Azure AD¶
This section will guide you through using Azure AD as an OIDC provider for Kubeflow.
Overview
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- A working Rok deployment.
- A working Kubeflow deployment.
- Access to the cluster running services.
- An existing Azure account that has an active subscription.
Procedure¶
Sign in to the Azure portal.
Optional
If you have access to multiple tenants, use the Directories+subscriptions filter in the top menu to switch to the tenant in which you want to register the application.
Search for and select Azure Active Directory.
Under the Manage section, select App registrations.
Then, select New registration.
For the new registration:
Enter a display name for your application:
¶ Display Name rok-<REGION>-<CLUSTERNAME>-authservice
Replace:
<REGION>
with the region of your cluster, for examplenorthamerica-northeast1-b
.<CLUSTERNAME>
with the name of your cluster, for examplearrikto-cluster
.
Select Accounts in this organizational directory only.
Note
By selecting this option, you can specify that only the users (or guests) in your tenant will use the application that you are building.
In the Redirect URI section, select Web and enter
https://<FQDN>/authservice/oidc/callback
.Replace
<FQDN>
with the FQDN for your cluster, for examplearrikto-cluster.apps.example.com
.Click Register.
The Azure portal will redirect you to the Overview page. From there, find the Application (client) ID field and copy its value to your clipboard, as you are going to use this value in later steps.
Retrieve the issuer URL.
Click on the Endpoints tab
From the value of the OpenID Connect metadata document field, retrieve the issuer URL by discarding the
well-known
path.For example if the value is
https://login.microsoftonline.com/2bf793e0-71b3-4a6c-ba8a-96a6755de088/v2.0/.well-known/openid-configuration
then the issuer URL will behttps://login.microsoftonline.com/2bf793e0-71b3-4a6c-ba8a-96a6755de088/v2.0
.Copy this value to your clipboard, as you are going to use this value in later steps.
Under the Manage section, select Certificates & secrets.
Then, select New client secret.
For the new client secret:
Add a description.
Determine an expiration date.
Important
The maximum expiration date that you can set is 24 months. After that period of time you will need to regenerate the secret for your client.
Click Add.
Now you can retrieve the generated client secret under the Value column. Copy its value to your clipboard, as you are going to use this value in later steps.
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:/# cd ~/ops/deploymentsSpecify the client ID:
root@rok-tools:~/tools/deployments# export OIDC_CLIENT_ID=<CLIENT_ID>Replace
<CLIENT_ID>
with the client ID you copied in step 7.Specify the client secret:
root@rok-tools:~/tools/deployments# export OIDC_CLIENT_SECRET=<CLIENT_SECRET>Replace
<CLIENT_SECRET>
with the client secret you copied in step 12.Render the AuthService credentials:
root@rok-tools:~/tools/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \ > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.envSet the public URL of your EKF installation:
root@rok-tools:~/tools/deployments# export FQDN=<FQDN>Replace
<FQDN>
with your installation’s public URL. For example:root@rok-tools:~/tools/deployments# export FQDN=arrikto-cluster.apps.example.comSet the public URL of your application:
root@rok-tools:~/tools/deployments# export OIDC_PROVIDER=<ISSUER>Replace
<ISSUER>
with the issuer URL you copied in step 8b.Configure AuthService to convert user emails to usernames:
root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@<DOMAIN>", "replaces": "" }]'Replace
<DOMAIN>
with the domain of your organization. For example:root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@example\\.com", "replaces": "" }]'Make sure to include
\\
. With this example domain, AuthService will convert user IDs likeuser@example.com
intouser
.Note
USERID_TRANSFORMERS
accepts a JSON formatted list of UserID transformation rules with the following format:USERID_TRANSFORMERS=[{"matches": "regex", "replaces": "value" }]AuthService will transform the UserID by finding the first transformation rule that matches
regex
and replacing it withvalue
.Set the Azure AD settings and render the AuthService configuration:
root@rok-tools:~/ops/deployments# export USERID_CLAIM=email root@rok-tools:~/ops/deployments# export OIDC_SCOPES=profile,email,openid root@rok-tools:~/ops/deployments# export AUTHSERVICE_URL_PREFIX=https://${FQDN?}/authservice/ root@rok-tools:~/ops/deployments# export TEMPLATE_PATH='' root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env.j2 \ > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.envSee also
Commit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Use the Azure AD OIDC provider for Kubeflow authentication"Apply the manifests:
root@rok-tools:~/ops/deployments# rok-deploy --apply install/kubeflowRestart the pods manually:
root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice
Verify¶
Ensure that the
authservice
StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:root@rok-tools:~/ops/deployments# kubectl get pods -n istio-system -l app=authservice NAME READY STATUS RESTARTS AGE authservice-0 1/1 Running 0 13sLog in with your Azure AD credentials at
https://<FQDN>
, where<FQDN>
is the public URL of your EKF installation. For example,https://arrikto-cluster.apps.example.com
.