Closed IceKhan13 closed 1 year ago
I'm looking at whether this can be used as the base: https://github.com/openshift/oauth-proxy/blob/master/contrib/sidecar.yaml
The kuberay/raycluster-cluster Helm chart has:

```yaml
{{- if .Values.head.sidecarContainers }}
{{- toYaml .Values.head.sidecarContainers | nindent 10 }}
{{- end }}
```

I am trying to utilize it to inject the proxy container into the head node.
The configuration of the Oauth-proxy is different for each environment. I'll focus on the local install with the ingress enabled first.
I'm setting up this oauth-proxy. Here is an example of oauth-proxy with the node-ported Ray service.

```yaml
- args:
    - --email-domain=*
    - --cookie-secret=SECRET0123456789
    - --provider=keycloak-oidc
    - --client-id=rayclient
    - --client-secret=5vJ9W9uLMmoU8v13ZrrZMdjSOTKbeZXV
    - --redirect-url=http://localhost:32031/
    - --oidc-issuer-url=http://quantumserverless-keycloak/realms/testtest
  image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
  imagePullPolicy: IfNotPresent
  name: oauth-proxy
```
What is the expected behavior?
In order to provide an authentication mechanism to work with the Ray cluster, we need to figure out a way to proxy the Ray head node with Keycloak auth.
The minimal requirement at this moment is to protect port 8265, which is the Ray dashboard (Ray cluster dashboard and job scheduler API).
The KubeRay Helm deployment of Ray clusters allows the addition of sidecar containers to head nodes. https://github.com/ray-project/kuberay-helm/blob/main/helm-chart/ray-cluster/values.yaml#L87
The idea is to deploy a sidecar container in the same pod as the Ray head, which will act as an authentication proxy to the Keycloak deployment.
Requirements:
Epic https://github.com/Qiskit-Extensions/quantum-serverless/issues/105
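
An added example, not part of the issue or of the project's code: a Python check that reviews an oauth2-proxy sidecar `args` list like the one posted above before it goes into `head.sidecarContainers`. The sample list is constructed from that comment with the two secrets replaced by placeholders; `parse_args`, `audit` and the finding texts are this example's own names.

```python
from urllib.parse import urlsplit

# Constructed sample: the sidecar args from the comment, secrets replaced by placeholders.
SAMPLE_ARGS = [
    "--email-domain=*",
    "--cookie-secret=<COOKIE_SECRET_PLACEHOLDER>",
    "--provider=keycloak-oidc",
    "--client-id=rayclient",
    "--client-secret=<CLIENT_SECRET_PLACEHOLDER>",
    "--redirect-url=http://localhost:32031/",
    "--oidc-issuer-url=http://quantumserverless-keycloak/realms/testtest",
]
SECRET_FLAGS = {"cookie-secret", "client-secret"}
URL_FLAGS = {"redirect-url", "oidc-issuer-url"}
DASHBOARD_PORT = 8265  # Ray dashboard port named in the issue

def parse_args(args):
    """Turn ['--k=v', '--k', 'v', ...] into {k: [v, ...]}; repeated flags are kept."""
    flags, i = {}, 0
    while i < len(args):
        item = args[i]
        i += 1
        if not item.startswith("--"):
            continue
        key, sep, value = item[2:].partition("=")
        if not sep and i < len(args) and not args[i].startswith("--"):
            value = args[i]  # space-separated form: --flag value
            i += 1
        flags.setdefault(key, []).append(value)
    return flags

def audit(args):
    """Return a sorted list of (flag, finding) for the settings this setup relies on."""
    flags, findings = parse_args(args), []
    for name in flags.keys() & SECRET_FLAGS:
        findings.append((name, "secret is inline in the pod spec; inject it from a Kubernetes Secret"))
    for name in flags.keys() & URL_FLAGS:
        if any(urlsplit(v).scheme != "https" for v in flags[name]):
            findings.append((name, "non-TLS URL; only acceptable for a local test install"))
    if "*" in flags.get("email-domain", []):
        findings.append(("email-domain", "every e-mail domain is accepted"))
    if not any(urlsplit(u).port == DASHBOARD_PORT for u in flags.get("upstream", [])):
        findings.append(("upstream", f"nothing is forwarded to the dashboard on port {DASHBOARD_PORT}"))
    if "http-address" not in flags:
        findings.append(("http-address", "default listener is 127.0.0.1:4180, unreachable from outside the pod"))
    return sorted(findings)
```

The missing `--upstream` finding does not apply when the proxy is used only as an auth-request endpoint behind the ingress rather than as a forwarding proxy.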