From e7942110cd53428d1533bba1a4b4a93ecaefeb2e Mon Sep 17 00:00:00 2001 From: Suraj Kota Date: Tue, 14 Jun 2022 12:41:34 -0700 Subject: [PATCH] Sync kubeflow/pipelines manifests 1.8.2 (#2223) * Update kubeflow/pipelines manifests from 1.8.2 * update example, tests --- README.md | 4 +- .../base/cache-deployer/kustomization.yaml | 2 +- .../upstream/base/cache/kustomization.yaml | 2 +- .../generic/pipeline-install-config.yaml | 2 +- .../base/metadata/base/kustomization.yaml | 2 +- .../upstream/base/pipeline/kustomization.yaml | 12 ++--- .../metadata-writer/kustomization.yaml | 2 +- .../cert-manager/base/cache-cert-issuer.yaml | 6 +++ .../env/cert-manager/base/cache-cert.yaml | 15 ++++++ .../base/cache-webhook-config.yaml | 25 ++++++++++ .../env/cert-manager/base/kustomization.yaml | 13 +++++ .../env/cert-manager/base/params.yaml | 13 +++++ .../kustomization.yaml | 7 +++ .../dev/delete-cache-deployer.yaml | 18 +++++++ .../env/cert-manager/dev/kustomization.yaml | 47 +++++++++++++++++++ .../env/cert-manager/dev/namespace.yaml | 4 ++ .../upstream/env/cert-manager/dev/params.yaml | 4 ++ .../delete-cache-deployer.yaml | 36 ++++++++++++++ .../kustomization.yaml | 28 +++++++++++ .../env/gcp/inverse-proxy/kustomization.yaml | 2 +- example/kustomization.yaml | 6 +-- hack/setup-kubeflow-light.sh | 4 +- tests/README.md | 2 +- 23 files changed, 236 insertions(+), 20 deletions(-) create mode 100644 apps/pipeline/upstream/env/cert-manager/base/cache-cert-issuer.yaml create mode 100644 apps/pipeline/upstream/env/cert-manager/base/cache-cert.yaml create mode 100644 apps/pipeline/upstream/env/cert-manager/base/cache-webhook-config.yaml create mode 100644 apps/pipeline/upstream/env/cert-manager/base/kustomization.yaml create mode 100644 apps/pipeline/upstream/env/cert-manager/base/params.yaml create mode 100644 apps/pipeline/upstream/env/cert-manager/cluster-scoped-resources/kustomization.yaml create mode 100644 apps/pipeline/upstream/env/cert-manager/dev/delete-cache-deployer.yaml create mode 100644 apps/pipeline/upstream/env/cert-manager/dev/kustomization.yaml create mode 100644 apps/pipeline/upstream/env/cert-manager/dev/namespace.yaml create mode 100644 apps/pipeline/upstream/env/cert-manager/dev/params.yaml create mode 100644 apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/delete-cache-deployer.yaml create mode 100644 apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml diff --git a/README.md b/README.md index 429e359cf8..f36dc94318 100644 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ This repo periodically syncs all official Kubeflow components from their respect | Katib | apps/katib/upstream | [v0.13.0](/~https://github.com/kubeflow/katib/tree/v0.13.0/manifests/v1beta1) | | KFServing | apps/kfserving/upstream | [v0.6.1](/~https://github.com/kubeflow/kfserving/releases/tag/v0.6.1) | | KServe | contrib/kserve/upstream | [v0.7.0](/~https://github.com/kserve/kserve/tree/v0.7.0) | -| Kubeflow Pipelines | apps/pipeline/upstream | [1.8.1](/~https://github.com/kubeflow/pipelines/tree/1.8.1/manifests/kustomize) | +| Kubeflow Pipelines | apps/pipeline/upstream | [1.8.2](/~https://github.com/kubeflow/pipelines/tree/1.8.2/manifests/kustomize) | | Kubeflow Tekton Pipelines | apps/kfp-tekton/upstream | [v1.1.1](/~https://github.com/kubeflow/kfp-tekton/tree/v1.1.1/manifests/kustomize) | The following is also a matrix with versions from common components that are @@ -217,7 +217,7 @@ kustomize build common/istio-1-11/kubeflow-istio-resources/base | kubectl apply Install the [Multi-User Kubeflow Pipelines](https://www.kubeflow.org/docs/components/pipelines/multi-user/) official Kubeflow component: ```sh -kustomize build apps/pipeline/upstream/env/platform-agnostic-multi-user | kubectl apply -f - +kustomize build apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user | kubectl apply -f - ``` If your container