Add an application to the ML platform

Last update: June 04 2026

In the ML platform, you can add additional applications using kubectl, helm, or kustomize.

You can open the application using a URL like https://myapp-yourdomain.mlops.selcloud.ru or add the application to the ML platform home page.

For applications that will be accessible on the internet, you must configure authorization.

Add a new application to the ML platform

To add a new application to the ML platform, you need to create an object of type Ingress. You do not need to create an Ingress Controller—the Traefik controller is preinstalled in ML platform Managed Kubernetes clusters.

There is no need to obtain TLS certificates directly in the ML platform, as the certificate is installed on the reverse proxy.

1. Connect to the Managed Kubernetes cluster that was created when connecting the ML platform.

2. Create a yaml file with a manifest for the Ingress object.

   Example manifest:

   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: myapp
     namespace: <ml_platform_namespace>
     annotations:
       traefik.ingress.kubernetes.io/router.tls: "true"
   spec:
     tls:
       - hosts:
           - "myapp-<ml_platform_domain>"
         secretName: myapp-<ml_platform_domain>-cert
     rules:
       - host: "myapp-<ml_platform_domain>"
         http:
           paths:
             - path: /
               pathType: Prefix
               backend:
                 service:
                   name: myapp
                   port:
                     number: 80

   Specify:

   • <ml_platform_namespace> — ML platform Namespace (Namespace);
   • <ml_platform_domain> — a URL like yourdomain.mlops.selcloud.ru, which was issued after connecting the ML platform.

3. Create an Ingress:

   kubectl apply -f <ingress.yaml>

   Specify <ingress.yaml> — the name of the yaml file with the Ingress manifest.

4. Open the application at the address:

   https://myapp-<ml_platform_domain>

   Specify <ml_platform_domain> — a URL like yourdomain.mlops.selcloud.ru, which was issued after connecting the ML platform.

5. Configure authorization for the application.

6. Optional: add the application to the home page.

Add an application to the ML platform home page

The ML platform home page works using the Forecastle tool. You can view all applications that are running by default in the Managed Kubernetes cluster on this page.

If you have added a new application to the ML platform, you can also place it on the home page.

1. Connect to the Managed Kubernetes cluster that was created when connecting the ML platform.

2. Open the yaml file with the manifest for the application Ingress and add annotations to it:

   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: myapp
     namespace: <ml_platform_namespace>
     annotations:
       traefik.ingress.kubernetes.io/router.tls: "true"
       forecastle.stakater.com/expose: "true"
       forecastle.stakater.com/appName: MyApp # App name shown on the start page
       forecastle.stakater.com/group: MyAppsGroup # Group on the start page where the app will be added
       forecastle.stakater.com/icon: <app_icon_url>

   Specify:

   • <ml_platform_namespace> — ML platform Namespace (Namespace);
   • <app_icon_url> — optional: URL for the application icon.

3. Apply the changes for the Ingress:

   kubectl apply -f <ingress.yaml>

   Specify <ingress.yaml> — the name of the yaml file with the Ingress manifest.

4. Open the ML platform home page and verify that the application has been added:

   https://myapp-<ml_platform_domain>

   Specify <ml_platform_domain> — a URL like yourdomain.mlops.selcloud.ru, which was issued after connecting the ML platform.

Configure authorization for the application

If you have added an application to the ML platform, be sure to configure authorization.

Authorization setup depends on the protocols supported by the application:

• if the application supports authorization using OIDC/OAuth2/SAML protocols, create a Keycloak client;
• if the application does not support OIDC/OAuth2/SAML protocols or has no authorization mechanisms, use gogatekeeper—this is a sidecar for Keycloak.

Authorization using OIDC

Create a Keycloak client and configure authorization for the application via the ML platform's Keycloak. When a user authorizes in the application, a request is sent to the Keycloak client. If validated, the user can access the application. Learn more about using Keycloak in the ML platform in the Managing users in Keycloak guide.

1. Connect to the Managed Kubernetes cluster that was created when connecting the ML platform.

2. Create a Keycloak client via the Keycloak control panel at https://keycloak-<ml_platform_domain>/admin/cmlp/console/ or create a yaml file with a manifest for a KeycloakClient object.

