Add an application to the ML platform

Last update: April 16 2026

In the ML platform, you can add additional applications using kubectl, helm, kustomize.

You can open the app via a URL like https://myapp-yourdomain.mlops.selcloud.ru or add the app to the ML platform start page.

For applications that will be available online, you need to set up authorization.

Add a new application to the ML platform

To add a new application to the ML platform, you need to create an Ingress object. You do not need to create an Ingress Controller - a Traefik controller is pre-installed in the ML-platform in Managed Kubernetes clusters.

It is not necessary to obtain TLS certificates directly in the ML platform because the certificate is installed on the reverse proxy.

1. Connect to the Managed Kubernetes cluster that was created when ML platform.

2. Create a yaml file with a manifest for the Ingress object.

   Manifesto example:

   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: myapp
     namespace: <ml_platform_namespace>
     annotations:
       traefik.ingress.kubernetes.io/router.tls: "true"
   spec:
     tls:
       - hosts:
           - "myapp-<ml_platform_domain>"
         secretName: myapp-<ml_platform_domain>-cert
     rules:
       - host: "myapp-<ml_platform_domain>"
         http:
           paths:
             - path: /
               pathType: Prefix
               backend:
                 service:
                   name: myapp
                   port:
                     number: 80

   Specify:

   • <ml_platform_namespace> - Namespace of the ML platform;
   • <ml_platform_domain> - URL of the form yourdomain.mlops.selcloud.ru which was given after connecting ML-platform.

3. Create Ingress:

   kubectl apply -f <ingress.yaml>

   Specify <ingress.yaml> is the name of the yaml file with the manifest for Ingress.

4. Open the application at:

   https://myapp-<ml_platform_domain>

   Specify <ml_platform_domain> - URL of the form yourdomain.mlops.selcloud.ru, which was issued after connecting ML-platform.

5. Configure authorization for the application.

6. Optional: add the app to your start page.

Add an application to the ML-platform start page

The ML platform start page is powered by the Forecastle tool. On the page you can see all the applications that are running in the Managed Kubernetes cluster by default.

If you've added a new app to the ML platform, it can also be placed on the home page.

1. Connect to the Managed Kubernetes cluster that was created when ML platform.

2. Open the yaml file with the manifest for the Ingress application and add annotations to it:

   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: myapp
     namespace: <ml_platform_namespace>
     annotations:
       traefik.ingress.kubernetes.io/router.tls: "true"
       forecastle.stakater.com/expose: "true"
       forecastle.stakater.com/appName: MyApp # App name shown on the start page
       forecastle.stakater.com/group: MyAppsGroup # Group on the start page where the app will be added
       forecastle.stakater.com/icon: <app_icon_url>

   Specify:

   • <ml_platform_namespace> - Namespace of the ML platform;
   • <app_icon_url> - optional: URL of the image for the app icon.

3. Apply the changes for Ingress:

   kubectl apply -f <ingress.yaml>

   Specify <ingress.yaml> is the name of the yaml file with the manifest for Ingress.

4. Open the ML platform start page and check that the app has been added:

   https://myapp-<ml_platform_domain>

   Specify <ml_platform_domain> - URL of the form yourdomain.mlops.selcloud.ru, which was issued after connecting ML-platform.

Configure authorization for the application

If you've added an application to the ML platform, be sure to set up authorization.

The authorization setting depends on the protocols that the application supports:

• If the application supports authorization using OIDC/OAuth2/SAML protocols, create a Keycloak client;
• If the application does not support OIDC/OAuth2/SAML protocols or the application does not have authorization mechanisms, use gogatekeeper - it is a sidecar for Keycloak.

Authorization with OIDC

Create a Keycloak client and configure the application to authorize through the Keycloak ML platform. When the user authorizes in the application, a request will be sent to the Keycloak client. If it fails it, the user will be able to log into the app. For more information about using Keycloak in ML-platform, see the Managing Users in Keycloak instructions.

1. Connect to the Managed Kubernetes cluster that was created when ML platform.

2. Create a Keycloak client through the Keycloak control panel at https://keycloak-<ml_platform_domain>/admin/cmlp/console/ or create a yaml file with a manifest for the KeycloakClient object.

