Refactor IAP & Marketplace UI (#359)

* refractor domain and create_brand * refractor domain and create_brand * refractor domain and create_brand * refractor domain and create_brand * lint fix * lint fix * update description * update comments * update comments * add permissions for backend_service * add permissions for backend_service * add permissions for backend_service * add permissions for backend_service * add permissions for backend_service
GoogleCloudPlatform · Mar 19, 2024 · f7b7902 · f7b7902
1 parent 8e2fec9
commit f7b7902
Show file tree

Hide file tree

Showing 23 changed files with 555 additions and 434 deletions.
diff --git a/applications/jupyter/main.tf b/applications/jupyter/main.tf
@@ -127,7 +127,7 @@ module "jupyterhub" {
 
   # IAP Auth parameters
   add_auth                 = var.add_auth
-  brand                    = var.brand
+  create_brand             = var.create_brand
   support_email            = var.support_email
   client_id                = var.client_id
   client_secret            = var.client_secret
@@ -137,8 +137,7 @@ module "jupyterhub" {
   k8s_backend_config_name  = var.k8s_backend_config_name
   k8s_backend_service_name = var.k8s_backend_service_name
   k8s_backend_service_port = var.k8s_backend_service_port
-  url_domain_addr          = var.url_domain_addr
-  url_domain_name          = var.url_domain_name
-  members_allowlist        = var.members_allowlist
+  domain                   = var.domain
+  members_allowlist        = split(",", var.members_allowlist)
   depends_on               = [module.gcs, module.namespace]
 }
diff --git a/applications/jupyter/metadata.display.yaml b/applications/jupyter/metadata.display.yaml
@@ -30,6 +30,10 @@ spec:
   ui:
     input:
       variables:
+        add_auth:
+          name: add_auth
+          title: Enable IAP Authentication
+          section: iap_auth
         autopilot_cluster:
           name: autopilot_cluster
           title: GKE Cluster Type
@@ -39,6 +43,16 @@ spec:
               value: "true"
             - label: Standard Cluster
               value: "false"
+        client_id:
+          name: client_id
+          title: Client Id
+          section: iap_auth
+          invisible: true
+        client_secret:
+          name: client_secret
+          title: Client Secret
+          section: iap_auth
+          invisible: true
         cluster_location:
           name: cluster_location
           title: Cluster Location
@@ -59,6 +73,11 @@ spec:
             gkeCluster:
               locationVariable: cluster_location
               clusterCreationVariable: create_cluster
+        create_brand:
+          name: create_brand
+          title: Create Brand
+          invisible: true
+          section: iap_auth
         create_cluster:
           name: create_cluster
           title: Create GKE Cluster
@@ -69,6 +88,10 @@ spec:
           name: create_gcs_bucket
           title: Create Gcs Bucket
           invisible: true
+        domain:
+          name: domain
+          title: Domain
+          section: iap_auth
         gcs_bucket:
           name: gcs_bucket
           title: GCS Bucket
@@ -78,106 +101,88 @@ spec:
         goog_cm_deployment_name:
           name: goog_cm_deployment_name
           title: Goog Cm Deployment Name
-        kubernetes_namespace:
-          name: kubernetes_namespace
-          title: Kubernetes Namespace
-          section: cluster_details
-        private_cluster:
-          name: private_cluster
-          title: Private Cluster
-          invisible: true
-          section: cluster_details
-        project_id:
-          name: project_id
-          title: Project Id
-          invisible: true
-        workload_identity_service_account:
-          name: workload_identity_service_account
-          title: GCP Workload Identity Service Account
-          section: jupyterhub
-          invisible: true
-        add_auth:
-          name: add_auth
-          title: Enable IAP Authentication
-          section: iap_auth
-        brand:
-          name: brand
-          title: Brand
-          section: iap_auth
-          level: 1
-        support_email:
-          name: support_email
-          title: Support Email
-          section: iap_auth
-          level: 1
-        client_id:
-          name: client_id
-          title: Client Id
-          section: iap_auth
-          level: 1
-        client_secret:
-          name: client_secret
-          title: Client Secret
-          section: iap_auth
-          level: 1
         k8s_backend_config_name:
           name: k8s_backend_config_name
           title: K8s Backend Config Name
-          section: iap_auth
           invisible: true
-          level: 1
+          section: iap_auth
         k8s_backend_service_name:
           name: k8s_backend_service_name
           title: K8s Backend Service Name
+          invisible: true
+          section: iap_auth
+        k8s_backend_service_port:
+          name: k8s_backend_service_port
+          title: K8s Backend Service Port
+          invisible: true
           section: iap_auth
+        k8s_iap_secret_name:
+          name: k8s_iap_secret_name
+          title: K8s Iap Secret Name
           invisible: true
-          level: 1
+          section: iap_auth
         k8s_ingress_name:
           name: k8s_ingress_name
           title: K8s Ingress Name
-          section: iap_auth
           invisible: true
-          level: 1
-        url_domain_addr:
-          name: url_domain_addr
-          title: Url Domain Addr
           section: iap_auth
-          level: 1
-        url_domain_name:
-          name: url_domain_name
-          title: Url Domain Name
+        k8s_managed_cert_name:
+          name: k8s_managed_cert_name
+          title: K8s Managed Cert Name
+          invisible: true
           section: iap_auth
-          level: 1
+        kubernetes_namespace:
+          name: kubernetes_namespace
+          title: Kubernetes Namespace
+          section: cluster_details
         members_allowlist:
           name: members_allowlist
           title: Members Allowlist
           section: iap_auth
-          level: 1
+        private_cluster:
+          name: private_cluster
+          title: Private Cluster
+          invisible: true
+          section: cluster_details
+        project_id:
+          name: project_id
+          title: Project Id
+          invisible: true
+        support_email:
+          name: support_email
+          title: Support Email
+          section: iap_auth
+          invisible: true
