MLOps - Kubeflow

By Bys on May 23, 2025

MLOps

Kubeflow

Install Kubeflow(Official)

deployKF

Auth

인증을 Keycloak을 통해 처리하기 위해 다음과 같이 values.yaml 파일을 정의했다.

deploykf_core:

  ## --------------------------------------
  ##             deploykf-auth
  ## --------------------------------------
  deploykf_auth:
    namespace: deploykf-auth

    ## dex configs
    ##
    dex:

      ## dex static passwords
      ##  - a list of users to create in dex's built-in password database
      ##  - each element is a map with keys `email` and `password`,
      ##    the `password` is a map with the following keys:
      ##     - `value`: the password value
      ##     - `existingSecret`: the name of a kubernetes secret containing the password (overrides `value`)
      ##     - `existingSecretKey`: the key in the secret that contains the password
      ##     - `type`: how the password is provided (default: "plain")
      ##         - "plain": the password is provided as plain text
      ##         - "hash": the password is provided as a bcrypt hash
      ##  - a bcrypt hash for "PASSWORD_STRING" can be generated with one of the following:
      ##     - echo "PASSWORD_STRING" | htpasswd -BinC 10 NULL | cut -d: -f2
      ##     - python -c 'import bcrypt; print(bcrypt.hashpw(b"PASSWORD_STRING", bcrypt.gensalt(10)).decode())'
      ##
      staticPasswords:
       - email: "bys@amazon.com"
         password:
           value: "bys"
      #  - email: "user2@example.com"
      #    password:
      #      value: "user2"

      ## dex connectors
      ##  - dex connectors which allow bridging trust to external identity providers
      ##    https://dexidp.io/docs/connectors/
      ##  - not all connector types support refresh tokens, notably "SAML 2.0" and "OAUTH 2.0" do not
      ##    however, most providers support "OpenID Connect" which does support refresh tokens
      ##    without refresh tokens, users will be forced to re-authenticate every `expiry.idToken` period
      ##  - each element is a map with keys `type`, `id`, `name`, and `config` (which are the same aas upstream dex)
      ##    additionally, `configExistingSecret` and `configExistingSecretKey` allow you to set `config`
      ##    from a YAML-formatted string in a kubernetes secret
      ##  - in most cases `config.redirectURI` will be set to "https://{DEPLOYKF_HOST}/dex/callback" (if port is 443)
      ##
      connectors:
        - type: oidc
          id: keycloak
          name: Keycloak
          config:
            issuer: https://keycloak.bys.asia/realms/mlops

            clientID: "bys-keycloak-client"
            clientSecret: ""

            ## replace with your deploykf domain
            ## NOTE: this must be an allowed redirect URI in the Keycloak app
            redirectURI: https://kubeflow.bys.asia/dex/callback

            ## openid scopes to request
            scopes:
              - openid
              - email
              - profile
              ## NOTE: offline_access is required for refresh tokens
              - offline_access

            ## keycloak does not always send the `email_verified` claim
            insecureSkipEmailVerified: true

            ## if your Keycloak uses a self-signed certificate
            #insecureSkipVerify: true

      ## dex OpenID Connect clients
      ##
      clients:
        ## OpenID client for oauth2-proxy (deployKF Dashboard)
        oauth2Proxy:
          clientId: "oauth2-proxy"
          clientSecret:
            existingSecret: "generated--dex-oauth2-proxy-client"
            existingSecretKey: "client_secret"
            generateSecret: true

        ## OpenID client for Minio Console
        minioConsole:
          clientId: "minio-console"
          clientSecret:
            existingSecret: "generated--dex-minio-console-client"
            existingSecretKey: "client_secret"
            generateSecret: true

        ## OpenID client for Argo Server
        argoServer:
          clientId: "argo-server"
          clientSecret:
            existingSecret: "generated--dex-argo-server-client"
            existingSecretKey: "client_secret"
            generateSecret: true

    ## oauth2-proxy configs
    ##
    oauth2Proxy:

      ## oauth2-proxy cookie configs
      ##
      cookie:
        secret:
          existingSecret: "generated--oauth2-proxy-cookie-secret"
          existingSecretKey: "cookie_secret"
          generateSecret: true

Keycloak 에서는 OIDC Clients를 설정하기 위해 문서를 참고해서 진행했다.

  1. Client를 생성하고 나면 Client authentication 을 활성화 해야 credential 정보를 생성할 수 있다.
  2. Valid redirect URIs 에는 Redirect URL(https://kubeflow.bys.asia/dex/callback)을 입력한다.
  3. User를 생성한 후 접속

Domain

  • Base Domain (dashboard and other apps) kubeflow.bys.asia

  • Argo Server argo-server.kubeflow.bys.asia

  • MinIO API minio-api.kubeflow.bys.asia

  • MinIO Console minio-console.kubeflow.bys.asia

안녕하세요. Deployment 프로파일 고병수입니다. Deployment 프로파일 내부에서 새로입사하신 분(@yuseung, @boyoungk)을 대상으로 ECS, EKS, Control Tower, CodeSuites 서비스에 대해 교육을 진행할 예정입니다. 교육 세션을 진행할 때 SE 팀 내부에서 추가적으로 참여를 원하는 분들이 계신다면 최대 4분(선착순)까지 같이 진행을 해보려고 합니다. 교육은 최대한 저희 프로파일의 신규 입사자분의 일정과 수준을 고려하여 진행할 예정이며 자세한 일정은 아직 정해지지 않은 상태입니다. 현재는 수요조사차원입니다. 혹시 각 서비스 별로 교육 세션에 참여 원하는 분들이 계신다면 스레드에 답글로 서비스명을 적어주시면 감사하겠습니다.

Tag: [ mlops  kubeflow  ]