We use analytics and cookies to understand site traffic. Information about your use of our site is shared with Google for that purpose.You can read our privacy policies and terms of use etc by clicking here.
App Level Authentication
Note
Before starting the installation procedure, please download installation resources as explained here and make sure that all pre-requisites are satisfied.
This page also assumes that main Seldon components are installed.
Seldon Deploy can the setup with an app level authentication with an OIDC
provider. This would be particularly useful when a gateway level authentication is not setup for the kubernetes cluster.
This feature can be activated by configuring the values file of the Seldon deploy helm chart. This is done by setting the variable enableAppAuth
boolean to “true” and further providing the OIDC configurations as env variables to connect to OIDC
providers like Keycloak
or Dex
.
# boolean to enable app-level auth (defaults to "false")
enableAppAuth: true
Add config / env variables
Before we run deploy intall using the helm chart, we need to make sure that add the OIDC configuration to the env section:
env:
OIDC_PROVIDER: ... # oidc providerURL
CLIENT_ID: ... # oidc client ID
CLIENT_SECRET: ... # oidc client secret
REDIRECT_URL: ... # `${oidc_redirect_url}/seldon-deploy/auth/callback`
OIDC_SCOPES: ... # oidc scopes (defaults to "profile email groups")
USERID_CLAIM_KEY: ... # claim to be used as userid (defaults to "preferred_username")
Note
Do not forget to runhelm upgrade seldon-deploy ...
as described on Seldon Deploy configuration section.
Keycloak reference installation
The keycloak reference installation is included with scripts under the following directory
seldon-deploy-install/prerequisites-setup/keycloak
However, customisation of created users, passwords and tokens is highly recommended. Following reverence installation this should be the configuration values:
env:
CLIENT_ID: "deploy-server"
CLIENT_SECRET: "deploy-secret"
OIDC_PROVIDER: "http://${YOUR_INGRESS}/auth/realms/deploy-realm"
REDIRECT_URL: "http://${YOUR_INGRESS}/seldon-deploy/auth/callback"
With Istio ingress may be obtained with
ISTIO_INGRESS=$(kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
ISTIO_INGRESS+=$(kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
OIDC_PROVIDER="http://${ISTIO_INGRESS}/auth/realms/deploy-realm"
REDIRECT_URL="http://${ISTIO_INGRESS}/seldon-deploy/auth/callback"