+        workload_identity_service_account:
+          name: workload_identity_service_account
+          title: GCP Workload Identity Service Account
+          invisible: true
+          section: jupyterhub
       sections:
         - name: cluster_details
-          title: Cluster Details
+          title: GKE Cluster Configuration
           tooltip: Select or Create GKE cluster
         - name: jupyterhub
-          title: JupyterHub Application
+          title: Other Configuration
         - name: iap_auth
-          title: JupyterHub IAP Authentication
+          title:  Configure Authenticated Access for JupyterHub
+          subtext: Make sure the <a href="https://developers.google.com/workspace/guides/configure-oauth-consent#configure_oauth_consent"><i>OAuth Consent Screen</i></a> is configured for your project. Ensure <b>User type</b> is set to Internal.
     runtime:
       outputMessage: Deployment can take several minutes to complete.
       suggestedActions:
-        - heading: "Access JupyterHub Application"
+        - heading: "Step 1: Create DNS A Records for Jupyterhub"
           description: |-
-            Go to the JupyterHub Application, log in with <i>Jupyterhub User</i> and <i>Jupyterhub Password</i> (from the Outputs section).
-            Once logged in, choose the appropriate preset and execute notebooks. 
-          showIf: '!variables.add_auth'
-        - heading: "Access JupyterHub Application"
+            If using custom domains for Jupyterhub, create DNS A record set (<a href="https://cloud.google.com/dns/docs/records#add_a_record">Google DNS Record Set</a>). Propagation takes 10-15 minutes and logging in won’t succeed until it’s done.
+        - heading: "Step 2: Go to JupyterHub Application"
           description: |-
-            Go to the JupyterHub Application, log in with your organization's credentials. Once logged in, choose the appropriate preset and execute notebooks. 
-            Note: Application endpoint can take around 15-20 minutes to become accessible.
-          showIf: 'variables.add_auth'
+             <li>If IAP is enabled, log in with your organization's credentials.</li>
+             <li>If IAP is disabled, log in with <i>Jupyterhub User</i> and <i>Jupyterhub Password</i> (from the Outputs section).</li>
+             <li> Once logged in, choose the appropriate preset and execute notebooks.</li>
       outputs:
         jupyterhub_password: {}
-        jupyterhub_user: {}
         jupyterhub_uri:
           openInNewTab: true
           showInNotification: true
           label: Go to JupyterHub Application
+        jupyterhub_user: {}
+        jupyterhub_ip_address: {}
diff --git a/applications/jupyter/metadata.yaml b/applications/jupyter/metadata.yaml
@@ -34,16 +34,11 @@ spec:
   interfaces:
     variables:
       - name: add_auth
-        description: Enable iap authentication on jupyterhub
         varType: bool
         defaultValue: false
       - name: autopilot_cluster
         varType: string
         defaultValue: "false"
-      - name: brand
-        description: name of the brand if there isn't already on the project. If there is already a brand for your project, please leave it blank and empty
-        varType: string
-        defaultValue: ""
       - name: client_id
         description: Client ID used for enabling IAP
         varType: string
@@ -62,15 +57,23 @@ spec:
       - name: cluster_name
         varType: string
         required: true
+      - name: create_brand
+        description: Create Brand OAuth Screen
+        varType: bool
+        defaultValue: false
       - name: create_cluster
         varType: bool
         defaultValue: false
       - name: create_gcs_bucket
         description: Enable flag to create gcs_bucket
         varType: bool
         defaultValue: false
+      - name: domain
+        description: Domain used for SSL certificate. If it's empty, *.nip.io DNS is used.
+        varType: string
+        defaultValue: ""
       - name: gcs_bucket
-        description: GCS bucket to mount on the notebook via GCSFuse and CSI
+        description: Bucket name to store the dataset. The bucket name must be globally unique across google cloud projects
         varType: string
         required: true
       - name: goog_cm_deployment_name
@@ -104,8 +107,9 @@ spec:
         required: true
         defaultValue: ai-on-gke
       - name: members_allowlist
-        varType: list(string)
-        defaultValue: []
+        description: "For example - user:[email protected],serviceAccount:[email protected],group:[email protected],domain:google.com"
+        varType: string
+        defaultValue: ""
       - name: private_cluster
         varType: bool
         defaultValue: false
@@ -117,23 +121,16 @@ spec:
         description: Email for users to contact with questions about their consent
         varType: string
         defaultValue: ""
-      - name: url_domain_addr
-        description: Domain provided by the user. If it's empty, we will create one for you.
-        varType: string
-        defaultValue: ""
-      - name: url_domain_name
-        description: Name of the domain provided by the user. This var will only be used if url_domain_addr is not empty
-        varType: string
-        defaultValue: ""
       - name: workload_identity_service_account
         description: workload identity service account
         varType: string
-        required: true
         defaultValue: jupyter-service-account
     outputs:
+      - name: jupyterhub_ip_address
+        description: JupyterHub gloabl IP address
       - name: jupyterhub_password
-        description: "JupyterHub password is only required for standard authentication. Ignore in case of IAP authentication"
-      - name: jupyterhub_user
-        description: "JupyterHub user is only required for standard authentication. Ignore in case of IAP authentication"
+        description: JupyterHub password is only required for standard authentication. Ignore, in case of IAP authentication
       - name: jupyterhub_uri
-        description: "JupyterHub Endpoint to access user interface. In case of private IP consider port-forwarding."
+        description: JupyterHub Endpoint to access user interface. In case of private IP, consider port-forwarding.
+      - name: jupyterhub_user
+        description: JupyterHub user is only required for standard authentication. Ignore, in case of IAP authentication
diff --git a/applications/jupyter/outputs.tf b/applications/jupyter/outputs.tf
@@ -13,14 +13,22 @@
 # limitations under the License.
 
