run-ai
diff --git a/‎docs/admin/researcher-setup/email-messaging.md
Lines changed: 159 additions & 0 deletions b/‎docs/admin/researcher-setup/email-messaging.md
Lines changed: 159 additions & 0 deletions
diff --git a/‎docs/admin/runai-setup/authentication/researcher-authentication.md
Lines changed: 16 additions & 6 deletions b/‎docs/admin/runai-setup/authentication/researcher-authentication.md
Lines changed: 16 additions & 6 deletions
diff --git a/‎docs/admin/runai-setup/authentication/sso.md
Lines changed: 17 additions & 26 deletions b/‎docs/admin/runai-setup/authentication/sso.md
Lines changed: 17 additions & 26 deletions
diff --git a/‎docs/admin/runai-setup/self-hosted/k8s/prerequisites.md
Lines changed: 11 additions & 1 deletion b/‎docs/admin/runai-setup/self-hosted/k8s/prerequisites.md
Lines changed: 11 additions & 1 deletion
diff --git a/‎docs/developer/rest-auth.md
Lines changed: 14 additions & 10 deletions b/‎docs/developer/rest-auth.md
Lines changed: 14 additions & 10 deletions
@@ -0,0 +1,159 @@
+# Email notifications
+
+The notifications service listens to events on the Kubernetes cluster and passes notifications of those events via email. The service can be configured to send the notifications to one or more pre configured email addresses, or to the email address of the user that submitted the workload.
+
+Note: In order to send notifications dynamically to the user who submitted the workload, the user should be logged in to the Run:ai UI or CLI.
+
+The service can also be configured using a regular expression to send notifications only for specific namespaces on the cluster. This enables notification only for specific Run:ai projects. The default configuration sends notifications for all the namespaces starting with `runai-`.
+
+## Prerequisites
+
+1. The service should be installed on each cluster used with Run:ai. The installation will be done separately from the Run:ai cluster installation using a new helm chart.
+2. As a part of the installation, the customer should provide their SMTP server address as well as credentials for it.
+
+## Available notifications
+
+Configure the notifications service to send events using the relevant `kind` and event `reason`.
+The following Run:ai notifications are available:
+
+|Event|Kind|Reason|Description|Additional info|
+|:----|:----|:----|:----|:----|
+|Pod scheduled|`Pod`|`Scheduled`|a pod was scheduled on a node|Pod, Job, Project, Namespace, User|
+|Pod evicted|`PodGroup`|`Evict`|a pod was evicted to make room for another pod with higher priority, or to reclaim resources that belong to other project or department|Pod, Job, Project, Namespace, User|
+|Pod unschedulable|`Pod`|`Unschedulable`|a pod was determined as unschedulable and couldn't be scheduled on any node in the cluster| Pod, Job, Project, Namespace, User|
+|Failed scheduling pod|`Pod`|`FailedScheduling`|binding a pod to a node failed| Pod, Job, Project, Namespace, User|
+
+!!! Tip
+    You can configure the notifications service to send event messages about additional Kubernetes events using the relevant `kind` and event `reason`.
+<!--
+The following table shows the expected messages for each event:
+
+|Event| Message |
+|--|--|
+| Pod scheduled | Successfully assigned `namespace`/`pod` to `node`.|
+| Pod evicted | Examples of messages explaining why the pod was evicted: <br /><br />Eviction due to priority within same namespace:<br /> Job `namespace`/`pod` was preempted by a job `namespace`/`pod` which has higher priority.<br /><br />Eviction due to reclaim from queue which is over-quota:<br />Job `namespace`/`pod` was reclaimed by job `namespace`/`podGroup`. The reclaimed project uses `x` GPUs with a quota of `y` GPUs. <br /><br />Eviction for consolidation:<br /> Pod `namespace`/`pod` was removed for bin packing. |
+| Pod unschedulable |Message explaining different reasons for scheduler not being able to schedule on different nodes. <br /> (for example "All nodes are unavailable: 1 node(s) had untolerated taint {node-role.kubernetes.io/control-plane: test}. 2 node(s) didn't have enough resource: GPUs. 2 node(s) didn't have enough resource: MilliCPUs.")|
+| Failed scheduling pod | The error returned from Kubernetes API server, which usually indicates an error in the scheduler or in the cluster. |
+-->
+
+## Installation
+
+Install the notification service using the following commands:
+
+1. Set the helm repo to point to the notification service package using the following command:
+
+```
+helm repo add runai-notifications-service https://storage.googleapis.com/runai-notifications-service/
+
+helm repo update
+```
+
+2. Check for the latest version using the following command
+
+```
+helm repo search runai-notifications-service 
+
+```
+
+3. Install the latest version using the following command:
+
+```
+helm install runai-notifications-service/notifications-service --version 0.0.0
+```
+
+## Configuration
+
+The notification service is configured using a `configmap` file. The following is an example of a `configmap` file. Each of the tables below references a section in the `configmap` file.
