Ray Dashboard IAP (GoogleCloudPlatform#409)

* Ray Dashboard IAP Integrate IAP with Ray Dashboard Tested-by: zlq Tested-by: zlq * fmt Tested-by: zlq * fmt Tested-by: zlq * Update after network policy change Tested-by: zlq
artemvmin · Mar 24, 2024 · 2ca02ce · 2ca02ce
1 parent 8f6d420
commit 2ca02ce
Show file tree

Hide file tree

Showing 15 changed files with 410 additions and 6 deletions.
diff --git a/applications/rag/README.md b/applications/rag/README.md
@@ -53,7 +53,7 @@ The following steps set up the cluster, inference server, pgvector CloudSQL inst
 
 2. Edit `workloads.tfvars` to set your project ID, location, cluster name, and GCS bucket name. Optionally, make the following changes:
     * Set `create_cluster = false` if you are using an existing cluster.
-    * (Recommended) Set `jupyter_add_auth = true` and `frontend_add_auth = true` to create load balancers with IAP for your Jupyter notebook and TGI frontend.
+    * (Recommended) Set `jupyter_add_auth = true`, `frontend_add_auth = true` and `ray_dashboard_add_auth = true` to create load balancers with IAP for your Jupyter notebook, TGI frontend and Ray Dashboard.
     * Choose a custom k8s namespace and service account to be used by the application.
     * Set `create_network = true` if you want to create a new VPC network
 

diff --git a/applications/rag/frontend/main.tf b/applications/rag/frontend/main.tf
@@ -80,9 +80,6 @@ resource "kubernetes_service" "rag_frontend_service" {
   metadata {
     name      = "rag-frontend"
     namespace = var.namespace
-    annotations = var.add_auth ? {
-      "beta.cloud.google.com/backend-config" = "{\"default\": \"${var.k8s_backend_config_name}\"}"
-    } : {}
   }
   spec {
     selector = {

diff --git a/applications/rag/main.tf b/applications/rag/main.tf
@@ -202,6 +202,20 @@ module "kuberay-cluster" {
   grafana_host           = module.kuberay-monitoring.grafana_uri
   disable_network_policy = var.disable_ray_cluster_network_policy
   depends_on             = [module.kuberay-operator]
+
+  # IAP Auth parameters
+  add_auth                 = var.ray_dashboard_add_auth
+  create_brand             = var.create_brand
+  support_email            = var.support_email
+  client_id                = var.ray_dashboard_client_id
+  client_secret            = var.ray_dashboard_client_secret
+  k8s_ingress_name         = var.ray_dashboard_k8s_ingress_name
+  k8s_iap_secret_name      = var.ray_dashboard_k8s_iap_secret_name
+  k8s_managed_cert_name    = var.ray_dashboard_k8s_managed_cert_name
+  k8s_backend_config_name  = var.ray_dashboard_k8s_backend_config_name
+  k8s_backend_service_port = var.ray_dashboard_k8s_backend_service_port
+  domain                   = var.ray_dashboard_domain
+  members_allowlist        = var.ray_dashboard_members_allowlist
 }
 