 output "jupyterhub_uri" {
-  value = "http://${module.jupyterhub.jupyterhub_uri}"
+  description = "JupyterHub Endpoint to access user interface. In case of private IP, consider port-forwarding."
+  value       = "http://${module.jupyterhub.jupyterhub_uri}"
+}
+
+output "jupyterhub_ip_address" {
+  description = "JupyterHub gloabl IP address"
+  value       = module.jupyterhub.jupyterhub_ip_address
 }
 
 output "jupyterhub_user" {
-  value = module.jupyterhub.jupyterhub_user
+  description = "JupyterHub user is only required for standard authentication. Ignore, in case of IAP authentication"
+  value       = module.jupyterhub.jupyterhub_user
 }
 
 output "jupyterhub_password" {
-  value     = module.jupyterhub.jupyterhub_password
-  sensitive = true
+  description = "JupyterHub password is only required for standard authentication. Ignore, in case of IAP authentication"
+  value       = module.jupyterhub.jupyterhub_password
+  sensitive   = true
 }
diff --git a/applications/jupyter/variables.tf b/applications/jupyter/variables.tf
@@ -33,13 +33,13 @@ variable "kubernetes_namespace" {
 
 variable "gcs_bucket" {
   type        = string
-  description = "GCS bucket to mount on the notebook via GCSFuse and CSI"
+  description = "Bucket name to store the dataset"
 }
 
 variable "workload_identity_service_account" {
   type        = string
   description = "workload identity service account"
-  default     = "jupyter-service-account"
+  default     = "jupyter-sa"
 }
 
 variable "project_id" {
@@ -48,8 +48,9 @@ variable "project_id" {
 }
 
 variable "members_allowlist" {
-  type    = list(string)
-  default = []
+  type    = string
+  default = ""
+  ## keeping it string type to support single field input for marketplace UI.
 }
 
 variable "add_auth" {
@@ -92,21 +93,15 @@ variable "k8s_backend_service_port" {
   default     = 80
 }
 
-variable "brand" {
-  type        = string
-  description = "name of the brand if there isn't already on the project. If there is already a brand for your project, please leave it blank and empty"
-  default     = ""
-}
-
-variable "url_domain_addr" {
-  type        = string
-  description = "Domain provided by the user. If it's empty, we will create one for you."
-  default     = ""
+variable "create_brand" {
+  type        = bool
+  description = "Create Brand OAuth Screen"
+  default     = false
 }
 
-variable "url_domain_name" {
+variable "domain" {
   type        = string
-  description = "Name of the domain provided by the user. This var will only be used if url_domain_addr is not empty"
+  description = "Provide domain for ingress resource and ssl certificate. If it's empty, it will use nip.io wildcard dns"
   default     = ""
 }