Apply requested changes

Signed-off-by: Mathew Wicks <[email protected]>

.github/workflows/pss_test.yaml

@@ -27,21 +27,28 @@ jobs:
     - name: Install kubectl
       run: ./tests/gh-actions/install_kubectl.sh
 
-    - name: Install all deployments from static namespaces
+    - name: Install Istio with external authentication
+      run: ./tests/gh-actions/install_istio_with_ext_auth.sh
+
+    - name: Install cert-manager
+      run: ./tests/gh-actions/install_cert_manager.sh
+
+    - name: Create kubeflow namespace
+      run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
+
+    - name: Install kubeflow-istio-resources
+      run: kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -
+
+    - name: Install KF Multi Tenancy
+      run: ./tests/gh-actions/install_multi_tenancy.sh
+
+    - name: Install dex
       run: |
-        kustomize build common/kubeflow-namespace/base | kubectl apply -f -
-        ./tests/gh-actions/install_cert_manager.sh
-        ./tests/gh-actions/install_istio_with_ext_auth.sh
-        kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -
-        ./tests/gh-actions/install_multi_tenancy.sh
-        kustomize build ./common/oauth2-proxy/overlays/m2m-dex-and-kind | kubectl apply -f -
-        echo "Waiting for all oauth2-proxy pods to become ready..."
-        kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy
-        echo "Waiting for all cluster-jwks-proxy pods to become ready..."
-        kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=cluster-jwks-proxy' --timeout=180s -n istio-system
+        echo "Installing Dex..."
         kustomize build ./common/dex/overlays/oauth2-proxy | kubectl apply -f -
+        
         echo "Waiting for pods in auth namespace to become ready..."
-        kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth
+        kubectl wait --for=condition=ready pods --all --timeout=180s -n auth
 
     - name: Install KF Pipelines
       run: ./tests/gh-actions/install_pipelines.sh

README.md

@@ -224,12 +224,25 @@ The oauth2-proxy extends your Istio Ingress-Gateway capabilities, to be able to
 
 ```sh
 echo "Installing oauth2-proxy..."
-kustomize build common/oauth2-proxy/overlays/m2m-dex-and-kind/ | kubectl apply -f -
+
+# Only uncomment ONE of the following overlays, they are mutually exclusive,
+# see `common/oauth2-proxy/overlays/` for more options.
+
+# OPTION 1: works on most clusters, does NOT allow K8s service account 
+#           tokens to be used from outside the cluster via the Istio ingress-gateway.
+#
+kustomize build common/oauth2-proxy/overlays/m2m-dex-only/ | kubectl apply -f -
 kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy
-kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=cluster-jwks-proxy' --timeout=180s -n istio-system
+
+# Option 2: works on Kind/K3D clusters, and allows K8s service account tokens to be used
+#           from outside the cluster via the Istio ingress-gateway.
+# 
+#kustomize build common/oauth2-proxy/overlays/m2m-dex-and-kind/ | kubectl apply -f -
+#kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy
+#kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=cluster-jwks-proxy' --timeout=180s -n istio-system
 ```
 
-It supports user sessions as well as proper token-based machine to machine atuhhentication.
+It supports user sessions as well as proper token-based machine to machine authentication.
 
 #### Dex
 
@@ -238,7 +251,9 @@ Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends.
 Install Dex:
 
 ```sh
+echo "Installing Dex..."
 kustomize build common/dex/overlays/oauth2-proxy | kubectl apply -f -
+kubectl wait --for=condition=ready pods --all --timeout=180s -n auth
 ```
 
 #### Knative

common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   # we only apply to the ingress-gateway because:
   #  - there is no need to verify the same tokens at each sidecar
-  #  - having no selector will apply to the RequestAuthentication to ALL
+  #  - having no selector will apply the RequestAuthentication to ALL
   #    Pods in the mesh, even ones which are not part of Kubeflow
   selector:
     matchLabels:

example/kustomization.yaml

@@ -41,9 +41,11 @@ resources:
 - ../common/istio-1-22/istio-namespace/base
 - ../common/istio-1-22/istio-install/overlays/oauth2-proxy
 # oauth2-proxy
-- ../common/oauth2-proxy/overlays/m2m-dex-and-kind
-#- ../common/oauth2-proxy/overlays/m2m-dex-and-eks # for EKS clusters (NOTE: requires you to configure issuer, see overlay)
-#- ../common/oauth2-proxy/overlays/m2m-dex-only    # for all clusters (NOTE: disables K8S JWTs for gateway auth)
+# NOTE: only uncomment ONE of the following overlays, depending on your cluster type
+- ../common/oauth2-proxy/overlays/m2m-dex-only     # for all clusters
+#- ../common/oauth2-proxy/overlays/m2m-dex-and-kind # for KIND clusters (allows K8S JWTs for gateway auth)
+#- ../common/oauth2-proxy/overlays/m2m-dex-and-eks  # for EKS clusters (NOTE: requires you to configure issuer, see overlay)
+
 # Dex
 - ../common/dex/overlays/oauth2-proxy
 # KNative