Okta

This section will guide you through using Okta as an OIDC provider for Kubeflow.

What You’ll Need

Procedure

  1. From your admin console go to Applications (left sidebar) -> Applications -> Create app integration -> OIDC - OpenID Connect -> Web Application, and create an application with the following settings:

    Application
    App Integration Name <APPLICATION_NAME>
    Sign-in redirect URIs <FQDN>/authservice/oidc/callback
    Assignments Allow everyone in your organization to access

    Replace:

    • <APPLICATION_NAME> with the name of your application, for example Kubeflow.
    • <FQDN> with the public URL of your EKF installation, for example https://arrikto-cluster.apps.example.com.
  2. Click on the General tab and copy the following info, which will be used in the next steps:

    • CLIENT ID
    • CLIENT SECRET
    • OKTA DOMAIN
  3. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  4. Specify the client ID:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID=<CLIENT ID>

    Replace <CLIENT ID> with the client ID you copied from the General tab.

  5. Specify the client secret:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET=<CLIENT SECRET>

    Replace <CLIENT SECRET> with the client secret you copied from the General tab.

  6. Render the AuthService credentials:

    root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \ > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env
  7. Set the public URL of your EKF installation:

    root@rok-tools:~/ops/deployments# export FQDN=<FQDN>

    Replace <FQDN> with your installation’s public URL. For example:

    root@rok-tools:~/ops/deployments# export FQDN=https://arrikto-cluster.apps.example.com
  8. Set the public URL of your application:

    root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=https://<OKTA DOMAIN>

    Replace <OKTA DOMAIN> with the Okta domain URL you copied from the General tab.

  9. Configure AuthService to convert user emails to usernames:

    root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@<DOMAIN>", "replaces": "" }]'

    Replace <DOMAIN> with the domain of your organization. For example:

    root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@example\\.com", "replaces": "" }]'

    Make sure to include \\. With this example domain, AuthService will convert user IDs like user@example.com into user.

    Note

    USERID_TRANSFORMERS accepts a JSON formatted list of UserID transformation rules with the following format:

    USERID_TRANSFORMERS=[{"matches": "regex", "replaces": "value" }]

    AuthService will transform the UserID by finding the first transformation rule that matches regex and replacing it with value.

  10. Set the default Okta settings and render the AuthService configuration:

    root@rok-tools:~/ops/deployments# export USERID_CLAIM=preferred_username root@rok-tools:~/ops/deployments# export OIDC_SCOPES=profile,openid root@rok-tools:~/ops/deployments# export AUTHSERVICE_URL_PREFIX=${FQDN?}/authservice/ root@rok-tools:~/ops/deployments# export TEMPLATE_PATH='' root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env.j2 \ > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env
  11. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Use the Okta OIDC provider for Kubeflow authentication"
  12. Apply the manifests:

    root@rok-tools:~/ops/deployments# rok-deploy --apply install/kubeflow
  13. Restart the pods manually:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice

Verify

  1. Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:

    root@rok-tools:~/ops/deployments# kubectl get pods -n istio-system -l app=authservice NAME READY STATUS RESTARTS AGE authservice-0 1/1 Running 0 13s
  2. Log in with your Okta credentials at <FQDN>, where <FQDN> is the public URL of your EKF installation. For example, https://arrikto-cluster.apps.example.com.

Summary

You have successfully configured your EKF installation to allow users to log in with their Okta credentials.

What’s Next

Check out the rest of the services you can integrate Arrikto EKF with.