+
+<!-- Need to better understand this.
+!!! Note:
+    You can change the service configuration values after deployment. Edit the config map and then rerun the `helm install` command above with the `-f` flag.
+-->
+
+### `service` configuration
+
+This section defines the number of events that will be sent by the service. Use the following table to configure options in the `service` section of the `configmap` file.
+
+|Component|Field|Description|Default|
+|:----|:----|:----|:----|
+|`service`|`service.concurrent_limit`|maximum number of events the service will handle in parallel|50|
+|`service`|`service.cached_events`|queue size for events before blocking the listener|1000|
+
+### `listener` configuration
+
+This section defines the objects and events that the service will listen to and send as notifications. Use the following table to configure options in the `listener` section of the `configmap` file.
+
+| Component | Field | Description | Default |
+| --- |  --- |  --- |  --- |
+| `kubelistener` | `listener.relevant_objects` | white list of Kubernetes components for notifications | relevant_objects: <br> `kind:` <br>    `Podreasons:UnschedulableScheduled` <br><br> `kind:` <br>`PodGroupreasons: - Evict` |
+| `kubelistener` | `listener.relevant_namespaces` | white list of namespaces that the service should listen to for events (regex) | `runai-.*` |
+
+### `enrich` configuration
+
+!!! Note
+    This section of the `configmap` is for internal use only. Keep the default values.
+
+| Component | Field | Default |
+| --- | --- | --- |
+|`KubeMetadata`|`enricher.kubeMetadata.lables`| `release: workloadDisplayName` <br><br>`training.kubeflow.org/job-name: workloadDisplayName` <br><br>`serving.knative.dev/service: workloadDisplayName` <br><br>`project: project`|
+|`KubeMetadata`|`enricher.kubeMetadata.annotations`|`"user": "user"`|
+
+### `notify` configuration
+
+This section defines the notification configuration of the service and contains the details for the SMTP server and the recipients list.
+Use the following table to configure options in the `notify` section of the `configmap` file.
+
+|Component|Field|Description|Default|
+|--- |--- |--- |--- |
+|`Email`|`notify.email.smtp_host` (M)|SMTP server host address|Empty|
+|`Email`|`notify.email.smtp_port` (M)|SMTP server port|587|
+|`Email`|`notify.email.from_display_name` (M)|email's "From" display name|Run:ai|
+|`Email`|`notify.email.from` (M)|a valid domain source email address|<test@run.ai>|
+|`Email`|`notify.email.user` (M)|SMTP server user login|user|
+|`Email`|`notify.email.password` (M)|SMTP server user's password |password|
+|`Email`|`notify.email.direct_notifications` (together with Recipients)|when set to true, email notifications will be sent dynamically to the user who submitted the workload|false|
+|`Email`|`notify.email.recipients` (together with Direct Notifications)|additional email address recipients list for all the events - broadcast|Empty list|
+
+**(M)** = mandatory to include in the `configmap` file.
+
+### Example `configmap` file
+
+The following file is an example of a configmap file for the notification service.
+
+```
+  service:
+    concurrent_limit: 50
+    cached_events: 1000
+  listener:
+    relevant_namespaces:
+    - runai.*
+    relevant_objects:
+    - kind: Pod
+      reasons:
+        - Unschedulable
+        - Scheduled
+    - kind: PodGroup
+      reasons:
+        - Evict
+  enrich:
+    kubeMetadata:
+      labels:
+        "release": "workloadDisplayName"
+        "training.kubeflow.org/job-name": "workloadDisplayName"
+        "serving.knative.dev/service": "workloadDisplayName"
+        "project": "project"
+      annotations:
+        "user": "user"
+  notify:
+    email:
+      template_path: path/email.html  # Internal use only.
