Add an application to the ML platform

Last update: April 08 2024

Add an application to the ML platform

In ML-platform you can add additional apps using kubectl, helm, kustomize.

You can open an app via a URL like https://myapp-yourdomain.mlops.selcloud.ru or add app to ML-platform start page.

For apps that will be available on the web, you need to configure authorization.

Add a new application to the ML platform⁠

To add a new application to the ML platform, you must create an object of the form Ingress. There is no need to create an Ingress Controller — there is a Traefik controller pre-installed in the ML platform in Managed Kubernetes clusters.

It is not necessary to obtain TLS certificates directly in the ML platform because the certificate is installed on the reverse proxy.

1. Connect to the Managed Kubernetes cluster that was created when connecting ML-platform.

2. Create a yaml file with a manifest for the Ingress object.

   Manifesto example:

   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: myapp
     namespace: <ml_platform_namespace>
     annotations:
       traefik.ingress.kubernetes.io/router.tls: "true"
   spec:
     tls:
       - hosts:
           - "myapp-<ml_platform_domain>"
         secretName: myapp-<ml_platform_domain>-cert
     rules:
       - host: "myapp-<ml_platform_domain>"
         http:
           paths:
             - path: /
               pathType: Prefix
               backend:
                 service:
                   name: myapp
                   port:
                     number: 80

   Specify:

   • <ml_platform_namespace> is the namespace (Namespace) of the ML platform;
   • <ml_platform_domain> — URL of the form yourdomain.mlops.selcloud.ru, which was given after connecting the ML platform.

3. Create Ingress:

   kubectl apply -f <ingress.yaml>

   Specify <ingress.yaml> is the name of the yaml file with the manifest for Ingress.

4. Open the application at:

   https://myapp-<ml_platform_domain>

   Specify <ml_platform_domain> — a URL of the form yourdomain.mlops.selcloud.ru that was issued after connecting the ML platform.

5. Configure authorization for app.

6. Optional: add-app-to-start-page.

Add the application to the ML-platform home page⁠

The ML platform start page is powered by the Forecastle tool. On the page, you can see all the applications that are running by default in a Managed Kubernetes cluster.

If you added a new app to ML-platform, it can also be placed on the start page.

1. Connect to the Managed Kubernetes cluster that was created when connecting ML-platform.

2. Open the yaml file with the manifest for the Ingress application and add annotations to it:

   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: myapp
     namespace: <ml_platform_namespace>
     annotations:
       traefik.ingress.kubernetes.io/router.tls: "true"
       forecastle.stakater.com/expose: "true"
       forecastle.stakater.com/appName: MyApp # The name of the app to be shown on the start page
       forecastle.stakater.com/group: MyAppsGroup # The group on the start page to which the app will be added
       forecastle.stakater.com/icon: <app_icon_url>

   Specify:

   • <ml_platform_namespace> is the namespace (Namespace) of the ML platform;
   • <app_icon_url> — optional: image URL for the application icon.

3. Apply the changes for Ingress:

   kubectl apply -f <ingress.yaml>

   Specify <ingress.yaml> is the name of the yaml file with the manifest for Ingress.

4. Open the ML platform start page and check that the app has been added:

   https://myapp-<ml_platform_domain>

   Specify <ml_platform_domain> — a URL of the form yourdomain.mlops.selcloud.ru that was issued after connecting the ML platform.

Configure authorization for the application⁠

If you've added an application to the ML platform, be sure to set up authorization.

The authorization setting depends on the protocols that the application supports:

• If the application supports authorization using OIDC/OAuth2/SAML protocols, create a Keycloak client;
• If the application does not support OIDC/OAuth2/SAML protocols or the application does not have authorization mechanisms, use gogatekeeper — it is a sidecar for Keycloak.

Авторизация при помощи OIDC

Create a Keycloak client and configure the application to authorize through the Keycloak ML platform. When the user logs in to the application, a request will be sent to the Keycloak client. If he fails it, the user can log into the app. Learn more about using Keycloak in the ML-platform in the Managing Users in Keycloak instructions.

1. Connect to the Managed Kubernetes cluster that was created when connecting ML-platform.

2. Create a Keycloak client through the Keycloak control panel at https://keycloak-<ml_platform_domain>/admin/cmlp/console/ or create a yaml file with a manifest for the KeycloakClient object.

