Google
In this section we will guide you through using Google as an OIDC provider for Arrikto EKF.
See also: Overview
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- A working Rok deployment.
- A working Kubeflow deployment.
- Access to the cluster’s running services.
- Access to the Google admin console.
- An existing Google Cloud organization.
Procedure
Create a new project in Google Cloud. From your admin account go to IAM & Admin -> Manage Resources -> Create Project and create a new project:
Project name: <PROJECT_NAME>
Organization: <ORGANIZATION>
Location: <LOCATION>
Replace:
- <PROJECT_NAME> with the desired name for your project.
- <ORGANIZATION> with the name of your organization.
- <LOCATION> with the location of your project.
Troubleshooting
I don’t have permissions to create a Google Cloud project.
In this case, you need to either
- Contact your Google Cloud organization administrator.
- Reuse an existing one you have access to.
Select your new project from the drop-down list at the top of the page.
Configure the OAuth consent screen for your Google Cloud project. Google presents this screen to users when they attempt to log in; it summarizes your project, its policies and the requested scopes of access.
From your admin account go to APIs & Services -> OAuth consent screen and configure your OAuth consent screen as follows:
User Type: Internal
App name: Rok
User support email: <USER_SUPPORT_EMAIL>
Developer contact information: <DEVELOPER_EMAIL>
Scopes: No need to edit any of the scopes options
User Type Internal limits sign-in to accounts that belong to your Google Cloud organization; Google accounts outside it cannot complete the login.
Replace:
- <USER_SUPPORT_EMAIL> with the email where users can contact you with questions about their consent.
- <DEVELOPER_EMAIL> with the email address that Google will use to notify you about any changes to your project.
Troubleshooting
My Google Cloud project has specific scope requirements
As long as you allow OIDC applications to request the following scopes, there shouldn’t be any issue:
- profile
- email
- openid
Contact Arrikto
If you encounter any issue, please contact the Arrikto Tech Team.
Create an application in Google Cloud. From your admin account go to APIs & Services -> Credentials -> CREATE CREDENTIALS -> OAuth client ID and use the following settings:
Application type: Web application
Authorized redirect URIs: <FQDN>/authservice/oidc/callback
Replace <FQDN> with the public URL of your EKF installation, for example, https://arrikto-cluster.apps.example.com. Google compares the redirect URI exactly (scheme, host and path), so use the same scheme and host that you will later export as FQDN.
Copy the client ID and secret that the application generated to your clipboard, as you are going to use them in later steps.
Go to your GitOps repository, inside your rok-tools management environment:
root@rok-tools:/# cd ~/ops/deployments
Specify the OIDC client ID:
root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID=<Client_ID>
Replace <Client_ID> with the client ID generated in the steps above.
Specify the OIDC client secret:
root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET=<Client_secret>
Replace <Client_secret> with the client secret generated in the steps above. Note that a value typed on the command line is recorded in your shell history.
Render the AuthService credentials:
root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \
> -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env
The rendered secret_params.env contains the client secret, so keep access to the GitOps repository restricted accordingly.
Set the public URL of your EKF installation:
root@rok-tools:~/ops/deployments# export FQDN=<FQDN>
Replace <FQDN> with your installation’s public URL. For example:
root@rok-tools:~/ops/deployments# export FQDN=https://arrikto-cluster.apps.example.com
Configure AuthService to convert user emails to usernames:
root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@<DOMAIN>", "replaces": "" }]'
Replace <DOMAIN> with the domain of your organization, escaping each dot with \\. For example:
root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@example\\.com", "replaces": "" }]'
Make sure to include \\: the matches field is a regular expression, and an unescaped dot matches any character, not only a literal dot. One backslash is consumed when the JSON is decoded, so the doubled backslash is what leaves the regex with \. . With this example domain, AuthService will convert user IDs like user@example.com into user.
Note
USERID_TRANSFORMERS accepts a JSON formatted list of UserID transformation rules with the following format:
USERID_TRANSFORMERS=[{"matches": "regex", "replaces": "value" }]
AuthService will transform the UserID by finding the first transformation rule whose regex matches and replacing the matched text with value.
Set the default Google settings and render the AuthService configuration:
root@rok-tools:~/ops/deployments# export USERID_CLAIM=email
root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=https://accounts.google.com
root@rok-tools:~/ops/deployments# export OIDC_SCOPES=profile,email,openid
root@rok-tools:~/ops/deployments# export AUTHSERVICE_URL_PREFIX=${FQDN?}/authservice/
root@rok-tools:~/ops/deployments# export TEMPLATE_PATH=''
root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env.j2 \
> -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env
Commit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Use the Google OIDC provider for Kubeflow authentication"
Apply the manifests:
root@rok-tools:~/ops/deployments# rok-deploy --apply install/kubeflow
For changes to take effect, restart the pods manually:
root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice
Verify
Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:
root@rok-tools:~/ops/deployments# kubectl get pods -n istio-system -l app=authservice
NAME           READY   STATUS    RESTARTS   AGE
authservice-0  1/1     Running   0          13s
Log in with your Google credentials at <FQDN>, where <FQDN> is the public URL of your EKF installation. For example, https://arrikto-cluster.apps.example.com. After a successful login, Kubeflow should show the transformed username, for example user rather than user@example.com.