Okta

This section will guide you through using Okta as an OIDC provider for Kubeflow.

See also: Overview

What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- A working Rok deployment.
- A working Kubeflow deployment.
- Access to the cluster running services.
- An admin account on Okta.
Procedure

1. From your admin console go to Applications (left sidebar) -> Applications -> Create app integration -> OIDC - OpenID Connect -> Web Application, and create an application with the following settings:

       App Integration Name     <APPLICATION_NAME>
       Sign-in redirect URIs    <FQDN>/authservice/oidc/callback
       Assignments              Allow everyone in your organization to access

   Replace:
   - <APPLICATION_NAME> with the name of your application, for example Kubeflow.
   - <FQDN> with the public URL of your EKF installation, for example https://arrikto-cluster.apps.example.com.

2. Click on the General tab and copy the following info, which will be used in the next steps:
   - CLIENT ID
   - CLIENT SECRET
   - OKTA DOMAIN
3. Go to your GitOps repository, inside your rok-tools management environment:

       root@rok-tools:/# cd ~/ops/deployments

4. Specify the client ID:

       root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID=<CLIENT ID>

   Replace <CLIENT ID> with the client ID you copied from the General tab.

5. Specify the client secret:

       root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET=<CLIENT SECRET>

   Replace <CLIENT SECRET> with the client secret you copied from the General tab.

6. Render the AuthService credentials:

       root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \
       >   -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env

7. Set the public URL of your EKF installation:

       root@rok-tools:~/ops/deployments# export FQDN=<FQDN>

   Replace <FQDN> with your installation’s public URL. For example:

       root@rok-tools:~/ops/deployments# export FQDN=https://arrikto-cluster.apps.example.com

8. Set the URL of your OIDC provider (your Okta domain):

       root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=https://<OKTA DOMAIN>

   Replace <OKTA DOMAIN> with the Okta domain you copied from the General tab.

9. Configure AuthService to convert user emails to usernames:

       root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@<DOMAIN>", "replaces": "" }]'

   Replace <DOMAIN> with the domain of your organization. For example:

       root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@example\\.com", "replaces": "" }]'

   Make sure to include the \\ before the dot. With this example domain, AuthService will convert user IDs like user@example.com into user.

   Note

   USERID_TRANSFORMERS accepts a JSON formatted list of UserID transformation rules with the following format:

       USERID_TRANSFORMERS=[{"matches": "regex", "replaces": "value" }]

   AuthService will transform the UserID by finding the first transformation rule that matches regex and replacing it with value.
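To make the escaping rule concrete, here is an added Python re-implementation of the first-match semantics the note describes (example code, not AuthService's own implementation); it assumes the regex is searched anywhere in the user ID and every match is substituted, and all sample values are constructed.

```python
import json
import re

# Constructed sample, exactly the text the shell passes on: single quotes keep both
# backslashes, so the JSON string is "@example\\.com" and the regex is @example\.com.
ESCAPED_RULES = r'[{"matches": "@example\\.com", "replaces": "" }]'
# Same rule with the dot left unescaped: "." now matches any single character.
LOOSE_RULES = '[{"matches": "@example.com", "replaces": "" }]'
# Single backslash: "\." is not a valid JSON escape, so the whole setting fails to parse.
BROKEN_RULES = r'[{"matches": "@example\.com", "replaces": "" }]'


def load_rules(env_value):
    """Parse a USERID_TRANSFORMERS value into compiled (regex, replacement) pairs.
    Raises ValueError (json.JSONDecodeError) when the JSON is malformed."""
    return [(re.compile(rule["matches"]), rule["replaces"])
            for rule in json.loads(env_value)]


def transform_userid(userid, rules):
    """Apply the first rule whose regex matches; unmatched IDs are returned unchanged.
    Assumption: 'matches' is searched anywhere in the ID and every match is replaced."""
    for pattern, replacement in rules:
        if pattern.search(userid):
            return pattern.sub(replacement, userid)
    return userid


def rules_parse(env_value):
    """True when the value is accepted as a rule list, False when it is malformed."""
    try:
        load_rules(env_value)
        return True
    except ValueError:
        return False


def escaping_demo():
    """Why the escaped dot matters: with an unescaped '.', an ID from a different
    domain collapses onto the same username, which is an identity collision."""
    escaped, loose = load_rules(ESCAPED_RULES), load_rules(LOOSE_RULES)
    return {
        "escaped_same_domain": transform_userid("user@example.com", escaped),   # user
        "escaped_other_domain": transform_userid("user@examplexcom", escaped),  # unchanged
        "loose_other_domain": transform_userid("user@examplexcom", loose),      # user (collision)
        "broken_parses": rules_parse(BROKEN_RULES),                             # False
    }
```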
10. Set the default Okta settings and render the AuthService configuration:

        root@rok-tools:~/ops/deployments# export USERID_CLAIM=preferred_username
        root@rok-tools:~/ops/deployments# export OIDC_SCOPES=profile,openid
        root@rok-tools:~/ops/deployments# export AUTHSERVICE_URL_PREFIX=${FQDN?}/authservice/
        root@rok-tools:~/ops/deployments# export TEMPLATE_PATH=''
        root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env.j2 \
        >   -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env

11. Commit your changes:

        root@rok-tools:~/ops/deployments# git commit -am "Use the Okta OIDC provider for Kubeflow authentication"

12. Apply the manifests:

        root@rok-tools:~/ops/deployments# rok-deploy --apply install/kubeflow

13. Restart the pods manually:

        root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice
Verify

1. Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:

       root@rok-tools:~/ops/deployments# kubectl get pods -n istio-system -l app=authservice
       NAME            READY   STATUS    RESTARTS   AGE
       authservice-0   1/1     Running   0          13s

2. Log in with your Okta credentials at <FQDN>, where <FQDN> is the public URL of your EKF installation. For example, https://arrikto-cluster.apps.example.com.