Kubeflow

  • Kubeflow Charmers | bundle
  • Cloud
Channel Revision Published
latest/candidate 294 24 Jan 2022
latest/beta 430 30 Aug 2024
latest/edge 423 26 Jul 2024
1.9/stable 426 31 Jul 2024
1.9/beta 420 19 Jul 2024
1.9/edge 425 31 Jul 2024
1.8/stable 414 22 Nov 2023
1.8/beta 411 22 Nov 2023
1.8/edge 413 22 Nov 2023
1.7/stable 409 27 Oct 2023
1.7/beta 408 27 Oct 2023
1.7/edge 407 27 Oct 2023
juju deploy kubeflow --channel latest/edge
Show information

Platform:

This content is intended for system admins.

This guide describes how you can authenticate in Charmed Kubeflow (CKF) via different Identity Providers (IdP) by configuring Dex.

When authenticating through Dex, your identity data is stored using an external user-management system, such as a LDAP directory or a GitHub organisation. Dex uses connectors to authenticate a user against an identity provider.

You can integrate the supported IdPs with dex-auth charm following these steps:

  1. Add a connector.
  2. Configure Dex issuer URL.

Add a connector

Each connector has its own configuration in YAML format, which is best described in each connector’s documentation.

To add a new connector, pass the configuration to dex-auth via the connectors configuration option:

juju config dex-auth connectors=@connectors.yaml

Where connectors.yaml is a .yaml file with a list of connector(s) configuration.

As an example of connector configuration, this is what you might use for connectors.yaml to configure Dex to authenticate against a Microsoft IdP:

- type: microsoft
  id: microsoft
  name: Microsoft
  config:
    clientID: $MICROSOFT_APPLICATION_ID
    clientSecret: $MICROSOFT_CLIENT_SECRET
    redirectURI: http://127.0.0.1:5556/dex/callback

Configure Dex issuer URL

When using a connector, fields like the redirectURI from the connector configuration must match the issuer-url configuration option in the dex-auth charm. To make sure that is the case, you can:

  1. Verify the current value of Dex issuer URL as follows:
juju config dex-auth issuer-url
  1. Set it to match your deployment configuration:
juju config dex-auth issuer-url=http://<domain-name>.cloudname.com/dex

For example, when using a cloud service like Azure it could look like this:

juju config dex-auth issuer-url=https://my-charmed-kubeflow.uksouth.cloudapp.azure.com/dex

After configuring this value, connectors configurations must use this value as Dex issuer URL all where it applies; otherwise this can lead to unexpected behaviour.