   Manifesto example:

   apiVersion: keycloak.org/v1alpha1
   kind: KeycloakClient
   metadata:
     name: myapp-client
     namespace: <ml_platform_namespace>
   spec:
     client:
       # Settings
       enabled: true
       clientId: "<appclient_name>"
       name: ""
       description: ""
       secret: "<password>"
       protocol: "openid-connect"
       redirectUris:
         - "https://<appclient_name>-.<ml_platform_namespace>/*" # URI from which to redirect to Keycloak
       rootUrl: "${authBaseUrl}"
       baseUrl: "/"
       publicClient: false
       bearerOnly: false
       serviceAccountsEnabled: false
       consentRequired: false
       directAccessGrantsEnabled: true
       implicitFlowEnabled: false
       frontchannelLogout: false
       standardFlowEnabled: true
       surrogateAuthRequired: false
       useTemplateConfig: true
       useTemplateMappers: true
       # Scopes
       useTemplateScope: true
       fullScopeAllowed: false
       defaultClientScopes:
         - "profile"
         - "email"
       # Roles
       protocolMappers:
       - config:
           access.token.claim: "true"
           id.token.claim: "false"
           included.custom.audience: <appclient_name>
         consentRequired: false
         name: Audience-forecastle-cmlp
         protocol: openid-connect
         protocolMapper: oidc-audience-mapper
     realmSelector:
       matchLabels:
         app.kubernetes.io/name: keycloak-realm-cmlp
         app.kubernetes.io/instance: keycloak-operator

   Specify:

   • <ml_platform_namespace> is the namespace (Namespace) of the ML platform;
   • <appclient_name> is the unique name of the Keycloak client;
   • <password> is the password for the Keycloak client. You will need to customize the application.

3. Create a Keycloak client:

   kubectl apply -f <keycloakclient.yaml>

   Specify <keycloakclient.yaml> is the name of the yaml file with the manifest to create the Keycloak client.

4. Verify that the client has been created. Open the Security Admin Console application and navigate to Configure → Clients.

5. Configure the application to authorize through the created Keycloak client:

   • use the python library python-keycloak;
   • or use Grafana and modify the configuration file at примеру from the Grafana documentation.

Авторизация при помощи gogatekeeper

Gogatekeeper acts as a proxy between the application container and the service, requesting a JWT (JSON Web Token) and validating it to grant access to the application.

The ML platform has gogatekeeper-operator installed as Injector.

1. Connect to the Managed Kubernetes cluster that was created when connecting ML-platform.

2. Create a yaml file with a manifest for the Gogatekeeper object in any namespace.

   Manifesto example:

   apiVersion: gatekeeper.theendbeta.me/v1alpha1
   kind: Gogatekeeper
   metadata:
     name: gatekeeper-for-myapp
     namespace: mynamespace
   spec:
     defaultconfig: |-
       upstream-url: http://127.0.0.1:80 # Port on which the myapp container listens
       listen: :3000 # Port of gogatekeeper to switch traffic to
       listen-admin: :4000
       enable-refresh-tokens: true
       secure-cookie: false
     oidcurl: https://keycloak-<ml_platform_domain>/auth/realms/CMLP # Link to Realm

   Specify <ml_platform_domain> — a URL of the form yourdomain.mlops.selcloud.ru that was issued after connecting the ML platform.

3. Create Gogatekeeper:

   kubectl apply -f <gogatekeeper.yaml>

   Specify <gogatekeeper.yaml> is the name of the yaml file with the manifest to create Gogatekeeper.

4. Open the yaml file with the manifest for the Pod and add annotations to it:

   apiVersion: v1
   kind: Pod
   metadata:
     annotations:
       gatekeeper.gogatekeeper: gatekeeper-for-myapp
       gatekeeper.gogatekeeper/client-id: myapp # ID from KeycloakClient
       gatekeeper.gogatekeeper/client-secret: <password>
       gatekeeper.gogatekeeper/encryption-key: <another_password>
       gatekeeper.gogatekeeper/redirection-url: https://myapp-<ml_platform_domain>
       gatekeeper.gogatekeeper/upstream-url: http://127.0.0.1:80

   Specify:

   • <password> is the password for the Keycloak client. You will need to customize the application;
   • <another_password>-another arbitrary password;
   • <ml_platform_domain> — URL of the form yourdomain.mlops.selcloud.ru, which was given after connecting the ML platform.

5. Apply the changes in the manifest:

   kubectl apply -f <pod.yaml>

   Specify <pod.yaml> is the name of the yaml file with the manifest for the feed.

   gogatekeeper-operator will add the gogatekeeper container to the gogatekeeper container running under myapp. There will be two containers in the pod: the original myapp container and the sidecar container gogatekeeper.

6. Change the port in myapp from 80 (application port) to 3000 (gogatekeeper port).

7. Check that gogatekeeper is running:

   https://myapp-<ml_platform_domain>

   Specify <ml_platform_domain> — a URL of the form yourdomain.mlops.selcloud.ru that was issued after connecting the ML platform.

   In incognito mode, the Keycloak login window will appear.