   Example manifest:

   apiVersion: keycloak.org/v1alpha1
   kind: KeycloakClient
   metadata:
     name: myapp-client
     namespace: <ml_platform_namespace>
   spec:
     client:
       # Settings
       enabled: true
       clientId: "<appclient_name>"
       name: ""
       description: ''
       secret: "<password>"
       protocol: "openid-connect"
       redirectUris:
         - "https://<appclient_name>-.<ml_platform_namespace>/*" # URI from which redirect to Keycloak occurs
       rootUrl: "${authBaseUrl}"
       baseUrl: "/"
       publicClient: false
       bearerOnly: false
       serviceAccountsEnabled: false
       consentRequired: false
       directAccessGrantsEnabled: true
       implicitFlowEnabled: false
       frontchannelLogout: false
       standardFlowEnabled: true
       surrogateAuthRequired: false
       useTemplateConfig: true
       useTemplateMappers: true
       # Scopes
       useTemplateScope: true
       fullScopeAllowed: false
       defaultClientScopes:
         - "profile"
         - "email"
       # Roles
       protocolMappers:
       - config:
           access.token.claim: "true"
           id.token.claim: "false"
           included.custom.audience: <appclient_name>
         consentRequired: false
         name: Audience-forecastle-cmlp
         protocol: openid-connect
         protocolMapper: oidc-audience-mapper
     realmSelector:
       matchLabels:
         app.kubernetes.io/name: keycloak-realm-cmlp
         app.kubernetes.io/instance: keycloak-operator

   Specify:

   • <ml_platform_namespace> — ML platform Namespace (Namespace);
   • <appclient_name> — a unique name for the Keycloak client;
   • <password> — password for the Keycloak client. Required for application configuration.

3. Create a Keycloak client:

   kubectl apply -f <keycloakclient.yaml>

   Specify <keycloakclient.yaml> — the name of the yaml file with the manifest to create the Keycloak client.

4. Verify that the client has been created: open the Security Admin Console application and go to Configure → Clients.

5. Configure the application for authorization via the created Keycloak client:

   • use the python-library python-keycloak;
   • or use Grafana and modify the configuration file following the example from the Grafana documentation.

Authorization using gogatekeeper

Gogatekeeper acts as a proxy between the application container and the service, requests a JWT (JSON Web Token), and validates it to grant access to the application.

The gogatekeeper-operator is installed as the Injector in the ML platform.

1. Connect to the Managed Kubernetes cluster that was created when connecting the ML platform.

2. Create a yaml file with a manifest for a Gogatekeeper object in any namespace.

   Example manifest:

   apiVersion: gatekeeper.theendbeta.me/v1alpha1
   kind: Gogatekeeper
   metadata:
     name: gatekeeper-for-myapp
     namespace: mynamespace
   spec:
     defaultconfig: |-
       upstream-url:          http://127.0.0.1:80 # Port where myapp container listens
       listen:                :3000 # gogatekeeper port that traffic should be switched to
       listen-admin:          :4000
       enable-refresh-tokens: true
       secure-cookie:         false
     oidcurl: https://keycloak-<ml_platform_domain>/auth/realms/CMLP # Realm URL

   Specify <ml_platform_domain> — a URL like yourdomain.mlops.selcloud.ru, which was issued after connecting the ML platform.

3. Create Gogatekeeper:

   kubectl apply -f <gogatekeeper.yaml>

   Specify <gogatekeeper.yaml> — the name of the yaml file with the manifest to create Gogatekeeper.

4. Open the yaml file with the manifest for the Pod and add annotations to it:

   apiVersion: v1
   kind: Pod
   metadata:
     annotations:
       gatekeeper.gogatekeeper: gatekeeper-for-myapp
       gatekeeper.gogatekeeper/client-id: myapp # ID from KeycloakClient
       gatekeeper.gogatekeeper/client-secret: <password>
       gatekeeper.gogatekeeper/encryption-key: <another_password>
       gatekeeper.gogatekeeper/redirection-url: https://myapp-<ml_platform_domain>
       gatekeeper.gogatekeeper/upstream-url: http://127.0.0.1:80

   Specify:

   • <password> — password for the Keycloak client. Required for application configuration;
   • <another_password> — another arbitrary password;
   • <ml_platform_domain> — a URL like yourdomain.mlops.selcloud.ru, which was issued after connecting the ML platform.

5. Apply the changes in the manifest:

   kubectl apply -f <pod.yaml>

   Specify <pod.yaml> — the name of the yaml file with the pod manifest.

   gogatekeeper-operator will add the gogatekeeper container to the running pod myapp. The pod will have two containers: the original container myapp and the sidecar-container gogatekeeper.

6. Change the port in myapp from 80 (application port) to 3000 (gogatekeeper port).

7. Check that gogatekeeper is running:

   https://myapp-<ml_platform_domain>

   Specify <ml_platform_domain> — a URL like yourdomain.mlops.selcloud.ru, which was issued after connecting the ML platform.

   In incognito mode, a Keycloak login window will appear.