Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
339c958
helm: add oauth2-proxy wrapper chart
danish9039 May 21, 2026
3f1b199
helm: address oauth2-proxy review comments
danish9039 May 25, 2026
728b3b6
helm: align oauth2-proxy wrapper with v7.15.2
danish9039 May 26, 2026
92695f9
helm: use foundation-owned oauth2-proxy namespace
danish9039 Jun 7, 2026
aff1225
helm: fix oauth2-proxy namespace names
danish9039 Jun 9, 2026
57245d4
helm: move oauth2-proxy chart to common/oauth2-proxy/helm
danish9039 Jun 15, 2026
494c3c2
test: add oauth2-proxy component to helm_kustomize_compare.sh
danish9039 Jun 15, 2026
3f8fb3a
helm: address oauth2-proxy review comments
danish9039 Jun 15, 2026
4ab99c6
test: keep oauth2-proxy hash normalization scoped
danish9039 Jun 15, 2026
0dc0ba2
helm: restore oauth2-proxy parity fixture values
danish9039 Jun 21, 2026
beb25b2
test: clean oauth2-proxy helm comparison style
danish9039 Jun 27, 2026
a6c3f31
scripts: sync oauth2-proxy helm chart updates
danish9039 Jun 28, 2026
36037df
ci: run helm compare for oauth2-proxy sync changes
danish9039 Jun 28, 2026
18671bb
helm: focus oauth2-proxy ci values on default scenario
danish9039 Jul 1, 2026
39bd4aa
helm: clarify oauth2-proxy external authorization values
danish9039 Jul 1, 2026
0ed1f3f
test: clarify oauth2-proxy helm comparison scenario
danish9039 Jul 2, 2026
3b67d4b
test: format helm compare helper
danish9039 Jul 3, 2026
ff69be0
helm: update chart repository metadata
danish9039 Jul 5, 2026
bfe9042
test: wait for cert-manager deployments during install
danish9039 Jul 5, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .github/workflows/helm-kustomize-comparison.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@ on:
- experimental/helm/charts/**
- common/cert-manager/**
- scripts/synchronize-cert-manager-manifests.sh
- common/oauth2-proxy/**
- scripts/synchronize-oauth2-proxy-manifests.sh
- tests/kustomize_install.sh
- tests/helm_kustomize_compare.py
- tests/helm_kustomize_compare.sh
Expand Down
1 change: 1 addition & 0 deletions common/oauth2-proxy/base/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ spec:
labels:
app.kubernetes.io/name: oauth2-proxy
spec:
serviceAccountName: oauth2-proxy
volumes:
- name: oauth2-proxy-config
configMap:
Expand Down
22 changes: 22 additions & 0 deletions common/oauth2-proxy/helm/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
apiVersion: v2
name: oauth2-proxy
description: A Helm chart for Kubeflow oauth2-proxy authentication and authorization resources
version: 0.1.0
appVersion: 7.15.2

keywords:
- authentication
- authorization
- oauth2
- kubeflow
- oauth2-proxy

home: https://github.com/kubeflow/community-distribution

sources:
- https://github.com/kubeflow/community-distribution/tree/master/common/oauth2-proxy
- https://github.com/oauth2-proxy/oauth2-proxy

annotations:
category: Authentication
licenses: Apache-2.0
39 changes: 39 additions & 0 deletions common/oauth2-proxy/helm/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
# OAuth2-Proxy Helm Chart

This chart renders the current Kubeflow oauth2-proxy Kustomize resources with
Helm. It is intentionally static for the first chart slice so rendered output
stays aligned with `common/oauth2-proxy`.

## Installation

Install foundation, cert-manager, and Istio first. The `kubeflow-namespaces`
foundation chart creates `Namespace/oauth2-proxy`; this chart stores Helm
release metadata in that same workload namespace.

## Namespace names

Namespace names are fixed to match the Kustomize baseline and `kubeflow-namespaces` foundation chart. oauth2-proxy workloads use `oauth2-proxy`, Istio authentication and authorization resources use `istio-system`, and gateway references use `kubeflow`. These names are not configurable.

```bash
helm install oauth2-proxy ./common/oauth2-proxy/helm \
--namespace oauth2-proxy \
--values ./common/oauth2-proxy/helm/ci/values-m2m-dex-only.yaml
```

## Kustomize Mapping

- `ci/values-m2m-dex-only.yaml`: `common/oauth2-proxy/overlays/m2m-dex-only`

Kubernetes in Docker and Amazon EKS machine-to-machine values are deferred until
Helm integration tests or documented cluster-specific scenarios cover them.

