Provide options to use IBM Cloud AppID as authentication provider #2182

Closed
shawnzhu opened this issue Sep 9, 2020 · 6 comments · Fixed by #2327

shawnzhu commented Sep 9, 2020

This is a follow-up to #2069 and #2000.

Today

It uses dex as the OIDC auth provider.

Expected outcome

It provides a configuration path to use IBM Cloud AppID as the OIDC auth provider besides dex.

@issue-label-bot

Issue-Label Bot is automatically applying the labels:

Label Probability
kind/feature 0.97
area/docs 0.93

Please mark this comment with 👍 or 👎 to give our bot feedback!
Links: app homepage, dashboard and code for this bot.

@shawnzhu
Member Author

Requirement

In order to bring in IBM Cloud AppID as a replacement for Dex, it will need to work with the existing oidc-authservice component of multi-user Kubeflow, from https://github.com/arrikto/oidc-authservice. It's technically working now with its previous release, but more work is required ONLY if we want to integrate with the latest release of arrikto/oidc-authservice.

Option 1

Upgrade arrikto/oidc-authservice to latest.

Option 2

Keep using the existing outdated arrikto/oidc-authservice container image.

  • Tweak settings of oidc-authservice in the kubeflow/manifests repo to favor the config settings of IBM AppID.

@animeshsingh @adrian555 @Tomcli comments?

@shawnzhu
Member Author

shawnzhu commented Oct 8, 2020

Updates

I've got AppID working in Kubeflow 1.1 deployed on OpenShift. See my code changes here:

Once I get some code merged, I can start working on the docs.

Note that I've used option 2 from ☝️ with tweaked settings like:

          env:
            - name: USERID_HEADER
              value: kubeflow-userid
            - name: USERID_PREFIX
            - name: USERID_CLAIM
              value: email
            - name: OIDC_PROVIDER
              value: >-
                https://<appid-tenant-url>
            - name: OIDC_AUTH_URL
            - name: OIDC_SCOPES
              value: email
            - name: REDIRECT_URL
              value: >-
                https://<istio-ingressgateway-public-endpoint-FQDN>/login/oidc
            - name: SKIP_AUTH_URI
            - name: PORT
              value: '8080'
            - name: CLIENT_ID
              value: <client_id_from_AppID_service-credential>
            - name: CLIENT_SECRET
              value: <client_secret_from_AppID_service-credential>

@shawnzhu
Member Author

shawnzhu commented Oct 14, 2020

Progress

@adrian555 and I had a quick chat on the initial design:

  1. Manage the AppID configuration in a separate k8s secret object, and document the steps on how to create it prior to deploying Kubeflow.
  2. Update the Authservice config to use this secret instead of keeping client_secret in a statefulset resource object.
  3. Create a new kfctl_ibm_appid.yaml for cloud kubernetes service.
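
The first two design points above, sketched as an added example (not part of the thread and not the manifests that were eventually merged): the AppID client credentials move from literal `value:` entries in the StatefulSet into a Secret that the container references through `secretKeyRef`. The Secret name, the namespace placeholder, and the StatefulSet and container names are assumptions; the environment variable names and placeholder values are the ones from the Oct 8 comment.

```yaml
# Added example. Names marked "assumed" are not from the thread.
apiVersion: v1
kind: Secret
metadata:
  name: appid-oidc-credentials          # assumed name
  namespace: <authservice-namespace>    # placeholder, set to where authservice runs
type: Opaque
stringData:                             # stored base64-encoded by the API server
  CLIENT_ID: <client_id_from_AppID_service-credential>
  CLIENT_SECRET: <client_secret_from_AppID_service-credential>
---
# Fragment of the authservice StatefulSet: only the fields that change are
# shown, so apply it as a patch rather than as a complete object.
#
# Before: CLIENT_ID / CLIENT_SECRET were literal `value:` entries, so the
# secret was visible in the manifest and to anyone allowed to read StatefulSets.
# After: the values are resolved from the Secret at pod start, and access is
# governed by RBAC on secrets in that namespace.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: authservice                     # assumed name
  namespace: <authservice-namespace>
spec:
  template:
    spec:
      containers:
        - name: authservice             # assumed container name
          env:
            - name: USERID_HEADER
              value: kubeflow-userid
            - name: USERID_CLAIM
              value: email
            - name: OIDC_PROVIDER
              value: https://<appid-tenant-url>
            - name: CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: appid-oidc-credentials
                  key: CLIENT_ID
            - name: CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: appid-oidc-credentials
                  key: CLIENT_SECRET
```

The Secret has to exist before the StatefulSet's pods start, which is why the first design point asks for it to be created prior to deploying Kubeflow.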

@adrian555
Member

Just one comment: @shawnzhu will provide the install instructions with AppID on an IBM Cloud native K8S cluster first and document them through this issue.

@animeshsingh
Contributor

+1
