Update Ray, RAG and Jupyter Marketplace UI (#558)
* Update Ray, RAG and Jupyter Marketplace UI

* Added new IAP validation block (#559)

* update IAP validation

* beautify code block for MP

* fix ray allowlist

* fix ray allowlist and labels

---------

Co-authored-by: Umesh Kumhar <umeshkumhar@google.com>
imreddy13 and umeshkumhar authored Apr 4, 2024
1 parent 4e4340c commit 2a93816
Showing 15 changed files with 368 additions and 217 deletions.
2 changes: 1 addition & 1 deletion applications/jupyter/main.tf
Expand Up @@ -51,7 +51,7 @@ module "project-services" {
"servicenetworking.googleapis.com",
"serviceusage.googleapis.com",
"sourcerepo.googleapis.com",
(var.add_auth ? ["iap.googleapis.com"] : [])
"iap.googleapis.com"
])
}

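Review bot: `"iap.googleapis.com"` now appears in the service list unconditionally, where the `var.add_auth` conditional used to gate it (which of the two printed lines is the new side is inferred from print order, since the +/- markers are lost). For deployments that leave IAP disabled this enables an API the stack never uses. If that is deliberate, record the reason in a comment above the entry, e.g. `# enabled even when add_auth is false: <reason>`. The same change is made in the `project-services` module of applications/rag/main.tf. The module block starts outside the hunk.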
99 changes: 63 additions & 36 deletions applications/jupyter/metadata.display.yaml
Expand Up @@ -32,12 +32,29 @@ spec:
variables:
acknowledge:
name: acknowledge
title: Confirm that all prerequisites have been met.
title: Check to confirm you enabled Google APIs for your project with this command.
section: acknowledge
subtext: This solution will incur additional costs due to resource creation and necessary Google API usage. Please confirm to proceed.
subtext: |
<pre>
<code style="background: #f4f4f4;border: 1px solid #ddd; border-left: 3px solid #3367d6; color: #6d6868; font-size: 12px; max-width: 100%; padding: 0.5em 0.5em; display: inline; line-height: 45px;">gcloud services enable serviceusage.googleapis.com cloudresourcemanager.googleapis.com</code>
</pre>
enumValueLabels:
- label: Confirm that all prerequisites have been met.
value: "true"
solution_deployment_view:
name: solution_deployment_view
title: Check to confirm that upon deployment completion, you need to go to the Solution deployment page, find your deployment, and follow suggested next steps on the deployment DETAILS tab.
section: acknowledge
subtext: <p>
<a href="https://console.cloud.google.com/products/solutions/deployments"><i>Solution deployment page</i></a>
</p>
enumValueLabels:
- label: Confirm that all prerequisites have been met.
value: "true"
iap_consent_info:
name: iap_consent_info
title: Confirm your OAuth consent screen is configured correctly.
section: iap_auth
add_auth:
name: add_auth
title: Enable IAP Authentication
Expand All @@ -46,12 +63,16 @@ spec:
name: additional_labels
title: Additional Labels
invisible: true
section: cluster_details
section: required_config
autopilot_cluster:
name: autopilot_cluster
title: GKE Cluster Type
section: cluster_details
section: required_config
invisible: true
cluster_name:
name: cluster_name
title: GKE cluster name
section: required_config
client_id:
name: client_id
title: Client Id
Expand All @@ -65,18 +86,14 @@ spec:
cluster_location:
name: cluster_location
title: Cluster Location
section: cluster_details
section: required_config
xGoogleProperty:
type: ET_GCE_REGION
cluster_membership_id:
name: cluster_membership_id
title: Cluster Membership Id
invisible: true
section: cluster_details
cluster_name:
name: cluster_name
title: Cluster Name
section: cluster_details
section: required_config
create_brand:
name: create_brand
title: Create Brand
Expand All @@ -85,7 +102,7 @@ spec:
create_cluster:
name: create_cluster
title: Create GKE Cluster
section: cluster_details
section: required_config
invisible: true
create_gcs_bucket:
name: create_gcs_bucket
Expand All @@ -97,12 +114,12 @@ spec:
invisible: true
domain:
name: domain
title: Domain
title: Domain to host JupyterHub
section: iap_auth
gcs_bucket:
name: gcs_bucket
title: GCS Bucket
section: jupyterhub
section: required_config
xGoogleProperty:
type: ET_GCS_BUCKET
goog_cm_deployment_name:
Expand Down Expand Up @@ -142,10 +159,10 @@ spec:
name: kubernetes_namespace
title: Kubernetes Namespace
invisible: true
section: cluster_details
section: required_config
members_allowlist:
name: members_allowlist
title: Members Allowlist
title: Allowlist users to access JupyterHub
section: iap_auth
network_name:
name: network_name
Expand All @@ -155,7 +172,7 @@ spec:
name: private_cluster
title: Private Cluster
invisible: true
section: cluster_details
section: required_config
project_id:
name: project_id
title: Project Id
Expand All @@ -173,40 +190,50 @@ spec:
name: workload_identity_service_account
title: GCP Workload Identity Service Account
invisible: true
section: jupyterhub
section: required_config
sections:
- name: cluster_details
title: New GKE Cluster Configuration
- name: jupyterhub
title: Other Configuration
- name: acknowledge
title: Before you begin
subtext:
This solution deploys a sample <a href="https://github.com/GoogleCloudPlatform/ai-on-gke/blob/release-1.1/applications/jupyter/README.md"><i>JupyterHub</i></a> application on GKE in your project to run your Jupyter notebooks.</br>
- name: required_config
title: Required configuration
- name: iap_auth
title: Configure Authenticated Access for JupyterHub
subtext: Make sure the <a href="https://developers.google.com/workspace/guides/configure-oauth-consent#configure_oauth_consent"><i>OAuth Consent Screen</i></a> is configured for your project. Ensure <b>User type</b> is set to <i>Internal</i>. Note that by default, only users within your organization can be allowlisted. To add external users, change the <b>User type</b> to <i>External</i> after the application is deployed.
title: Optional authentication with Identity-Aware Proxy
subtext: With <a href="https://cloud.google.com/iap/docs/enabling-kubernetes-howto"><i>IAP authentication</i></a>, you can control user access to JupyterHub. To use IAP, you will need to do the following:</br>
<p>
&emsp;&emsp;&#x2022; Identify a domain for JupyterHub, and</br>
&emsp;&emsp;&#x2022; Create <a href="https://cloud.google.com/dns/docs/records#add_a_record"<i>DNS A records</i></a> for the domain after the application is deployed.
</p>
Without IAP, users will need to access the GKE cluster and use port-forward to connect to JupyterHub.
runtime:
outputMessage: Deployment can take several minutes to complete.
suggestedActions:
- heading: "Step 1: Create DNS A Records for JupyterHub"
description: If using custom domains for JupyterHub, create DNS A record set (<a href="https://cloud.google.com/dns/docs/records#add_a_record">Google DNS Record Set</a>). Propagation takes 10-15 minutes and logging in won’t succeed until it’s done.
- heading: "Step 2: Go to JupyterHub Application"
- heading: "Step 2: Launch JupyterHub"
description: |-
<li>If IAP is enabled, log in with your organization's credentials. SSL or cert errors indicate the cert is provisioning which takes up to 20 minutes.</li>
<li>If IAP is disabled:
<ul>
<li>(1) Setup gcloud in your environment</li>
<li>(2) Get these values from the Outputs section above: the <i>GKE Cluster Name</i>, <i>GKE Cluster Location</i>, <i>Kubernetes Namespace</i> , <i>Project Id</i>, <i>Jupyterhub User</i> and <i>Jupyterhub Password</i> </li>
<li>(3) Get cluster credentials: <b>gcloud container clusters get-credentials <Gke Cluster Name> --location=<Gke Cluster Location> --project=<Project Id></b> </li>
<li>(4) Port forward to JupyterHub: <b>kubectl -n <Kubernetes Namespace> port-forward service/proxy-public 3080:80</b> </li>
<li>(5) Go to <i>localhost:3080</i> in a browser and log in with <i>Jupyterhub User</i> and <i>Jupyterhub Password</i></li>
<ul>
</li>
<li>Once logged in, choose the appropriate preset and execute notebooks. Sample notebooks are provided <a href="https://github.com/GoogleCloudPlatform/ai-on-gke/tree/main/ray-on-gke/examples/notebooks">here</a></li>
<p>
1&#41; If IAP is disabled, port forward to the JupyterHub service:</br>
&emsp;&#x2022; Setup <a href="https://cloud.google.com/sdk/docs/install">gcloud</a> in your environment.</br>
&emsp;&#x2022; Get these values from the Outputs section above: <b>Gke Cluster Name</b>, <b>Gke Cluster Location</b>, <b>Kubernetes Namespace</b> , <b>Project Id</b>, <b>Jupyterhub User</b> and <b>Jupyterhub Password</b> </br>
&emsp;&#x2022; Get cluster credentials: <pre><code style="background: #f4f4f4;border: 1px solid #ddd; border-left: 3px solid #3367d6; color: #6d6868; font-size: 12px; max-width: 100%; padding: 0.5em 0.5em; display: inline;">gcloud container clusters get-credentials &ltGke Cluster Name&gt --location=&ltGke Cluster Location&gt --project=&ltProject Id&gt</code></pre></br>
&emsp;&#x2022; Port forward to JupyterHub: <pre><code style="background: #f4f4f4;border: 1px solid #ddd; border-left: 3px solid #3367d6; color: #6d6868; font-size: 12px; max-width: 100%; padding: 0.5em 0.5em; display: inline; line-height: 35px;">kubectl -n &ltKubernetes Namespace&gt port-forward service/proxy-public 3080:80</code></pre> </br>
&emsp;&#x2022; Go to <b>localhost:3080</b> in a browser and log in with <b>Jupyterhub User</b> and <b>Jupyterhub Password</b>
</p>
<p>
2&#41; If IAP is enabled, log in with your organization's credentials. Troubleshooting access issues:</br>
&emsp;&#x2022; SSL or cert errors indicate the cert is provisioning which takes up to 20 minutes.</br>
&emsp;&#x2022; If you're unable to login, go to <a href="https://console.cloud.google.com/security/iap">Google Cloud Platform IAP</a>, select the <b>proxy-public</b> service and add the user with the role <b>IAP-secured Web App User</b>.
</p>
<p>3&#41; Once logged in, choose the appropriate preset and execute notebooks. Sample notebooks are provided <a href="https://github.com/GoogleCloudPlatform/ai-on-gke/tree/release-1.1/ray-on-gke/examples/notebooks">here</a></p>
outputs:
jupyterhub_ip_address: {}
jupyterhub_password: {}
jupyterhub_uri:
openInNewTab: true
showInNotification: true
label: Go to JupyterHub Application
label: Launch JupyterHub
jupyterhub_user: {}
kubernetes_namespace: {}
gke_cluster_name: {}
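Review bot: The anchor around "DNS A records" in the `iap_auth` section subtext is malformed: `<a href="https://cloud.google.com/dns/docs/records#add_a_record"<i>` lacks the `>` that closes the opening tag, so the link in the IAP setup guidance will likely render broken. It should read `<a href="https://cloud.google.com/dns/docs/records#add_a_record"><i>DNS A records</i></a>`. In the "Step 2" description the command placeholders are written `&ltGke Cluster Name&gt` without terminating semicolons; `&lt;` and `&gt;` are the well-formed entities. The `solution_deployment_view` checkbox also reuses the label "Confirm that all prerequisites have been met.", which does not match its title.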
17 changes: 12 additions & 5 deletions applications/jupyter/metadata.yaml
Expand Up @@ -36,6 +36,13 @@ spec:
- name: acknowledge
varType: bool
required: true
- name: solution_deployment_view
varType: bool
required: true
- name: iap_consent_info
description: Configure the <a href="https://developers.google.com/workspace/guides/configure-oauth-consent#configure_oauth_consent"><i>OAuth Consent Screen</i></a> for your project. Ensure <b>User type</b> is set to <i>Internal</i>. Note that by default, only users within your organization can be allowlisted. To add external users, change the <b>User type</b> to <i>External</i> after the application is deployed.
varType: bool
defaultValue: false
- name: add_auth
description: Enable IAP authentication on jupyterhub
varType: bool
Expand All @@ -55,16 +62,16 @@ spec:
description: Client secret used for enabling IAP
varType: string
defaultValue: ""
- name: cluster_name
varType: string
defaultValue: "ai-on-gke"
- name: cluster_location
varType: string
required: true
- name: cluster_membership_id
description: "require to use connectgateway for private clusters, default: cluster_name"
varType: string
defaultValue: ""
- name: cluster_name
varType: string
defaultValue: "ai-on-gke"
- name: create_brand
description: Create Brand OAuth Screen
varType: bool
Expand All @@ -83,7 +90,7 @@ spec:
- name: domain
description: Domain used for application and SSL certificate.
varType: string
defaultValue: "jupyter.example.com"
defaultValue: "<your JupyterHub domain here>"
- name: gcs_bucket
description: Bucket name to store the dataset. The bucket name must be globally unique across google cloud projects
varType: string
Expand Down Expand Up @@ -121,7 +128,7 @@ spec:
- name: members_allowlist
description: "For example - user:example@google.com,serviceAccount:serviceAccount@google.com,group:group@google.com,domain:google.com"
varType: string
defaultValue: ""
defaultValue: "user:<your-email-here>"
- name: network_name
description: Network name of VPC
varType: string
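Review bot: The defaults for `members_allowlist` (`"user:<your-email-here>"`) and `domain` (`"<your JupyterHub domain here>"`) are placeholder strings rather than empty values, so a deployer who leaves them untouched submits a non-empty allowlist entry and a domain that are not real. An empty-string guard like the `!= ""` checks in applications/rag/main.tf on this page would not catch them, and whether the jupyter module validates these inputs is not visible here. Consider keeping `defaultValue: ""` and moving the hint into `description`, or rejecting values that contain `<` in the variable's validation. Which side of each pair is new is inferred from the page's print order.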
1 change: 0 additions & 1 deletion applications/rag/frontend/main.tf
Expand Up @@ -191,4 +191,3 @@ resource "kubernetes_deployment" "rag_frontend_deployment" {
}
}
}

5 changes: 2 additions & 3 deletions applications/rag/main.tf
Expand Up @@ -56,7 +56,7 @@ module "project-services" {
"serviceusage.googleapis.com",
"sourcerepo.googleapis.com",
"sqladmin.googleapis.com",
(var.frontend_add_auth || var.jupyter_add_auth ? ["iap.googleapis.com"] : [])
"iap.googleapis.com"
])
}

Expand Down Expand Up @@ -255,7 +255,7 @@ module "kuberay-cluster" {
k8s_backend_config_name = var.ray_dashboard_k8s_backend_config_name
k8s_backend_service_port = var.ray_dashboard_k8s_backend_service_port
domain = var.ray_dashboard_domain
members_allowlist = var.ray_dashboard_members_allowlist
members_allowlist = var.ray_dashboard_members_allowlist != "" ? split(",", var.ray_dashboard_members_allowlist) : []
}

module "kuberay-monitoring" {
Expand Down Expand Up @@ -310,4 +310,3 @@ module "frontend" {
members_allowlist = var.frontend_members_allowlist != "" ? split(",", var.frontend_members_allowlist) : []
depends_on = [module.namespace]
}
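Review bot: The `split(",", var.ray_dashboard_members_allowlist)` passed to `kuberay-cluster` keeps whatever surrounds each comma, so an input such as `user:a@example.com, user:b@example.com` or one with a trailing comma hands the IAP allowlist an entry with a leading space or an empty string. Trimming and dropping blanks avoids a failed or partial binding, and also covers the empty-input case: `members_allowlist = [for m in split(",", var.ray_dashboard_members_allowlist) : trimspace(m) if trimspace(m) != ""]`. The `frontend` module's `members_allowlist` further down has the same form. Both module blocks start outside their hunks.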
