OnDemand and Rancher integration

groucho64738 · May 11, 2022, 1:46pm

If you don’t mind, I’m going to create a topic here to discuss the integration of Open Ondemand and Rancher. The theory is that Ondemand doesn’t care about the specific K8S installation, but I have a feeling there will be some things to work through to get it working with the authentication mechanisms that Rancher puts in place which may be different. The topic is meant to be a placeholder for comments/issues as I work through it, and maybe if others have already done this they can put in their experiences.

Thanks.

groucho64738 · May 11, 2022, 1:49pm

My Rancher installation is using our sites Active Directory for authentication, as is our OnDemand instance (through PAM). We’ve created our cluster and created a Project inside of that cluster called ‘ondemand’ so that any namespaces we create can hopefully be all put in there.

I’ve downloaded the kubeconfig for this cluster, and it has lots of certificate info and info about the systems in the cluster, but I think the user info that is in the yaml file is specific to me, but we’ll find out.

This is my starting point, and haven’t gotten further with it at the moment. I’m still working through the OnDemand documentation to see how I’ll have to adapt it.

Right off the bat, it looks like the Rancher concept of projects isn’t going to fly with this. According to the Rancher documentation Rancher Docs: Projects and Kubernetes Namespaces with Rancher, projects are a Rancher thing, and kubectl won’t recognize them as such. This may or may not be a problem for us in the long run, but maybe we do something like create a specific cluster just for ondemand, or accept that there will be namespaces in the ‘default’ project in Rancher. I might be ok with this.

gbyrket · May 11, 2022, 1:59pm

Thanks for the post!

groucho64738 · May 11, 2022, 2:03pm

No problem. Hopefully it’ll be a successful experiment, but if not, at least we tried.

groucho64738 · May 11, 2022, 2:03pm

Rancher has its own available cli which can interface with kubectl and handle projects, but I have a feeling that’ll be a little hacky to get going, so to start, I’ll just set up a single VM as a K8s cluster for ondemand to eliminate this is a thing for right now.

groucho64738 · May 11, 2022, 3:52pm

Ok. I’m taking a break for right now and think I’m almost at a wall on configuration. Here’s what I’ve done so far.

created a new cluster called ondemand for us to use for testing. It’s just one VM. It was deployed with RKE and is up.
using the Rancher UI, I launched a kubectl command to run kubectl apply -f https://raw.githubusercontent.com/OSC/ondemand/master/hooks/k8s-bootstrap/ondemand.yaml (which helped guarantee that the ondemand service account was created in the right cluster)

In Rancher I downloaded the kube config file for my account so that I can work on the CLI at this stage. I transferred it to the ondemand web server.

I grabbed the token as described in the ondemand documentation.
At this stage, rather than generate a new yaml file for authentication, I modified the one I downloaded from Rancher to change these settings:

removed the main rancher cluster information from the file
used the second cluster that was listed (which points directly to the K8s node)
removed the context that referred to the main rancher cluster
set the user in the context that refers to the kubernetes node to ondemand@ondemand
changed the user info to name: ondemand@ondemand, and pasted the token I gathered from before

I was able to run the kubectl cluster-info command.

At this point I’m stopped. One question in this kind of config though, if I have a multi-node cluster, this would only communicate to one of the nodes, how would we do this so we could communicate to all of the nodes? I guess I could put multiple contexts in for each node, but OOD wouldn’t use them.

Also, the next step of what I’m supposed to do for OpenOndemand is a little confusing. I guess I have to do something with the hooks, but if the users themselves are not authenticating to Rancher, how do the tokens for those users get created? We’re not using OIDC so I am not quite sure of what I need to do here to modify it for this environment.

I can provide redacted configs as needed if it helps.

groucho64738 · May 12, 2022, 11:11am

I’m thinking this authentication piece is a big road block. We have no real way to get an api key out of Rancher without going into the GUI as far as I can tell (if someone know of a different way, that might be good to know), which would really diminish the ease of use of this or make it really impossible to manage. Is it true in the docs that OIDC contains the api key and is then places in the users .kube/config file? If that’s the case, I don’t think this setup will ever work with Rancher in the mix.

groucho64738 · May 12, 2022, 11:48am

This command gets me a bearer token from Rancher:

curl -k -s -H ‘content-type: application/json’ ‘https://rancherserver.example.org/v3-public/localProviders/local?action=login’ --data-binary ‘{“username”:“myuser”,“password”:“mypassword”}’ | jq -r .token

I think I found the LDAP version of the same command, so I’m sure I can adapt it to AD. This token can be used with the Rancher CLI to log in, I’m now looking for a rancher cli command to generate a kube config file. The Rancher CLI saves the config info in $HOME/.rancher/cli2.json and the info in there has essentially the same content as the kube config file would have. You can run ‘rancher kubectl’ for any of the commands you would normally do, so maybe there’s a way to hook that directly into OOD instead of kubectl directly, but that might not be feasible.

