Kubeflow 1.7 SSL and DEX Auth

Hello,

I did a new installation of charmed kubeflow 1.7 today. The configuration regarding https is exactly the same as under charmed kubeflow 1.6. Only unfortunately the authentication via dex does not work anymore.

If I configure everything with http, the redirection to dex auth occurs as expected. If I change the configuration in the Kubeflow gateway to https and configure it accordingly, then the kubeflow dashboard is direct accessible without login. If I also add a redirect configuration to the gateway configuration, then the redirection to the dex auth occurs. But with the call via HTTPS I still land on the dashboard without login.

• only http: works perfect http://mydomain.dev/ -> dex redirect to login page

• https config: not working https://mydomain.dev -> Kubeflow Dashboard

• http redirect config + https config: working http://mydomain.dev -> redirect to https://mydomain.dev/dex/auth/local/login

  servers:
   - hosts:
     - mydomain.dev
     port:
       name: https
       number: 443
      protocol: HTTPS
    tls:
      credentialName: dex-certs
      mode: SIMPLE
   - hosts:
    - mydomain.dev
     port:
      name: http
      number: 80
      protocol: HTTP
     tls:
      httpsRedirect: true
  

in addition I have executed the following commands:

juju config dex-auth public-url=https://mydomain.dev
juju config oidc-gatekeeper public-url=https://mydomain.dev

Unfortunately, I can’t find any hint in the logs. Does anyone have ideas where I can still look?

Many thanks

Ok, patching the envoyFilter leads to the desired behavior:

kubectl patch envoyfilter authn-filter --type='json' -p '[{"op":"replace","path":"/spec/configPatches/0/match/listener/portNumber","value":8443}]' -n kubeflow

Thanks for the message @schleppo, that doesn’t seem like we’d want it. Is this regularly happening, or did something just get misconfigured and the patch is always required?

Hi @ca-scribner,

I can always observe the error. I set key and certificates via juju.

juju config istio-pilot ssl-key="MY_KEY"
juju config istio-pilot ssl-crt="MY_CERT"

Then the kubeflow gateway is automatically redeployed but the envoyfilter remains on port 8080.

Thanks @schleppo, we’re going to look at it. I’m also adding a bug here in our bug tracker, but since we’ve already started talking about it in Charmhub we can keep discussing it here.