Kubeflow 1.7 SSL and DEX Auth


I did a new installation of charmed kubeflow 1.7 today. The configuration regarding https is exactly the same as under charmed kubeflow 1.6. Only unfortunately the authentication via dex does not work anymore.

If I configure everything with http, the redirection to dex auth occurs as expected. If I change the configuration in the Kubeflow gateway to https and configure it accordingly, then the kubeflow dashboard is direct accessible without login. If I also add a redirect configuration to the gateway configuration, then the redirection to the dex auth occurs. But with the call via HTTPS I still land on the dashboard without login.

in addition I have executed the following commands:

juju config dex-auth public-url=https://mydomain.dev
juju config oidc-gatekeeper public-url=https://mydomain.dev

Unfortunately, I can’t find any hint in the logs. Does anyone have ideas where I can still look?

Many thanks

Ok, patching the envoyFilter leads to the desired behavior:

kubectl patch envoyfilter authn-filter --type='json' -p '[{"op":"replace","path":"/spec/configPatches/0/match/listener/portNumber","value":8443}]' -n kubeflow

Thanks for the message @schleppo, that doesn’t seem like we’d want it. Is this regularly happening, or did something just get misconfigured and the patch is always required?

Hi @ca-scribner,

I can always observe the error. I set key and certificates via juju.

juju config istio-pilot ssl-key="MY_KEY"
juju config istio-pilot ssl-crt="MY_CERT"

Then the kubeflow gateway is automatically redeployed but the envoyfilter remains on port 8080.

Thanks @schleppo, we’re going to look at it. I’m also adding a bug here in our bug tracker, but since we’ve already started talking about it in Charmhub we can keep discussing it here.