Direct enterprise IdP mode, Cloudflare cache policies, and an upstream
oauth2-proxy Helm dependency wrapper are deferred until the parity chart is
stable.

## Comparison

```bash
helm lint common/oauth2-proxy/helm
./tests/helm_kustomize_compare.sh oauth2-proxy m2m-dex-only
```
15 changes: 15 additions & 0 deletions common/oauth2-proxy/helm/ci/values-m2m-dex-only.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
credentials:
clientSecret: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
cookieSecret: 7d16fee92f8d11b8940b081b3f8b8acb

istioExternalAuthorization:
enabled: true

m2m:
enabled: false

clusterJwksProxy:
enabled: false

parameters:
allowSelfSignedIssuer: "true"
15 changes: 15 additions & 0 deletions common/oauth2-proxy/helm/files/kubeflow-logo.svg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
79 changes: 79 additions & 0 deletions common/oauth2-proxy/helm/files/oauth2_proxy.cfg
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
provider = "oidc"
oidc_issuer_url = "http://dex.auth.svc.cluster.local:5556/dex"
scope = "profile email groups openid"
email_domains = [ "*" ]

# serve a static HTTP 200 upstream on for authentication success
# we are using oauth2-proxy as an ExtAuthz to "check" each request, not pass it on
upstreams = [ "static://200" ]

# skip authentication for these paths
skip_auth_routes = [
"^/dex/",
]

# requests to paths matching these regex patterns will receive a 401 Unauthorized response
# when not authenticated, instead of being redirected to the login page with a 302,
# this prevents background requests being redirected to the login page,
# and the accumulation of CSRF cookies
api_routes = [
# Generic
# NOTE: included because most background requests contain these paths
"/api/",
"/apis/",

# Kubeflow Pipelines
# NOTE: included because KFP UI makes MANY background requests to these paths but because they are
# not `application/json` requests, oauth2-proxy will redirect them to the login page
"^/ml_metadata",
]

# OIDC Discovery has to be skipped and login url has to be provided directly
# in order to enable relative auth redirect. Using OIDC Discovery would set
# the redirect location to http://dex.auth.svc.cluster.local:5556 in the example
# installation. This address is usually not available through the Web Browser.
# If you have a setup where dex has it's url as other than the in-cluster
# service, this is optional.
skip_oidc_discovery = true
login_url = "/dex/auth"
redeem_url = "http://dex.auth.svc.cluster.local:5556/dex/token"
oidc_jwks_url = "http://dex.auth.svc.cluster.local:5556/dex/keys"

# if `false`, a sign-in page is displayed before starting the login flow
# prevents background requests starting their own login flow on token expiry,
# which can lead to many CSRF cookies, potentially exceeding the cookie limit
skip_provider_button = false

# style the sign-in page
provider_display_name = "Dex"
custom_sign_in_logo = "/custom-theme/kubeflow-logo.svg"
banner = "-"
footer = "-"

# oauth2-proxy sends "force" by default, which causes dex to always prompt for login
# https://github.com/dexidp/dex/pull/3086
prompt = "none"

# set Authorization Bearer response header. This is needed in order to
# forward the Authorization Bearer token to Istio and enable authorization
# based on JWT.
set_authorization_header = true

# set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and
# X-Auth-Request-Preferred-Username. This is optional for Kubeflow but you
# may have other services that use standard auth headers.
set_xauthrequest = true

cookie_name = "oauth2_proxy_kubeflow"

