kubeflow / website

Kubeflow Website
https://www.kubeflow.org
Creative Commons Attribution 4.0 International

Incorrect documentation of "Authentication using OIDC in Azure" #2960

Closed ajinkya933 closed 1 year ago

ajinkya933 commented 3 years ago

As per the documentation (https://www.kubeflow.org/docs/distributions/azure/authentication-oidc/), we have to download the kfctl v1.3.0 release from the Kubeflow releases page (https://github.com/kubeflow/kfctl/releases/tag/v1.3.0). But kfctl v1.3.0 does not exist at the provided link.

I took the latest version of kfctl available as of today ( kfctl v1.2.0-0-gbc038f9 )

But I am still unable to authenticate with OIDC properly. Here are the detailed steps taken:

# The following command is optional, to make kfctl binary easier to use.
export PATH=$PATH:<path to where kfctl was unpacked>

# Set KF_NAME to the name of your Kubeflow deployment. This also becomes the
# name of the directory containing your configuration.
# For example, your deployment name can be 'my-kubeflow' or 'kf-test'.
export KF_NAME=<your choice of name for the Kubeflow deployment>

# Set the path to the base directory where you want to store one or more
# Kubeflow deployments. For example, '/opt/'.
# Then set the Kubeflow application directory for this deployment.
export BASE_DIR=<path to a base directory>
export KF_DIR=${BASE_DIR}/${KF_NAME}

# Set the configuration file to use, such as the file specified below:
export CONFIG_URI="https://raw.githubusercontent.com/kubeflow/manifests/v1.2-branch/kfdef/kfctl_azure_aad.v1.2.0.yaml"

# Generate and deploy Kubeflow:
mkdir -p ${KF_DIR}
cd ${KF_DIR}
kfctl build -V -f ${CONFIG_URI}

Configure OIDC Auth service settings:

In .cache/manifests/manifests-{kubeflow version}-branch/stacks/azure/application/oidc-authservice/kustomization.yaml, update the settings with the values corresponding to your app registration as follows:

- client_id=<client_id>
- oidc_provider=https://login.microsoftonline.com/<tenant_id>/v2.0
- oidc_redirect_uri=https://<load_balancer_ip or dns_name>/login/oidc
- oidc_auth_url=https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize
- application_secret=<client_secret>
- skip_auth_uri=
- namespace=istio-system
- userid-header=kubeflow-userid
- userid-prefix=

Configure OIDC scopes:

In .cache/manifests/manifests-{kubeflow version}-branch/istio/oidc-authservice/base/statefulset.yaml, update the OIDC scopes to remove groups and keep profile and email.

- name: OIDC_SCOPES
  value: "profile email"

Deploy Kubeflow:

kfctl apply -V -f ./kfctl_azure_aad.v1.2.0.yaml

Check that the resources were deployed correctly in namespace kubeflow:

kubectl get all -n kubeflow

Expose Kubeflow securely over HTTPS

Update Istio Gateway to expose port 443 with HTTPS and make port 80 redirect to 443:

kubectl edit -n kubeflow gateways.networking.istio.io kubeflow-gateway

The Gateway spec should look like the following:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.istio.io/v1alpha3","kind":"Gateway","metadata":{"annotations":{},"name":"kubefl$
  creationTimestamp: "2021-05-19T13:47:46Z"
  generation: 2
  name: kubeflow-gateway
  namespace: kubeflow
  resourceVersion: "18548"
  selfLink: /apis/networking.istio.io/v1alpha3/namespaces/kubeflow/gateways/kubeflow-gateway
  uid: 1cb46e6c-34dd-45c9-8894-3dccc376ef22
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - '*'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

Expose Kubeflow with a load balancer service:

kubectl patch service -n istio-system istio-ingressgateway -p '{"spec": {"type": "LoadBalancer"}}'

After that, obtain the LoadBalancer IP address or Hostname from its status and create the necessary certificate.

kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0]}'

Note: If you are exposing Ingress gateway through public IP, make sure it matches the IP address of the OIDC REDIRECT_URL by running:

kubectl get statefulset authservice -n istio-system -o yaml

In my case it doesn't match, so: if it doesn't match, update REDIRECT_URL in the StatefulSet to be the public IP address from the last step, by running:

kubectl edit statefulset authservice -n istio-system
kubectl rollout restart statefulset authservice -n istio-system

Create a self-signed Certificate with cert-manager:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
    name: istio-ingressgateway-certs
    namespace: istio-system
spec:
    commonName: istio-ingressgateway.istio-system.svc
    # Use ipAddresses if your LoadBalancer issues an IP address
    ipAddresses:
    - <enter your IP>
    # Use dnsNames if your LoadBalancer issues a hostname
    dnsNames:
    - <LoadBalancer HostName>
    isCA: true
    issuerRef:
        kind: ClusterIssuer
        name: kubeflow-self-signing-issuer
    secretName: istio-ingressgateway-certs

Apply certificate.yaml in istio-system namespace

kubectl apply -f certificate.yaml -n istio-system

Add the redirect URI below to the app registered with Microsoft Identity:

https://<YOUR_LOADBALANCER_IP_ADDRESS_OR_DNS_NAME>/login/oidc

Note: Make sure the app’s redirect URI matches the oidc_redirect_uri value in OIDC auth service settings.

Navigate to https://<YOUR_LOADBALANCER_IP_ADDRESS_OR_DNS_NAME>/

Then I see this: 1

Then I click on Advanced and -> proceed

Then I see this: 2

Finally, when I enter my credentials and log in, I see this (HTTP ERROR 504, page took too long to respond): 3

How can I solve this?
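An added consistency check (example code, not from the issue or the Kubeflow project) for the values that the steps above say must agree: the authservice REDIRECT_URL, the istio-ingressgateway LoadBalancer address, the SANs requested in the cert-manager Certificate, the redirect URI registered on the Azure app, and the trimmed OIDC_SCOPES. All sample values are constructed stand-ins for what the kubectl commands quoted above would return.

```python
"""Cross-check the pieces of the Kubeflow-on-Azure OIDC setup that must match.
Added example; the values below are constructed, not taken from a real cluster."""
from urllib.parse import urlsplit

# Constructed: .status.loadBalancer.ingress[0] of svc/istio-ingressgateway
LB_INGRESS = {"ip": "203.0.113.10"}  # DNS-based LBs return {"hostname": ...}
# Constructed: env of the authservice container in the StatefulSet
AUTHSERVICE_ENV = {
    "REDIRECT_URL": "https://203.0.113.10/login/oidc",
    "OIDC_SCOPES": "profile email",
}
# Constructed: SANs from the cert-manager Certificate spec
CERT_SANS = {"ipAddresses": ["203.0.113.10"], "dnsNames": []}
# Constructed: redirect URI registered on the Azure app registration
APP_REDIRECT_URI = "https://203.0.113.10/login/oidc"


def lb_host(ingress):
    """Address the browser will actually reach: IP or hostname, whichever is set."""
    host = ingress.get("ip") or ingress.get("hostname")
    return host.lower() if host else None


def check_oidc_wiring(ingress, env, sans, app_redirect_uri):
    """Return a list of findings; an empty list means every place agrees."""
    findings = []
    host = lb_host(ingress)
    if host is None:
        return ["LoadBalancer has no ingress address yet; wait for the service to be provisioned"]
    redirect = env.get("REDIRECT_URL", "")
    u = urlsplit(redirect)
    if u.scheme != "https":
        findings.append("REDIRECT_URL must use https (the Gateway redirects port 80 to 443)")
    if u.hostname != host:
        findings.append(f"REDIRECT_URL host {u.hostname!r} != LoadBalancer address {host!r}")
    if u.path != "/login/oidc":
        findings.append("REDIRECT_URL path must be /login/oidc")
    if redirect != app_redirect_uri:
        findings.append("redirect URI on the Azure app registration must equal REDIRECT_URL")
    covered = [s.lower() for s in sans["ipAddresses"] + sans["dnsNames"]]
    if host not in covered:
        findings.append(f"Certificate SANs {covered} do not cover {host!r}")
    if "groups" in env.get("OIDC_SCOPES", "").split():
        findings.append("OIDC_SCOPES still requests 'groups'; keep only 'profile email'")
    return findings


if __name__ == "__main__":
    for f in check_oidc_wiring(LB_INGRESS, AUTHSERVICE_ENV, CERT_SANS, APP_REDIRECT_URI):
        print("MISMATCH:", f)
```

Run it again after every `kubectl edit` of the authservice StatefulSet or the Certificate; the sample set above passes cleanly, and swapping in a different LoadBalancer address reports both the REDIRECT_URL and the certificate mismatch.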

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

gilvolpe commented 2 years ago

I am facing the same problem; I followed the same steps on Kubeflow Azure; however, I cannot use Kubeflow.

mohamedFaris47 commented 1 year ago

I have the same problem, but after signing in to Microsoft I get error 403 access denied to my Kubeflow deployment.

thesuperzapper commented 1 year ago

The Azure docs are actually really out of date and are being removed in https://github.com/kubeflow/website/pull/3547, they are now maintained on https://azure.github.io/kubeflow-aks/main/.

If you are still having a problem, please raise your issue there, or try a different distribution of Kubeflow.

Personally, I recommend deployKF, and that's not just because I maintain it! (It will probably make your OIDC integration much easier).

/close

google-oss-prow[bot] commented 1 year ago

@thesuperzapper: Closing this issue.

In response to [this](https://github.com/kubeflow/website/issues/2960#issuecomment-1633394683):

> The Azure docs are actually really out of date and are being removed in https://github.com/kubeflow/website/pull/3547, they are now maintained on https://azure.github.io/kubeflow-aks/main/.
>
> If you are still having a problem, please raise your issue there, or try a [different distribution of Kubeflow](https://www.kubeflow.org/docs/started/installing-kubeflow/#active-distributions).
>
> Personally, I recommend [deployKF](https://github.com/deployKF/deployKF), and that's not just because I maintain it!
> (It will probably make your OIDC integration much easier).
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.