 module "kuberay-monitoring" {

diff --git a/applications/rag/metadata.display.yaml b/applications/rag/metadata.display.yaml
@@ -172,6 +172,53 @@ spec:
           name: gpu_pools
           title: Gpu Pools
           invisible: true
+        ray_dashboard_add_auth:
+          name: ray_dashboard_add_auth
+          title: Enable IAP for Ray Dashboard Application
+          section: ray_iap_auth
+        ray_dashboard_client_id:
+          name: ray_dashboard_client_id
+          title: Ray Dashboard Client Id
+          section: ray_iap_auth
+          invisible: true
+        ray_dashboard_client_secret:
+          name: ray_dashboard_client_secret
+          title: Ray Dashboard Client Secret
+          section: ray_iap_auth
+          invisible: true
+        ray_dashboard_domain:
+          name: ray_dashboard_domain
+          title: Ray Dashboard Domain
+          section: ray_iap_auth
+        ray_dashboard_k8s_backend_config_name:
+          name: ray_dashboard_k8s_backend_config_name
+          title: Ray Dashboard K8s Backend Config Name
+          section: ray_iap_auth
+          invisible: true
+        ray_dashboard_k8s_backend_service_port:
+          name: ray_dashboard_k8s_backend_service_port
+          title: Ray Dashboard K8s Backend Service Port
+          section: ray_iap_auth
+          invisible: true
+        ray_dashboard_k8s_iap_secret_name:
+          name: ray_dashboard_k8s_iap_secret_name
+          title: Ray Dashboard K8s Iap Secret Name
+          section: ray_iap_auth
+          invisible: true
+        ray_dashboard_k8s_ingress_name:
+          name: ray_dashboard_k8s_ingress_name
+          title: Ray Dashboard K8s Ingress Name
+          section: ray_iap_auth
+          invisible: true
+        ray_dashboard_k8s_managed_cert_name:
+          name: ray_dashboard_k8s_managed_cert_name
+          title: Ray Dashboard K8s Managed Cert Name
+          section: ray_iap_auth
+          invisible: true
+        ray_dashboard_members_allowlist:
+          name: ray_dashboard_members_allowlist
+          title: Ray Dashboard Members Allowlist
+          section: ray_iap_auth
         jupyter_add_auth:
           name: jupyter_add_auth
           title: Enable IAP for JupyterHub Application
@@ -271,7 +318,11 @@ spec:
           title: Other Configuration
         - name: rag_iap_auth
           title: Configure Authenticated Access for Frontend
+          subtext: Make sure the <a href="https://developers.google.com/workspace/guides/configure-oauth-consent#configure_oauth_consent"><i>OAuth Consent Screen</i></a> is configured for your project. Ensure <b>User type</b> is set to Internal.
+        - name: ray_iap_auth
+          title: Configure Authenticated Access for Ray Dashboard
           subtext: Make sure the <a href="https://developers.google.com/workspace/guides/configure-oauth-consent#configure_oauth_consent"><i>OAuth Consent Screen</i></a> is configured for your project. Ensure <b>User type</b> is set to <i>Internal</i>. Note that by default, only users within your organization can be allowlisted. To add external users, change the <b>User type</b> to <i>External</i> after the application is deployed.
+
         - name: jupyter_iap_auth
           title:  Configure Authenticated Access for JupyterHub
           subtext: Make sure the <a href="https://developers.google.com/workspace/guides/configure-oauth-consent#configure_oauth_consent"><i>OAuth Consent Screen</i></a> is configured for your project. Ensure <b>User type</b> is set to <i>Internal</i>. Note that by default, only users within your organization can be allowlisted. To add external users, change the <b>User type</b> to <i>External</i> after the application is deployed.
@@ -301,7 +352,11 @@ spec:
         frontend_uri:
           openInNewTab: true
           showInNotification: true
-          label: Go to Frontend Application
+          label: Go to RAG Frontend Application
+        ray_dashboard_uri:
+          openInNewTab: true
+          showInNotification: true
+          label: Go to RAY Dashboard Application
         jupyterhub_password: {}
         jupyterhub_uri:
           openInNewTab: true

diff --git a/applications/rag/metadata.yaml b/applications/rag/metadata.yaml
@@ -121,6 +121,44 @@ spec:
       - name: goog_cm_deployment_name
         varType: string
         defaultValue: ""
+      - name: ray_dashboard_add_auth
+        varType: bool
+        defaultValue: false
+      - name: ray_dashboard_client_id
+        description: Client ID used for enabling IAP. If empty client credentials will be autogenerated.
+        varType: string
+        defaultValue: ""
+      - name: ray_dashboard_client_secret
+        description: Client secret used for enabling IAP. If empty client credentials will be autogenerated.
+        varType: string
+        defaultValue: ""
+      - name: ray_dashboard_domain
+        description: Domain used for application and SSL certificate.
+        varType: string
+        defaultValue: "example.com"
+      - name: ray_dashboard_k8s_backend_config_name
+        description: Name of the Kubernetes Backend Config
+        varType: string
+        defaultValue: ray-dashboard-iap-config
+      - name: ray_dashboard_k8s_backend_service_port
+        description: Name of the Backend Service Port
+        varType: number
+        defaultValue: 8265
+      - name: ray_dashboard_k8s_iap_secret_name
+        description: Name for frontend iap secret
+        varType: string
+        defaultValue: ray-dashboard-iap-secret
+      - name: ray_dashboard_k8s_ingress_name
+        varType: string
+        defaultValue: ray-dashboard-ingress
+      - name: ray_dashboard_k8s_managed_cert_name
+        description: Name for frontend managed certificate
+        varType: string
+        defaultValue: ray-dashboard-managed-cert
+      - name: ray_dashboard_members_allowlist
+        description: "For example - user:[email protected],serviceAccount:[email protected],group:[email protected],domain:google.com"
+        varType: string
+        defaultValue: ""
       - name: jupyter_add_auth
         varType: bool
         defaultValue: false