runtime is not docker, use pns executor instead: diff --git a/apps/pipeline/upstream/base/cache-deployer/kustomization.yaml b/apps/pipeline/upstream/base/cache-deployer/kustomization.yaml index ebaabd51a8..a2b0771c63 100644 --- a/apps/pipeline/upstream/base/cache-deployer/kustomization.yaml +++ b/apps/pipeline/upstream/base/cache-deployer/kustomization.yaml @@ -8,4 +8,4 @@ commonLabels: app: cache-deployer images: - name: gcr.io/ml-pipeline/cache-deployer - newTag: 1.8.1 + newTag: 1.8.2 diff --git a/apps/pipeline/upstream/base/cache/kustomization.yaml b/apps/pipeline/upstream/base/cache/kustomization.yaml index b84093af0a..d3431863af 100644 --- a/apps/pipeline/upstream/base/cache/kustomization.yaml +++ b/apps/pipeline/upstream/base/cache/kustomization.yaml @@ -10,4 +10,4 @@ commonLabels: app: cache-server images: - name: gcr.io/ml-pipeline/cache-server - newTag: 1.8.1 + newTag: 1.8.2 diff --git a/apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml b/apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml index 2aae3a784e..593f3ced30 100644 --- a/apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml +++ b/apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml @@ -11,7 +11,7 @@ data: until the changes take effect. A quick way to restart all deployments in a namespace: `kubectl rollout restart deployment -n `. appName: pipeline - appVersion: 1.8.1 + appVersion: 1.8.2 dbHost: mysql dbPort: "3306" mlmdDb: metadb diff --git a/apps/pipeline/upstream/base/metadata/base/kustomization.yaml b/apps/pipeline/upstream/base/metadata/base/kustomization.yaml index a621def5b3..c1d4f8f99f 100644 --- a/apps/pipeline/upstream/base/metadata/base/kustomization.yaml +++ b/apps/pipeline/upstream/base/metadata/base/kustomization.yaml @@ -9,4 +9,4 @@ resources: - metadata-grpc-sa.yaml images: - name: gcr.io/ml-pipeline/metadata-envoy - newTag: 1.8.1 + newTag: 1.8.2 diff --git a/apps/pipeline/upstream/base/pipeline/kustomization.yaml b/apps/pipeline/upstream/base/pipeline/kustomization.yaml index c320f89c19..3d9efd23e3 100644 --- a/apps/pipeline/upstream/base/pipeline/kustomization.yaml +++ b/apps/pipeline/upstream/base/pipeline/kustomization.yaml @@ -37,14 +37,14 @@ resources: - kfp-launcher-configmap.yaml images: - name: gcr.io/ml-pipeline/api-server - newTag: 1.8.1 + newTag: 1.8.2 - name: gcr.io/ml-pipeline/persistenceagent - newTag: 1.8.1 + newTag: 1.8.2 - name: gcr.io/ml-pipeline/scheduledworkflow - newTag: 1.8.1 + newTag: 1.8.2 - name: gcr.io/ml-pipeline/frontend - newTag: 1.8.1 + newTag: 1.8.2 - name: gcr.io/ml-pipeline/viewer-crd-controller - newTag: 1.8.1 + newTag: 1.8.2 - name: gcr.io/ml-pipeline/visualization-server - newTag: 1.8.1 + newTag: 1.8.2 diff --git a/apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml b/apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml index 5b49a9ffbf..b5b762683b 100644 --- a/apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml +++ b/apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml @@ -7,4 +7,4 @@ resources: - metadata-writer-sa.yaml images: - name: gcr.io/ml-pipeline/metadata-writer - newTag: 1.8.1 + newTag: 1.8.2 diff --git a/apps/pipeline/upstream/env/cert-manager/base/cache-cert-issuer.yaml b/apps/pipeline/upstream/env/cert-manager/base/cache-cert-issuer.yaml new file mode 100644 index 0000000000..1c0ba59611 --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/base/cache-cert-issuer.yaml @@ -0,0 +1,6 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: kfp-cache-selfsigned-issuer +spec: + selfSigned: {} \ No newline at end of file diff --git a/apps/pipeline/upstream/env/cert-manager/base/cache-cert.yaml b/apps/pipeline/upstream/env/cert-manager/base/cache-cert.yaml new file mode 100644 index 0000000000..7d1136729a --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/base/cache-cert.yaml @@ -0,0 +1,15 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: kfp-cache-cert +spec: + commonName: kfp-cache-cert + isCA: true + dnsNames: + - cache-server + - cache-server.