+      from: my@mail.com
+      user: smtp_user
+      password: smtp_password
+      smtp_host: smtp.mail.com
+      smtp_port: 587
+      from_display_name: Company Name
+      direct_notifications: true
+      recipients:
+      - some@mail.com
+```
@@ -55,8 +55,7 @@ Modifying the API Server configuration differs between Kubernetes distributions:
         always_pull_images: false
         extra_args:
             oidc-client-id: runai  # (1)
-            oidc-issuer-url: https://example.com/auth
-            oidc-username-prefix: "-"
+            ...
             
     ```
 
@@ -69,10 +68,11 @@ Modifying the API Server configuration differs between Kubernetes distributions:
 
     ``` YAML title="/etc/rancher/rke2/config.yaml"
     kube-apiserver-arg:
-    - "oidc-client-id=<CLIENT-ID>"
-    - "oidc-issuer-url=<URL>"
-    - "oidc-username-prefix=-"
+    - "oidc-client-id=runai" # (1)
+    ...
     ```
+    
+    1. These are example parameters. Copy the actual parameters from `Settings | General | Researcher Authentication` as described above.
 
     If working via Rancher UI, need to add the flag as part of the cluster provisioning. 
 
@@ -88,9 +88,19 @@ Modifying the API Server configuration differs between Kubernetes distributions:
 
     Install the [yq](https://github.com/mikefarah/yq){target=_blank} utility and run:
 
+    For username-password authentication, run:
+
+    ```
+    kubectl get clientconfig default -n kube-public -o yaml > login-config.yaml
+    yq -i e ".spec +={\"authentication\":[{\"name\":\"oidc\",\"oidc\":{\"clientID\":\"runai\",\"issuerURI\":\"$OIDC_ISSUER_URL\",\"kubectlRedirectURI\":\"http://localhost:8000/callback\",\"userClaim\":\"sub\",\"userPrefix\":\"-\"}}]}" login-config.yaml
+    kubectl apply -f login-config.yaml
+    ```
+
+    For single-sign-on, run:
+
     ```
     kubectl get clientconfig default -n kube-public -o yaml > login-config.yaml
-    yq -i e ".spec +={\"authentication\":[{\"name\":\"oidc\",\"oidc\":{\"clientID\":\"$OIDC_CLIENT_ID\",\"issuerURI\":\"$OIDC_ISSUER_URL\",\"kubectlRedirectURI\":\"http://localhost:8000/callback\",\"userClaim\":\"sub\",\"userPrefix\":\"$OIDC_USERNAME_PREFIX\"}}]}" login-config.yaml
+    yq -i e ".spec +={\"authentication\":[{\"name\":\"oidc\",\"oidc\":{\"clientID\":\"runai\",\"issuerURI\":\"$OIDC_ISSUER_URL\",\"groupClaim\":\"groups\",\"kubectlRedirectURI\":\"http://localhost:8000/callback\",\"userClaim\":\"email\",\"userPrefix\":\"-\"}}]}" login-config.yaml
     kubectl apply -f login-config.yaml
     ```
 
 
@@ -2,7 +2,7 @@
 
 Single Sign-On (SSO) is an authentication scheme that allows a user to log in with a single ID to other, independent, software systems. SSO solves security issues involving multiple user/password data entries, multiple compliance schemes, etc.
 
-Run:ai supports SSO using the [SAML 2.0](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language){target=_blank} protocol and Open ID Connect (OIDC).
+Run:ai supports SSO using the [SAML 2.0](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language){target=_blank} protocol and Open ID Connect or [OIDC](https://openid.net/developers/how-connect-works/){target=_blank}.
 
 !!! Caution
     Single sign-on is only available with SaaS installations where the tenant has been created post-January 2022 or any Self-hosted installation of release 2.0.58 or later. If you are using single sign-on with older versions of Run:ai, please contact Run:ai customer support
@@ -13,8 +13,7 @@ Run:ai supports SSO using the [SAML 2.0](https://en.wikipedia.org/wiki/Security_
 
 ## SAML Prerequisites
 
-* **XML Metadata**&mdash;you must have an *XML Metadata file* retrieved from your IdP. Upload the file to a web server such that you will have a URL to the file. The URL must have the *XML* file extension. For example, to connect using Google, you must create a custom SAML App [here](https://admin.google.com/ac/apps/unified){target=_blank}, download the Metadata file, and upload it to a web server.
