From 5bf300c9b8ef2feed41ae8d49ca551b63071a61e Mon Sep 17 00:00:00 2001 From: Umesh Kumhar Date: Fri, 22 Mar 2024 11:57:17 +0530 Subject: [PATCH] fix marketplace description & sql name (#414) * fix marketplace description, support sql instance name --- applications/jupyter/README.md | 24 +++++++++---------- applications/jupyter/metadata.display.yaml | 12 +++++----- applications/jupyter/metadata.yaml | 2 +- applications/jupyter/profiles.md | 8 +++---- applications/jupyter/variable_definitions.md | 8 +++---- ...workloads-auto-create-brand.example.tfvars | 2 +- ...ng-brand-auto-create-client.example.tfvars | 2 +- ...sting-brand-existing-client.example.tfvars | 2 +- .../workloads-without-iap.example.tfvars | 2 +- applications/jupyter/workloads.tfvars | 2 +- applications/rag/README.md | 6 ++--- applications/rag/main.tf | 5 ++-- applications/rag/metadata.display.yaml | 18 +++++++------- applications/ray/TPU_guide.md | 2 +- applications/ray/metadata.display.yaml | 6 ++--- applications/ray/metadata.yaml | 3 ++- cloudbuild.yaml | 4 ++-- modules/jupyter/authentication/README.MD | 22 ++++++++--------- .../gcpiapjwtauthenticator.py | 4 ++-- modules/jupyter/tests/test_hub.py | 6 ++--- 20 files changed, 71 insertions(+), 69 deletions(-) diff --git a/applications/jupyter/README.md b/applications/jupyter/README.md index e4fbdfc69..a834c0c55 100644 --- a/applications/jupyter/README.md +++ b/applications/jupyter/README.md @@ -30,7 +30,7 @@ This code can also perform auto brand creation. Please check the details [below] * Terraform * Gcloud CLI -Jupyterhub server can use either local storage or GCS to store notebooks and other artifcts. +JupyterHub server can use either local storage or GCS to store notebooks and other artifcts. To use GCS, create a bucket with your username. For example, when authenticating with IAP as username@domain.com, ensure your bucket name is `gcsfuse-` ## Installation 
@@ -43,7 +43,7 @@ To use GCS, create a bucket with your username. For example, when authenticating cd ai-on-gke/applications/jupyter ``` -2. Edit `workloads.tfvars` with your GCP settings. The `namespace` that you specify will become a K8s namespace for your Jupyterhub services. For more information about what the variables do visit [here](https://github.com/GoogleCloudPlatform/ai-on-gke/blob/main/applications/jupyter/variable_definitions.md) +2. Edit `workloads.tfvars` with your GCP settings. The `namespace` that you specify will become a K8s namespace for your JupyterHub services. For more information about what the variables do visit [here](https://github.com/GoogleCloudPlatform/ai-on-gke/blob/main/applications/jupyter/variable_definitions.md) **Important Note:** If using this with the Ray module (`applications/ray/`), it is recommended to use the same k8s namespace @@ -55,12 +55,12 @@ for both i.e. set this to the same namespace as `applications/ray/workloads.tfva | cluster_name | GKE Cluster Name | Yes | | cluster_location | GCP Region | Yes | | cluster_membership_id | Fleet membership name for GKE cluster.
Required when using private clusters with Anthos Connect Gateway | | -| namespace | The namespace that Jupyterhub and rest of the other resources will be installed in. | Yes | +| namespace | The namespace that JupyterHub and rest of the other resources will be installed in. | Yes | | gcs_bucket | GCS bucket to be used for Jupyter storage | | | create_service_account | Create service accounts used for Workload Identity mapping | Yes | | gcp_and_k8s_service_account | GCP service account used for Workload Identity mapping and k8s sa attached with workload | Yes | -For variables under `Jupyterhub with IAP`, please see the section below +For variables under `JupyterHub with IAP`, please see the section below ### Secure endpoint with IAP @@ -78,7 +78,7 @@ See the example `.tfvars` files under `/applications/jupyter` for different bran | Variable | Description | Default Value | Required | | ------------------------ |--------------------------- |:-------------:|:--------:| -| add_auth | Enable IAP on Jupyterhub | true | Yes | +| add_auth | Enable IAP on JupyterHub | true | Yes | | brand | Name of the brand used for creating IAP OAuth clients. Only one is allowed per project. View existing brands: `gcloud iap oauth-brands list`. Leave it empty to create a new brand. Uses [support_email](#support_email) | | | | support_email | Support email assocated with the [brand](#brand). Used as a point of contact for consent for the ["OAuth Consent" in Cloud Console](https://console.cloud.google.com/apis/credentials/consent). Optional field if `brand` is empty. | | | | default_backend_service | default_backend_service | | | 
@@ -109,11 +109,11 @@ gcloud auth application-default login - Should have `jupyter-proxy-public` in the name eg.: `k8s1-63da503a-jupyter-proxy-public-80-74043627`. * Run `terraform apply --var-file=./workloads.tfvars` -## Using Jupyterhub +## Using JupyterHub ### If Auth with IAP is disabled -1. Extract the randomly generated password for Jupyterhub login +1. Extract the randomly generated password for JupyterHub login ``` terraform output password 
@@ -137,17 +137,17 @@ Please note there may be some propagation delay after adding IAP principals (5-1 ### Setup Access -In order for users to login to Jupyterhub via IAP, their access needs to be configured. To allow access for users/groups: +In order for users to login to JupyterHub via IAP, their access needs to be configured. To allow access for users/groups: 1. Navigate to the [GCP IAP Cloud Console](https://console.cloud.google.com/security/iap) and select your backend-service for `/proxy-public`. -2. Click on `Add Principal`, insert the username / group name and select under `Cloud IAP` with role `IAP-secured Web App User`. Once presmission is granted, these users / groups can login to Jupyterhub with IAP. Please note there may be some propagation delay after adding IAP principals (5-10 mins). +2. Click on `Add Principal`, insert the username / group name and select under `Cloud IAP` with role `IAP-secured Web App User`. Once presmission is granted, these users / groups can login to JupyterHub with IAP. Please note there may be some propagation delay after adding IAP principals (5-10 mins). ## Persistent Storage -Jupyterhub is configured to provide 2 choices for storage: +JupyterHub is configured to provide 2 choices for storage: -1. Default Jupyterhub Storage - `pd.csi.storage.gke.io` with reclaim policy `Delete` +1. Default JupyterHub Storage - `pd.csi.storage.gke.io` with reclaim policy `Delete` 2. GCSFuse - `gcsfuse.csi.storage.gke.io` uses GCS Buckets and require users to pre-create buckets with name format `gcsfuse-{username}` 
@@ -192,4 +192,4 @@ This module uses `.nip.io` as the domain name with a global static ipv4 addr ## Additional Information -For more information about Jupyterhub profiles and the preset profiles visit [here](https://github.com/GoogleCloudPlatform/ai-on-gke/blob/main/applications/jupyter/profiles.md) \ No newline at end of file +For more information about JupyterHub profiles and the preset profiles visit [here](https://github.com/GoogleCloudPlatform/ai-on-gke/blob/main/applications/jupyter/profiles.md) \ No newline at end of file diff --git a/applications/jupyter/metadata.display.yaml b/applications/jupyter/metadata.display.yaml index 7924f373c..ce7e89649 100644 --- a/applications/jupyter/metadata.display.yaml +++ b/applications/jupyter/metadata.display.yaml @@ -171,18 +171,18 @@ spec: title: Other Configuration - name: iap_auth title: Configure Authenticated Access for JupyterHub - subtext: Make sure the OAuth Consent Screen is configured for your project. Ensure User type is set to Internal. + subtext: Make sure the OAuth Consent Screen is configured for your project. Ensure User type is set to Internal. Note that by default, only users within your organization can be allowlisted. To add external users, change the User type to External after the application is deployed. runtime: outputMessage: Deployment can take several minutes to complete. suggestedActions: - - heading: "Step 1: Create DNS A Records for Jupyterhub" + - heading: "Step 1: Create DNS A Records for JupyterHub" description: |- - If using custom domains for Jupyterhub, create DNS A record set (Google DNS Record Set). Propagation takes 10-15 minutes and logging in won’t succeed until it’s done. + If using custom domains for JupyterHub, create DNS A record set (Google DNS Record Set). Propagation takes 10-15 minutes and logging in won’t succeed until it’s done. - heading: "Step 2: Go to JupyterHub Application" description: |- -
  • If IAP is enabled, log in with your organization's credentials.
  • -
  • If IAP is disabled, scroll to Ports section and initiate PORT FORWARDING (Run in Cloud Shell) to the front end application. Launch JupyterHub app via OPEN IN WEB PREVIEW button. Log in with Jupyterhub User and Jupyterhub Password (from the Outputs section).
  • -
  • Once logged in, choose the appropriate preset and execute notebooks.
  • +
  • If IAP is enabled, log in with your organization's credentials. SSL or cert errors indicate the cert is provisioning which takes up to 20 minutes.
  • +
  • If IAP is disabled, scroll to Ports section and initiate PORT FORWARDING (Run in Cloud Shell) to the front end application. Launch JupyterHub app via OPEN IN WEB PREVIEW button. Log in with Jupyterhub User and Jupyterhub Password (from the Outputs section).
  • +
  • Once logged in, choose the appropriate preset and execute notebooks. Sample notebooks are provided here
  • outputs: jupyterhub_password: {} jupyterhub_uri: diff --git a/applications/jupyter/metadata.yaml b/applications/jupyter/metadata.yaml index 0b839db57..6d920ce3a 100644 --- a/applications/jupyter/metadata.yaml +++ b/applications/jupyter/metadata.yaml @@ -38,7 +38,7 @@ spec: defaultValue: false - name: autopilot_cluster varType: string - defaultValue: "false" + defaultValue: "true" - name: client_id description: Client ID used for enabling IAP varType: string diff --git a/applications/jupyter/profiles.md b/applications/jupyter/profiles.md index 7d45da937..b9d177b28 100644 --- a/applications/jupyter/profiles.md +++ b/applications/jupyter/profiles.md @@ -1,8 +1,8 @@ -# Jupyterhub Profiles +# JupyterHub Profiles ## Default Profiles -By default, there are 3 pre-set profiles for Jupyterhub: +By default, there are 3 pre-set profiles for JupyterHub: ![Profiles Page](images/image.png) @@ -85,7 +85,7 @@ Similar to overriding images, the resources can also be overwritten by using `ku ### Node/GPU -Jupyterhub config allows the use of [nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector). This is the way the profiles specify which node/GPU it wants +JupyterHub config allows the use of [nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector). This is the way the profiles specify which node/GPU it wants ``` yaml nodeSelector: 
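Review bot: The sentence added to the IAP bullet of "Step 2" ("SSL or cert errors indicate the cert is provisioning which takes up to 20 minutes") tells users that certificate errors are expected but not what to do about them, which can teach people to click through browser warnings on a login page. I would word it as an instruction to wait, for example `If the browser reports an SSL or certificate error, the managed certificate is still provisioning (up to 20 minutes); wait until it is Active before logging in.` The same sentence is added twice in applications/rag/metadata.display.yaml (Step 2 and Step 4) and should change with it. The new `iap_auth` subtext about switching User type to External could also say that access still depends on the principal being granted `IAP-secured Web App User`, as the Jupyter README in this patch describes.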
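Review bot: The `autopilot_cluster` default flips from `"false"` to `"true"` in applications/jupyter/metadata.yaml, which changes what a default deployment creates, yet the commit message mentions only the marketplace description and the SQL instance name. The same flip is made in applications/ray/metadata.yaml. I would name it in the commit description and confirm that the default in the Terraform variable declaration, which is not visible in this patch, agrees with it so that the Marketplace form and a plain `terraform apply` do not diverge. The variable is also declared `varType: string` while carrying a boolean-looking value; if that is deliberate, a `description:` line saying so would help the next reader.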
@@ -114,7 +114,7 @@ The possible GPUs are: ### TPUs -Jupyterhub profiles has a TPU option. It utilizes the [nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector), and the annotations `cloud.google.com/gke-tpu-accelerator` and `cloud.google.com/gke-tpu-topology` to select the TPU nodes. +JupyterHub profiles has a TPU option. It utilizes the [nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector), and the annotations `cloud.google.com/gke-tpu-accelerator` and `cloud.google.com/gke-tpu-topology` to select the TPU nodes. We add the following annotations to `kupespawner_override` diff --git a/applications/jupyter/variable_definitions.md b/applications/jupyter/variable_definitions.md index 111956400..173f17eb2 100644 --- a/applications/jupyter/variable_definitions.md +++ b/applications/jupyter/variable_definitions.md 
@@ -18,19 +18,19 @@ This README contains all the variables used by Terraform for installing Juypterh ### namespace -The namespace that Jupyterhub and rest of the other resources will be installed/allocated in. If using Jupyterhub with the Ray module (`ai-on-gke/ray-on-gke/`), it is recommanded to have this namespace the same as the one with Ray. +The namespace that JupyterHub and rest of the other resources will be installed/allocated in. If using JupyterHub with the Ray module (`ai-on-gke/ray-on-gke/`), it is recommanded to have this namespace the same as the one with Ray. ### create_service_account -Create k8s and GCP service accounts for Jupyterhub workloads & configures workload identity. +Create k8s and GCP service accounts for JupyterHub workloads & configures workload identity. ### add_auth -Flag that will enable IAP on Jupyterhub. Resources that will be created along with enable IAP: +Flag that will enable IAP on JupyterHub. Resources that will be created along with enable IAP: 1. Global IP Address (If none is provided) 2. Backend Config. Deployment that triggers enabling IAP. 3. Managed Certificate. Deployment that creates a Google Managed object for SSL certificates - 4. Ingress. Deployment that creates an Ingress object that will connect to the Jupyterhub Proxy + 4. Ingress. Deployment that creates an Ingress object that will connect to the JupyterHub Proxy ### project_id diff --git a/applications/jupyter/workloads-auto-create-brand.example.tfvars b/applications/jupyter/workloads-auto-create-brand.example.tfvars index 8ed001499..e8486ca69 100644 --- a/applications/jupyter/workloads-auto-create-brand.example.tfvars +++ b/applications/jupyter/workloads-auto-create-brand.example.tfvars @@ -32,7 +32,7 @@ create_gcs_bucket = true gcs_bucket = "" workload_identity_service_account = "jupyter-service-account" -# Jupyterhub with IAP +# JupyterHub with IAP add_auth = true brand = "" # Leave it empty to auto create support_email = "" 
diff --git a/applications/jupyter/workloads-existing-brand-auto-create-client.example.tfvars b/applications/jupyter/workloads-existing-brand-auto-create-client.example.tfvars index 95f1b8431..14ecd6770 100644 --- a/applications/jupyter/workloads-existing-brand-auto-create-client.example.tfvars +++ b/applications/jupyter/workloads-existing-brand-auto-create-client.example.tfvars @@ -31,7 +31,7 @@ namespace = "jupyter" gcs_bucket = "" workload_identity_service_account = "jupyter-service-account" -# Jupyterhub with IAP +# JupyterHub with IAP add_auth = true brand = "projects//brands/" # ensure brand is Internal support_email = "" diff --git a/applications/jupyter/workloads-existing-brand-existing-client.example.tfvars b/applications/jupyter/workloads-existing-brand-existing-client.example.tfvars index c9d284ffc..768b8a0f8 100644 --- a/applications/jupyter/workloads-existing-brand-existing-client.example.tfvars +++ b/applications/jupyter/workloads-existing-brand-existing-client.example.tfvars @@ -32,7 +32,7 @@ create_gcs_bucket = true gcs_bucket = "" workload_identity_service_account = "jupyter-service-account" -# Jupyterhub with IAP +# JupyterHub with IAP add_auth = true brand = "projects//brands/" support_email = "" diff --git a/applications/jupyter/workloads-without-iap.example.tfvars b/applications/jupyter/workloads-without-iap.example.tfvars index c7aa89f81..45ed1a2a5 100644 --- a/applications/jupyter/workloads-without-iap.example.tfvars +++ b/applications/jupyter/workloads-without-iap.example.tfvars @@ -32,5 +32,5 @@ gcs_bucket = "" create_gcs_bucket = true workload_identity_service_account = "jupyter-service-account" -# Jupyterhub without IAP +# JupyterHub without IAP add_auth = false diff --git a/applications/jupyter/workloads.tfvars b/applications/jupyter/workloads.tfvars index cf69c28b2..884e99d97 100644 --- a/applications/jupyter/workloads.tfvars +++ b/applications/jupyter/workloads.tfvars 
@@ -36,7 +36,7 @@ workload_identity_service_account = "jupyter-sa" create_brand = false support_email = "" ## specify if create_brand=true -# Jupyterhub with IAP +# JupyterHub with IAP add_auth = false k8s_ingress_name = "jupyter-ingress" k8s_managed_cert_name = "jupyter-managed-cert" diff --git a/applications/rag/README.md b/applications/rag/README.md index e89f5aa8e..c4e94ae50 100644 --- a/applications/rag/README.md +++ b/applications/rag/README.md @@ -77,7 +77,7 @@ gcloud container clusters get-credentials ${CLUSTER_NAME:?} --location ${CLUSTER 1. Verify Kuberay is setup: run `kubectl get pods -n ${NAMESPACE:?}`. There should be a Ray head (and Ray worker pod on GKE Standard only) in `Running` state (prefixed by `ray-cluster-kuberay-head-` and `ray-cluster-kuberay-worker-workergroup-`). -2. Verify Jupyterhub service is setup: +2. Verify JupyterHub service is setup: * Fetch the service IP/Domain: * IAP disabled: `kubectl get services proxy-public -n $NAMESPACE --output jsonpath='{.spec.clusterIP}'` is not empty. * IAP enabled: Read terraform output: `terraform output jupyterhub_uri`: 
@@ -124,13 +124,13 @@ gcloud container clusters get-credentials ${CLUSTER_NAME:?} --location ${CLUSTER This step generates the vector embeddings for your input dataset. Currently, the default dataset is [Google Maps Restaurant Reviews](https://www.kaggle.com/datasets/denizbilginn/google-maps-restaurant-reviews). We will use a Jupyter notebook to run a Ray job that generates the embeddings & populates them into the instance `pgvector-instance` created above. -1. Fetch the Jupyterhub service endpoint & navigate to it in a browser. This should display the JupyterLab login UI: +1. Fetch the JupyterHub service endpoint & navigate to it in a browser. This should display the JupyterLab login UI: * IAP disabled: setup port forwarding for the frontend: `kubectl port-forward service/proxy-public -n $NAMESPACE 8081:80 &`, and go to `localhost:8081` in a browser * IAP enabled: Read terraform output: `terraform output jupyterhub_uri`. * From [Google Cloud Platform IAP](https://console.cloud.google.com/security/iap), check if the target user has role `IAP-secured Web App User`. * Wait for the domain status to be `Active` by using `kubectl get managedcertificates jupyter-managed-cert -n $NAMESPACE --output jsonpath='{.status.domainStatus[0].status}'` -2. Login to Jupyterhub: +2. Login to JupyterHub: * IAP disabled: Use placeholder credentials: * username: admin * password: use `terraform output jupyterhub_password` to fetch the password value diff --git a/applications/rag/main.tf b/applications/rag/main.tf index 75083cec8..644d8c1a8 100644 --- a/applications/rag/main.tf +++ b/applications/rag/main.tf 
@@ -68,6 +68,7 @@ locals { jupyterhub_default_uri = "https://console.cloud.google.com/kubernetes/service/${var.cluster_location}/${var.cluster_name}/${var.kubernetes_namespace}/proxy-public/overview?project=${var.project_id}" ## if cloudsql_instance_region not specified, then default to cluster_location region cloudsql_instance_region = var.cloudsql_instance_region != "" ? var.cloudsql_instance_region : (length(split("-", var.cluster_location)) == 2 ? var.cluster_location : join("-", slice(split("-", var.cluster_location), 0, 2))) + cloudsql_instance = var.goog_cm_deployment_name != "" ? "${var.goog_cm_deployment_name}-${var.cloudsql_instance}" : var.cloudsql_instance } @@ -131,7 +132,7 @@ module "cloudsql" { source = "../../modules/cloudsql" providers = { kubernetes = kubernetes.rag } project_id = var.project_id - instance_name = var.cloudsql_instance + instance_name = local.cloudsql_instance namespace = var.kubernetes_namespace region = local.cloudsql_instance_region depends_on = [module.namespace] @@ -191,7 +192,7 @@ module "kuberay-cluster" { gcs_bucket = var.gcs_bucket autopilot_cluster = local.enable_autopilot db_secret_name = module.cloudsql.db_secret_name - cloudsql_instance_name = var.cloudsql_instance + cloudsql_instance_name = local.cloudsql_instance db_region = local.cloudsql_instance_region google_service_account = local.ray_service_account grafana_host = module.kuberay-monitoring.grafana_uri diff --git a/applications/rag/metadata.display.yaml b/applications/rag/metadata.display.yaml index 82ea38fce..72c3e0dca 100644 --- a/applications/rag/metadata.display.yaml +++ b/applications/rag/metadata.display.yaml 
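Review bot: The new `local.cloudsql_instance` prepends `var.goog_cm_deployment_name` with no bound on the result; the `locals` block and both module blocks continue outside these hunks, so I cannot see whether the inputs are validated elsewhere. Cloud SQL instance IDs accept only lowercase letters, digits and hyphens and are length-limited, so a long or mixed-case deployment name would fail at apply time; a `validation` block on the variable would surface that at plan time. The local also shares its name with `var.cloudsql_instance`, and only the `cloudsql` and `kuberay-cluster` modules (hunks at -131 and -191) are switched to it. Any other consumer that still reads `var.cloudsql_instance` would look for an instance that does not exist once a deployment name is set, so it is worth searching the file for remaining uses. A comment above the local, such as `## prefix with the deployment name when one is set (presumably to keep instance names distinct per deployment)`, would record the intent.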
@@ -261,37 +261,37 @@ spec: title: Other Configuration - name: rag_iap_auth title: Configure Authenticated Access for Frontend - subtext: Make sure the OAuth Consent Screen is configured for your project. Ensure User type is set to Internal. + subtext: Make sure the OAuth Consent Screen is configured for your project. Ensure User type is set to Internal. Note that by default, only users within your organization can be allowlisted. To add external users, change the User type to External after the application is deployed. - name: jupyter_iap_auth title: Configure Authenticated Access for JupyterHub - subtext: Make sure the OAuth Consent Screen is configured for your project. Ensure User type is set to Internal. + subtext: Make sure the OAuth Consent Screen is configured for your project. Ensure User type is set to Internal. Note that by default, only users within your organization can be allowlisted. To add external users, change the User type to External after the application is deployed. runtime: outputMessage: Deployment can take several minutes to complete. suggestedActions: - - heading: "Step 1: Create DNS A Records for Jupyterhub and Frontend Domains" + - heading: "Step 1: Create DNS A Records for JupyterHub and Frontend Domains" description: |- - If using custom domains for Jupyterhub or Frontend, create DNS A record sets for them (Google DNS Record Set). Propagation takes 10-15 minutes and logging in won’t succeed until it’s done. + If using custom domains for JupyterHub or Frontend, create DNS A record sets for them (Google DNS Record Set). Propagation takes 10-15 minutes and logging in won’t succeed until it’s done. - heading: "Step 2: Go to JupyterHub Application" description: |- -
  • If IAP is enabled, log in with your organization's credentials.
  • +
  • If IAP is enabled, log in with your organization's credentials. SSL or cert errors indicate the cert is provisioning which takes up to 20 minutes.
  • If IAP is disabled, scroll to Ports section and initiate PORT FORWARDING (Run in Cloud Shell) to the front end application. Launch JupyterHub app via OPEN IN WEB PREVIEW button. Log in with Jupyterhub User and Jupyterhub Password (from the Outputs section).
  • Once logged in, choose the CPU preset.
  • - heading: "Step 3: Generate Vector Embeddings for the Dataset" description: |- Go to File -> Open From URL & upload and execute the notebook rag-kaggle-ray-sql.ipynb. - Follow the README.md for detailed instructions. + Follow the README.md for detailed instructions. - heading: "Step 4: Prompt the Inference Server via a Chatbot" description: |- -
  • Go to the RAG Frontend Application
  • -
  • If IAP is enabled, the existing session's credentials will be used.
  • +
  • Go to the Frontend Application
  • +
  • If IAP is enabled, log in with your organization's credentials. SSL or cert errors indicate the cert is provisioning which takes up to 20 minutes.
  • If IAP is disabled, scroll to Ports section and initiate PORT FORWARDING (Run in Cloud Shell) to the front end application. Launch Fronted Chat app via OPEN IN WEB PREVIEW button.
  • Prompt the LLM. This will fetch context related to your prompt from the generated vector embeddings, augment the original prompt with the context & query the inference model (mistral-7b) with the augmented prompt.
  • outputs: frontend_uri: openInNewTab: true showInNotification: true - label: Go to RAG Frontend Application + label: Go to Frontend Application jupyterhub_password: {} jupyterhub_uri: openInNewTab: true diff --git a/applications/ray/TPU_guide.md b/applications/ray/TPU_guide.md index 62f92451e..73e2f7e95 100644 --- a/applications/ray/TPU_guide.md +++ b/applications/ray/TPU_guide.md @@ -58,7 +58,7 @@ To deploy a multi-host Ray Cluster, modify the `worker` spec [here](https://gith ### Running Sample Workloads -Install Jupyterhub according to the instructions in the [README](https://github.com/GoogleCloudPlatform/ai-on-gke/blob/main/applications/jupyter/README.md). +Install JupyterHub according to the instructions in the [README](https://github.com/GoogleCloudPlatform/ai-on-gke/blob/main/applications/jupyter/README.md). A basic JAX program can be found [here](https://github.com/GoogleCloudPlatform/ai-on-gke/blob/main/applications/ray/example_notebooks/jax-tpu.ipynb). diff --git a/applications/ray/metadata.display.yaml b/applications/ray/metadata.display.yaml index 3696f3242..b22868f03 100644 --- a/applications/ray/metadata.display.yaml +++ b/applications/ray/metadata.display.yaml @@ -122,10 +122,10 @@ spec: suggestedActions: - heading: "Connect to Ray Cluster" description: |- - Connect to Ray Cluster, scroll to Ports section and initiate PORT FORWARDING (Run in Cloud Shell) to the ray cluster head node. - - heading: "Submit Ray Jobs" + Connect to Ray Cluster, scroll to Ports section and initiate PORT FORWARDING (Run in Cloud Shell) to the ray dashboard (port 8265). Open another terminal and follow these instructions to install ray and submit jobs. + - heading: "View Job Status in Ray Dashboard" description: |- - Open the ray dashboard via the OPEN IN WEB PREVIEW button and submit ray jobs following these instructions. + Open the ray dashboard via the OPEN IN WEB PREVIEW button. outputs: ray_cluster_uri: openInNewTab: true 
diff --git a/applications/ray/metadata.yaml b/applications/ray/metadata.yaml index 673b09380..4253df4f4 100644 --- a/applications/ray/metadata.yaml +++ b/applications/ray/metadata.yaml @@ -19,7 +19,7 @@ spec: variables: - name: autopilot_cluster varType: string - defaultValue: "false" + defaultValue: "true" - name: cluster_location varType: string required: true @@ -47,6 +47,7 @@ spec: varType: bool defaultValue: true - name: enable_gpu + description: Enabling this allows ray workers to use L4 GPU nodes varType: bool defaultValue: true - name: enable_grafana_on_ray_dashboard diff --git a/cloudbuild.yaml b/cloudbuild.yaml index fc94faaca..585865b75 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -227,13 +227,13 @@ steps: --address=http://127.0.0.1:8265 -- python -c "import ray; ray.init(); print(ray.cluster_resources())" echo "pass" > /workspace/rag_ray_dashboard_result.txt - # Validate Jupyterhub: Get hub url + # Validate JupyterHub: Get hub url kubectl get services -n rag-$SHORT_SHA-$_BUILD_ID kubectl port-forward -n rag-$SHORT_SHA-$_BUILD_ID service/proxy-public 9443:80 & # Wait port-forwarding to take its place sleep 5s - # Validate Jupyterhub: Test Hub + # Validate JupyterHub: Test Hub cd /workspace/modules/jupyter/tests python3 test_hub.py "127.0.0.1:9443" $_AUTOPILOT_CLUSTER echo "pass" > /workspace/rag_jupyterhub_test_result.txt diff --git a/modules/jupyter/authentication/README.MD b/modules/jupyter/authentication/README.MD index 0989acefc..6bd3fb073 100644 --- a/modules/jupyter/authentication/README.MD +++ b/modules/jupyter/authentication/README.MD 
@@ -1,6 +1,6 @@ # GCP IAP Authentication -- [Creating Image with Authentication for Jupyterhub](#creating-image) +- [Creating Image with Authentication for JupyterHub](#creating-image) - [Authentication class and handler](#iapuserloginhandler-and-gcpiapauthenticator-class) - [Configuration details for jupyter config yaml](#configuration) - [Terraform variables and resources](#terraform-variables-and-resources) @@ -8,9 +8,9 @@ ## Creating Image -We currently already have a public image containing the authenticator class already configured for Jupyterhub so user's dont need to create their own, but if needed, these are the instructions to do so. +We currently already have a public image containing the authenticator class already configured for JupyterHub so user's dont need to create their own, but if needed, these are the instructions to do so. -We combine the Jupyterhub image and our own authenticator. By default, the JupyterHub images already have pre-installed authenticator classes such as GitHub, Auth0, and Globus. In order to specify our own class for JupyterHub, our authentication class must also live in the JupyterHub image. +We combine the JupyterHub image and our own authenticator. By default, the JupyterHub images already have pre-installed authenticator classes such as GitHub, Auth0, and Globus. In order to specify our own class for JupyterHub, our authentication class must also live in the JupyterHub image. > **_NOTE:_** An Artifact Registry Repo for this docker image is required. Create an AR Repo following [this guide](https://cloud.google.com/artifact-registry/docs/repositories/create-repos) 
@@ -22,7 +22,7 @@ We combine the Jupyterhub image and our own authenticator. By default, the Jupyt 4. Run `gcloud builds submit --config cloudbuild.yaml .` to upload it to your repository. -5. Change the hub image name and tag in the [Jupyterhub config yaml](https://github.com/GoogleCloudPlatform/ai-on-gke/blob/main/jupyter-on-gke/jupyter_config/config-selfauth.yaml#L13). +5. Change the hub image name and tag in the [JupyterHub config yaml](https://github.com/GoogleCloudPlatform/ai-on-gke/blob/main/jupyter-on-gke/jupyter_config/config-selfauth.yaml#L13). ## Configuration @@ -45,7 +45,7 @@ And set the authenticator class within the same file. Ex: ... ``` -This will tell Jupyterhub to use the specified authenticator class. +This will tell JupyterHub to use the specified authenticator class. Pass the required fields needed by 'gcpiapjwtauthenticator.GCPIAPAuthenticator'. Ex: @@ -63,8 +63,8 @@ Fortuantely, few of these steps are already done for you if you follow the Jupyt ## IAPUserLoginHandler and GCPIAPAuthenticator class There are two classes within `gcpiapjwtauthenticator.py`, IAPUserLoginHandler and GCPIAPAuthenticator. -IAPUserLoginHandler is the python class that only has the JWT handler. It is used by the GCPIAPAuthenticator and therefore by Jupyterhub. -GCPIAPAuthenticator contains the `get_handler()` method that Jupyterhub requires for a custom authenticator. When Jupyterhub uses the GCPIAPAuthenticator by calling `get_handler()`, it will receieve the `IAPUserLoginHandler.get()` handler method. +IAPUserLoginHandler is the python class that only has the JWT handler. It is used by the GCPIAPAuthenticator and therefore by JupyterHub. +GCPIAPAuthenticator contains the `get_handler()` method that JupyterHub requires for a custom authenticator. When JupyterHub uses the GCPIAPAuthenticator by calling `get_handler()`, it will receieve the `IAPUserLoginHandler.get()` handler method. ## Terraform Variables and Resources 
@@ -101,7 +101,7 @@ Google managed SSL certificate. Associates the IAP service with a doamin. #### Ingress -Ingress for the Jupyterhub proxy-public application. Has the annotations: +Ingress for the JupyterHub proxy-public application. Has the annotations: - kubernetes.io/ingress.global-static-ip-name - networking.gke.io/managed-certificates @@ -127,14 +127,14 @@ The `support_email` variable will not be used if the `brand` variable is not fil ## Allowlist for IAP -There are 2 ways to add users to the IAP allowlist so users can access Jupyterhub. +There are 2 ways to add users to the IAP allowlist so users can access JupyterHub. 1. Manually on the Cloud Console 2. Add users to the allowlist file ### Manually -Navigate to [IAP](https://console.cloud.google.com/security/iap) and select the Backend Service associated with Jupyterhub. +Navigate to [IAP](https://console.cloud.google.com/security/iap) and select the Backend Service associated with JupyterHub. Click on `Add Principal`. Add the email of the user/group and select the `IAP-secured Web App User` role to give access to that user/group @@ -142,7 +142,7 @@ Click on `Add Principal`. Add the email of the user/group and select the `IAP-se ### With Allowlist file -We use terraform to automatically add principals to IAP. By filling out the `allowlist` file [here](https://github.com/GoogleCloudPlatform/ai-on-gke/blob/main/jupyter-on-gke/allowlist), terraform will give the principals the appropriate roles to access Jupyterhub. The file must follow the format of 1 principal per line. +We use terraform to automatically add principals to IAP. By filling out the `allowlist` file [here](https://github.com/GoogleCloudPlatform/ai-on-gke/blob/main/jupyter-on-gke/allowlist), terraform will give the principals the appropriate roles to access JupyterHub. The file must follow the format of 1 principal per line. Example: 
diff --git a/modules/jupyter/authentication/authenticator/gcpiapjwtauthenticator/gcpiapjwtauthenticator.py b/modules/jupyter/authentication/authenticator/gcpiapjwtauthenticator/gcpiapjwtauthenticator.py index dd3a6b9f7..48fe41501 100644 --- a/modules/jupyter/authentication/authenticator/gcpiapjwtauthenticator/gcpiapjwtauthenticator.py +++ b/modules/jupyter/authentication/authenticator/gcpiapjwtauthenticator/gcpiapjwtauthenticator.py @@ -89,8 +89,8 @@ def get(self): class GCPIAPAuthenticator(Authenticator): """ Accept the authenticated JSON Web Token from IAP Login. - Used by the Jupyterhub as the Authentication class - The get_handlers is how Jupyterhub know how to handle auth + Used by the JupyterHub as the Authentication class + The get_handlers is how JupyterHub know how to handle auth """ header_name = Unicode( config=True, diff --git a/modules/jupyter/tests/test_hub.py b/modules/jupyter/tests/test_hub.py index 4c06daba6..c2a9309e6 100644 --- a/modules/jupyter/tests/test_hub.py +++ b/modules/jupyter/tests/test_hub.py @@ -14,7 +14,7 @@ def test_hub_up(hub_url): r = requests.get(hub_url) r.raise_for_status() - print("Jupyterhub up.") + print("JupyterHub up.") def test_api_root(hub_url): @@ -29,7 +29,7 @@ def test_api_root(hub_url): r.raise_for_status() info = r.json() assert V("4") <= V(info["version"]) <= V("5") - print("Jupyterhub Rest API is working.") + print("JupyterHub Rest API is working.") def test_hub_login(hub_url): @@ -60,7 +60,7 @@ def test_hub_login(hub_url): ) response.raise_for_status() assert response.url == (hub_url + "/hub/spawn") - print("Jupyterhub login success.") + print("JupyterHub login success.") hub_url = "http://" + sys.argv[1]