Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add authentication to apiserver #235

Merged
merged 1 commit into from
Mar 9, 2023
Merged

Add authentication to apiserver #235

merged 1 commit into from
Mar 9, 2023

Conversation

akihikokuroda
Copy link
Collaborator

Summary

PR: #189 is a pre-req for this.

Fix #138
This PR enables "Client Credentials Grant" in OAuth2 specification for the apiserver.

Details and comments

Access to the apiserver needs the access token issued by the keycloak.
Here is the example script accessing the apiserver.

#!/bin/bash
API=$1
RESPONSE=$(curl --request POST \
  --url 'http://<LOCAL-IP>:31059/realms/quantumserverless/protocol/openid-connect/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=rayapiserver \
  --data client_secret=APISERVERSECRET-CHANGEME \
  --data audience=rayapiserver | jq .access_token)
TOKEN=${RESPONSE//'"'/}

curl --request GET -k --proxy http://<LOCAL-IP>:30634/ \
--header "authorization: Bearer $TOKEN" \
--header 'content-type: application/json' \
--url "http://kuberay-apiserver-service:8888/$API"

@IceKhan13 IceKhan13 marked this pull request as draft February 23, 2023 18:54
@IceKhan13 IceKhan13 added the enhancement New feature or request label Feb 23, 2023
@IceKhan13 IceKhan13 added this to the 0.2 milestone Feb 23, 2023
@akihikokuroda
Copy link
Collaborator Author

My PR in ray-project/kuberay got merged. I can remove the hack when they cut a new release.
Another PR got merged, too. We can remove the (temporary) step from the README.

@akihikokuroda akihikokuroda mentioned this pull request Feb 24, 2023
Merged
4 tasks
@akihikokuroda akihikokuroda force-pushed the login4apiserver branch 2 times, most recently from 10832f6 to a528d6f Compare February 28, 2023 21:21
@akihikokuroda akihikokuroda changed the title WIP: Add authentication to apiserver Add authentication to apiserver Feb 28, 2023
@akihikokuroda akihikokuroda marked this pull request as ready for review February 28, 2023 21:23
@pacomf pacomf requested review from psschwei, Tansito and IceKhan13 March 1, 2023 14:02
psschwei
psschwei approved these changes Mar 6, 2023
View reviewed changes
Copy link
Collaborator

@psschwei psschwei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work @akihikokuroda

infrastructure/helm/quantumserverless/README.md Outdated Show resolved Hide resolved
@akihikokuroda
add apiserver client config to keycloak
5c9e265 
Signed-off-by: akihikokuroda <akihikokuroda2020@gmail.com>
@Tansito Tansito mentioned this pull request Mar 8, 2023
Closed
@psschwei psschwei merged commit 4421796 into Qiskit:main Mar 9, 2023
Tansito
Tansito reviewed Mar 10, 2023
View reviewed changes
infrastructure/helm/quantumserverless/README.md
@@ -59,6 +67,12 @@ Install from specific values file
kubectl patch svc -n ray kuberay-apiserver-service --type json --patch '[{"op" : "replace" ,"path" : "/spec/selector" ,"value" : {"app.kubernetes.io/component": "kuberay-apiserver"}}]'
```

(temporary) Patch the kuberay-apiserver deployment
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry that I couldn't have time to review this pull request properly 🙏

My only question for the future would be how we can remove this patch? I assume that is something related with ray like the patch that we have above, doesn't it, @psschwei , @akihikokuroda ?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's right. The fix(es) has already been merged upstream, so once there's a new release cut we can bump our deps and drop the patch(es)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My question was more related to what actions do we need to apply to remove the patch (or not need it)? Like for example with the first one, that we need to open an issue in ray to fix the app.kubernetes.io/component annotation. I assume that the problem in this case is that we can't add as sidecar in the kuberay-api the gatekeeper image? To have it under control and move these things as soon as I can.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the sidecar patch, the sidecar setting is already in the values.yaml so when kuberay has a new release and we upgrade, we can just remove the patch script and update the README. For the service, we can just update the README when we get the new kuberay release.

@akihikokuroda akihikokuroda deleted the login4apiserver branch August 18, 2023 18:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@psschwei psschwei psschwei approved these changes

@Tansito Tansito Tansito left review comments

@pacomf pacomf pacomf approved these changes

@IceKhan13 IceKhan13 Awaiting requested review from IceKhan13

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
0.2
Development

Successfully merging this pull request may close these issues.

API server auth
5 participants
@akihikokuroda @pacomf @Tansito @psschwei @IceKhan13