-* **Organization Name**&mdash;you must have a Run:ai *Organization Name*. This is the name that appears on the top right of the Run:ai user interface.
+**XML Metadata**&mdash;you must have an *XML Metadata file* retrieved from your IdP. Upload the file to a web server such that you will have a URL to the file. The URL must have the *XML* file extension. For example, to connect using Google, you must create a custom SAML App [here](https://admin.google.com/ac/apps/unified){target=_blank}, download the Metadata file, and upload it to a web server.
 
 ## OIDC Prerequisites
 
@@ -26,15 +25,15 @@ Run:ai supports SSO using the [SAML 2.0](https://en.wikipedia.org/wiki/Security_
 
 You can configure your IdP to map several IdP attributes:
 
-| IdP attribute | Run:ai required name | Description |
+| IdP attribute | Default Run:ai name | Description |
 |--|--|--|
-| User email | email | **(Mandatory)**  `e-mail` is the user identifier with Run:ai. |
-| User role groups | GROUPS | (Optional) If exists, allows assigning Run:ai role groups via the IdP. The IdP attribute must be of a type of list of strings. See more below |
-| Linux User ID | UID (configurable) | (Optional) If exists in IdP, allows Researcher containers to start with the Linux User `UID`. Used to map access to network resources such as file systems to users. The IdP attribute must be of integer type. |
-| Linux Group ID | GID (configurable) | (Optional) If exists in IdP, allows Researcher containers to start with the Linux Group `GID`. The IdP attribute must be of integer type. |
-| Linux Supplementary Groups | SUPPLEMENTARYGROUPS (configurable) | (Optional) If exists in IdP, allows Researcher containers to start with the relevant Linux supplementary groups. The IdP attribute must be of a type of list of integers. |
-| User first name | firstName (configurable)| (Optional) Used as the first name showing in the Run:ai user interface. |
-| User last name | lastName (configurable)| (Optional) Used as the last name showing in the Run:ai user interface |
+| User email | email (cannot be changed) | **(Mandatory)**  `e-mail` is the user identifier with Run:ai. |
+| User role groups | GROUPS  | (Optional) If exists, allows assigning Run:ai role groups via the IdP. The IdP attribute must be of a type of list of strings. See more below |
+| Linux User ID | UID  | (Optional) If exists in IdP, allows Researcher containers to start with the Linux User `UID`. Used to map access to network resources such as file systems to users. The IdP attribute must be of integer type. |
+| Linux Group ID | GID  | (Optional) If exists in IdP, allows Researcher containers to start with the Linux Group `GID`. The IdP attribute must be of integer type. |
+| Linux Supplementary Groups | SUPPLEMENTARYGROUPS  | (Optional) If exists in IdP, allows Researcher containers to start with the relevant Linux supplementary groups. The IdP attribute must be of a type of list of integers. |
+| User first name | firstName | (Optional) Used as the first name showing in the Run:ai user interface. |
+| User last name | lastName | (Optional) Used as the last name showing in the Run:ai user interface |
 
 ### Example attribute mapping for Google Suite
 
@@ -54,12 +53,9 @@ You can configure your IdP to map several IdP attributes:
 For `Saml 2`:
 
    1. In the `Metadata XML Url` field, enter the URL to the XML Metadata file.
-   2. In the `GID` field, enter the GID.
-   3. In the `GROUPS` field, enter the groups.
-   4. In the `SUPPLEMENTARYGROUPS` field, enter the supplementary groups.
-   5. In the `UID` field, enter the UID.
-   6. In the `Logout uri` field, enter the desired URL logout page. If left empty, you will be redirected to the Run:ai portal.
-   7.  Press `Save`.
+   2. Find your identity provider's attribute names for `GID`, `GROUPS`, `SUPPLEMENTARYGROUPS` and `UID`. If they are not in line with the Run:ai defaults described in the table above, you can change them here.   
+   3. In the `Logout uri` field, enter the desired URL logout page. If left empty, you will be redirected to the Run:ai portal.
+   4.  Press `Save`.
