Edit README for automatic brand creation #135

Merged
merged 1 commit into from
Dec 11, 2023
33 changes: 20 additions & 13 deletions jupyter-on-gke/README.md
Expand Up @@ -38,24 +38,16 @@ If using this with the Ray module (`ai-on-gke/ray-on-gke/`), it is recommended t
for both i.e. set this to the same namespace as `ai-on-gke/ray-on-gke/user/variables.tf`.
If not, set `enable_create_namespace` to `true` so a new k8s namespace is created for the Jupyter resources.

2. If you have not enabled the IAP API before or created a Brand for your project, you can proceed to the next step. If not, ensure that the following variables within `variables.tf` are set:

* enable_iap_service - Enables the IAP service API. Leave as false if IAP is enabled before.
* brand - creates a brand for the project, only one is currently allowed per project. If there is already a brand, leave the variable empty.
* support_email - used by brand, required field.
* **IMPORTANT** client_id and client_secret - If your brand is `external`, you must provide your own client_id and client_secret. If your brand is `internal`, you can choose to leave the variable as is and allow terraform to create one for you.
* if you do bring your own OAuth client, you must add to the `Authorized redirect URIs` Field: `https://iap.googleapis.com/v1/oauth/clientIds/<client ID>:handleRedirect`

**Note:**
We allow user to set their own domains, in the `variables.tf` file. Since we are also using an Ingress Object, it is required for the Ingress to also have specifiy the name of the global static address.
Visit the [Cloud Console](https://console.cloud.google.com/security/iap) to see if it's enabled. If it's enabled, you will be able to see the page and will not prompt you to enable API:
3. If you have not enabled the IAP API before or created a Brand for your project, please follow these steps:

1. Navigate to [this](https://console.cloud.google.com/security/iap) page to enable the API:
![IAP API Screen](./images/iap_enable_api_screenshot.png)

And the `brand` page, if there is not brand created yet, will have:

2. Navigate to the `brand` [page](https://console.cloud.google.com/apis/credentials/consent) to create your own brand:
![IAP API Screen](./images/consent_screen_screenshot.png)

Go [here](#auto-brand-creation-and-iap-enablement) for more information about to create a brand automatically.

4. Run `terraform init`

5. Edit the `./allowlist` file to set the application users allowlist for Jupyterhub. These are the kinds of principals you can have:
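
Review bot: The manual sub-step "Navigate to the `brand` page to create your own brand" does not say which user type to choose, while the section it links to states that automatic creation yields only an `Internal` brand and that an `external` brand requires bringing your own client_id and client_secret. Suggest naming the Internal/External choice in this step and what it means for who can reach the application, so a reader following the manual path knows whether they also need to supply an OAuth client. Minor: "for more information about to create a brand automatically" is missing a word; "about how to create a brand automatically" reads correctly.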
Expand Down Expand Up @@ -152,6 +144,21 @@ This example is adapted from Ray AIR's examples [here](https://docs.ray.io/en/ma

4. This should output a generated text response.

## Auto Brand creation and IAP enablement

**IMPORTANT** If you enable automatic brand creation, only `Internal` brand will be created, meaning that only users under the same org as the project will be able to access the application.

Ensure that the following variables within `variables.tf` are set:

* enable_iap_service - Enables the IAP service API. Leave as false if IAP is enabled before.
* brand - creates a brand for the project, only one is currently allowed per project. If there is already a brand, leave the variable empty.
* support_email - used by brand, required field.
* **IMPORTANT** client_id and client_secret - If your brand is `external`, you must provide your own client_id and client_secret. If your brand is `internal`, you can choose to leave the variable as is and allow terraform to create one for you.
* if you do bring your own OAuth client, you must add to the `Authorized redirect URIs` Field: `https://iap.googleapis.com/v1/oauth/clientIds/<client ID>:handleRedirect`

**Note:**
We allow user to set their own domains, in the `variables.tf` file. Since we are also using an Ingress Object, it is required for the Ingress to also have specifiy the name of the global static address.

## Additional Information

For more information about Jupyterhub profiles and the preset profiles visit [here](https://github.com/GoogleCloudPlatform/ai-on-gke/blob/main/jupyter-on-gke/profiles.md)
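
Review bot: The list under "Ensure that the following variables within `variables.tf` are set" tells users to put `client_secret` into `variables.tf`, which is a file that normally gets committed. Suggest documenting a way to supply it outside version control (for example a `TF_VAR_client_secret` environment variable or an untracked `.tfvars` file) and marking the variable `sensitive = true`. The same bullet covers the `external` brand case even though the paragraph above says automatic creation only produces an `Internal` brand, so it would help to say that the `external` case applies to a brand that already exists. The closing note about domains and the global static address is not about brand creation and has typos ("We allow user", "to also have specifiy"); consider moving it to the domain setup step and rewording it as "the Ingress must also specify the name of the global static address".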