I want to publish some services via Istio in the Kubeflow Kubernetes cluster, for example prometheus.mydomain.examle.com or mlflow.mydomain.examle.com, while my Kubeflow central dashboard is available at mydomain.examle.com.
Now everything seems to be working, but if you go to one of the URLs, then the next one will not open. In short, if you use a private tab, the first URL requested is always the one that is opened. Why, and how do I fix it?
---
# https://github.com/adeo/dp--deploy-kubeflow/blob/v1.7-branch/common/oidc-authservice/base/envoy-filter.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: metrics
  namespace: metrics
spec:
  gateways:
    - metrics-gateway
  hosts:
    - 'prometheus.mydomain.examle.com'
  http:
    - match:
        - uri:
            prefix: /
      rewrite:
        uri: /
      route:
        - destination:
            host: prometheus-kube-prometheus-prometheus.metrics.svc.cluster.local
            port:
              number: 9090
---
# https://github.com/adeo/dp--deploy-kubeflow/blob/v1.7-branch/common/oidc-authservice/base/envoy-filter.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: metrics-gateway
  namespace: metrics
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - 'prometheus.mydomain.examle.com'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: tls
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    # https://github.com/adeo/dp--deploy-prometheus/blob/master/helm/values/istio-kubeflow-resources
    - applyTo: VIRTUAL_HOST
      match:
        routeConfiguration:
          vhost:
            name: mlflow.ml.data.lmru.tech:443
      patch:
        operation: MERGE
        value:
          typed_per_filter_config:
            envoy.filters.http.ext_authz:
              '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
              disabled: true
    # https://github.com/adeo/dp--deploy-prometheus/blob/master/helm/values/istio-kubeflow-resources
    - applyTo: VIRTUAL_HOST
      match:
        routeConfiguration:
          vhost:
            name: prometheus.mydomain.examle.com:443
      patch:
        operation: MERGE
        value:
          typed_per_filter_config:
            envoy.filters.http.ext_authz:
              '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
              disabled: true
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
      patch:
        # For some reason, INSERT_FIRST doesn't work
        operation: INSERT_BEFORE
        value:
          # See: https://www.envoyproxy.io/docs/envoy/v1.17.0/configuration/http/http_filters/ext_authz_filter#config-http-filters-ext-authz
          name: "envoy.filters.http.ext_authz"
          typed_config:
            '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
            http_service:
              server_uri:
                uri: http://$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local
                cluster: outbound|8080||$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local
                timeout: 10s
              authorization_request:
                allowed_headers:
                  patterns:
                    # XXX: MUST be lowercase!
                    - exact: "authorization"
                    - exact: "cookie"
                    - exact: "x-auth-token"
              authorization_response:
                allowed_upstream_headers:
                  patterns:
                    - exact: "kubeflow-userid"

I created my own Gateway and VirtualService for each endpoint, and also added an exception for authentication via oidc-authservice to the EnvoyFilter authn-filter.
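An added check, not part of the question: each Gateway above binds a single host to port 443 of the same `istio: ingressgateway` workload, and Istio turns each such HTTPS server into its own SNI-matched filter chain with its own route table. The editor's reading of the symptom (an assumption, not stated in the question) is that a browser reusing one HTTPS connection for a second hostname covered by the same certificate lands in the first host's chain, where that host has no route. The script below works on Gateway specs already loaded as Python dicts (PyYAML is deliberately not required); the `mlflow-gateway` entry is a constructed twin of the shown Gateway, and the check flags the split and proposes one server carrying the merged host list.

```python
from collections import defaultdict

# Constructed input: the Gateway from the question plus an assumed twin for
# mlflow (the question shows only the prometheus one), reduced to the
# fields the check needs. Both select the same ingressgateway and port.
GATEWAYS = [
    {"metadata": {"name": "metrics-gateway", "namespace": "metrics"},
     "spec": {"selector": {"istio": "ingressgateway"},
              "servers": [{"hosts": ["prometheus.mydomain.examle.com"],
                           "port": {"name": "https", "number": 443, "protocol": "HTTPS"},
                           "tls": {"credentialName": "tls", "mode": "SIMPLE"}}]}},
    {"metadata": {"name": "mlflow-gateway", "namespace": "mlflow"},
     "spec": {"selector": {"istio": "ingressgateway"},
              "servers": [{"hosts": ["mlflow.mydomain.examle.com"],
                           "port": {"name": "https", "number": 443, "protocol": "HTTPS"},
                           "tls": {"credentialName": "tls", "mode": "SIMPLE"}}]}},
]


def split_tls_servers(gateways):
    """Group HTTPS servers by (workload selector, port number); return only
    groups with more than one server, since each such server becomes its own
    SNI-matched filter chain: {key: [(gateway_ref, hosts, credentialName)]}."""
    groups = defaultdict(list)
    for gw in gateways:
        ref = f"{gw['metadata']['namespace']}/{gw['metadata']['name']}"
        selector = tuple(sorted(gw["spec"]["selector"].items()))
        for srv in gw["spec"]["servers"]:
            if srv["port"]["protocol"] != "HTTPS" or "tls" not in srv:
                continue  # plain HTTP servers share one chain anyway
            groups[(selector, srv["port"]["number"])].append(
                (ref, list(srv["hosts"]), srv["tls"].get("credentialName")))
    return {k: v for k, v in groups.items() if len(v) > 1}


def merged_server(servers, port=443):
    """One Gateway server carrying every host of a split group (same cert)."""
    hosts = sorted({h for _, hs, _ in servers for h in hs})
    return {"hosts": hosts,
            "port": {"name": "https", "number": port, "protocol": "HTTPS"},
            "tls": {"credentialName": servers[0][2], "mode": "SIMPLE"}}


if __name__ == "__main__":
    for (selector, port), servers in split_tls_servers(GATEWAYS).items():
        print(f"port {port} on {dict(selector)} is split across:")
        for ref, hosts, _ in servers:
            print(f"  {ref}: {hosts}")
        print("suggested single server:", merged_server(servers, port))
```

The suggested server replaces the per-endpoint servers in a single Gateway; the per-host VirtualServices and the ext_authz exceptions keyed on `host:443` are unaffected by that merge.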