Add an application to the ML platform
In the ML platform you can add additional applications using kubectl, helm or kustomize.
You can open an application via a URL like https://myapp-yourdomain.mlops.selcloud.ru
or add the application to the ML platform start page.
Applications that will be reachable from the web must have authorization configured.
Add a new application to the ML platform
To add a new application to the ML platform, create an Ingress object. There is no need to create an Ingress Controller — a Traefik controller is pre-installed in the ML platform in Managed Kubernetes clusters.
It is not necessary to obtain TLS certificates directly in the ML platform because the certificate is installed on the reverse proxy.
- Connect to the Managed Kubernetes cluster that was created when the ML platform was connected.
- Create a yaml file with a manifest for the Ingress object.
Manifest example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  namespace: <ml_platform_namespace>
  annotations:
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
  - hosts:
    - "myapp-<ml_platform_domain>"
    secretName: myapp-<ml_platform_domain>-cert
  rules:
  - host: "myapp-<ml_platform_domain>"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp
            port:
              number: 80
Specify:
- <ml_platform_namespace> is the namespace (Namespace) of the ML platform;
- <ml_platform_domain> is a URL of the form yourdomain.mlops.selcloud.ru, which was issued after connecting the ML platform.
- Create the Ingress:
kubectl apply -f <ingress.yaml>
Specify <ingress.yaml>: the name of the yaml file with the manifest for the Ingress.
- Open the application at:
https://myapp-<ml_platform_domain>
Specify <ml_platform_domain>: a URL of the form yourdomain.mlops.selcloud.ru that was issued after connecting the ML platform.
- Optional: add the application to the ML platform start page.
Add the application to the ML-platform home page
The ML platform start page is powered by the Forecastle tool. On the page, you can see all the applications that are running by default in a Managed Kubernetes cluster.
If you added a new application to the ML platform, it can also be placed on the start page.
- Connect to the Managed Kubernetes cluster that was created when the ML platform was connected.
- Open the yaml file with the manifest for the application's Ingress and add the Forecastle annotations to it:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  namespace: <ml_platform_namespace>
  annotations:
    traefik.ingress.kubernetes.io/router.tls: "true"
    forecastle.stakater.com/expose: "true"
    forecastle.stakater.com/appName: MyApp # The name of the app to be shown on the start page
    forecastle.stakater.com/group: MyAppsGroup # The group on the start page to which the app will be added
    forecastle.stakater.com/icon: <app_icon_url>
Specify:
- <ml_platform_namespace> is the namespace (Namespace) of the ML platform;
- <app_icon_url> (optional) is the image URL for the application icon.
- Apply the changes to the Ingress:
kubectl apply -f <ingress.yaml>
Specify <ingress.yaml>: the name of the yaml file with the manifest for the Ingress.
- Open the ML platform start page and check that the application has been added:
https://myapp-<ml_platform_domain>
Specify <ml_platform_domain>: a URL of the form yourdomain.mlops.selcloud.ru that was issued after connecting the ML platform.
Configure authorization for the application
If you have added an application to the ML platform, be sure to set up authorization.
How authorization is set up depends on the protocols that the application supports:
- if the application supports authorization using the OIDC/OAuth2/SAML protocols, create a Keycloak client;
- if the application does not support the OIDC/OAuth2/SAML protocols, or has no authorization mechanism at all, use gogatekeeper, a sidecar for Keycloak.
Authorization using OIDC
Create a Keycloak client and configure the application to authorize through the ML platform's Keycloak. When a user logs in to the application, a request is sent to the Keycloak client; if the check passes, the user is logged into the application. Learn more about using Keycloak in the ML platform in the Managing Users in Keycloak instructions.
- Connect to the Managed Kubernetes cluster that was created when the ML platform was connected.
- Create a Keycloak client through the Keycloak control panel at
https://keycloak-<ml_platform_domain>/admin/cmlp/console/
or create a yaml file with a manifest for the KeycloakClient object.
