GitLab

In this section we will guide you through using GitLab as an OIDC provider for Arrikto EKF.

What You’ll Need

Choose one of the following options based on your GitLab offering.

Procedure

  1. Create an application in GitLab. Choose one of the following options based on your GitLab offering.

    Visit https://gitlab.com, click on your user icon (upper right corner) -> Preferences -> Applications, and create a new application with the following settings:

    Application
    Callback URL <FQDN>/authservice/oidc/callback
    Confidential Y
    Scopes
    • read_user (Read the authenticated user’s personal information)
    • openid (Authenticate using OpenID Connect)
    • profile (Allow read-only access to the user’s personal information using OpenID Connect)
    • email (Allow read-only access to the user’s primary email address using OpenID Connect)

    Visit your GitLab instance, use the admin account, go to Admin area -> Applications -> New Application, and create a new application with the following settings:

    Application
    Callback URL <FQDN>/authservice/oidc/callback
    Trusted N
    Confidential Y
    Scopes
    • read_user (Read the authenticated user’s personal information)
    • openid (Authenticate using OpenID Connect)
    • profile (Allows read-only access to the user’s personal information using OpenID Connect)
    • email (Allows read-only access to the user’s primary email address using OpenID Connect)

    Replace <FQDN> with the public URL of your EKF installation, for example https://arrikto-cluster.apps.example.com.

  2. Copy the client ID and secret that the application generated to your clipboard, as you are going to use them in later steps.

  3. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments

  4. Specify the OIDC client ID:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID=<Client_ID>

    Replace <Client_ID> with your client ID generated in the steps above.

  5. Specify the OIDC client secret:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET=<Client_secret>

    Replace <Client_secret> with your client secret generated in the steps above.

  6. Render the AuthService credentials:

    root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \
    >     -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env

  7. Set the public URL of your EKF installation:

    root@rok-tools:~/ops/deployments# export FQDN=<FQDN>

    Replace <FQDN> with your installation’s public URL. For example:

    root@rok-tools:~/ops/deployments# export FQDN=https://arrikto-cluster.apps.example.com

  8. Set the public URL of the official GitLab service, or your self-managed installation. Choose one of the following options based on your GitLab offering.

    For GitLab.com:

    root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=https://gitlab.com

    For a self-managed GitLab instance:

    root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=<URL>

    Replace <URL> with the public URL of your self-managed GitLab instance, for example, https://gitlab.example.com.

    Note

    AuthService will use it to construct the OIDC_PROVIDER/.well-known/openid-configuration URL and auto-discover the OIDC configuration of your GitLab instance.

  9. Set the default GitLab settings and render the AuthService configuration:

    root@rok-tools:~/ops/deployments# export USERID_CLAIM=nickname
    root@rok-tools:~/ops/deployments# export OIDC_SCOPES=read_user,profile,email,openid
    root@rok-tools:~/ops/deployments# export AUTHSERVICE_URL_PREFIX=${FQDN?}/authservice/
    root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS=[]
    root@rok-tools:~/ops/deployments# export TEMPLATE_PATH=web/templates/gitlab/auto_logout
    root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env.j2 \
    >     -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env

  10. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Use the GitLab OIDC provider for Kubeflow authentication"

  11. Apply the manifests:

    root@rok-tools:~/ops/deployments# rok-deploy --apply install/kubeflow

  12. For changes to take effect, restart the pods manually:

    root@rok-tools:/# kubectl delete pods -n istio-system -l app=authservice
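
A pre-flight check for the values exported in steps 7 to 9, as an added example that is not part of the Arrikto documentation or the AuthService code. It compares them against the discovery document that AuthService auto-discovers; the function names and the sample document are constructed for illustration.

```python
"""Pre-flight check of the OIDC settings exported in steps 7-9 (added example)."""
import json
import urllib.request


def fetch_discovery(provider):
    """Download <provider>/.well-known/openid-configuration (needs network access)."""
    url = provider.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def check_settings(doc, provider, fqdn, scopes, userid_claim):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    for name, url in (("OIDC_PROVIDER", provider), ("FQDN", fqdn)):
        if not url.startswith("https://"):
            problems.append(f"{name} is not an https:// URL")
        if url.endswith("/"):
            problems.append(f"{name} ends with '/', which doubles the slash in derived URLs")
    # OIDC Discovery requires the issuer in the document to be identical
    # to the issuer URL the document was retrieved for.
    if doc.get("issuer") != provider:
        problems.append(f"issuer {doc.get('issuer')!r} != OIDC_PROVIDER {provider!r}")
    missing = sorted(set(scopes.split(",")) - set(doc.get("scopes_supported", [])))
    if missing:
        problems.append("scopes not offered by provider: " + ",".join(missing))
    if userid_claim not in doc.get("claims_supported", []):
        problems.append(f"USERID_CLAIM {userid_claim!r} not in claims_supported")
    return problems


def callback_url(fqdn):
    """The callback URL that must be registered in the GitLab application."""
    return fqdn + "/authservice/oidc/callback"


# Constructed sample of a discovery document, trimmed to the fields checked here.
SAMPLE_DOC = {
    "issuer": "https://gitlab.example.com",
    "scopes_supported": ["api", "read_user", "openid", "profile", "email"],
    "claims_supported": ["iss", "sub", "aud", "name", "nickname", "email"],
}

if __name__ == "__main__":
    print(check_settings(SAMPLE_DOC, "https://gitlab.example.com",
                         "https://arrikto-cluster.apps.example.com",
                         "read_user,profile,email,openid", "nickname"))
```

Against a live provider, pass `fetch_discovery(OIDC_PROVIDER)` as the first argument instead of `SAMPLE_DOC`.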

Verify

  1. Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:

    root@rok-tools:~/ops/deployments# kubectl get pods -n istio-system -l app=authservice
    NAME            READY   STATUS    RESTARTS   AGE
    authservice-0   1/1     Running   0          13s

  2. Log in with your GitLab credentials at <FQDN>, where <FQDN> is the public URL of your EKF installation. For example, https://arrikto-cluster.apps.example.com.

Summary

You have successfully configured your EKF installation to allow users to log in with their GitLab credentials.

What’s Next

Check out the rest of the services you can integrate Arrikto EKF with.