I built a deploy pipeline to serve ML models using Kubeflow (v0.6) and Seldon Core, but now that models are deployed I can't figure out how to pass the auth. layer and consume the services.
My kubernetes instance is on bare-metal and setup is identical to this: https://www.kubeflow.org/docs/started/getting-started-k8s/
I was able to follow these instructions launch example-app and issue an IDToken for a staticClient, but when I pass the token as 'Authorization: Bearer' I get redirected to dex logon page.
(part of) Dex configMap:
staticClients:
- id: kubeflow-authservice-oidc
redirectURIs:
# After authenticating and giving consent, dex will redirect to
# this url for the specific client.
- https://10.50.11.180/login/oidc
name: 'Kubeflow AuthService OIDC'
secret: [secret]
- id: model-consumer-1
secret: [secret]
redirectURIs:
- 'http://127.0.0.1:5555/callback'When I try to access the service:
curl -H "Authorization: Bearer $token" -k https://10.50.11.180/seldon/kubeflow/machine-failure-classifier-6e462a70-a995-11e9-b30b-080027dfd9f4/api/v0.1/predictions
<a href="https://10.50.11.180:5556/dex/auth?client_id=kubeflow-authservice-oidc&redirect_uri=https%3A%2F%2F10.50.11.180%2Flogin%2Foidc&response_type=code&scope=openid+profile+email+groups&state=X40FJuKC">Found</a>.What am I missing? :(
Have you tried VirtualService?
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: <name-of-your-choice>
spec:
gateways:
- <your-gateway>
hosts:
- <your-host>
http:
- match:
- uri:
prefix: "<your-api-path-uri>"
rewrite:
uri: "<your-rewrite-logic>"
route:
- destination:
host: <name-of-your-service>.<namespace>.svc.<cluster-domain>
port: <port-of-the-service>Virtual service will help you route traffic as specified.
I found out that serving seldon models with Istio worked better if they were in a namespace other than 'kubeflow'.
I Followed these instructions: https://docs.seldon.io/projects/seldon-core/en/latest/examples/istio_canary.html, (created new gateway and namespaces) and was able to bypass Dex.