Commit

Add allowed groups to oauth2 proxy
BenGalewsky committed Mar 2, 2023
1 parent 0b5ffb2 commit 73f727d
Showing 4 changed files with 22 additions and 12 deletions.
2 changes: 1 addition & 1 deletion charts/mlflow/Chart.yaml
Expand Up @@ -8,7 +8,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.1.0
version: 1.1.1

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
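
Review bot: the bump from `version: 1.1.0` to `version: 1.1.1` is a patch increment, but this commit adds a new chart value (`oauth2Proxy.allowedGroups`), and the comment above the field says versions are expected to follow Semantic Versioning. A backwards-compatible feature is a minor change under SemVer, so `1.2.0` would be the expected version.
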
21 changes: 11 additions & 10 deletions charts/mlflow/README.MD
Expand Up @@ -36,14 +36,15 @@ variables.
Here are some of the useful settings in `values.yaml` - there are many other
settings which are typical of most helm charts.

| Value | Description | Default Value |
|-----------------------------|--------------------------------------------------------------------|---------------|
| MLFlow.artifacts.bucketName | The bucket where the artifacts will be stored | |
| services.postgres.enabled | Deploy a postgres subchart with this chart? | true |
| services.minio.enabled | Deploy a minio subchart with this chart? | true |
| oauth2Proxy.enabled | Protect the tracking server with an OAuth2 Proxy? | true |
| oauth2Proxy.secret | Kubernetes secret holding values to configure the proxy | |
| oauth2Proxy.clientID | Client ID string for the value in your OAuth2 client. | |
| oauth2Proxy.provider | A valid setting for OAuth2-Proxy | keycloak-oidc |
| oauth2Proxy.emailDomains | List of domain names for users that will be automatically accepted | * |
| Value | Description | Default Value |
|-----------------------------|------------------------------------------------------------------------------------|---------------|
| MLFlow.artifacts.bucketName | The bucket where the artifacts will be stored | |
| services.postgres.enabled | Deploy a postgres subchart with this chart? | true |
| services.minio.enabled | Deploy a minio subchart with this chart? | true |
| oauth2Proxy.enabled | Protect the tracking server with an OAuth2 Proxy? | true |
| oauth2Proxy.secret | Kubernetes secret holding values to configure the proxy | |
| oauth2Proxy.clientID | Client ID string for the value in your OAuth2 client. | |
| oauth2Proxy.provider | A valid setting for OAuth2-Proxy | keycloak-oidc |
| oauth2Proxy.emailDomains | List of domain names for users that will be automatically accepted | * |
| oauth2Proxy.allowedGroups | YAML List of groups that will be accepted (best to set oidc_groups_claim with this | |
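
Review bot: the description in the new `oauth2Proxy.allowedGroups` row is cut off: the parenthesis opened at "(best to set oidc_groups_claim with this" is never closed. Suggest completing the sentence and stating what an empty value means, since the Default Value column is blank for an access-control setting. The row also points at `oidc_groups_claim`, but no row in this table documents a chart value that sets it, so say where the operator is expected to configure it.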

7 changes: 6 additions & 1 deletion charts/mlflow/templates/oauth2-config.yaml
Expand Up @@ -20,7 +20,12 @@ data:
{{- with (first .Values.ingress.hosts) }}
redirect_url = "https://{{- .host }}"
{{- end }}
{{- if .Values.oauth2Proxy.allowedGroups }}
allowed_groups = [ "{{ join "\",\"" .Values.oauth2Proxy.allowedGroups }}" ]
{{- end }}
allowed_roles = "{{- .Values.oauth2Proxy.keycloak.allowed_roles }}"
oidc_issuer_url = "{{- .Values.oauth2Proxy.oidc.oidc_issuer_url }}"
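
Review bot: in the `allowed_groups` line the values are spliced between double quotes with `join "\",\""` and nothing escapes them, so a group name containing `"` or `\` closes the string early or produces an invalid config line, and the remainder of the value is then read as configuration. For a setting that decides who may log in, render the list with an encoder instead, for example `allowed_groups = {{ .Values.oauth2Proxy.allowedGroups | toJson }}`, which emits a quoted and escaped array.
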
4 changes: 4 additions & 0 deletions charts/mlflow/values.yaml
Expand Up @@ -53,6 +53,10 @@ oauth2Proxy:
provider: "keycloak-oidc"

emailDomains: "*"

# List of groups
allowedGroups:

cookieRefresh: "5m"
keycloak:
# restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider.
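
Review bot: `allowedGroups:` is left with no value, which YAML parses as null, and the comment `# List of groups` gives neither the expected format nor the effect of leaving it unset. Suggest `allowedGroups: []` with a commented sample entry, plus a line stating that with the list empty and `emailDomains: "*"` just above, no group restriction is applied to logins.
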