GitLab¶
In this section we will guide you through using GitLab as an OIDC provider for Arrikto EKF.
See also: Overview
What You’ll Need¶
Choose one of the following options based on your GitLab offering.
GitLab.com:
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- A working Rok deployment.
- A working Kubeflow deployment.
- Access to the cluster’s running services.
- An account on GitLab.
Self-managed GitLab:
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- A working Rok deployment.
- A working Kubeflow deployment.
- Access to the cluster’s running services.
- Access to the GitLab admin console.
Procedure¶
Create an application in GitLab. Choose one of the following options based on your GitLab offering.
GitLab.com: Visit https://gitlab.com, click on your user icon (upper right corner) -> Preferences -> Applications, and create a new application with the following settings:
- Callback URL: <FQDN>/authservice/oidc/callback
- Confidential: Y
- Scopes:
  - read_user (Read the authenticated user’s personal information)
  - openid (Authenticate using OpenID Connect)
  - profile (Allow read-only access to the user’s personal information using OpenID Connect)
  - email (Allow read-only access to the user’s primary email address using OpenID Connect)
Self-managed GitLab: Visit your GitLab instance, use the admin account, go to Admin area -> Applications -> New Application, and create a new application with the following settings:
- Callback URL: <FQDN>/authservice/oidc/callback
- Trusted: N
- Confidential: Y
- Scopes:
  - read_user (Read the authenticated user’s personal information)
  - openid (Authenticate using OpenID Connect)
  - profile (Allows read-only access to the user’s personal information using OpenID Connect)
  - email (Allows read-only access to the user’s primary email address using OpenID Connect)
Replace <FQDN> with the public URL of your EKF installation, for example https://arrikto-cluster.apps.example.com.
Copy the client ID and secret that the application generated to your clipboard, as you are going to use them in later steps.
Go to your GitOps repository, inside your rok-tools management environment:
    root@rok-tools:/# cd ~/ops/deployments
Specify the OIDC client ID:
    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID=<Client_ID>
Replace <Client_ID> with your client ID generated in the steps above.
Specify the OIDC client secret:
    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET=<Client_secret>
Replace <Client_secret> with your client secret generated in the steps above.
Render the AuthService credentials:
    root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \
    > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env
Set the public URL of your EKF installation:
    root@rok-tools:~/ops/deployments# export FQDN=<FQDN>
Replace <FQDN> with your installation’s public URL. For example:
    root@rok-tools:~/ops/deployments# export FQDN=https://arrikto-cluster.apps.example.com
Set the public URL of the official GitLab service, or your self-managed installation. Choose one of the following options based on your GitLab offering.
GitLab.com:
    root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=https://gitlab.com
Self-managed GitLab:
    root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=<URL>
Replace <URL> with the public URL of your self-managed GitLab instance, for example, https://gitlab.example.com.
Note: AuthService will use it to construct the OIDC_PROVIDER/.well-known/openid-configuration URL and auto-discover the OIDC configuration of your GitLab instance.
Set the default GitLab settings and render the AuthService configuration:
    root@rok-tools:~/ops/deployments# export USERID_CLAIM=nickname
    root@rok-tools:~/ops/deployments# export OIDC_SCOPES=read_user,profile,email,openid
    root@rok-tools:~/ops/deployments# export AUTHSERVICE_URL_PREFIX=${FQDN?}/authservice/
    root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS=[]
    root@rok-tools:~/ops/deployments# export TEMPLATE_PATH=web/templates/gitlab/auto_logout
    root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env.j2 \
    > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env
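The discovery note and the settings exported above, as an added consistency check that is not part of the Arrikto tooling or this page: the Python below builds the discovery URL the way the note describes, reads a discovery document (a constructed sample here; in practice the body fetched from that URL) and checks that its issuer matches OIDC_PROVIDER, that every endpoint is served over https, and that the OIDC_SCOPES and USERID_CLAIM you exported are actually advertised by the provider. The function names and the sample document are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what a GitLab instance serves at
# <OIDC_PROVIDER>/.well-known/openid-configuration (values are illustrative).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://gitlab.example.com",
    "authorization_endpoint": "https://gitlab.example.com/oauth/authorize",
    "token_endpoint": "https://gitlab.example.com/oauth/token",
    "userinfo_endpoint": "https://gitlab.example.com/oauth/userinfo",
    "jwks_uri": "https://gitlab.example.com/oauth/discovery/keys",
    "scopes_supported": ["openid", "profile", "email", "read_user"],
    "response_types_supported": ["code"],
    "claims_supported": ["sub", "nickname", "email"],
})


def discovery_url(oidc_provider: str) -> str:
    """Build the discovery URL the same way the note above says AuthService does."""
    return oidc_provider.rstrip("/") + "/.well-known/openid-configuration"


def callback_url(fqdn: str) -> str:
    """Redirect URI that must equal the Callback URL registered in GitLab."""
    return fqdn.rstrip("/") + "/authservice/oidc/callback"


def check_discovery(oidc_provider, discovery_json, oidc_scopes, userid_claim):
    """Return a list of problems; an empty list means the settings are consistent."""
    doc = json.loads(discovery_json)
    problems = []
    # Discovery over plain http would let an on-path party hand out forged endpoints.
    if urlparse(oidc_provider).scheme != "https":
        problems.append("OIDC_PROVIDER must use https")
    # The issuer in the document must be exactly the provider we configured.
    if doc.get("issuer") != oidc_provider.rstrip("/"):
        problems.append(f"issuer {doc.get('issuer')!r} does not match OIDC_PROVIDER")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} is missing or not https")
    missing = set(oidc_scopes.split(",")) - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"provider does not advertise scopes: {sorted(missing)}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not support the authorization code flow")
    if userid_claim not in doc.get("claims_supported", []):
        problems.append(f"USERID_CLAIM {userid_claim!r} is not in claims_supported")
    return problems
```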
Commit your changes:
    root@rok-tools:~/ops/deployments# git commit -am "Use the GitLab OIDC provider for Kubeflow authentication"
Apply the manifests:
    root@rok-tools:~/ops/deployments# rok-deploy --apply install/kubeflow
For changes to take effect, restart the pods manually:
    root@rok-tools:/# kubectl delete pods -n istio-system -l app=authservice
Verify¶
Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:
    root@rok-tools:~/ops/deployments# kubectl get pods -n istio-system -l app=authservice
    NAME            READY   STATUS    RESTARTS   AGE
    authservice-0   1/1     Running   0          13s
Log in with your GitLab credentials at <FQDN>, where <FQDN> is the public URL of your EKF installation. For example, https://arrikto-cluster.apps.example.com.