Add an application to the ML platform
In the ML platform you can add additional applications with kubectl, Helm, or Kustomize.
You can open an application using a URL of the form https://myapp-yourdomain.mlops.selcloud.ru or add the application to the ML platform start page.
For applications that will be available online, you need to set up authorization.
Add a new application to the ML platform
To add a new application to the ML platform, you need to create an Ingress object. You do not need to create an Ingress Controller: in the ML platform, the Traefik controller is pre-installed in Managed Kubernetes clusters.
It is not necessary to obtain TLS certificates directly in the ML platform because the certificate is installed on the reverse proxy.
- Connect to the Managed Kubernetes cluster that was created when the ML platform was connected.
- Create a yaml file with a manifest for the Ingress object.
Manifest example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  namespace: <ml_platform_namespace>
  annotations:
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
  - hosts:
    - "myapp-<ml_platform_domain>"
    secretName: myapp-<ml_platform_domain>-cert
  rules:
  - host: "myapp-<ml_platform_domain>"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp
            port:
              number: 80

Specify:
  <ml_platform_namespace> — namespace of the ML platform;
  <ml_platform_domain> — URL of the form yourdomain.mlops.selcloud.ru that was issued after the ML platform was connected.
- Create the Ingress:
kubectl apply -f <ingress.yaml>
Specify <ingress.yaml> — name of the yaml file with the manifest for Ingress.
- Open the application at:
https://myapp-<ml_platform_domain>
Specify <ml_platform_domain> — URL of the form yourdomain.mlops.selcloud.ru that was issued after the ML platform was connected.
- Optional: add the application to the start page.
Add an application to the ML-platform start page
The ML platform start page is built with the Forecastle tool. It shows all the applications that run by default in a Managed Kubernetes cluster.
If you have added a new application to the ML platform, it can also be placed on the start page.
- Connect to the Managed Kubernetes cluster that was created when the ML platform was connected.
- Open the yaml file with the manifest for the application's Ingress and add the annotations to it:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  namespace: <ml_platform_namespace>
  annotations:
    traefik.ingress.kubernetes.io/router.tls: "true"
    forecastle.stakater.com/expose: "true"
    forecastle.stakater.com/appName: MyApp # Application name shown on the start page
    forecastle.stakater.com/group: MyAppsGroup # Group on the start page to which the application is added
    forecastle.stakater.com/icon: <app_icon_url>

Specify:
  <ml_platform_namespace> — namespace of the ML platform;
  <app_icon_url> — optional: image URL for the application icon.
- Apply the changes to the Ingress:
kubectl apply -f <ingress.yaml>
Specify <ingress.yaml> — name of the yaml file with the manifest for Ingress.
- Open the ML platform start page and check that the app has been added:
https://myapp-<ml_platform_domain>
Specify <ml_platform_domain> — URL of the form yourdomain.mlops.selcloud.ru that was issued after the ML platform was connected.
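The two procedures above write the Ingress by hand. As an added example (it is not part of the ML platform documentation or its tooling), the Python script below generates that same manifest from the application name, namespace and platform domain, optionally with the Forecastle annotations, and checks a manifest against the conventions the page states: the Traefik TLS annotation present, the host of the form <app>-<domain>, every rule host listed under spec.tls with a secretName, and appName present whenever the app is exposed on the start page. The namespace ml-platform and the domain yourdomain.mlops.selcloud.ru are constructed placeholders.

```python
import json

PLATFORM_DOMAIN = "yourdomain.mlops.selcloud.ru"  # constructed: use the domain issued for your ML platform


def build_ingress(app, namespace, domain, forecastle=None):
    """Build the Ingress from the page as a dict.

    forecastle is an optional dict with keys appName, group and (optionally) icon;
    when given, the Forecastle start-page annotations are added.
    """
    host = f"{app}-{domain}"
    annotations = {"traefik.ingress.kubernetes.io/router.tls": "true"}
    if forecastle:
        annotations["forecastle.stakater.com/expose"] = "true"
        annotations["forecastle.stakater.com/appName"] = forecastle["appName"]
        annotations["forecastle.stakater.com/group"] = forecastle["group"]
        if forecastle.get("icon"):
            annotations["forecastle.stakater.com/icon"] = forecastle["icon"]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": app, "namespace": namespace, "annotations": annotations},
        "spec": {
            # The certificate lives on the platform's reverse proxy, but the tls
            # entry and its secretName are still part of the manifest on the page.
            "tls": [{"hosts": [host], "secretName": f"{host}-cert"}],
            "rules": [{
                "host": host,
                "http": {"paths": [{
                    "path": "/",
                    "pathType": "Prefix",
                    "backend": {"service": {"name": app, "port": {"number": 80}}},
                }]},
            }],
        },
    }


def check_ingress(manifest, domain):
    """Return a list of problems; an empty list means the manifest follows the page's conventions."""
    problems = []
    meta = manifest.get("metadata", {})
    ann = meta.get("annotations", {})
    spec = manifest.get("spec", {})
    if not meta.get("namespace"):
        problems.append("metadata.namespace must be the ML platform namespace")
    if ann.get("traefik.ingress.kubernetes.io/router.tls") != "true":
        problems.append("router.tls annotation missing: Traefik would not serve the route over TLS")
    rule_hosts = [r.get("host") for r in spec.get("rules", [])]
    tls_hosts = [h for t in spec.get("tls", []) for h in t.get("hosts", [])]
    for host in rule_hosts:
        if not host or not host.endswith("-" + domain) or host == "-" + domain:
            problems.append(f"host {host!r} is not of the form <app>-{domain}")
        if host not in tls_hosts:
            problems.append(f"host {host!r} has no matching spec.tls entry")
    for t in spec.get("tls", []):
        if not t.get("secretName"):
            problems.append("spec.tls entry without secretName")
    if ann.get("forecastle.stakater.com/expose") == "true" and "forecastle.stakater.com/appName" not in ann:
        problems.append("Forecastle expose is set but appName is missing")
    return problems


if __name__ == "__main__":
    # kubectl accepts JSON manifests, so this can be piped into `kubectl apply -f -`.
    manifest = build_ingress("myapp", "ml-platform", PLATFORM_DOMAIN,
                             {"appName": "MyApp", "group": "MyAppsGroup"})
    assert check_ingress(manifest, PLATFORM_DOMAIN) == []
    print(json.dumps(manifest, indent=2))
```

Run it as `python3 make_ingress.py | kubectl apply -f -` from a shell already connected to the cluster; check_ingress can also be run on a manifest loaded from an existing yaml file (with PyYAML's yaml.safe_load) before applying it.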
Configure authorization for the application
If you've added an application to the ML platform, be sure to set up authorization.
The authorization setting depends on the protocols that the application supports:
- If the application supports authorization using OIDC/OAuth2/SAML protocols, create a Keycloak client;
- If the application does not support OIDC/OAuth2/SAML protocols or the application does not have authorization mechanisms, use gogatekeeper — it is a sidecar for Keycloak.
Authorization with OIDC
Create a Keycloak client and configure the application to authorize through the ML platform's Keycloak. When a user logs in to the application, a request is sent to the Keycloak client. If it succeeds, the user is logged into the app. Learn more about using Keycloak in the ML platform in the manual User management in Keycloak.
- Connect to the Managed Kubernetes cluster that was created when the ML platform was connected.
- Create a Keycloak client through the Keycloak control panel at
https://keycloak-<ml_platform_domain>/admin/cmlp/console/
or create a yaml file with a manifest for the KeycloakClient object.
Manifest example:
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: myapp-client
  namespace: <ml_platform_namespace>
spec:
  client:
    # Settings
    enabled: true
    clientId: "<appclient_name>"
    name: ""
    description: ''
    secret: "<password>"
    protocol: "openid-connect"
    redirectUris:
    - "https://<appclient_name>-.<ml_platform_namespace>/*" # URI from which the redirect to Keycloak happens
    rootUrl: "${authBaseUrl}"
    baseUrl: "/"
    publicClient: false
    bearerOnly: false
    serviceAccountsEnabled: false
    consentRequired: false
    directAccessGrantsEnabled: true
    implicitFlowEnabled: false
    frontchannelLogout: false
    standardFlowEnabled: true
    surrogateAuthRequired: false
    useTemplateConfig: true
    useTemplateMappers: true
    # Scopes
    useTemplateScope: true
    fullScopeAllowed: false
    defaultClientScopes:
    - "profile"
    - "email"
    # Roles
    protocolMappers:
    - config:
        access.token.claim: "true"
        id.token.claim: "false"
        included.custom.audience: <appclient_name>
      consentRequired: false
      name: Audience-forecastle-cmlp
      protocol: openid-connect
      protocolMapper: oidc-audience-mapper
  realmSelector:
    matchLabels:
      app.kubernetes.io/name: keycloak-realm-cmlp
      app.kubernetes.io/instance: keycloak-operator

Specify:
  <ml_platform_namespace> — namespace of the ML platform;
  <appclient_name> — unique name of the Keycloak client;
  <password> — password for the Keycloak client. Required to configure the application.
- Create the Keycloak client:
kubectl apply -f <keycloakclient.yaml>
Specify <keycloakclient.yaml> — name of the yaml file with the manifest that creates the Keycloak client.
- Verify that the client has been created: open the Security Admin Console application and go to Configure → Clients.
- Configure the application to authorize through the created Keycloak client:
  - use the python-keycloak Python library;
  - or, for Grafana, modify its configuration file, for example as described in Grafana's documentation.
Authorization with gogatekeeper
Gogatekeeper acts as a proxy between the application container and the service: it requests a JWT (JSON Web Token) and validates it before granting access to the application.
gogatekeeper-operator is installed in the ML platform as the injector.
- Connect to the Managed Kubernetes cluster that was created when the ML platform was connected.
- Create a yaml file with a manifest for the Gogatekeeper object in any namespace.
Manifest example:
apiVersion: gatekeeper.theendbeta.me/v1alpha1
kind: Gogatekeeper
metadata:
  name: gatekeeper-for-myapp
  namespace: mynamespace
spec:
  defaultconfig: |-
    upstream-url: http://127.0.0.1:80 # Port the myapp container listens on
    listen: :3000 # gogatekeeper port to which traffic will need to be switched
    listen-admin: :4000
    enable-refresh-tokens: true
    secure-cookie: false
    oidcurl: https://keycloak-<ml_platform_domain>/auth/realms/CMLP # Link to the realm

Specify <ml_platform_domain> — URL of the form yourdomain.mlops.selcloud.ru that was issued after the ML platform was connected.
Create Gogatekeeper:
kubectl apply -f <gogatekeeper.yaml>
Specify
<gogatekeeper.yaml>
— name of the yaml file with the manifest to create Gogatekeeper. -
Open the yaml file with the manifest for the Pod and add annotations to it:
apiVersion: v1
kind: Pod
metadata:
annotations:
gatekeeper.gogatekeeper: gatekeeper-for-myapp
gatekeeper.gogatekeeper/client-id: myapp # ID из KeycloakClient
gatekeeper.gogatekeeper/client-secret: <password>
gatekeeper.gogatekeeper/encryption-key: <another_password>
gatekeeper.gogatekeeper/redirection-url: https://myapp-<ml_platform_domain>
gatekeeper.gogatekeeper/upstream-url: http://127.0.0.1:80Specify:
<password>
— password for the Keycloak client. Required to configure the application;<another_password>
- another random password;<ml_platform_domain>
— URL of the formyourdomain.mlops.selcloud.ru
that was issued after the ML platform was connected.
- Apply the changes in the manifest:
kubectl apply -f <pod.yaml>
Specify <pod.yaml> — name of the yaml file with the manifest for the pod.
gogatekeeper-operator will add a gogatekeeper container to the running myapp pod. The pod will then have two containers: the original myapp container and the gogatekeeper sidecar container.
- Change the port for myapp from 80 (application port) to 3000 (gogatekeeper port).
- Check that gogatekeeper is running:
https://myapp-<ml_platform_domain>
Specify <ml_platform_domain> — URL of the form yourdomain.mlops.selcloud.ru that was issued after the ML platform was connected.
In incognito mode, the Keycloak login window will appear.