 
 For `Open ID Connect`:
 
@@ -68,12 +64,9 @@ For `Open ID Connect`:
    1. In the `Discovery Document URL` field, enter the URL to the discovery document.
    2. In the `Client ID` field, enter the client ID.
    3. In the `Client Secret` field, enter the client secret.
-   4. In the `GID` field, enter the GID.
-   5. In the `GROUPS` field, enter the groups.
-   6. In the `SUPPLEMENTARYGROUPS` field, enter the supplementary groups.
-   7. In the `UID` field, enter the UID.
-   8. In the `Logout uri` field, enter the desired URL logout page. If left empty, you will be redirected to the Run:ai portal.
-   9.  Press `Save`.
+   4. Find your identity provider's attribute names for `GID`, `GROUPS`, `SUPPLEMENTARYGROUPS` and `UID`. If they are not in line with the Run:ai defaults described in the table above, you can change them here.   
+   5. In the `Logout uri` field, enter the desired URL logout page. If left empty, you will be redirected to the Run:ai portal.
+   6.  Press `Save`.
 
 Once you press `Save` you will receive a `Redirect URI` and an `Entity ID`. Both values must be set on the IdP side.
 
@@ -86,12 +79,10 @@ Test Connectivity to Administration User Interface:
 
 * Using an incognito browser tab and open the Run:ai user interface.
 * Select the `Login with SSO` button.
-* Provide the `Organization name` obtained above.
 * You will be redirected to the IdP login page. Use the previously entered *Administrator* email* to log in.
 
 ### Troubleshooting
-
-The SSO log in can be separated into two parts:
+The SSO login can be separated into two parts:
 
 1. Run:ai redirects to the IdP (for example, Google) for login using a *SAML Request*.
 2. Upon successful login, IdP redirects back to Run:ai with a *SAML Response*.
 
@@ -41,7 +41,17 @@ See Run:ai Cluster prerequisites [Kubernetes](../../cluster-setup/cluster-prereq
 
 The Run:ai control plane operating system prerequisites are identical.
 
-The Run:ai control-plane requires a default storage class to create persistent volume claims for Run:ai storage. The storage class, as per Kubernetes standards, controls the reclaim behavior: whether the Run:ai persistent data is saved or deleted when the Run:ai control plane is deleted.
+The Run:ai control-plane requires a __default storage class__ to create persistent volume claims for Run:ai storage. The storage class, as per Kubernetes standards, controls the reclaim behavior: whether the Run:ai persistent data is saved or deleted when the Run:ai control plane is deleted. 
+
+
+!!! Note
+    For a simple (nonproduction) storage class example see [Kubernetes Local Storage Class](https://kubernetes.io/docs/concepts/storage/storage-classes/#local){target=_blank}. The storage class will set the directory `/opt/local-path-provisioner` to be used across all nodes as the path for provisioning persistent volumes.
+
+    Then set the new storage class as default:
+
+    ```
+    kubectl patch storageclass local-path -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
+    ```
 
 ### NVIDIA Prerequisites
 
 
@@ -46,16 +46,20 @@ Replace `<COMPANY-URL>` below with  `app.run.ai` for SaaS installations (not `<c
 
 === "Python"
     ``` python
-    import http.client
-
-    conn = http.client.HTTPSConnection("")
-    payload = "grant_type=client_credentials&client_id=<APPLICATION-NAME>&client_secret=<CLIENT_SECRET>"
-    headers = { 'content-type': "application/x-www-form-urlencoded" }
-    conn.request("POST", "/<COMPANY-URL>/auth/realms/<REALM>/protocol/openid-connect/token", payload, headers)
-
-    res = conn.getresponse()
-    data = res.read()
-    print(data.decode("utf-8"))
+    url = <COMPANY-URL> + "/auth/realms/" + <REALM> + "/protocol/openid-connect/token"
+
+    payload = 'grant_type=client_credentials&scope=openid&response_type=id_token&client_id=' + <APPLICATION-NAME> + '&client_secret=' + <CLIENT-SECRET>
+    headers = {
+        'Content-Type': 'application/x-www-form-urlencoded'
+    }
+    
+    response = requests.request("POST", url, headers=headers, data=payload)
+    if response.status_code //100 == 2:
+        j = json.loads(response.text)
+        return j["access_token"]
+    else:
+        print(json.dumps(json.loads(response.text), sort_keys=True, indent=4, separators=(",", ": ")))
+        return
     ```
 
 ### Response