Authentication

Configure App Level Authentication for Seldon Deploy

App Level Authentication

Important

Before starting the installation procedure, please download installation resources as explained here and make sure that all pre-requisites are satisfied.

This page also assumes that main Seldon components are installed.

Seldon Deploy can be setup with an app level authentication with an OIDC provider using the auth code flow. This would be particularly useful when a gateway level authentication is not setup for the kubernetes cluster.

This feature can be activated by configuring the values file of the Seldon Deploy helm chart. This is done by setting the variable enableAppAuth boolean to “true” and further providing the OIDC configurations as env variables to connect to OIDC providers like Keycloak or Dex.

# boolean to enable app-level auth (defaults to "false")
enableAppAuth: true

Add config / env variables

Before we run deploy install using the helm chart, we need to make sure that add the OIDC configuration to the env section:

env:
  OIDC_PROVIDER: ... # oidc providerURL
  CLIENT_ID: ... # oidc client ID
  CLIENT_SECRET: ... # oidc client secret
  REDIRECT_URL: ... # `${oidc_redirect_url}/seldon-deploy/auth/callback`
  OIDC_SCOPES: ... # oidc scopes (defaults to "profile email groups")
  USERID_CLAIM_KEY: ... # claim to be used as userid (defaults to "preferred_username")

Hint

Do not forget to run helm upgrade seldon-deploy ... as described on Seldon Deploy configuration section.

Keycloak reference installation

An OIDC provider is needed to authenticate to. A reference installation of keycloak is included with scripts under the following directory

seldon-deploy-install/prerequisites-setup/keycloak

However, customisation of created users, passwords and tokens is highly recommended. Following reverence installation this should be the configuration values:

env:
  CLIENT_ID: "deploy-server"
  CLIENT_SECRET: "deploy-secret"
  OIDC_PROVIDER: "http://${YOUR_INGRESS}/auth/realms/deploy-realm"
  REDIRECT_URL: "http://${YOUR_INGRESS}/seldon-deploy/auth/callback"

With Istio ingress may be obtained with

ISTIO_INGRESS=$(kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
ISTIO_INGRESS+=$(kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')

echo "OIDC_PROVIDER: http://${ISTIO_INGRESS}/auth/realms/deploy-realm"
echo "REDIRECT_URL: http://${ISTIO_INGRESS}/seldon-deploy/auth/callback"

Groups/LDAP Configuration

Some customers choose to get groups from LDAP. See LDAP section on that.

Identity Brokering

Sometimes there’s an existing identity server that doesn’t support OIDC and instead supports SAML.

Seldon does not support SAML directly but keycloak can be used to broker to a SAML server.

Debugging

There’s some details on debugging the token content in the LDAP section.

Often the issue is the auth configuration rather than Seldon specifically. In those cases it can be useful to connect a different application that dumps more details.

We provide an example app for debugging purposes. It can be run on the cluster alongside Seldon Deploy.

Or you can edit your Seldon Deploy installation and replace the docker image with that one. To do this, first find the deployment for Seldon Deploy and find what image it is using:

kubectl get deployment -n seldon-system seldon-deploy -o jsonpath="{..image}"

Then make a note of that and save the note. Next edit the deployment with kubectl edt deployment -n seldon-system seldon-deploy. Change the image to seldonio/oauth-test-tool:0.1.

Now when you login to Seldon Deploy it will actually login to the test tool. Its pod logs will give more detail about the login process. After debugging and resolution then the image can be edited back to what it was before.