order to enable relative auth redirect. Using OIDC Discovery would set
+# the redirect location to http://dex.auth.svc.cluster.local:5556 in the example
+# installation. This address is usually not available through the Web Browser.
+# If you have a setup where dex has it's url as other than the in-cluster
+# service, this is optional.
+skip_oidc_discovery = true
+login_url = "/dex/auth"
+redeem_url = "http://dex.auth.svc.cluster.local:5556/dex/token"
+oidc_jwks_url = "http://dex.auth.svc.cluster.local:5556/dex/keys"
+
+# if `false`, a sign-in page is displayed before starting the login flow
+# prevents background requests starting their own login flow on token expiry,
+# which can lead to many CSRF cookies, potentially exceeding the cookie limit
+skip_provider_button = false
+
+# style the sign-in page
+provider_display_name = "Dex"
+custom_sign_in_logo = "/custom-theme/kubeflow-logo.svg"
+banner = "-"
+footer = "-"
+
+# oauth2-proxy sends "force" by default, which causes dex to always prompt for login
+# https://github.com/dexidp/dex/pull/3086
+prompt = "none"
+
+# set Authorization Bearer response header. This is needed in order to
+# forward the Authorization Bearer token to Istio and enable authorization
+# based on JWT.
+set_authorization_header = true
+
+# set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and
+# X-Auth-Request-Preferred-Username. This is optional for Kubeflow but you
+# may have other services that use standard auth headers.
+set_xauthrequest = true
+
+cookie_name = "oauth2_proxy_kubeflow"
+
+# Dex default cookie expiration is 24h.
+# If set to 168h (default oauth2-proxy), Istio will not be able to use the JWT after 24h,
+# but oauth2-proxy will still consider the cookie valid.
+# It's possible to configure the JWT Refresh Token to enable longer login session.
+cookie_expire = "24h"
+cookie_refresh = 0
+
+code_challenge_method = "S256"
+
+redirect_url = "/oauth2/callback"
+relative_redirect_url = true