Configure Alauda AI Global Resources
Starting from Alauda AI 2.6, Alauda AI is deployed as a single-cluster application. The global resources (OIDC client and product entry) are no longer delivered as a cluster plugin. Instead, they are configured using the global-install.sh script.
If the Alauda AI Essentials cluster plugin was installed in a previous version, it must be uninstalled after upgrading to Alauda AI 2.6 or later. In the Administrator view, navigate to Marketplace / Cluster Plugin, select the global cluster, locate Alauda AI Essentials, and click Uninstall.
The script creates the following resources on the global cluster:
- OAuth2Client: Enables SSO authentication for Alauda AI via the platform Dex identity provider.
- Secret: Stores the OIDC client credentials.
- ProductEntry: Registers Alauda AI as a product entry in the platform console, so it appears in the left navigation menu.
Prerequisites
- kubectl is installed and configured to access the global cluster.
- The productbase.product.alauda.io/base resource exists on the global cluster (the script reads the platform URL and version from it).
Procedure
Downloading the script
Download the global-install.sh script.
Running the script
Run the script with the target cluster name as the argument:
<cluster-name> is the name of the cluster where Alauda AI is (or will be) installed.
The script reads the platform URLs and version from productbase.product.alauda.io/base on the global cluster, then creates the required OIDC and product entry resources. If an OAuth2Client with the same name already exists, it is safely skipped.
Important notes
OIDC configuration: The OIDC client credentials must match between the OAuth2Client resource on the global cluster and the AmlCluster in the target cluster. The OAuth2Client is named aml under the cpaas-system namespace. Its secret (or secretRef) must be consistent with data.client-secret in the Secret referenced by AmlCluster spec.oidc.clientSecretName (under the kubeflow namespace). If customization is needed, update both sides. Once the OAuth2Client exists, the script skips it—subsequent changes should be made directly to the resource.
Multiple Alauda AI installations: The ProductEntry resource is named aml-<cluster-name>. If multiple Alauda AI instances are deployed across different clusters, each will have a separate ProductEntry with the same display name "Alauda AI". To distinguish them in the platform console navigation menu, edit the spec.displayName field of the corresponding ProductEntry. For example:
Verification
After running the script, confirm the resources are created:
The Alauda AI entry should appear in the platform console left navigation menu after a short delay.
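The OIDC consistency requirement from the important notes can be checked offline on JSON exports of the two resources (kubectl get ... -o json). The following is an added example, not part of global-install.sh or the product. It assumes the OAuth2Client keeps its value in a top-level secret field, as Dex's Kubernetes storage does; the function name, the sample objects and the Secret name are constructed for illustration.

```python
import base64
import binascii
import hmac


def check_oidc_secret(oauth2client: dict, secret: dict, key: str = "client-secret") -> str:
    """Compare the OAuth2Client secret with data.<key> of the Kubernetes Secret.

    Returns a status string and never returns or prints the secret values.
    """
    # Assumption: the client secret is the top-level "secret" field of the resource.
    client_secret = oauth2client.get("secret")
    if not client_secret:
        if oauth2client.get("secretRef"):
            # A secretRef points elsewhere; resolve it first, then compare.
            return "unresolved: OAuth2Client uses secretRef"
        return "error: OAuth2Client has no secret"
    encoded = (secret.get("data") or {}).get(key)
    if encoded is None:
        return f"error: Secret has no data.{key}"
    try:
        stored = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return f"error: data.{key} is not valid base64"
    expected = client_secret.encode()
    # Constant-time comparison, so the check itself does not leak the value.
    if hmac.compare_digest(stored, expected):
        return "match"
    # A stray newline (value piped from echo rather than printf) is a common cause.
    if hmac.compare_digest(stored.strip(), expected.strip()):
        return "mismatch: values differ only in surrounding whitespace"
    return "mismatch"


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample objects (not real credentials or real exports).
SAMPLE_CLIENT = {"kind": "OAuth2Client", "secret": "constructed-example-value",
                 "metadata": {"name": "aml", "namespace": "cpaas-system"}}
SAMPLE_SECRET_OK = {"kind": "Secret", "data": {"client-secret": _b64("constructed-example-value")},
                    "metadata": {"name": "example-oidc-secret", "namespace": "kubeflow"}}
SAMPLE_SECRET_NEWLINE = {"kind": "Secret", "data": {"client-secret": _b64("constructed-example-value\n")}}
SAMPLE_SECRET_OTHER = {"kind": "Secret", "data": {"client-secret": _b64("some-other-value")}}

if __name__ == "__main__":
    for name in ("SAMPLE_SECRET_OK", "SAMPLE_SECRET_NEWLINE", "SAMPLE_SECRET_OTHER"):
        print(name, "->", check_oidc_secret(SAMPLE_CLIENT, globals()[name]))
```

Any result other than match means the two sides have drifted and should be reconciled as described in the OIDC configuration note.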