Manifest example:
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: myapp-client
  namespace: <ml_platform_namespace>
spec:
  client:
    # Settings
    enabled: true
    clientId: "<appclient_name>"
    name: ""
    description: ""
    secret: "<password>"
    protocol: "openid-connect"
    redirectUris:
    - "https://<appclient_name>-.<ml_platform_namespace>/*" # URI to which Keycloak redirects after login
    rootUrl: "${authBaseUrl}"
    baseUrl: "/"
    publicClient: false
    bearerOnly: false
    serviceAccountsEnabled: false
    consentRequired: false
    directAccessGrantsEnabled: true
    implicitFlowEnabled: false
    frontchannelLogout: false
    standardFlowEnabled: true
    surrogateAuthRequired: false
    useTemplateConfig: true
    useTemplateMappers: true
    # Scopes
    useTemplateScope: true
    fullScopeAllowed: false
    defaultClientScopes:
    - "profile"
    - "email"
    # Roles
    protocolMappers:
    - config:
        access.token.claim: "true"
        id.token.claim: "false"
        included.custom.audience: <appclient_name>
      consentRequired: false
      name: Audience-forecastle-cmlp
      protocol: openid-connect
      protocolMapper: oidc-audience-mapper
  realmSelector:
    matchLabels:
      app.kubernetes.io/name: keycloak-realm-cmlp
      app.kubernetes.io/instance: keycloak-operator
Specify:
- <ml_platform_namespace> is the namespace (Namespace) of the ML platform;
- <appclient_name> is the unique name of the Keycloak client;
- <password> is the password (client secret) of the Keycloak client. You will need it to configure the application.
- Create the Keycloak client:
kubectl apply -f <keycloakclient.yaml>
Specify <keycloakclient.yaml>: the name of the yaml file with the manifest for the Keycloak client.
- Verify that the client has been created: open the Security Admin Console application and navigate to Configure → Clients.
- Configure the application to authorize through the created Keycloak client:
- use the python-keycloak Python library;
- or, if the application is Grafana, modify its configuration file following the example in the Grafana documentation.
Authorization using gogatekeeper
Gogatekeeper acts as a proxy between the application container and the service: it requests a JWT (JSON Web Token) and validates it before granting access to the application.
The ML platform has gogatekeeper-operator installed as an injector.
- Connect to the Managed Kubernetes cluster that was created when the ML platform was connected.
- Create a yaml file with a manifest for the Gogatekeeper object in any namespace.
Manifest example:
apiVersion: gatekeeper.theendbeta.me/v1alpha1
kind: Gogatekeeper
metadata:
  name: gatekeeper-for-myapp
  namespace: mynamespace
spec:
  defaultconfig: |-
    upstream-url: http://127.0.0.1:80 # Port on which the myapp container listens
    listen: :3000 # Port on which gogatekeeper listens; traffic is switched to it
    listen-admin: :4000
    enable-refresh-tokens: true
    secure-cookie: false
    oidcurl: https://keycloak-<ml_platform_domain>/auth/realms/CMLP # Link to the realm
Specify <ml_platform_domain>: a URL of the form yourdomain.mlops.selcloud.ru that was issued after connecting the ML platform.
Note that secure-cookie: false issues the session cookie without the Secure attribute; since the application is served over HTTPS through the reverse proxy, setting it to true keeps the browser from sending the cookie over plain HTTP.
- Create the Gogatekeeper:
kubectl apply -f <gogatekeeper.yaml>
Specify <gogatekeeper.yaml>: the name of the yaml file with the manifest for the Gogatekeeper.
- Open the yaml file with the manifest for the Pod and add annotations to it:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    gatekeeper.gogatekeeper: gatekeeper-for-myapp
    gatekeeper.gogatekeeper/client-id: myapp # ID from KeycloakClient
    gatekeeper.gogatekeeper/client-secret: <password>
    gatekeeper.gogatekeeper/encryption-key: <another_password>
    gatekeeper.gogatekeeper/redirection-url: https://myapp-<ml_platform_domain>
    gatekeeper.gogatekeeper/upstream-url: http://127.0.0.1:80
Specify:
- <password> is the password (client secret) of the Keycloak client; you will need it to configure the application;
- <another_password> is another arbitrary password;
- <ml_platform_domain> is a URL of the form yourdomain.mlops.selcloud.ru, which was issued after connecting the ML platform.
- Apply the changes in the manifest:
kubectl apply -f <pod.yaml>
Specify <pod.yaml>: the name of the yaml file with the manifest for the pod.
gogatekeeper-operator will add the gogatekeeper container as a sidecar to the pod running myapp. There will be two containers in the pod: the original myapp container and the gogatekeeper sidecar container.
- Change the port for myapp from 80 (application port) to 3000 (gogatekeeper port) so that traffic passes through the sidecar.
- Check that gogatekeeper is running:
https://myapp-<ml_platform_domain>
Specify <ml_platform_domain>: a URL of the form yourdomain.mlops.selcloud.ru that was issued after connecting the ML platform.
In incognito mode, the Keycloak login window will appear.