   Manifesto example:

   apiVersion: keycloak.org/v1alpha1
   kind: KeycloakClient
   metadata:
     name: myapp-client
     namespace: <ml_platform_namespace>
   spec:
     client:
       # Settings
       enabled: true
       clientId: "<appclient_name>"
       name: ""
       description: ''
       secret: "<password>"
       protocol: "openid-connect"
       redirectUris:
         - "https://<appclient_name>-.<ml_platform_namespace>/*" # URI from which redirect to Keycloak occurs
       rootUrl: "${authBaseUrl}"
       baseUrl: "/"
       publicClient: false
       bearerOnly: false
       serviceAccountsEnabled: false
       consentRequired: false
       directAccessGrantsEnabled: true
       implicitFlowEnabled: false
       frontchannelLogout: false
       standardFlowEnabled: true
       surrogateAuthRequired: false
       useTemplateConfig: true
       useTemplateMappers: true
       # Scopes
       useTemplateScope: true
       fullScopeAllowed: false
       defaultClientScopes:
         - "profile"
         - "email"
       # Roles
       protocolMappers:
       - config:
           access.token.claim: "true"
           id.token.claim: "false"
           included.custom.audience: <appclient_name>
         consentRequired: false
         name: Audience-forecastle-cmlp
         protocol: openid-connect
         protocolMapper: oidc-audience-mapper
     realmSelector:
       matchLabels:
         app.kubernetes.io/name: keycloak-realm-cmlp
         app.kubernetes.io/instance: keycloak-operator

   Specify:

   • <ml_platform_namespace> - Namespace of the ML platform;
   • <appclient_name> - The unique name of the Keycloak client;
   • <password> - password for the Keycloak client. Required to configure the application.

3. Create a Keycloak client:

   kubectl apply -f <keycloakclient.yaml>

   Specify <keycloakclient.yaml> is the name of the manifest yaml file to create the Keycloak client.

4. Verify that the client has been created: open the Security Admin Console application and go to Configure → Clients.

5. Configure the application to authorize through the created Keycloak client:

   • use the python library python-keycloak;
   • or use Grafana and modify the configuration file following the example in the Grafana documentation.

Authorization with gogatekeeper

Gogatekeeper acts as a proxy between the application container and the service, requesting a JWT (JSON Web Token) and validating it to grant access to the application.

The ML platform has gogatekeeper-operator installed as Injector.

1. Connect to the Managed Kubernetes cluster that was created when ML platform.

2. Create a yaml file with a manifest for the Gogatekeeper object in any namespace.

   Manifesto example:

   apiVersion: gatekeeper.theendbeta.me/v1alpha1
   kind: Gogatekeeper
   metadata:
     name: gatekeeper-for-myapp
     namespace: mynamespace
   spec:
     defaultconfig: |-
       upstream-url:          http://127.0.0.1:80 # Port where myapp container listens
       listen:                :3000 # gogatekeeper port that traffic should be switched to
       listen-admin:          :4000
       enable-refresh-tokens: true
       secure-cookie:         false
     oidcurl: https://keycloak-<ml_platform_domain>/auth/realms/CMLP # Realm URL

   Specify <ml_platform_domain> - URL of the form yourdomain.mlops.selcloud.ru, which was issued after connecting ML-platform.

3. Create Gogatekeeper:

   kubectl apply -f <gogatekeeper.yaml>

   Specify <gogatekeeper.yaml> is the name of the yaml file with the manifest to create Gogatekeeper..

4. Open the yaml file with the manifest for the Pod and add annotations to it:

   apiVersion: v1
   kind: Pod
   metadata:
     annotations:
       gatekeeper.gogatekeeper: gatekeeper-for-myapp
       gatekeeper.gogatekeeper/client-id: myapp # ID from KeycloakClient
       gatekeeper.gogatekeeper/client-secret: <password>
       gatekeeper.gogatekeeper/encryption-key: <another_password>
       gatekeeper.gogatekeeper/redirection-url: https://myapp-<ml_platform_domain>
       gatekeeper.gogatekeeper/upstream-url: http://127.0.0.1:80

   Specify:

   • <password> - password for the Keycloak client. Required to configure the application;
   • <another_password> - another random password;
   • <ml_platform_domain> - URL of the form yourdomain.mlops.selcloud.ru which was given after connecting ML-platform.

5. Apply the changes in the manifest:

   kubectl apply -f <pod.yaml>

   Specify <pod.yaml> is the name of the yaml file with the manifest for the pod.

   gogatekeeper-operator will add a gogatekeeper container to the running under myapp. The pod will have two containers: the original myapp container and the sidecar container of gogatekeeper.

6. Change the port in myapp from 80 (application port) to 3000 (gogatekeeper port).

7. Check that gogatekeeper is running:

   https://myapp-<ml_platform_domain>

   Specify <ml_platform_domain> - URL of the form yourdomain.mlops.selcloud.ru, which was issued after connecting ML-platform.

   In incognito mode, the Keycloak login window will appear.