Implementation:Kubeflow Kubeflow Istio Certmanager Dex Setup
| Knowledge Sources | |
|---|---|
| Domains | Kubeflow, Platform Deployment, Service Mesh, Security |
| Last Updated | 2026-02-13 00:00 GMT |
Overview
Concrete tooling for deploying the core Kubeflow infrastructure services, using istioctl, kubectl, and the kustomize overlays in kubeflow/manifests.
Description
This implementation deploys Istio (service mesh and ingress), cert-manager (TLS certificate automation), and Dex (OIDC authentication) into a Kubernetes cluster using the kustomize overlays provided in the kubeflow/manifests repository. Each service is deployed sequentially with health checks between phases to ensure dependencies are satisfied before proceeding. The Istio deployment uses the istio-cni plugin for compatibility with PodSecurityStandards. Dex is configured with OIDC parameters including issuer URL, client ID, client secret, and redirect URIs.
Usage
Use this implementation after prerequisites validation has passed and the installation method has been confirmed as Kubeflow Manifests. These commands should be run from the root of the cloned kubeflow/manifests repository.
Code Reference
Source Location
- Repository: kubeflow/manifests
- File: common/cert-manager/, common/istio/, common/dex/
Signature
```bash
# cert-manager
kustomize build common/cert-manager/cert-manager/base | kubectl apply -f -
# Istio
kustomize build common/istio-1-22/istio-crds/base | kubectl apply -f -
kustomize build common/istio-1-22/istio-namespace/base | kubectl apply -f -
kustomize build common/istio-1-22/istio-install/overlays/helm | kubectl apply -f -
# Dex
kustomize build common/dex/overlays/istio | kubectl apply -f -
```
Import
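```bash
# Clone the manifests repository
git clone https://github.com/kubeflow/manifests.git
cd manifests
git checkout v1.9.0
# Ensure istioctl is installed (optional, for advanced Istio management)
curl -L https://istio.io/downloadIstio | sh -
# A glob is not expanded inside a variable assignment, so resolve the
# downloaded istio-* directory first and then export PATH
for istio_bin in "$PWD"/istio-*/bin; do
  [ -d "$istio_bin" ] && PATH="$istio_bin:$PATH"
done
export PATH
```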
I/O Contract
Inputs
| Name | Type | Required | Description |
|---|---|---|---|
| Kubernetes cluster access | kubeconfig | Yes | Valid kubeconfig with cluster-admin permissions |
| manifests repository | directory | Yes | Cloned kubeflow/manifests repo at a pinned release tag |
| Dex OIDC issuer | URL | Yes | The issuer URL for the Dex OIDC provider (e.g., http://dex.auth.svc.cluster.local:5556/dex) |
| Dex clientID | string | Yes | OAuth2 client ID for Kubeflow (default: kubeflow-oidc-authservice) |
| Dex clientSecret | string | Yes | OAuth2 client secret for the Kubeflow OIDC client |
| Dex redirectURIs | list | Yes | Allowed redirect URIs after authentication (e.g., /login/oidc) |
| istio-cni plugin | boolean | No | Whether to enable the Istio CNI plugin for PodSecurityStandards compliance. Defaults to true in recent manifests |
Outputs
| Name | Type | Description |
|---|---|---|
| istio-system namespace | namespace | Contains Istio control plane pods (istiod, istio-ingressgateway) |
| cert-manager namespace | namespace | Contains cert-manager controller, webhook, and cainjector pods |
| auth namespace | namespace | Contains Dex OIDC provider pod |
| Istio ingress gateway | service | LoadBalancer or NodePort service accepting external traffic |
| Dex OIDC endpoint | URL | OIDC discovery endpoint at /.well-known/openid-configuration |
Usage Examples
Basic Usage
```bash
# Navigate to the manifests repository root
cd manifests

# Phase 1: Deploy cert-manager
kustomize build common/cert-manager/cert-manager/base | kubectl apply -f -
echo "Waiting for cert-manager to be ready..."
kubectl wait --for=condition=ready pod -l app=cert-manager -n cert-manager --timeout=180s
kubectl wait --for=condition=ready pod -l app=webhook -n cert-manager --timeout=180s

# Phase 2: Deploy Istio CRDs, namespace, and control plane
kustomize build common/istio-1-22/istio-crds/base | kubectl apply -f -
kustomize build common/istio-1-22/istio-namespace/base | kubectl apply -f -
kustomize build common/istio-1-22/istio-install/overlays/helm | kubectl apply -f -
echo "Waiting for Istio to be ready..."
kubectl wait --for=condition=ready pod -l app=istiod -n istio-system --timeout=300s

# Phase 3: Deploy Dex OIDC provider
kustomize build common/dex/overlays/istio | kubectl apply -f -
echo "Waiting for Dex to be ready..."
kubectl wait --for=condition=ready pod -l app=dex -n auth --timeout=180s

# Verify all infrastructure pods
kubectl get pods -n cert-manager
kubectl get pods -n istio-system
kubectl get pods -n auth
```
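The Basic Usage commands run as a flat sequence, so a `kubectl wait` that times out does not stop the later phases from being applied. The following added example (not code from this page or from kubeflow/manifests) gates each phase on the previous one; the function names and the `POLL_TRIES` and `POLL_INTERVAL` variables are assumptions, while overlay paths, labels and timeouts are the ones used above.

```shell
#!/bin/sh
# Added example, not part of kubeflow/manifests. Function names and the
# POLL_TRIES / POLL_INTERVAL variables are assumptions made for illustration.

# wait_ready NAMESPACE SELECTOR TIMEOUT_SECONDS
# `kubectl wait` fails at once when the selector matches no pods yet, so poll
# until at least one pod exists, then block until every match is Ready.
wait_ready() {
  ns=$1 sel=$2 timeout=$3 tries=0
  while [ -z "$(kubectl get pods -n "$ns" -l "$sel" -o name 2>/dev/null)" ]; do
    tries=$((tries + 1))
    if [ "$tries" -ge "${POLL_TRIES:-30}" ]; then
      echo "no pods matching $sel appeared in $ns" >&2
      return 1
    fi
    sleep "${POLL_INTERVAL:-5}"
  done
  kubectl wait --for=condition=ready pod -l "$sel" -n "$ns" --timeout="${timeout}s"
}

# apply_overlay PATH
# Render the overlay completely before applying it, so a failed build is
# reported as such and nothing from it is sent to the cluster.
apply_overlay() {
  rendered=$(kustomize build "$1") || { echo "build failed: $1" >&2; return 1; }
  printf '%s\n' "$rendered" | kubectl apply -f -
}

# deploy_infra: the three phases from Basic Usage, each gated on the last.
# Any failing step short-circuits the && chain, so Dex is never applied on
# top of a cert-manager or Istio install that did not become Ready.
deploy_infra() {
  apply_overlay common/cert-manager/cert-manager/base &&
    wait_ready cert-manager app=cert-manager 180 &&
    wait_ready cert-manager app=webhook 180 &&
    apply_overlay common/istio-1-22/istio-crds/base &&
    apply_overlay common/istio-1-22/istio-namespace/base &&
    apply_overlay common/istio-1-22/istio-install/overlays/helm &&
    wait_ready istio-system app=istiod 300 &&
    apply_overlay common/dex/overlays/istio &&
    wait_ready auth app=dex 180
}
```

Source the file from the root of the manifests checkout and run `deploy_infra`; a non-zero exit status means a phase failed and every later phase was skipped.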
Related Pages
Implements Principle
Requires Environment
- Environment:Kubeflow_Kubeflow_Kubernetes_Cluster_Environment
- Environment:Kubeflow_Kubeflow_Kubectl_Kustomize_CLI_Environment
- Environment:Kubeflow_Kubeflow_Istio_Certmanager_Dex_Environment