Enable SSO for Kubernetes deployment
You can use JetBrains Hub (further in the article referred to as Hub) for user authentication and user management in Datalore. Hub supports most popular auth modules.
This procedure explains how to enable Hub for Datalore On-Premises installed using Kubernetes.
Install Hub
Create a hub.values.yaml file and add there the configuration of your volumes. Refer to the examples below.
HostPath volumes example
Create directories:
mkdir -p /data/hub/{data,conf,logs,backups} chown -R 0:0 /data/hubAdd the following code to hub.values.yaml:
volumes: - name: data hostPath: path: /opt/hub/data type: Directory - name: conf hostPath: path: /opt/hub/conf type: Directory - name: logs hostPath: path: /opt/hub/logs type: Directory - name: backups hostPath: path: /opt/hub/backups type: Directory volumeMounts: - name: data mountPath: /opt/hub/data - name: conf mountPath: /opt/hub/conf - name: logs mountPath: /opt/hub/logs - name: backups mountPath: /opt/hub/backups
volumeClaimTemplates example
Add the following code to hub.values.yaml:
volumeClaimTemplates: - metadata: name: hub spec: accessModes: - ReadWriteOnce resources: requests: storage: 10Gi volumeMounts: - name: hub mountPath: /opt/hub/data subPath: data - name: hub mountPath: /opt/hub/conf subPath: conf - name: hub mountPath: /opt/hub/logs subPath: logs - name: hub mountPath: /opt/hub/backups subPath: backups
Install the Hub Helm chart using the
helm install -f hub.values.yaml hub datalore/hub --version 0.2.18
command.Check the container output (using the
kubectl logs service/hub
command) for awizard_token
. The output should have a line like this:JetBrains Hub 2022.3 Configuration Wizard will listen inside container on {0.0.0.0:8080}/ after start and can be accessed by this URL: [http://<put-your-docker-HOST-name-here>:<put-host-port-mapped-to-container-port-8080-here>/?wizard_token=pPXTShp4NXceXqGYzeAq].Copy the
wizard_token
value to the clipboard.For further configuration, forward a Hub port from kubernetes to your local machine:
kubectl port-forward --address 0.0.0.0 service/hub 8082Go to http://localhost:8082/ and insert the
wizard_token
into the Token field.Click the Log in button.
Click the Set Up link.
Generate a URL (referred to as
HUB_ROOT_URL
later) to access Hub from Datalore. Consider the following:The URL must be accessible from both the cluster pods and the browser (by the end users of your Datalore installation).
The URL must point to the
/
path of your Hub installation, i.e. http://127.0.0.1:8080/ inside the container where Hub is launched (by default, the hub-0 pod).How you set up your cluster to serve such a URL depends on the specifics of your cluster configuration.
In Base URL, enter
HUB_ROOT_URL
. Do not change the Application Listen Port setting.Click the Next button.
Configure the admin account by setting the admin password.
Click the Next button.
Click the Finish button and wait for Hub to start.
Configure Hub
Go to HUB_ROOT_URL and log into Hub via admin account.
Configure the Datalore service
Generate one more URL (referred to as
DATALORE_ROOT_URL
later) to access Datalore. Consider the following:The URL must be accessible from the browser (by the end users of your Datalore installation).
The URL must point to the
/
path of your Datalore installation, i.e. http://127.0.0.1:8080/ inside the container where Datalore will be launched (by default, it is pod datalore-on-premise-0).How you set up your cluster to serve such a URL depends on the specifics of your cluster configuration.
Go to Services (
${HUB_ROOT_URL}/hub/services
) and click the New service button. Use the namedatalore
and enterDATALORE_ROOT_URL
in Home URL.Copy the ID field value and save it somewhere: it is used when configuring Datalore (
$HUB_DATALORE_SERVICE_ID
property).Click the Change... button next to the Secret label.
Copy the generated secret and save it somewhere: it will be used when configuring Datalore (
$HUB_DATALORE_SERVICE_SECRET
property).Click the Change secret button.
Enter
DATALORE_ROOT_URL
in the Base URLs field.Enter the line
/api/hub/openid/login
in the Redirect URIs field.Click the Trust Service button in the upper right corner.
Click the Save button.
Create a Hub token
Go to Users (
${HUB_ROOT_URL}/hub/users
).Click your admin username.
Switch to the Account Security tab.
Click the New token... button.
Add Hub and Datalore into Scope. You can use any Name. Click the Create button. Copy the token (with the perm: prefix) and save it somewhere. It will be used when configuring Datalore (
$HUB_PERM_TOKEN
property).
(Optional) Force email verification
Datalore uses user emails from Hub; so it is recommended to force email verification in Hub. When this option is enabled, users with unverified emails will not be able to use Datalore.
Configure the SMTP server:
Go to SMTP (
${HUB_ROOT_URL}/hub/smtp-settings
).Click the Configure SMTP server... button.
Configure your SMTP server parameters.
Click the Save button.
Click the Enable notifications button.
(Optional) To make sure your configuration is working, click the Send Test message button.
Enable email verification:
Go to Auth Modules (
${HUB_ROOT_URL}/hub/authmodules
).Open the Common settings page.
Enable the Email verification option.
Click the Save button.
Set and verify an admin user email:
Go to Users (
${HUB_ROOT_URL}/hub/users
).Click your admin username.
Set an email in the Email field.
Click the Save button.
Click the Send verification email link.
Find the verification email in your inbox and click the Verify email address button.
(Optional) Enable auth modules
Go to Auth Modules (
${HUB_ROOT_URL}/hub/authmodules
).Add or remove auth modules (for example, Google Auth, GitHub Auth, LDAP, and so on). Find more details here.
Configure the Datalore service
Edit the values under the dataloreEnv
key in the datalore.values.yaml file.
Define the following environment values:
| Base public (accessible via browser) URL of your Hub installation ( |
| URL to access Hub used when Hub and Datalore are installed in different namespaces. |
| ID of the Datalore service in Hub (see Configure the Datalore service). |
| Token of the Datalore service in Hub (see Configure the Datalore service). |
| Token for accessing Datalore and Hub scopes (see Create a Hub token). |
| Used to specify whether email verification is required from the Datalore user. Set the parameter to |
Example