The issue here is the obvious password on the command-line kind of thing, and can OOD provide user/pass to the curl statement from its own authentication mechanisms.

jeff.ohrstrom · May 12, 2022, 1:07pm

Yes, but it’s opt in and it’s because we setup our cluster to use OIDC as well. Looks like Rancher can use OIDC & Keycloak. What type of authentication are you using for Rancher?

You can setup the users ~/.kube/config in an initializer that runs in the user context (not privileged), though we never know you’re password - so I don’t know how you could pass that through from the user to Open OnDemand.

Apache has access to the OIDC token, so we directly use it to create a kube config. I’d be hesitant to store passwords.

Pull requests welcome! But as it stands we use kubectl to submit requests to create Pods, Services, and Secrets directly. So it’s really built to directly talk to kuberentes - unless Rancher can also accept essentially exact same request kubernetes can.

groucho64738 · May 12, 2022, 1:12pm

We’re using AD for our authentication. I’ve not set up keycloak before, but I’m looking at it now, maybe that would be a way to do all of this. It might take me awhile to get there since we have people using Rancher actively at the moment.

groucho64738 · May 16, 2022, 11:07am

I have a new test environment with Keycloak running, and a copy of my ondemand environment on another system which authenticates against the Keycloak server and a test Rancher installation which authenticates to Keycloak as well, we’ll see how this part goes.

groucho64738 · May 16, 2022, 11:57am

I’m trying to work through getting the jupyter app to run. I’m getting this error though: error: error reading input for Password and am a little stuck as to what to do about it. I’m following through Add a Jupyter App on a Kubernetes Cluster — Open OnDemand 2.0.20 documentation and am not changing much in the config to keep it simple, but this error keeps appearing when I try to launch.

jeff.ohrstrom · May 16, 2022, 1:51pm

kubectl is prompting you. Likely because the user being used in your ~/.kube/config doesn’t exist.

If you have OIDC then you should be able to use the pun_root_pre_hook and set the kube config.

I’d

check the contents of your ~/.kube/config. Back it up and remove it as needed
Check your /var/log/ondemand-nginx/$USER/error.log logs for the actual kubectl command you’re issuing. You can see the context and namespace it’s trying to use here.
Given the steps above you’ll know (a) what you’re doing to get setup and (b) how OOD is issuing commands. Something must be off with the username. Note that we can add prefixes to usernames (for validation purposes) so that may be a spot you’re running into on (some piece - like bootstrapping - is using a prefix and another - like kubectl - is not)
I don’t know how to setup Keycloak with domains, but I do know our documentation as information on the same. Which is to say Keycloak to work in this manner isn’t out of the box. Our documentation should say what you’ll need to do to Keycloak, so I’d be sure it’s setup right.

Lastly - I’d suggest get the pun_root_pre_hook working first without having to fool with an OOD app. That is, login to run the pre hook - then in a shell session on the web node, issue kubectl commands to debug what you have and what you’d expect.

groucho64738 · May 16, 2022, 5:10pm

Thanks. That’ll give me some things to look at. I looked at my .kube/config and it has some of the right info in it, but no token of any kind for my user. Looking at the error log I see the kubectl command running, but didn’t see what was after the ‘create’, regardless, I just ran a get pods command using the kubeconfig that was generated and it’s asking for entering the Username/password.

groucho64738 · May 17, 2022, 10:35am

I’ve stepped through the prehook things, and I’m almost there, the namespace is configured in Rancher, so that’s good. The prehook is running and is going to the /opt/ood/hooks/k8s-bootstrap scripts. It seems like the $OOD_OIDC_REFRESH_TOKEN and $OOD_OIDC_ACCESS_TOKEN isn’t being set.

I have OIDC_ACCESS_TOKEN configured as one of the pun_pre_hook_exports configured in ood_portal.yaml, and it is in the generated apache config, but that doesn’t seem to be passing through.

jeff.ohrstrom · May 17, 2022, 12:52pm

Because of sudo rules, anything you export has OOD_ prefixed to it in the script.