diff --git a/applications/rag/outputs.tf b/applications/rag/outputs.tf
@@ -42,3 +42,8 @@ output "frontend_ip_address" {
   description = "Frontend global IP address"
   value       = module.frontend.frontend_ip_address
 }
+
+output "ray_dashboard_uri" {
+  description = "RAY Dashboard Endpoint to access user interface. In case of private IP, consider port-forwarding."
+  value       = module.kuberay-cluster.ray_dashboard_uri != "" ? "http://${module.kuberay-cluster.ray_dashboard_uri}" : ""
+}
diff --git a/applications/rag/variables.tf b/applications/rag/variables.tf
@@ -169,6 +169,66 @@ variable "frontend_members_allowlist" {
   ## keeping it string type to support single field input for marketplace UI.
 }
 
+# Ray-dashboard IAP settings
+variable "ray_dashboard_add_auth" {
+  type        = bool
+  description = "Enable iap authentication on frontend"
+  default     = true
+}
+
+variable "ray_dashboard_k8s_ingress_name" {
+  type    = string
+  default = "ray-dashboard-ingress"
+}
+
+variable "ray_dashboard_k8s_managed_cert_name" {
+  type        = string
+  description = "Name for frontend managed certificate"
+  default     = "ray-dashboard-managed-cert"
+}
+
+variable "ray_dashboard_k8s_iap_secret_name" {
+  type    = string
+  default = "ray-dashboard-secret"
+}
+
+variable "ray_dashboard_k8s_backend_config_name" {
+  type        = string
+  description = "Name of the Backend Config on GCP"
+  default     = "ray-dashboard-iap-config"
+}
+
+variable "ray_dashboard_k8s_backend_service_port" {
+  type        = number
+  description = "Name of the K8s Backend Service Port"
+  default     = 8265
+}
+
+variable "ray_dashboard_domain" {
+  type        = string
+  description = "Domain used for SSL certificate. If it's empty, *.nip.io DNS is used."
+  default     = ""
+}
+
+variable "ray_dashboard_client_id" {
+  type        = string
+  description = "Client ID used for enabling IAP"
+  default     = ""
+}
+
+variable "ray_dashboard_client_secret" {
+  type        = string
+  description = "Client secret used for enabling IAP"
+  default     = ""
+  sensitive   = false
+}
+
+variable "ray_dashboard_members_allowlist" {
+  type    = string
+  default = ""
+  ## keeping it string type to support single field input for marketplace UI.
+}
+
 # Jupyter IAP settings
 variable "jupyter_add_auth" {
   type        = bool

diff --git a/applications/rag/workloads.tfvars b/applications/rag/workloads.tfvars
@@ -82,3 +82,16 @@ frontend_domain            = "" ## Provide domain for ingress resource and ssl c
 frontend_client_id         = ""
 frontend_client_secret     = ""
 frontend_members_allowlist = "user:<email>,group:<email>,serviceAccount:<email>,domain:google.com"
+
+## Ray Dashboard IAP Settings
+ray_dashboard_add_auth                 = false # Set to true when using auth with IAP
+ray_dashboard_k8s_ingress_name         = "ray-dashboard-ingress"
+ray_dashboard_k8s_managed_cert_name    = "ray-dashboard-managed-cert"
+ray_dashboard_k8s_iap_secret_name      = "ray-dashboard-iap-secret"
+ray_dashboard_k8s_backend_config_name  = "ray-dashboard-iap-config"
+ray_dashboard_k8s_backend_service_port = 8265
+
+ray_dashboard_domain            = "" ## Provide domain for ingress resource and ssl certificate. If it's empty, it will use nip.io wildcard dns
+ray_dashboard_client_id         = ""
+ray_dashboard_client_secret     = ""
+ray_dashboard_members_allowlist = "user:<email>,group:<email>,serviceAccount:<email>,domain:google.com"
diff --git a/applications/ray/main.tf b/applications/ray/main.tf
@@ -155,7 +155,22 @@ module "kuberay-cluster" {
   grafana_host              = var.enable_grafana_on_ray_dashboard ? module.kuberay-monitoring[0].grafana_uri : ""
   network_policy_allow_cidr = var.kuberay_network_policy_allow_cidr
   disable_network_policy    = var.disable_ray_cluster_network_policy
-  depends_on                = [module.gcs, module.kuberay-operator]
+
+  # IAP Auth parameters
+  add_auth                 = var.ray_dashboard_add_auth
+  create_brand             = var.create_brand
+  support_email            = var.ray_dashboard_support_email
+  client_id                = var.ray_dashboard_client_id
+  client_secret            = var.ray_dashboard_client_secret
+  k8s_ingress_name         = var.ray_dashboard_k8s_ingress_name
+  k8s_iap_secret_name      = var.ray_dashboard_k8s_iap_secret_name
+  k8s_managed_cert_name    = var.ray_dashboard_k8s_managed_cert_name
+  k8s_backend_config_name  = var.ray_dashboard_k8s_backend_config_name
+  k8s_backend_service_port = var.ray_dashboard_k8s_backend_service_port
+  domain                   = var.ray_dashboard_domain
+  members_allowlist        = var.ray_dashboard_members_allowlist
+
+  depends_on = [module.gcs, module.kuberay-operator]
 }
 