# Dex default cookie expiration is 24h.
# If set to 168h (default oauth2-proxy), Istio will not be able to use the JWT after 24h,
# but oauth2-proxy will still consider the cookie valid.
# It's possible to configure the JWT Refresh Token to enable longer login session.
cookie_expire = "24h"
cookie_refresh = 0

code_challenge_method = "S256"

redirect_url = "/oauth2/callback"
relative_redirect_url = true
18 changes: 18 additions & 0 deletions common/oauth2-proxy/helm/templates/_helpers.tpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{{/*
Render a JWT rule for Istio RequestAuthentication.
*/}}
{{- define "oauth2-proxy.m2mJwtRule" -}}
- forwardOriginalToken: true
fromHeaders:
- name: Authorization
prefix: "Bearer "
issuer: {{ .issuer }}
{{- if .jwksUri }}
jwksUri: {{ .jwksUri }}
{{- end }}
outputClaimToHeaders:
- claim: sub
header: kubeflow-userid
- claim: groups
header: kubeflow-groups
{{- end -}}
85 changes: 85 additions & 0 deletions common/oauth2-proxy/helm/templates/cluster-jwks-proxy.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
{{- if .Values.clusterJwksProxy.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: cluster-jwks-proxy
name: cluster-jwks-proxy
namespace: istio-system
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: cluster-jwks-proxy
name: cluster-jwks-proxy
namespace: istio-system
spec:
ports:
- name: http
port: 80
targetPort: http
selector:
app.kubernetes.io/name: cluster-jwks-proxy
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/name: cluster-jwks-proxy
name: cluster-jwks-proxy
namespace: istio-system
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: cluster-jwks-proxy
template:
metadata:
labels:
app.kubernetes.io/name: cluster-jwks-proxy
spec:
containers:
- args:
- proxy
- --address=0.0.0.0
- --port=8080
- --accept-hosts=.*
- --accept-paths=^(?:/openid/v1/jwks)|(?:/.well-known/openid-configuration)$
- --reject-methods=^(POST|PUT|PATCH|DELETE|HEAD|OPTIONS|CONNECT|TRACE)$
image: {{ required "clusterJwksProxy.image is required when clusterJwksProxy.enabled is true" .Values.clusterJwksProxy.image }}
livenessProbe:
httpGet:
path: /openid/v1/jwks
port: http
initialDelaySeconds: 15
periodSeconds: 15
timeoutSeconds: 5
name: kubectl-proxy
ports:
- containerPort: 8080
name: http
readinessProbe:
httpGet:
path: /openid/v1/jwks
port: http
initialDelaySeconds: 15
periodSeconds: 15
timeoutSeconds: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
startupProbe:
httpGet:
path: /openid/v1/jwks
port: http
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 2
serviceAccountName: cluster-jwks-proxy
{{- end }}
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
{{- if .Values.istioExternalAuthorization.enabled }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: istio-ingressgateway-oauth2-proxy
namespace: istio-system
spec:
action: CUSTOM
provider:
name: oauth2-proxy
rules:
- to:
- operation:
notPaths:
- /dex/*
- /dex/**
- /oauth2/*
when:
- key: request.headers[authorization]
notValues:
- '*'
selector:
matchLabels:
app: istio-ingressgateway
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: istio-ingressgateway-require-jwt
namespace: istio-system
spec:
action: DENY
rules:
- from:
- source:
notRequestPrincipals:
- '*'
to:
- operation:
notPaths:
- /dex/*
- /dex/**
- /oauth2/*
selector:
matchLabels:
app: istio-ingressgateway
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: dex-jwt
namespace: istio-system
spec:
jwtRules:
- forwardOriginalToken: true
fromHeaders:
- name: Authorization
prefix: 'Bearer '
issuer: http://dex.auth.svc.cluster.local:5556/dex
outputClaimToHeaders:
- claim: email
header: kubeflow-userid
- claim: groups
header: kubeflow-groups
selector:
matchLabels:
app: istio-ingressgateway
{{- end }}
16 changes: 16 additions & 0 deletions common/oauth2-proxy/helm/templates/m2m.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
{{- if .Values.m2m.enabled }}
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: m2m-token-issuer
namespace: istio-system
spec:
jwtRules:
{{ include "oauth2-proxy.m2mJwtRule" (dict "issuer" .Values.m2m.issuer "jwksUri" .Values.m2m.jwksUri) | nindent 2 }}
{{- range .Values.m2m.additionalJwtRules }}
{{ include "oauth2-proxy.m2mJwtRule" (dict "issuer" .issuer "jwksUri" .jwksUri) | nindent 2 }}
{{- end }}
selector:
matchLabels:
app: istio-ingressgateway
{{- end }}
Loading
Loading