Kubeflow Dex 와 Keycloak 연동 가이드

Kubeflow Dex 와 Keycloak 연동 가이드이며 아래 URL 참고
https://github.com/kubeflow/manifests/tree/master/common/dex

Keycloak 설정

KeyCloak Relm 생성

• Realm name :mlops

KeyCloak Client 생성

• Client type : OpenID Connect
• Client ID : kubeflow-oidc-authservice
• Client authentication : On
• Authentication flow : Standard flow, Direct access grants 만 체크
• Root URL : https://kubeflow.wooyoung85.net
• Home URL : https://kubeflow.wooyoung85.net
• Valid redirect URIs : https://kubeflow.wooyoung85.net/dex/callback
• Valid post logout redirect URIs : https://kubeflow.wooyoung85.net/oauth2/sign_out
• Web origins : *

Dex Config Map 수정

실제 운영 환경에서는 staticPasswords 사용하지 않는 것을 권장함

cp ~/manifests/common/dex/overlays/oauth2-proxy/config-map.yaml ~/manifests/common/dex/overlays/oauth2-proxy/config-map_bak.yaml

KEYCLOAK_ISSUER="https://keycloak.wooyoung85.net/realms/mlops"
CLIENT_ID="kubeflow-oidc-authservice"
CLIENT_SECRET="IbhvH5HYzejARgsSTql5UPeWtgwPvh4g"    # kubeflow-oidc-authservice 의 Client Secret으로 업데이트 필수!
REDIRECT_URI="https://kubeflow.wooyoung85.net/dex/callback"
DEX_ISSUER="https://kubeflow.wooyoung85.net/dex"
 
tee ~/manifests/common/dex/overlays/oauth2-proxy/config-map.yaml <<- DEX_CONFIG
apiVersion: v1
kind: ConfigMap
metadata:
  name: dex
data:
  config.yaml: |
    issuer: $DEX_ISSUER
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      http: 0.0.0.0:5556
    logger:
      level: "debug"
      format: text
    oauth2:
      skipApprovalScreen: true
    enablePasswordDB: false
    #### WARNING YOU SHOULD NOT USE THE DEFAULT STATIC PASSWORDS
    #### and patch /common/dex/base/dex-passwords.yaml in a Kustomize overlay or remove it
    storage:
      type: sqlite3
      config:
        file: /var/dex/dex.db
    enablePasswordDB: true    
    staticPasswords:
    - email: user@example.com
      hashFromEnv: DEX_USER_PASSWORD
      username: user
      userID: "15841185641784"
    - email: resu@example.com
      hash: \$2a\$12\$omrdWnytbefYDn.ifiN36O2iB2zHYn.vcZfQRLh.B6dn7OS7rgf.C
      username: resu
      userID: "15841185641785"
    #### WARNING YOU SHOULD NOT USE THE DEFAULT STATIC PASSWORDS      
    staticClients:
    # https://github.com/dexidp/dex/pull/1664
    - idEnv: OIDC_CLIENT_ID
      redirectURIs: ["/oauth2/callback"]
      name: 'Dex Login Application'
      secretEnv: OIDC_CLIENT_SECRET
    #### Here come the connectors to OIDC providers such as Azure, GCP, GitHub, GitLab etc.
    #### Connector config values starting with a "$" will read from the environment.
    connectors:
    - type: oidc
      id: keycloak
      name: keycloak
      config:
        issuer: $KEYCLOAK_ISSUER
        clientID: $CLIENT_ID
        clientSecret: $CLIENT_SECRET
        redirectURI: $REDIRECT_URI
        insecure: false
        insecureSkipEmailVerified: true
        userNameKey: email       
        scopes:
          - openid
          - profile
          - email
          - offline_access
DEX_CONFIG
 
 
cd ~/manifests
kustomize build common/dex/overlays/oauth2-proxy | kubectl delete -f -
kustomize build common/dex/overlays/oauth2-proxy | kubectl apply -f -
sleep 5
kubectl logs -n auth deployments/dex -f

OAuth2 Proxy Config 수정

cp ~/manifests/common/oauth2-proxy/base/oauth2_proxy.cfg ~/manifests/common/oauth2-proxy/base/oauth2_proxy_bak.cfg
 
DEX_ISSUER="https://kubeflow.wooyoung85.net/dex"
tee ~/manifests/common/oauth2-proxy/base/oauth2_proxy.cfg <<- OAUTH2_PROXY_CONFIG
provider = "oidc"
oidc_issuer_url = "$DEX_ISSUER"
scope = "profile email offline_access openid"
email_domains = "*"
insecure_oidc_allow_unverified_email = "true"
 
upstreams = [ "static://200" ]
 
skip_auth_routes = [
  "^/dex/",
]
 
api_routes = [
  "/api/",
  "/apis/",
  "^/ml_metadata",
]
 
skip_oidc_discovery = true
login_url = "/dex/auth"
redeem_url = "http://dex.auth.svc.cluster.local:5556/dex/token"
oidc_jwks_url = "http://dex.auth.svc.cluster.local:5556/dex/keys"
 
skip_provider_button = false
 
provider_display_name = "Dex"
custom_sign_in_logo = "/custom-theme/kubeflow-logo.svg"
banner = "-"
footer = "-"
 
prompt = "none"
 
set_authorization_header = true
 
set_xauthrequest = true
 
cookie_name = "oauth2_proxy_kubeflow"
cookie_expire = "24h"
cookie_refresh = 0
 
code_challenge_method = "S256"
 
redirect_url = "/oauth2/callback"
relative_redirect_url = true
OAUTH2_PROXY_CONFIG
 
 
cd ~/manifests
kustomize build common/oauth2-proxy/overlays/m2m-dex-only/ | kubectl delete -f -
sleep 5;
kustomize build common/oauth2-proxy/overlays/m2m-dex-only/ | kubectl apply -f -
sleep 5;
kubectl logs -n oauth2-proxy deployments/oauth2-proxy -f

Istio Request Authentication Config 수정

cp ~/manifests/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml ~/manifests/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt_bak.yaml
 
DEX_ISSUER="https://kubeflow.wooyoung85.net/dex"
tee ~/manifests/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml <<- ISTIO_REQUEST_AUTH_CONFIG
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: dex-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
  - issuer: $DEX_ISSUER
    forwardOriginalToken: true
    outputClaimToHeaders:
    - header: kubeflow-userid
      claim: email
    - header: kubeflow-groups
      claim: groups
    fromHeaders:
    - name: Authorization
      prefix: "Bearer "
ISTIO_REQUEST_AUTH_CONFIG
 
cd ~/manifests
kustomize build common/istio-1-22/istio-install/overlays/oauth2-proxy | kubectl delete -f -
kustomize build common/istio-1-22/istio-install/overlays/oauth2-proxy | kubectl apply -f -
kustomize build common/oauth2-proxy/overlays/m2m-dex-only/ | kubectl delete -f -
kustomize build common/oauth2-proxy/overlays/m2m-dex-only/ | kubectl apply -f -
sleep 5
kubectl logs -n istio-system deployments/istio-ingressgateway -f