 

diff --git a/applications/ray/variables.tf b/applications/ray/variables.tf
@@ -184,6 +184,78 @@ variable "goog_cm_deployment_name" {
   default = ""
 }
 
+# Ray-dashboard IAP settings
+variable "create_brand" {
+  type        = bool
+  description = "Create Brand OAuth Screen"
+  default     = false
+}
+
+variable "ray_dashboard_add_auth" {
+  type        = bool
+  description = "Enable iap authentication on frontend"
+  default     = true
+}
+
+variable "ray_dashboard_k8s_ingress_name" {
+  type    = string
+  default = "ray-dashboard-ingress"
+}
+
+variable "ray_dashboard_k8s_managed_cert_name" {
+  type        = string
+  description = "Name for frontend managed certificate"
+  default     = "ray-dashboard-managed-cert"
+}
+
+variable "ray_dashboard_k8s_iap_secret_name" {
+  type    = string
+  default = "ray-dashboard-secret"
+}
+
+variable "ray_dashboard_k8s_backend_config_name" {
+  type        = string
+  description = "Name of the Backend Config on GCP"
+  default     = "ray-dashboard-iap-config"
+}
+
+variable "ray_dashboard_k8s_backend_service_port" {
+  type        = number
+  description = "Name of the K8s Backend Service Port"
+  default     = 8265
+}
+
+variable "ray_dashboard_domain" {
+  type        = string
+  description = "Domain used for SSL certificate. If it's empty, *.nip.io DNS is used."
+  default     = ""
+}
+
+variable "ray_dashboard_support_email" {
+  type        = string
+  description = "Email for users to contact with questions about their consent"
+  default     = "<email>"
+}
+
+variable "ray_dashboard_client_id" {
+  type        = string
+  description = "Client ID used for enabling IAP"
+  default     = ""
+}
+
+variable "ray_dashboard_client_secret" {
+  type        = string
+  description = "Client secret used for enabling IAP"
+  default     = ""
+  sensitive   = false
+}
+
+variable "ray_dashboard_members_allowlist" {
+  type    = string
+  default = ""
+  ## keeping it string type to support single field input for marketplace UI.
+}
+
 # These default resource quotas are set intentionally high as an example that won't be limiting for most Ray clusters.
 # Consult https://kubernetes.io/docs/concepts/policy/resource-quotas/ for additional quotas that may be set.
 variable "resource_quotas" {

diff --git a/applications/ray/workloads.tfvars b/applications/ray/workloads.tfvars
@@ -40,3 +40,20 @@ gcs_bucket                      = "ray-bucket-zydg"
 create_ray_cluster              = true
 ray_cluster_name                = "ray-cluster"
 enable_grafana_on_ray_dashboard = false
+
+## IAP config - if you choose to disable IAP authenticated access for your endpoints, ignore everthing below this line.
+create_brand = false
+
+## Ray Dashboard IAP Settings
+ray_dashboard_add_auth                 = false # Set to true when using auth with IAP
+ray_dashboard_support_email            = "<email>"
+ray_dashboard_k8s_ingress_name         = "ray-dashboard-ingress"
+ray_dashboard_k8s_managed_cert_name    = "ray-dashboard-managed-cert"
+ray_dashboard_k8s_iap_secret_name      = "ray-dashboard-iap-secret"
+ray_dashboard_k8s_backend_config_name  = "ray-dashboard-iap-config"
+ray_dashboard_k8s_backend_service_port = 8265
+
+ray_dashboard_domain            = ""
+ray_dashboard_client_id         = ""
+ray_dashboard_client_secret     = ""
+ray_dashboard_members_allowlist = "user:<email>"