Add OAuth2-Proxy sidecar

Author: BenGalewsky

.gitignore

@@ -2,3 +2,6 @@
 
 # dependencies (helm dep up)
 charts/*/charts/
+charts/mlflow/deployed-values
+.idea/
+

charts/mlflow/Chart.yaml

@@ -8,12 +8,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.3
+version: 1.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 1.24.0
+appVersion: 2.1.1
 
 # List of people that maintain this helm chart.
 maintainers:

charts/mlflow/templates/deployment.yaml

@@ -62,9 +62,11 @@ spec:
                 value: "{{ .Values.minio.auth.rootPassword }}"
             {{- end }}
           args: ["server",
-                 "--backend-store-uri", "{{- template "services.postgres.uri" .}}",
-                 "--default-artifact-root", "{{- template "services.minio.uri" . }}",
-                 "--host", "0.0.0.0"]
+                 "--backend-store-uri", "{{- template "services.postgres.uri" . }}",
+                 "--artifacts-destination", "s3://{{ .Values.oauth2Proxy.clientID }}",
+                 "--serve-artifacts",
+                 "--host", "0.0.0.0",
+                 "--port", "5000"]
           ports:
             - name: mlflow
               containerPort: 5000
@@ -79,8 +81,37 @@ spec:
 #            httpGet:
 #              path: /
 #              port: mlflow
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+{{- if .Values.oauth2Proxy.enabled }}
+        - name: sidecar
+          image: "{{- .Values.oauth2Proxy.repository}}:{{- .Values.oauth2Proxy.tag}}"
+
+          volumeMounts:
+            - name: oauth2-config
+              mountPath: "/etc/oauth2-proxy"
+              readOnly: true
+
+          ports:
+            - name: https
+              containerPort: 8443
+              protocol: TCP
+
+          env:
+            - name: OAUTH2_PROXY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.oauth2Proxy.secret }}
+                  key: client_secret
+            - name: OAUTH2_PROXY_COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.oauth2Proxy.secret }}
+                  key: cookie_secret
+
+          args: ["--http-address", "0.0.0.0:8443",
+                 "--upstream", "http://localhost:5000",
+                 "--config", "/etc/oauth2-proxy/config.cfg"
+          ]
+
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -93,3 +124,8 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      volumes:
+        - name: oauth2-config
+          configMap:
+            name: {{ include "mlflow.fullname" . }}-oauth2-config
+{{- end }}

charts/mlflow/templates/oauth2-config.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.oauth2Proxy.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "mlflow.fullname" . }}-oauth2-config
+  labels:
+    {{- include "mlflow.labels" . | nindent 4 }}
+data:
+  config.cfg: |
+    client_id = "{{ .Values.oauth2Proxy.clientID }}"
+    set_authorization_header = true	
+    skip_jwt_bearer_tokens = true
+    request_logging=true
+    auth_logging=true
+    standard_logging=true
+    provider = "{{- .Values.oauth2Proxy.provider }}"
+    cookie_secure = "false"
+    cookie_refresh = "{{- .Values.oauth2Proxy.cookieRefresh }}"
+    email_domains = "{{- .Values.oauth2Proxy.emailDomains }}"
+    {{- with (first .Values.ingress.hosts) }}
+    redirect_url = "https://{{- .host }}"
+    {{- end }}
+            
+    allowed_roles = 	"{{- .Values.oauth2Proxy.keycloak.allowed_roles }}" 
+    
+    oidc_issuer_url = "{{- .Values.oauth2Proxy.oidc.oidc_issuer_url }}" 
+    oidc_jwks_url = "{{- .Values.oauth2Proxy.oidc.oidc_jwks_url }}"
+    oidc_email_claim = "{{- .Values.oauth2Proxy.oidc.oidc_email_claim }}" 
+    oidc_groups_claim = "{{- .Values.oauth2Proxy.oidc.oidc_groups_claim }}" 
+
+  {{- end }}

charts/mlflow/templates/service.yaml

@@ -8,7 +8,11 @@ spec:
   type: {{ .Values.service.type }}
   ports:
     - port: {{ .Values.service.port }}
+      {{- if .Values.oauth2Proxy.enabled }}
+      targetPort: https
+      {{- else }}
       targetPort: mlflow
+      {{- end }}
       protocol: TCP
       name: mlflow
   selector:

charts/mlflow/values.yaml

@@ -33,6 +33,41 @@ minio:
   auth:
     rootPassword: leftfoot1
 
+
+oauth2Proxy:
+  enabled: true
+  repository: "bitnami/oauth2-proxy"
+  tag: "7.4.0"
+
+  ## Name of Kubernetes secret holding
+  ##   cookie_secret
+  ##   client_secret
+  secret:
+
+  ## This should match the client ID for your provider
+  clientID:
+  provider: "keycloak-oidc"
+
+  emailDomains: "*"
+  cookieRefresh: "5m"
+  keycloak:
+    # restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider.
+    allowed_roles:
+
+  oidc:
+    # the OpenID Connect issuer URL, e.g. "https://accounts.google.com"
+    oidc_issuer_url:
+
+    # OIDC JWKS URI for token verification; required if OIDC discovery is disabled
+    oidc_jwks_url:
+
+    # which OIDC claim contains the user's email?
+    oidc_email_claim:
+
+    # which OIDC claim contains the user groups?
+    oidc_groups_claim:
+
+
 serviceAccount:
   # Specifies whether a service account should be created
   create: true