Skip to main content
Version: v1.1.x

Set Up Palette for PaletteAI

Before you can use Palette as the PaletteAI infrastructure provider, you must complete several setup tasks in Palette: create a tenant and project, generate an API key, and deploy and label edge nodes. For the Settings resource that connects PaletteAI to Palette after you complete these tasks, refer to Configure Integrations.

When Palette is integrated with PaletteAI, Palette acts as your infrastructure provider, deploying dedicated or shared Compute Pools to host your artificial intelligence and machine learning (AI/ML) applications.

Integration Prerequisites

Before you can add a Palette integration to your Tenant or Project, you must complete the following tasks in Palette.

info

When PaletteAI is installed with systemDefaultResources: true (the default), a default Tenant and Project are automatically created. You can use these defaults or create custom Tenants and Projects by completing the prerequisites that follow.

  1. Create Palette Tenant - Similar to PaletteAI Tenants, Palette tenants are top-level organizational units that represent a department or business, under which you create individual projects for deploying and managing clusters. If you use Palette in a dedicated- or multi-tenant SaaS environment, tenants are created for you by the Spectro Cloud Customer Support team. In self-hosted Palette environments, you must manually create tenants.

  2. Create Palette Project - Within your Palette tenant, use the default project or create one or more new projects where you deploy your AI/ML applications. Palette projects are similar to PaletteAI projects, allowing you to group clusters and related resources and set role-based access controls. Refer to the Palette Create and Manage Projects guide for instructions. If you have multiple tenants, refer to the Switch Tenant guide to confirm you are in the correct tenant before creating your project.

  3. Create Palette API Key - The Settings resource uses your Palette API key to authenticate PaletteAI with Palette. Once authenticated, PaletteAI can discover edge nodes and use them to create clusters for your AI/ML applications.

Deployment Prerequisites

PaletteAI can communicate with Palette once you add the integration, but you cannot deploy AI/ML applications until PaletteAI's Compute resource discovers enough edge nodes. Complete these tasks in Palette first:

  1. Deploy Edge Nodes - Deploy and use edge nodes to form the clusters that host your AI/ML applications. Turn existing machines into Palette-compatible edge nodes using either the EdgeForge Workflow (Appliance Mode) or Agent Mode, and register the nodes with Palette.

  2. Label Edge Nodes - Edge nodes must be properly labeled with the appropriate PaletteAI tags to be discovered by the Compute resource. To tag your edge nodes, add labels below the stylus.site.tags parameter in your edge node's user-data file or tag edge nodes once they are registered with Palette using Edge Host Grid View.

Cluster Profiles

Cluster Profiles define the base infrastructure used in your Kubernetes clusters and are a required component of Infrastructure and Fullstack Profile Bundles. When you import a Profile Bundle, PaletteAI creates the required Cluster Profiles in Palette automatically.

When PaletteAI provisions a Compute Pool, it references the applicable Cluster Profile to configure the underlying Kubernetes cluster through Palette.

Self-Hosted Palette Setup

This section applies to self-hosted Palette environments only. It does not apply to dedicated or multi-tenant SaaS environments.

SSL and TLS Certificates

By default, self-hosted Palette uses a self-signed Secure Sockets Layer (SSL) certificate. When PaletteAI connects to Palette, the connection uses HTTPS. Palette presents an SSL certificate, and PaletteAI validates that certificate before calling the Palette API.

You configure each side separately. Palette holds the server certificate, and PaletteAI holds the trust configuration that determines whether it accepts that certificate.

Public or Trusted Certificate

When Palette presents a certificate from a public Certificate Authority (CA), you must install the server certificate in the Palette system console. No additional setup is needed, as PaletteAI trusts certificates from public CAs by default. Refer to the Palette System Address Management guide for instructions.

Default Self-Signed Certificate

If Palette uses its built-in self-signed certificate and you have not installed a custom server certificate, configure the Palette integration secret using one of the following options.

  • (Test environments only) Set skipSSLCertificateVerification to true to skip certificate validation.
  • (Production environments) Set tlsSecretRef to the name of a Kubernetes Secret in the same namespace. The Secret must contain a ca.crt key with the authority that signed Palette's server certificate.

Without a PaletteAI trust configuration, PaletteAI cannot call the Palette API.

Private or Internal CA Certificate

If your organization signs Palette's certificate with a private CA that PaletteAI does not trust by default, take the following steps:

  1. In the Palette System console, install the server certificate. Refer to the Palette System Address Management guide for instructions.
  2. In PaletteAI, set tlsSecretRef to the name of a Kubernetes Secret in the same namespace. The Secret must contain a ca.crt key with the authority that signed Palette's server certificate.

Apply the PaletteAI configuration through a manifest or in the PaletteAI UI when you add a Palette integration to your Settings resource. You can complete this step during or after creating or managing a Project.

warning

Leave skipSSLCertificateVerification disabled in production environments. When enabled, all API calls to Palette skip SSL certificate validation. This setting is acceptable for test environments, but it exposes production API traffic to interception and man-in-the-middle attacks. Use a valid SSL certificate signed by a trusted CA, or provide a custom CA certificate through tlsSecretRef.

The following YAML examples show the tlsSecretRef configuration on PaletteAI when Palette uses a self-signed or private CA certificate.

Example Palette secret with custom CA certificate
apiVersion: v1
kind: Secret
metadata:
name: palette-api-secret
namespace: primary-dev
type: Opaque
stringData:
palette: |
{
"apiKey": "***************************",
"defaultProjectID": "<palette-default-project-id>",
"hostUrl": "https://console.spectrocloud.com",
"tenant": "docs",
"skipSSLCertificateVerification": false,
"tlsSecretRef": "palette-ca-cert"
}
Example Kubernetes Secret linked to Palette secret with tlsSecretRef
apiVersion: v1
kind: Secret
metadata:
name: palette-ca-cert
namespace: primary-dev
type: Opaque
stringData:
ca.crt: |
-----BEGIN CERTIFICATE-----
***************************
-----END CERTIFICATE-----

For the full list of Palette secret fields, refer to the Settings CRD reference.

Additional Setup

These tasks are not required to deploy Compute Pools and applications with PaletteAI, but we recommend completing them before deploying clusters in production. Refer to the following Palette guides for additional information:

  • Activate Palette License - After installing self-hosted Palette, you have 30 days to activate it. After the trial expires, existing clusters keep running, but you cannot deploy new clusters or perform Day-2 operations until Palette is activated.

  • Add Pack Registries - Add pack registries to your Palette tenants so that you can use them to create Cluster Profiles. Review the list of Pack registries, select the ones you want to use, and follow the Add System-Level Registry guide to add them to your Palette tenants.

Refer to Palette's System Management guide for other configuration options, such as feature flags and login banners.