The docs say the same.
https://osc.github.io/ood-documentation/latest/reference/files/ood-portal-yml.html

You may pass in environment variables from apache to this command, though they are prefixed with OOD_. For example if you configure this to pass OIDC_ACCESS_TOKEN to the pre hook command, you can read the variable as OOD_OIDC_ACCESS_TOKEN.

github.com

OSC/ondemand/blob/3cae2bb0f1720e4d983296d48e9238c9ab8dee8e/hooks/k8s-bootstrap/set-k8s-creds.sh#L30

      
        
              K8S_USERNAME="${ONDEMAND_USERNAME}"
            fi
            
            
# we use pass ACCESS_TOKEN into the id-token arg. That's OK, it works and refreshes.
            sudo -u "$ONDEMAND_USERNAME" kubectl config set-credentials "$K8S_USERNAME" \
               --auth-provider=oidc \
               --auth-provider-arg=idp-issuer-url="$IDP_ISSUER_URL" \
               --auth-provider-arg=client-id="$CLIENT_ID" \
               --auth-provider-arg=client-secret="$CLIENT_SECRET" \
               --auth-provider-arg=refresh-token="$OOD_OIDC_REFRESH_TOKEN" \
               --auth-provider-arg=id-token="$OOD_OIDC_ACCESS_TOKEN"

groucho64738 · May 17, 2022, 1:05pm

Right, I saw that, but those variables are not being set. I configured OIDC_ACCESS_TOKEN as a variable to be exported, but it is not available to the prehook command. The prehook command I have is the same as described in the documentation Kuberenetes — Open OnDemand 2.0.20 documentation. I modified this script to dump the contents of the entire environment and there are no OOD variables being set at all.

I turned on apache debugging, and I do see that an access and refresh token are being offered up by keycloak, so that is at least functional here.

Also in the generated ood_portal.conf file for apache, this is set: SetEnv OOD_PUN_PRE_HOOK_EXPORTS “OIDC_ACCESS_TOKEN”

or am I not reading the docs correctly?

jeff.ohrstrom · May 17, 2022, 1:17pm

Got it. Seems like apache isn’t setting the environment variables (even if it’s getting the response from Keycloak).

What are your OIDC related settings in ood_portal.yml? You may need to specify this as environment.

github.com

zmartzone/mod_auth_openidc/blob/aa96190b669234c2fca4450b804cd54bd2f4c703/auth_openidc.conf#L781

      
        
            # "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
            # "both": claims/tokens are passed as both headers as well as environment variables (default)
            #
            # Since version 2.4.6 one can specify "base64url" as the 2nd argument to apply base64url encoding to
            # all values passed in headers.
            #
            # When not defined the default is "both" and base64url encoding is not applied to the header values.
            #
            # The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
            # The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken)
            #OIDCPassClaimsAs [none|headers|environment|both] [base64url]
            
            
# Specify the HTTP header variable name to set with the name of the authenticated user,
            # i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim or OIDCOAuthRemoteUserClaim.
            # When not defined no such header is added.
            # This setting can be configured for both the "openid-connect" and "oauth20" AuthType on
            # a server-wide or directory level.
            #OIDCAuthNHeader <header-name>
            
            
# Timeout in seconds for long duration HTTP calls. This is used for most requests to remote endpoints/servers.
            # When not defined the default of 60 seconds is used.

groucho64738 · May 17, 2022, 1:19pm

In looking at the debug logs I do see apache claiming that it’s setting environment variables (lots of OIDC_CLAIM ones and OIDC_access_token).

My OIDC settings are in auth_openidc.conf (also pretty much copied from the docs):

# Keep sessions alive for 8 hours
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800

# Set REMOTE_USER
OIDCRemoteUserClaim preferred_username

# Don't pass claims to backend servers
OIDCPassClaimsAs environment

# Strip out session cookies before passing to backend
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1

jeff.ohrstrom · May 17, 2022, 1:25pm

We’re either overlooking something very simple or you’ve found a bug.

Can you try this one test to export OOD_OIDC_ACCESS_TOKEN and FOO.

pun_pre_hook_exports: 'OIDC_ACCESS_TOKEN,FOO'

I want to see if there’s a bug with giving only one value to export.

Topic		Replies	Views
Are you using / evaluating Open OnDemand? Feature Requests and Roadmap Discussion	5	667	May 26, 2022
Webinar on Open OnDemand at Kubernetes Announcements	0	874	February 7, 2022
Installing open Ondemand General Discussion ondemand2 , question	1	289	April 12, 2023
Installing on Demand on Preexisting Login Servers? Get Help	7	1156	May 26, 2022
Ondemand server supporting clusters with different OS? General Discussion question	2	435	March 3, 2023

OnDemand and Rancher integration

Related Topics