# Setting Up Kubeflow on Google Cloud Platform [UNFINISHED]

## Setting up Project

1. Enable these APIs by running the following command in Cloud Shell:

   ```
   gcloud services enable \
     compute.googleapis.com \
     container.googleapis.com \
     iam.googleapis.com \
     servicemanagement.googleapis.com \
     cloudresourcemanager.googleapis.com \
     ml.googleapis.com \
     iap.googleapis.com \
     sqladmin.googleapis.com \
     meshconfig.googleapis.com
   ```

2. Initialize your project to prepare it for Anthos Service Mesh installation.

   > note: project id is `kubeflow-ui-dikti-2022`, the same as the current project

   ```
   PROJECT_ID=kubeflow-ui-dikti-2022

   # Create a temporary cluster with Workload Identity enabled, then delete it.
   gcloud beta container clusters create tmp-cluster \
     --release-channel regular \
     --workload-pool=${PROJECT_ID}.svc.id.goog \
     --zone=us-central1-a

   gcloud beta container clusters delete tmp-cluster \
     --zone=us-central1-a

   # Initialize the project through the Mesh Configuration API.
   curl --request POST \
     --header "Authorization: Bearer $(gcloud auth print-access-token)" \
     --data '' \
     "https://meshconfig.googleapis.com/v1alpha1/projects/${PROJECT_ID}:initialize"
   ```

You do not need a running GKE cluster. The deployment process creates a cluster for you.

The next step is to set up an OAuth credential to use Cloud Identity-Aware Proxy (Cloud IAP). Cloud IAP is recommended for production deployments or deployments with access to sensitive data.

## Set up OAuth Consent Screen and Client Credential

If you want to use Cloud Identity-Aware Proxy (Cloud IAP) when deploying Kubeflow on Google Cloud, then you must follow these instructions to create an OAuth client for use with Kubeflow.

1. Set up your OAuth consent screen:
   - In the Application name box, enter the name of your application. We use the name `kubeflow-ui-dikti`.
   - Under Support email, select the email address that you want to display as a public contact. You must use either your email address or a Google Group that you own.
   - If you see Authorized domains, enter

     ```
     kubeflow-ui-dikti-2022.cloud.goog
     ```

   - Click Save.

2. On the credentials screen:
   - Click Create credentials, and then click OAuth client ID.
   - Under Application type, select Web application.
   - In the Name box, enter any name for your OAuth client ID. This is not the name of your application nor the name of your Kubeflow deployment. It’s just a way to help you identify the OAuth client ID.

3. Click Create. Retrieve the client ID from the Credential Details or dialog box that appears.

   ![](https://i.imgur.com/p3rM8uX.png)

   ```
   916466979924-scbl0tpvfaufp2is6ljaept2qt83vh45.apps.googleusercontent.com
   ```

4. Copy the client ID shown in the dialog box, because you need the client ID in the next step.

5. On the Create credentials screen, find your newly created OAuth credential and click the pencil icon to edit it.

6. In the Authorized redirect URIs box, enter the following (if it’s not already present in the list of authorized redirect URIs):

   ```
   https://iap.googleapis.com/v1/oauth/clientIds/<CLIENT_ID>:handleRedirect
   ```

   > note: Replace `<CLIENT_ID>` with the client ID, which is `916466979924-scbl0tpvfaufp2is6ljaept2qt83vh45.apps.googleusercontent.com`

7. Press Enter/Return to add the URI. Check that the URI now appears as a confirmed item under Authorized redirect URIs. (The URI should no longer be editable. If it still is, that's fine as well.)

8. Click Save.

9. Make note that you can find your OAuth client credentials in the credentials section of the Google Cloud Console. You need to retrieve the client ID and client secret later when you’re ready to enable Cloud IAP.

The next step is to set up your management cluster and grant your users the IAP-secured Web App User IAM role so they can access the Kubeflow console through IAP.

## Deploy Management cluster
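
Before deploying, a preflight can confirm that every API from step 1 of Setting up Project is actually enabled, using exact-name matching so that a similarly named service does not mask a missing one. This is an added example, not part of the original guide; the helper name `missing_apis` and the sample list of enabled services are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: preflight for the APIs enabled in "Setting up Project".

REQUIRED_APIS="compute.googleapis.com
container.googleapis.com
iam.googleapis.com
servicemanagement.googleapis.com
cloudresourcemanager.googleapis.com
ml.googleapis.com
iap.googleapis.com
sqladmin.googleapis.com
meshconfig.googleapis.com"

# missing_apis (hypothetical helper): reads enabled service names, one per
# line, on stdin and prints each required API that is absent.
# Returns 0 when nothing is missing, 1 otherwise. The body runs in a
# subshell so its variables do not leak into the caller.
missing_apis() (
  enabled="$(tr -d '\r')"
  missing=""
  for api in $REQUIRED_APIS; do
    # -x whole line, -F fixed string: iam.googleapis.com must not be
    # satisfied by iamcredentials.googleapis.com.
    if ! printf '%s\n' "$enabled" | grep -qxF -- "$api"; then
      missing="${missing}${api}
"
    fi
  done
  printf '%s' "$missing"
  [ -z "$missing" ]
)

# Live use (needs an authenticated gcloud):
#   gcloud services list --enabled --project "$PROJECT_ID" \
#     --format="value(config.name)" | missing_apis

# Constructed sample of enabled services: iam, iap and meshconfig are absent.
SAMPLE_ENABLED="compute.googleapis.com
container.googleapis.com
iamcredentials.googleapis.com
servicemanagement.googleapis.com
cloudresourcemanager.googleapis.com
ml.googleapis.com
sqladmin.googleapis.com"

printf '%s\n' "$SAMPLE_ENABLED" | missing_apis \
  || echo "Enable the APIs listed above before deploying." >&2
```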