diff --git a/applications/jupyter/main.tf b/applications/jupyter/main.tf
index e497d59a4..3998a5255 100644
--- a/applications/jupyter/main.tf
+++ b/applications/jupyter/main.tf
@@ -51,7 +51,7 @@ module "project-services" {
"servicenetworking.googleapis.com",
"serviceusage.googleapis.com",
"sourcerepo.googleapis.com",
- (var.add_auth ? ["iap.googleapis.com"] : [])
+ "iap.googleapis.com"
])
}
diff --git a/applications/jupyter/metadata.display.yaml b/applications/jupyter/metadata.display.yaml
index 9ee7c69a3..bd7e8d562 100644
--- a/applications/jupyter/metadata.display.yaml
+++ b/applications/jupyter/metadata.display.yaml
@@ -32,12 +32,29 @@ spec:
variables:
acknowledge:
name: acknowledge
- title: Confirm that all prerequisites have been met.
+ title: Check to confirm you enabled Google APIs for your project with this command.
section: acknowledge
- subtext: This solution will incur additional costs due to resource creation and necessary Google API usage. Please confirm to proceed.
+ subtext: |
+
+ gcloud services enable serviceusage.googleapis.com cloudresourcemanager.googleapis.com
+
enumValueLabels:
- label: Confirm that all prerequisites have been met.
value: "true"
+ solution_deployment_view:
+ name: solution_deployment_view
+ title: Check to confirm that upon deployment completion, you need to go to the Solution deployment page, find your deployment, and follow suggested next steps on the deployment DETAILS tab.
+ section: acknowledge
+ subtext:
+ enumValueLabels:
+ - label: Confirm that all prerequisites have been met.
+ value: "true"
+ iap_consent_info:
+ name: iap_consent_info
+ title: Confirm your OAuth consent screen is configured correctly.
+ section: iap_auth
add_auth:
name: add_auth
title: Enable IAP Authentication
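Review bot: In the added `solution_deployment_view` entry the `enumValueLabels` label is a copy of the `acknowledge` one (`Confirm that all prerequisites have been met.`), so the checkbox text does not match its title about following the next steps on the DETAILS tab. Its `subtext:` is also left as a bare key, which a YAML parser reads as null rather than an empty string. Suggest a label that restates what is being confirmed, e.g. `- label: I will follow the next steps on the deployment DETAILS tab.`, and either dropping `subtext:` or writing `subtext: ""`. The same block appears again further down this page in what look like the other applications' display files.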
@@ -46,12 +63,16 @@ spec:
name: additional_labels
title: Additional Labels
invisible: true
- section: cluster_details
+ section: required_config
autopilot_cluster:
name: autopilot_cluster
title: GKE Cluster Type
- section: cluster_details
+ section: required_config
invisible: true
+ cluster_name:
+ name: cluster_name
+ title: GKE cluster name
+ section: required_config
client_id:
name: client_id
title: Client Id
@@ -65,18 +86,14 @@ spec:
cluster_location:
name: cluster_location
title: Cluster Location
- section: cluster_details
+ section: required_config
xGoogleProperty:
type: ET_GCE_REGION
cluster_membership_id:
name: cluster_membership_id
title: Cluster Membership Id
invisible: true
- section: cluster_details
- cluster_name:
- name: cluster_name
- title: Cluster Name
- section: cluster_details
+ section: required_config
create_brand:
name: create_brand
title: Create Brand
@@ -85,7 +102,7 @@ spec:
create_cluster:
name: create_cluster
title: Create GKE Cluster
- section: cluster_details
+ section: required_config
invisible: true
create_gcs_bucket:
name: create_gcs_bucket
@@ -97,12 +114,12 @@ spec:
invisible: true
domain:
name: domain
- title: Domain
+ title: Domain to host JupyterHub
section: iap_auth
gcs_bucket:
name: gcs_bucket
title: GCS Bucket
- section: jupyterhub
+ section: required_config
xGoogleProperty:
type: ET_GCS_BUCKET
goog_cm_deployment_name:
@@ -142,10 +159,10 @@ spec:
name: kubernetes_namespace
title: Kubernetes Namespace
invisible: true
- section: cluster_details
+ section: required_config
members_allowlist:
name: members_allowlist
- title: Members Allowlist
+ title: Allowlist users to access JupyterHub
section: iap_auth
network_name:
name: network_name
@@ -155,7 +172,7 @@ spec:
name: private_cluster
title: Private Cluster
invisible: true
- section: cluster_details
+ section: required_config
project_id:
name: project_id
title: Project Id
@@ -173,40 +190,50 @@ spec:
name: workload_identity_service_account
title: GCP Workload Identity Service Account
invisible: true
- section: jupyterhub
+ section: required_config
sections:
- - name: cluster_details
- title: New GKE Cluster Configuration
- - name: jupyterhub
- title: Other Configuration
+ - name: acknowledge
+ title: Before you begin
+ subtext:
+ This solution deploys a sample JupyterHub application on GKE in your project to run your Jupyter notebooks.
+ - name: required_config
+ title: Required configuration
- name: iap_auth
- title: Configure Authenticated Access for JupyterHub
- subtext: Make sure the OAuth Consent Screen is configured for your project. Ensure User type is set to Internal. Note that by default, only users within your organization can be allowlisted. To add external users, change the User type to External after the application is deployed.
+ title: Optional authentication with Identity-Aware Proxy
+ subtext: With IAP authentication, you can control user access to JupyterHub. To use IAP, you will need to do the following:
+ + • Identify a domain for JupyterHub, and + • Create DNS A records for the domain after the application is deployed. +
+ Without IAP, users will need to access the GKE cluster and use port-forward to connect to JupyterHub. runtime: outputMessage: Deployment can take several minutes to complete. suggestedActions: - heading: "Step 1: Create DNS A Records for JupyterHub" description: If using custom domains for JupyterHub, create DNS A record set (Google DNS Record Set). Propagation takes 10-15 minutes and logging in won’t succeed until it’s done. - - heading: "Step 2: Go to JupyterHub Application" + - heading: "Step 2: Launch JupyterHub" description: |- -+ 1) If IAP is disabled, port forward to the JupyterHub service: + • Setup gcloud in your environment. + • Get these values from the Outputs section above: Gke Cluster Name, Gke Cluster Location, Kubernetes Namespace , Project Id, Jupyterhub User and Jupyterhub Password + • Get cluster credentials:
gcloud container clusters get-credentials <Gke Cluster Name> --location=<Gke Cluster Location> --project=<Project Id>
+ • Port forward to JupyterHub: kubectl -n <Kubernetes Namespace> port-forward service/proxy-public 3080:80
+ • Go to localhost:3080 in a browser and log in with Jupyterhub User and Jupyterhub Password
+
+ + 2) If IAP is enabled, log in with your organization's credentials. Troubleshooting access issues: + • SSL or cert errors indicate the cert is provisioning which takes up to 20 minutes. + • If you're unable to login, go to Google Cloud Platform IAP, select the proxy-public service and add the user with the role IAP-secured Web App User. +
+3) Once logged in, choose the appropriate preset and execute notebooks. Sample notebooks are provided here
outputs: jupyterhub_ip_address: {} jupyterhub_password: {} jupyterhub_uri: openInNewTab: true showInNotification: true - label: Go to JupyterHub Application + label: Launch JupyterHub jupyterhub_user: {} kubernetes_namespace: {} gke_cluster_name: {} diff --git a/applications/jupyter/metadata.yaml b/applications/jupyter/metadata.yaml index 6382cd4aa..415f94518 100644 --- a/applications/jupyter/metadata.yaml +++ b/applications/jupyter/metadata.yaml @@ -36,6 +36,13 @@ spec: - name: acknowledge varType: bool required: true + - name: solution_deployment_view + varType: bool + required: true + - name: iap_consent_info + description: Configure the OAuth Consent Screen for your project. Ensure User type is set to Internal. Note that by default, only users within your organization can be allowlisted. To add external users, change the User type to External after the application is deployed. + varType: bool + defaultValue: false - name: add_auth description: Enable IAP authentication on jupyterhub varType: bool @@ -55,6 +62,9 @@ spec: description: Client secret used for enabling IAP varType: string defaultValue: "" + - name: cluster_name + varType: string + defaultValue: "ai-on-gke" - name: cluster_location varType: string required: true @@ -62,9 +72,6 @@ spec: description: "require to use connectgateway for private clusters, default: cluster_name" varType: string defaultValue: "" - - name: cluster_name - varType: string - defaultValue: "ai-on-gke" - name: create_brand description: Create Brand OAuth Screen varType: bool @@ -83,7 +90,7 @@ spec: - name: domain description: Domain used for application and SSL certificate. varType: string - defaultValue: "jupyter.example.com" + defaultValue: "
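Review bot: The rewritten Step 2 sends users on the IAP-disabled path to the Outputs section for `Jupyterhub User` and `Jupyterhub Password`, and the `outputs:` block keeps `jupyterhub_password: {}`, so the login secret is presumably readable by anyone who can view the deployment. On that path the visible gates are cluster access for the port-forward plus this one credential, so the step should say how to treat it, for example with an extra bullet `• Treat the Jupyterhub Password output as a secret: anyone who can view this deployment can read it.` The removed `iap_auth` subtext about the OAuth consent screen user type no longer appears in this file; it survives only as the `iap_consent_info` description in metadata.yaml.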
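Review bot: In the metadata.yaml hunk at `-36,6 +36,13`, `iap_consent_info` is declared with `defaultValue: false` and no `required: true`, unlike the two acknowledgement flags above it. As far as this hunk shows, nothing ties it to `add_auth`, so a user can enable IAP without ticking the consent-screen confirmation even though its title reads like a gate. If the flag is informational, say so at the start of the description, e.g. `Applies only when IAP is enabled; this checkbox is a reminder and is not validated.`; if it is meant to gate IAP, that check would have to live in the Terraform, which is not visible here. The same declaration is added to applications/ray/metadata.yaml later on this page.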
+ gcloud services enable serviceusage.googleapis.com cloudresourcemanager.googleapis.com
+
+ enumValueLabels:
+ - label: Confirm that all prerequisites have been met.
+ value: "true"
+ solution_deployment_view:
+ name: solution_deployment_view
+ title: Check to confirm that upon deployment completion, you need to go to the Solution deployment page, find your deployment, and follow suggested next steps on the deployment DETAILS tab.
+ section: acknowledge
+ subtext:
enumValueLabels:
- label: Confirm that all prerequisites have been met.
value: "true"
@@ -26,39 +39,30 @@ spec:
name: additional_labels
title: Additional Labels
invisible: true
- section: cluster_details
+ section: required_config
autopilot_cluster:
name: autopilot_cluster
title: GKE Cluster Type
- section: cluster_details
+ section: required_config
enumValueLabels:
- label: Autopilot Cluster
value: "true"
- label: Standard Cluster
value: "false"
invisible: true
- cloudsql_instance:
- name: cloudsql_instance
- title: CloudSQL Instance
- section: rag
- cloudsql_instance_region:
- name: cloudsql_instance_region
- title: Cloudsql Instance Region
- invisible: true
- section: rag
+ cluster_name:
+ name: cluster_name
+ title: GKE cluster name
+ section: required_config
cluster_location:
name: cluster_location
- title: Cluster Location
- section: cluster_details
+ title: GKE Cluster Location
+ section: required_config
xGoogleProperty:
type: ET_GCE_REGION
# specified regions have L4 & T4 GPUs https://cloud.google.com/compute/docs/gpus/gpu-regions-zones#view-using-tools
gce_region:
allowlisted_regions: ["asia-east1","asia-northeast1","asia-northeast3","asia-south1","asia-southeast1","europe-west1","europe-west2","europe-west3","europe-west4","us-central1","us-east1","us-east4","us-west1","us-west4"]
- cluster_name:
- name: cluster_name
- title: Cluster Name
- section: cluster_details
cpu_pools:
name: cpu_pools
title: Cpu Pools
@@ -70,101 +74,114 @@ spec:
create_cluster:
name: create_cluster
title: Create GKE Cluster
- section: cluster_details
+ section: required_config
invisible: true
create_gcs_bucket:
name: create_gcs_bucket
title: Create Gcs Bucket
invisible: true
- section: rag
+ section: required_config
create_jupyter_service_account:
name: create_jupyter_service_account
title: Create Jupyter Service Account
invisible: true
- section: rag
+ section: required_config
create_network:
name: create_network
title: Create Network
invisible: true
- section: cluster_details
+ section: required_config
create_rag_service_account:
name: create_rag_service_account
title: Create Rag Service Account
invisible: true
- section: rag
+ section: required_config
create_ray_service_account:
name: create_ray_service_account
title: Create Ray Service Account
invisible: true
- section: rag
+ section: required_config
dataset_embeddings_table_name:
name: dataset_embeddings_table_name
title: Dataset Embeddings Table Name
invisible: true
- section: rag
+ section: required_config
disable_ray_cluster_network_policy:
name: disable_ray_cluster_network_policy
title: Disable Ray Cluster Network Policy
invisible: true
- section: rag
+ section: required_config
enable_grafana_on_ray_dashboard:
name: enable_grafana_on_ray_dashboard
title: Enable Grafana On Ray Dashboard
invisible: true
- section: rag
+ section: required_config
+ iap_consent_info:
+ name: iap_consent_info
+ title: Confirm your OAuth consent screen is configured correctly.
+ section: iap_auth_info
frontend_add_auth:
name: frontend_add_auth
- title: Enable IAP for Frontend Application
- section: rag_iap_auth
+ title: Enable IAP for the chat application
+ section: iap_auth_info
frontend_domain:
name: frontend_domain
- title: Frontend Domain
- section: rag_iap_auth
+ title: Domain to host the chat interface
+ section: iap_auth_info
frontend_members_allowlist:
name: frontend_members_allowlist
- title: Frontend Members Allowlist
- section: rag_iap_auth
+ title: Allowlist users to access the chat application
+ section: iap_auth_info
gcs_bucket:
name: gcs_bucket
- title: GCS Bucket
- section: rag
+ title: GCS bucket
+ section: required_config
xGoogleProperty:
type: ET_GCS_BUCKET
+ cloudsql_instance:
+ name: cloudsql_instance
+ title: CloudSQL Instance
+ section: required_config
+ cloudsql_instance_region:
+ name: cloudsql_instance_region
+ title: Cloudsql Instance Region
+ invisible: true
+ section: required_config
goog_cm_deployment_name:
name: goog_cm_deployment_name
title: Goog Cm Deployment Name
jupyter_add_auth:
name: jupyter_add_auth
- title: Enable IAP for JupyterHub Application
- section: jupyter_iap_auth
+ title: Enable IAP for JupyterHub
+ section: iap_auth_info
jupyter_domain:
name: jupyter_domain
- title: Jupyter Domain
- section: jupyter_iap_auth
+ title: Domain to host JupyterHub
+ section: iap_auth_info
jupyter_members_allowlist:
name: jupyter_members_allowlist
- title: Jupyter Members Allowlist
- section: jupyter_iap_auth
+ title: Allowlist users to access JupyterHub
+ section: iap_auth_info
jupyter_service_account:
name: jupyter_service_account
title: Jupyter Service Account
invisible: true
- section: rag
+ section: required_config
kubernetes_namespace:
name: kubernetes_namespace
title: Kubernetes Namespace
invisible: true
- section: cluster_details
+ section: required_config
network_name:
name: network_name
title: Network Name
invisible: true
- section: cluster_details
+ section: required_config
private_cluster:
name: private_cluster
title: Private Cluster
invisible: true
- section: cluster_details
+ section: required_config
project_id:
name: project_id
title: Project Id
@@ -173,90 +190,111 @@ spec:
name: rag_service_account
title: Rag Service Account
invisible: true
- section: rag
+ section: required_config
ray_dashboard_add_auth:
name: ray_dashboard_add_auth
- title: Enable IAP for Ray Dashboard Application
- section: ray_iap_auth
+ title: Enable IAP for Ray dashboard
+ section: iap_auth_info
ray_dashboard_domain:
name: ray_dashboard_domain
- title: Ray Dashboard Domain
- section: ray_iap_auth
+ title: Domain to host the Ray dashboard
+ section: iap_auth_info
ray_dashboard_members_allowlist:
name: ray_dashboard_members_allowlist
- title: Ray Dashboard Members Allowlist
- section: ray_iap_auth
+ title: Allowlist users to access the Ray dashboard
+ section: iap_auth_info
ray_service_account:
name: ray_service_account
title: Ray Service Account
invisible: true
- section: rag
+ section: required_config
sections:
- name: acknowledge
title: Before you begin
- - name: cluster_details
- title: New GKE Cluster Configuration
- - name: rag
- title: Other Configuration
+ subtext:
+ This solution deploys a sample RAG application on GKE in your project with the following components:
+ 1) Inference server using LLM (Hugging Face Mistral-7B)
+ 2) A Jupyter notebook provided with code that:
+ • Writes a sample TV shows/movies dataset to a GCS bucket.
+ • Runs a Ray job to generate vector embeddings for the data.
+ • Writes generated vector embeddings to Cloud SQL pgvector database.
+ 3) Chat frontend application for prompt interactions which:
+ • Fetches context from the generated vector embeddings related to your prompt.
+ • Augments the original prompt with the context.
+ • Queries the LLM with the augmented prompt to return more relevant results.
+ - name: required_config
+ title: Required configuration
+ - name: iap_auth_info
+ title: Optional authentication with Identity-Aware Proxy
+ subtext: With IAP authentication, you can control user access to the JupyterHub, Ray dashboard and/or chat applications. To use IAP, you will need to do the following:
+ + • Identify domains for each application, and + • Create DNS A records for the domains after the applications are deployed. +
+ Without IAP, users will need to access the GKE cluster and use port-forward to connect to the chat application, JupyterHub, and/or Ray dashboard. - name: rag_iap_auth - title: Configure Authenticated Access for Frontend - subtext: Make sure the OAuth Consent Screen is configured for your project. Ensure User type is set to Internal. Note that by default, only users within your organization can be allowlisted. To add external users, change the User type to External after the application is deployed. + title: Configure authenticated access for chat interface - name: ray_iap_auth - title: Configure Authenticated Access for Ray Dashboard - subtext: Make sure the OAuth Consent Screen is configured for your project. Ensure User type is set to Internal. Note that by default, only users within your organization can be allowlisted. To add external users, change the User type to External after the application is deployed. + title: Configure authenticated access for Ray dashboard - name: jupyter_iap_auth - title: Configure Authenticated Access for JupyterHub - subtext: Make sure the OAuth Consent Screen is configured for your project. Ensure User type is set to Internal. Note that by default, only users within your organization can be allowlisted. To add external users, change the User type to External after the application is deployed. + title: Configure authenticated access for JupyterHub runtime: - outputMessage: Deployment can take several minutes to complete. + outputMessage: Deployment can take 30-40 minutes to complete. suggestedActions: - - heading: "Step 1: Create DNS A Records for JupyterHub and Frontend Domains" - description: If using custom domains for JupyterHub or Frontend, create DNS A record sets for them (Google DNS Record Set). Propagation takes 10-15 minutes and logging in won’t succeed until it’s done. 
- - heading: "Step 2: Go to JupyterHub Application" + - heading: "Step 1: If you enabled IAP authenticated access, create DNS A records for the JupyterHub and chat application domains." + description: If you enabled IAP for JupyterHub or the chat application, create DNS A record sets for them. The instructions may be different based on your domain provider. Propagation takes 10-15 minutes and logging in won’t succeed until it’s done. + - heading: "Step 2: Launch JupyterHub" description: |- -+ 1) If IAP is disabled, port forward to the JupyterHub service: + • Setup gcloud in your environment. + • Get these values from the Outputs section above: Gke Cluster Name, Gke Cluster Location, Kubernetes Namespace , Project Id, Jupyterhub User and Jupyterhub Password + • Get cluster credentials:
gcloud container clusters get-credentials <Gke Cluster Name> --location=<Gke Cluster Location> --project=<Project Id>
+ • Port forward to JupyterHub: kubectl -n <Kubernetes Namespace> port-forward service/proxy-public 3080:80
+ • Go to localhost:3080 in a browser and log in with Jupyterhub User and Jupyterhub Password
+
+ + 2) If IAP is enabled, log in with your organization's credentials. Troubleshooting access issues: + • SSL or cert errors indicate the cert is provisioning which takes up to 20 minutes. + • If you're unable to login, go to Google Cloud Platform IAP, select the proxy-public service and add the user with the role IAP-secured Web App User. +
+3) Once logged in, choose the CPU with Default Storage option and wait for JupyterLab to load.
- heading: "Step 3: Generate Vector Embeddings for the Dataset" description: |- - Go to File -> Open From URL & upload and execute the notebook - rag-kaggle-ray-sql.ipynb. - Follow the README.md for detailed instructions. - - heading: "Step 4: Prompt the Inference Server via a Chatbot" + Go to File -> Open From URL & upload and execute the notebook rag-kaggle-ray-sql.ipynb. Note that this requires creating a Kaggle account and updating the first notebook cell with your Kaggle credentials to download the sample dataset (TV show/movie reviews). + Follow the README.md for detailed instructions. + - heading: "Step 4: Launch Frontend Chat Application" + description: |- ++ 1) If IAP is disabled, port forward to the frontend chat service: + • Setup gcloud in your environment. + • Get these values from the Outputs section above: Gke Cluster Name, Gke Cluster Location, Kubernetes Namespace , Project Id + • Get cluster credentials:
gcloud container clusters get-credentials <Gke Cluster Name> --location=<Gke Cluster Location> --project=<Project Id>
+ • Port forward to the chat interface: kubectl -n <Kubernetes Namespace> port-forward service/rag-frontend 8080:8080
+ • Go to localhost:8080 in a browser to launch the chat interface.
+
+ + 2) If IAP is enabled, log in with your organization's credentials. Troubleshooting access issues: + • SSL or cert errors indicate the cert is provisioning which takes up to 20 minutes. + • If you're unable to login, go to Google Cloud Platform IAP, select the rag-frontend service and add the user with the role IAP-secured Web App User. +
+ - heading: "Step 5: Prompt the LLM with context from the TV shows/movies dataset" description: |- -
+ gcloud services enable serviceusage.googleapis.com cloudresourcemanager.googleapis.com
+
+ enumValueLabels:
+ - label: Confirm that all prerequisites have been met.
+ value: "true"
+ solution_deployment_view:
+ name: solution_deployment_view
+ title: Check to confirm that upon deployment completion, you need to go to the Solution deployment page, find your deployment, and follow suggested next steps on the deployment DETAILS tab.
+ section: acknowledge
+ subtext:
enumValueLabels:
- label: Confirm that all prerequisites have been met.
value: "true"
@@ -26,34 +39,33 @@ spec:
name: additional_labels
title: Additional Labels
invisible: true
- section: cluster_details
+ section: required_config
autopilot_cluster:
name: autopilot_cluster
title: GKE Cluster Type
- section: cluster_details
+ section: required_config
invisible: true
+ iap_consent_info:
+ name: iap_consent_info
+ title: Confirm your OAuth consent screen is configured correctly.
+ section: iap_auth
+ cluster_name:
+ name: cluster_name
+ title: Cluster Name
+ section: required_config
cluster_location:
name: cluster_location
title: Cluster Location
- section: cluster_details
+ section: required_config
xGoogleProperty:
type: ET_GCE_REGION
# specified regions have L4 & T4 GPUs https://cloud.google.com/compute/docs/gpus/gpu-regions-zones#view-using-tools
gce_region:
allowlisted_regions: ["asia-east1","asia-northeast1","asia-northeast3","asia-south1","asia-southeast1","europe-west1","europe-west2","europe-west3","europe-west4","us-central1","us-east1","us-east4","us-west1","us-west4"]
- cluster_name:
- name: cluster_name
- title: Cluster Name
- section: cluster_details
- create_brand:
- name: create_brand
- title: Create Brand
- invisible: true
- section: iap_auth
create_cluster:
name: create_cluster
title: Create GKE Cluster
- section: cluster_details
+ section: required_config
invisible: true
create_gcs_bucket:
name: create_gcs_bucket
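Review bot: This hunk deletes the `create_brand` display entry, which carried `invisible: true` and `section: iap_auth`, while the applications/ray/metadata.yaml hunk further down this page still shows `- name: create_brand` as a context line. If this is the ray display file and no other `create_brand` entry remains in it, the OAuth brand toggle would lose its hidden setting and might be rendered as a user-editable field. It is worth confirming that the removal only dropped a duplicate key. The rest of the `variables` map lies outside the hunk, so this cannot be checked from here.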
@@ -67,7 +79,7 @@ spec:
name: create_ray_cluster
title: Create Ray Cluster
invisible: true
- section: ray
+ section: required_config
create_service_account:
name: create_service_account
title: Create Service Account
@@ -76,30 +88,30 @@ spec:
name: disable_ray_cluster_network_policy
title: Disable Ray Cluster Network Policy
invisible: true
- section: ray
+ section: required_config
disable_resource_quotas:
name: disable_resource_quotas
title: Disable Resource Quotas
invisible: true
- section: ray
+ section: required_config
enable_gpu:
name: enable_gpu
- title: Enable GPU
- section: ray
+ title: Enable GPU nodepool for Ray workloads
+ section: required_config
enable_grafana_on_ray_dashboard:
name: enable_grafana_on_ray_dashboard
title: Enable Grafana On Ray Dashboard
invisible: true
- section: ray
+ section: required_config
enable_tpu:
name: enable_tpu
title: Enable Tpu
invisible: true
- section: ray
+ section: required_config
gcs_bucket:
name: gcs_bucket
title: Gcs Bucket
- section: ray
+ section: required_config
xGoogleProperty:
type: ET_GCS_BUCKET
goog_cm_deployment_name:
@@ -109,12 +121,12 @@ spec:
name: kuberay_network_policy_allow_cidr
title: Kuberay Network Policy Allow Cidr
invisible: true
- section: ray
+ section: required_config
kubernetes_namespace:
name: kubernetes_namespace
title: Kubernetes Namespace
invisible: true
- section: cluster_details
+ section: required_config
network_name:
name: network_name
title: Network Name
@@ -123,7 +135,7 @@ spec:
name: private_cluster
title: Private Cluster
invisible: true
- section: cluster_details
+ section: required_config
project_id:
name: project_id
title: Project Id
@@ -149,7 +161,7 @@ spec:
section: iap_auth
ray_dashboard_domain:
name: ray_dashboard_domain
- title: Ray Dashboard Domain
+ title: Domain to host the Ray dashboard
section: iap_auth
ray_dashboard_k8s_backend_config_name:
name: ray_dashboard_k8s_backend_config_name
@@ -178,12 +190,12 @@ spec:
section: iap_auth
ray_dashboard_members_allowlist:
name: ray_dashboard_members_allowlist
- title: Ray Dashboard Members Allowlist
+ title: Allowlist users to access the Ray dashboard
section: iap_auth
ray_version:
name: ray_version
title: Ray Version
- section: ray
+ section: required_config
enumValueLabels:
- label: v2.9.3
value: v2.9.3
@@ -191,7 +203,7 @@ spec:
name: resource_quotas
title: Resource Quotas
invisible: true
- section: ray
+ section: required_config
subnetwork_cidr:
name: subnetwork_cidr
title: Subnetwork Cidr
@@ -204,24 +216,37 @@ spec:
name: workload_identity_service_account
title: GCP Workload Identity Service Account
invisible: true
- section: ray
+ section: required_config
sections:
- name: acknowledge
title: Before you begin
- - name: cluster_details
- title: New GKE Cluster Details
- - name: ray
- title: Ray Application
+ subtext:
+ This solution deploys a sample Ray application on GKE in your project.
+ - name: required_config
+ title: Required configuration
- name: iap_auth
- title: IAP Authentication
- subtext: Make sure the OAuth Consent Screen is configured for your project. Ensure User type is set to Internal. Note that by default, only users within your organization can be allowlisted. To add external users, change the User type to External after the application is deployed.
+ title: Optional authentication with Identity-Aware Proxy
+ subtext: With IAP authentication, you can control user access to the Ray Dashboard. To use IAP, you will need to do the following:
+ + • Identify a domain for the Ray dashboard, and + • Create DNS A records for the domain after the application is deployed. +
+ Without IAP, users will need to access the GKE cluster and use port-forward to connect to the Ray dashboard. runtime: outputMessage: Deployment can take several minutes to complete. suggestedActions: - heading: Connect to Ray Cluster description: Connect to Ray Cluster, scroll to Ports section and initiate PORT FORWARDING (Run in Cloud Shell) to the ray dashboard (port 8265). Open another terminal and follow these instructions to install ray and submit jobs. - heading: View Job Status in Ray Dashboard - description: "Open the ray dashboard via the OPEN IN WEB PREVIEW button. " + description: |- ++ 1) If IAP is disabled, open the ray dashboard via the OPEN IN WEB PREVIEW button in the port forwarding page. +
++ 2) If IAP is enabled, click the Launch Ray Dashboard button and log in with your organization's credentials. Troubleshooting access issues: + • SSL or cert errors indicate the cert is provisioning which takes up to 20 minutes. + • If you're unable to login, go to Google Cloud Platform IAP, select the ray-cluster-kuberay-head-svc service and add the user with the role IAP-secured Web App User. +
outputs: kubernetes_namespace: {} gke_cluster_name: {} @@ -231,3 +256,8 @@ spec: openInNewTab: true showInNotification: true label: Connect to Ray Cluster + ray_dashboard_ip_address: {} + ray_dashboard_uri: + openInNewTab: true + showInNotification: true + label: Launch Ray Dashboard diff --git a/applications/ray/metadata.yaml b/applications/ray/metadata.yaml index 8cc96181b..59c9edb4f 100644 --- a/applications/ray/metadata.yaml +++ b/applications/ray/metadata.yaml @@ -24,9 +24,19 @@ spec: - name: acknowledge varType: bool required: true + - name: solution_deployment_view + varType: bool + required: true + - name: iap_consent_info + description: Configure the OAuth Consent Screen for your project. Ensure User type is set to Internal. Note that by default, only users within your organization can be allowlisted. To add external users, change the User type to External after the application is deployed. + varType: bool + defaultValue: false - name: autopilot_cluster varType: bool defaultValue: false + - name: cluster_name + varType: string + defaultValue: "ai-on-gke" - name: cluster_location varType: string required: true @@ -35,9 +45,6 @@ spec: description: "require to use connectgateway for private clusters, default: cluster_name" varType: string defaultValue: "" - - name: cluster_name - varType: string - defaultValue: "ai-on-gke" - name: create_brand description: Create Brand OAuth Screen varType: bool @@ -121,7 +128,7 @@ spec: - name: ray_dashboard_domain description: Domain used for application and SSL certificate. varType: string - defaultValue: "ray.example.com" + defaultValue: "
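Review bot: The new `iap_auth` subtext in the `-204,24 +216,37` hunk presents IAP as controlling "user access to the Ray Dashboard", but the first suggested action in the same hunk has users submit jobs through the dashboard port 8265. An allowlisted account can therefore presumably run workloads on the cluster rather than only read job status. Suggest saying that in the section text, e.g. appending `Anyone you allowlist can also submit Ray jobs, so list only users who should be able to run code on this cluster.` The troubleshooting bullet already scopes `IAP-secured Web App User` to the `ray-cluster-kuberay-head-svc` service; it would help to add that the role should be granted on that service, not at project level.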