Skip to main content
Add an application to the ML platform
Last update:

Add an application to the ML platform

In the ML platform you can add additional applications with kubectl, helm, kustomize.

You can open an application using a URL of the form https://myapp-yourdomain.mlops.selcloud.ru or add the application to the ML-platform home page.

For applications that will be available online, you need to set up authorization.

Add a new application to the ML platform

To add a new application to the ML-platform, you need to create an object of the form Ingress. Ingress Controller does not need to be created — in the ML platform, the Traefik controller is pre-installed in Managed Kubernetes clusters.

It is not necessary to obtain TLS certificates directly in the ML platform because the certificate is installed on the reverse proxy.

  1. Connect to a Managed Kubernetes cluster which was created under the auspices ML platform connection.

  2. Create a yaml file with a manifest for the Ingress object.

    Manifesto example:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: myapp
      namespace: <ml_platform_namespace>
      annotations:
        traefik.ingress.kubernetes.io/router.tls: "true"
    spec:
      tls:
        - hosts:
            - "myapp-<ml_platform_domain>"
          secretName: myapp-<ml_platform_domain>-cert
      rules:
        - host: "myapp-<ml_platform_domain>"
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: myapp
                    port:
                      number: 80

    Specify:

    • <ml_platform_namespace> — Namespace (Namespace) of the ML platform;
    • <ml_platform_domain> — URL of the form yourdomain.mlops.selcloud.ruthat was issued after the ML platform was connected.

  3. Create Ingress:

    kubectl apply -f <ingress.yaml>

    Specify <ingress.yaml> — name of the yaml file with the manifest for Ingress.

  4. Open the application at:

    https://myapp-<ml_platform_domain>

    Specify <ml_platform_domain> — URL of the form yourdomain.mlops.selcloud.ruthat was issued after the ML platform was connected.

  5. Configure authorization for the application.

  6. Optional: add the application to the home page.

Add an application to the ML-platform start page

The ML platform start page works with the help of the tool Forecastle. The page allows you to see all the applications that are running by default in a Managed Kubernetes cluster.

If you're added a new application into the ML platform, it can also be placed on the home page.

  1. Connect to a Managed Kubernetes cluster which was created under the auspices ML platform connection.

  2. Open the yaml file with the manifest for the Ingress application and add annotations to it:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: myapp
      namespace: <ml_platform_namespace>
      annotations:
        traefik.ingress.kubernetes.io/router.tls: "true"
        forecastle.stakater.com/expose: "true"
        forecastle.stakater.com/appName: MyApp # Название приложения, которое будет показано на стартовой странице
        forecastle.stakater.com/group: MyAppsGroup # Группа на стартовой странице, в которую добавится приложение
        forecastle.stakater.com/icon: <app_icon_url>

    Specify:

    • <ml_platform_namespace> — Namespace (Namespace) of the ML platform;
    • <app_icon_url> — optional: image URL for the application icon.

  3. Apply the changes for Ingress:

    kubectl apply -f <ingress.yaml>

    Specify <ingress.yaml> — name of the yaml file with the manifest for Ingress.

  4. Open the ML platform start page and check that the app has been added:

    https://myapp-<ml_platform_domain>

    Specify <ml_platform_domain> — URL of the form yourdomain.mlops.selcloud.ruthat was issued after the ML platform was connected.

Configure authorization for the application

If you've added an application to the ML platform, be sure to set up authorization.

The authorization setting depends on the protocols that the application supports:

  • If the application supports authorization using OIDC/OAuth2/SAML protocols, create a Keycloak client;
  • If the application does not support OIDC/OAuth2/SAML protocols or the application does not have authorization mechanisms, use gogatekeeper — it is a sidecar for Keycloak.

Create a Keycloak client and configure the application to authorize through the Keycloak ML platform. When the user authorizes in the application, a request will be sent to the Keycloak client. If it fails it, the user will be able to log into the app. Learn more about using Keycloak in the ML-platform in the manual User management in Keycloak.

  1. Connect to a Managed Kubernetes cluster which was created under the auspices ML platform connection.

  2. Create a Keycloak client through the Keycloak control panel at https://keycloak-<ml_platform_domain>/admin/cmlp/console/ or create a yaml file with a manifest for the KeycloakClient object.

    Manifesto example:

    apiVersion: keycloak.org/v1alpha1
    kind: KeycloakClient
    metadata:
      name: myapp-client
      namespace: <ml_platform_namespace>
    spec:
      client:
        # Settings
        enabled: true
        clientId: "<appclient_name>"
        name: ""
        description: ''
        secret: "<password>"
        protocol: "openid-connect"
        redirectUris:
          - "https://<appclient_name>-.<ml_platform_namespace>/*" # URI, с которого будет происходить редирект в Keycloak
        rootUrl: "${authBaseUrl}"
        baseUrl: "/"
        publicClient: false
        bearerOnly: false
        serviceAccountsEnabled: false
        consentRequired: false
        directAccessGrantsEnabled: true
        implicitFlowEnabled: false
        frontchannelLogout: false
        standardFlowEnabled: true
        surrogateAuthRequired: false
        useTemplateConfig: true
        useTemplateMappers: true
        # Scopes
        useTemplateScope: true
        fullScopeAllowed: false
        defaultClientScopes:
          - "profile"
          - "email"
        # Roles
        protocolMappers:
        - config:
            access.token.claim: "true"
            id.token.claim: "false"
            included.custom.audience: <appclient_name>
          consentRequired: false
          name: Audience-forecastle-cmlp
          protocol: openid-connect
          protocolMapper: oidc-audience-mapper
      realmSelector:
        matchLabels:
          app.kubernetes.io/name: keycloak-realm-cmlp
          app.kubernetes.io/instance: keycloak-operator

    Specify:

    • <ml_platform_namespace> — Namespace (Namespace) of the ML platform;
    • <appclient_name> — Keycloak client's unique name;
    • <password> — password for the Keycloak client. Required to configure the application.

  3. Create a Keycloak client:

    kubectl apply -f <keycloakclient.yaml>

    Specify <keycloakclient.yaml> — name of the yaml file with the manifest to create the Keycloak client.

  4. Verify that the client has been created. Open the Security Admin Console application and go to ConfigureClients.

  5. Configure the application to authorize through the created Keycloak client:

    • use the python library python-keycloak;
    • or use Grafana and modify the configuration file by for example from Grafana's documentation.