From 73f727d56dba5df52f65c3839a39124104d26a69 Mon Sep 17 00:00:00 2001
From: Ben Galewsky
Date: Wed, 1 Mar 2023 20:17:19 -0600
Subject: [PATCH] Add allowed groups to oauth2 proxy

---
 charts/mlflow/Chart.yaml | 2 +-
 charts/mlflow/README.MD | 21 +++++++++++----------
 charts/mlflow/templates/oauth2-config.yaml | 7 ++++++-
 charts/mlflow/values.yaml | 4 ++++
 4 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/charts/mlflow/Chart.yaml b/charts/mlflow/Chart.yaml
index e3051c3..6c40e8c 100644
--- a/charts/mlflow/Chart.yaml
+++ b/charts/mlflow/Chart.yaml
@@ -8,7 +8,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.0
+version: 1.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/mlflow/README.MD b/charts/mlflow/README.MD
index 9a84daa..07ced49 100644
--- a/charts/mlflow/README.MD
+++ b/charts/mlflow/README.MD
@@ -36,14 +36,15 @@ variables. Here are some of the useful settings in `values.yaml` - there are many other settings which are typical of most helm charts.
-| Value | Description | Default Value |
-|-----------------------------|--------------------------------------------------------------------|---------------|
-| MLFlow.artifacts.bucketName | The bucket where the artifacts will be stored | |
-| services.postgres.enabled | Deploy a postgres subchart with this chart? | true |
-| services.minio.enabled | Deploy a minio subchart with this chart? | true |
-| oauth2Proxy.enabled | Protect the tracking server with an OAuth2 Proxy? | true |
-| oauth2Proxy.secret | Kubernetes secret holding values to configure the proxy | |
-| oauth2Proxy.clientID | Client ID string for the value in your OAuth2 client. | |
-| oauth2Proxy.provider | A valid setting for OAuth2-Proxy | keycloak-oidc |
-| oauth2Proxy.emailDomains | List of domain names for users that will be automatically accepted | * |
+| Value | Description | Default Value |
+|-----------------------------|------------------------------------------------------------------------------------|---------------|
+| MLFlow.artifacts.bucketName | The bucket where the artifacts will be stored | |
+| services.postgres.enabled | Deploy a postgres subchart with this chart? | true |
+| services.minio.enabled | Deploy a minio subchart with this chart? | true |
+| oauth2Proxy.enabled | Protect the tracking server with an OAuth2 Proxy? | true |
+| oauth2Proxy.secret | Kubernetes secret holding values to configure the proxy | |
+| oauth2Proxy.clientID | Client ID string for the value in your OAuth2 client. | |
+| oauth2Proxy.provider | A valid setting for OAuth2-Proxy | keycloak-oidc |
+| oauth2Proxy.emailDomains | List of domain names for users that will be automatically accepted | * |
+| oauth2Proxy.allowedGroups | YAML List of groups that will be accepted (best to set oidc_groups_claim with this | |
diff --git a/charts/mlflow/templates/oauth2-config.yaml b/charts/mlflow/templates/oauth2-config.yaml
index f9d5402..88a0561 100644
--- a/charts/mlflow/templates/oauth2-config.yaml
+++ b/charts/mlflow/templates/oauth2-config.yaml
@@ -20,7 +20,12 @@ data:
 {{- with (first .Values.ingress.hosts) }}
 redirect_url = "https://{{- .host }}"
 {{- end }}
-
+
+ {{- if .Values.oauth2Proxy.allowedGroups }}
+ allowed_groups = [ "{{ join "\",\"" .Values.oauth2Proxy.allowedGroups }}" ]
+ {{- end }}
+
+
 allowed_roles = "{{- .Values.oauth2Proxy.keycloak.allowed_roles }}"
 oidc_issuer_url = "{{- .Values.oauth2Proxy.oidc.oidc_issuer_url }}"
diff --git a/charts/mlflow/values.yaml b/charts/mlflow/values.yaml
index a0f2aee..70739dc 100644
--- a/charts/mlflow/values.yaml
+++ b/charts/mlflow/values.yaml
@@ -53,6 +53,10 @@ oauth2Proxy:
 provider: "keycloak-oidc"
 emailDomains: "*"
+
+ # List of groups
+ allowedGroups:
+
 cookieRefresh: "5m"
 keycloak:
 # restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider.
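Review bot: The new `allowed_groups` line assembles a TOML array by hand with `join "\",\""`, so a group name containing a double quote or a backslash yields an invalid config file or an array with a different shape than the operator intended, and a scalar passed instead of a list is not caught either. Letting Helm serialize the list gives correct escaping for free: `allowed_groups = {{ toJson .Values.oauth2Proxy.allowedGroups }}` — a JSON string array is also a valid TOML array. A comment above the `if` should state the dependency the README only hints at, e.g. `# Only effective if the provider returns group membership in the claim oauth2-proxy reads (see oidc_groups_claim); with a non-empty list and no groups claim, logins are presumably all denied`. The two blank lines left after `{{- end }}` are one more than the surrounding entries use. The enclosing `data:` block scalar starts before this hunk.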
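Review bot: `allowedGroups:` is added as a bare key, which YAML parses as null rather than the empty list the README's "YAML List" description implies, so the default hides the expected type and any consumer that iterates the value gets nil. `allowedGroups: []` keeps the template's `if` check false for the default while making the shape explicit. The `# List of groups` comment should also say what an empty list means for access, e.g. `# Groups a user must belong to; empty list = no group restriction (only emailDomains applies)`. The enclosing `oauth2Proxy:` mapping starts before this hunk.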