$(kfp-namespace) + - cache-server.$(kfp-namespace).svc + issuerRef: + kind: Issuer + name: kfp-cache-selfsigned-issuer + secretName: webhook-server-tls \ No newline at end of file diff --git a/apps/pipeline/upstream/env/cert-manager/base/cache-webhook-config.yaml b/apps/pipeline/upstream/env/cert-manager/base/cache-webhook-config.yaml new file mode 100644 index 0000000000..0f6b43c4fd --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/base/cache-webhook-config.yaml @@ -0,0 +1,25 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: cache-webhook-kubeflow + annotations: + cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-cache-cert +webhooks: + - name: cache-server.$(kfp-namespace).svc + clientConfig: + service: + name: cache-server + namespace: $(kfp-namespace) + path: "/mutate" + failurePolicy: Ignore + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + sideEffects: None + timeoutSeconds: 5 + objectSelector: + matchLabels: + pipelines.kubeflow.org/cache_enabled: "true" + admissionReviewVersions: ["v1beta1"] \ No newline at end of file diff --git a/apps/pipeline/upstream/env/cert-manager/base/kustomization.yaml b/apps/pipeline/upstream/env/cert-manager/base/kustomization.yaml new file mode 100644 index 0000000000..14cacd9316 --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/base/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow + +resources: + - cache-cert-issuer.yaml + - cache-cert.yaml + - cache-webhook-config.yaml +commonLabels: + app: cache-server-cert-manager + +configurations: +- params.yaml diff --git a/apps/pipeline/upstream/env/cert-manager/base/params.yaml b/apps/pipeline/upstream/env/cert-manager/base/params.yaml new file mode 100644 index 0000000000..8ee2b1b3c9 --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/base/params.yaml @@ -0,0 +1,13 @@ +varReference: + - path: spec/commonName + kind: Certificate + - path: spec/dnsNames + kind: Certificate + - path: spec/issuerRef/name + kind: Certificate + - path: metadata/annotations + kind: MutatingWebhookConfiguration + - path: webhooks/clientConfig/service/namespace + kind: MutatingWebhookConfiguration + - path: webhooks/name + kind: MutatingWebhookConfiguration \ No newline at end of file diff --git a/apps/pipeline/upstream/env/cert-manager/cluster-scoped-resources/kustomization.yaml b/apps/pipeline/upstream/env/cert-manager/cluster-scoped-resources/kustomization.yaml new file mode 100644 index 0000000000..c5df9e990b --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/cluster-scoped-resources/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +bases: +- ../../../third-party/application/cluster-scoped +- ../../../third-party/argo/installs/namespace/cluster-scoped +- ../../../base/pipeline/cluster-scoped \ No newline at end of file diff --git a/apps/pipeline/upstream/env/cert-manager/dev/delete-cache-deployer.yaml b/apps/pipeline/upstream/env/cert-manager/dev/delete-cache-deployer.yaml new file mode 100644 index 0000000000..07e2f878c7 --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/dev/delete-cache-deployer.yaml @@ -0,0 +1,18 @@ +# Delete cache deployer related resources as we use the cert-manager instead +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cache-deployer-deployment +$patch: delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kubeflow-pipelines-cache-deployer-role +$patch: delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubeflow-pipelines-cache-deployer-rolebinding +$patch: delete \ No newline at end of file diff --git a/apps/pipeline/upstream/env/cert-manager/dev/kustomization.yaml b/apps/pipeline/upstream/env/cert-manager/dev/kustomization.yaml new file mode 100644 index 0000000000..e4dc5ed009 --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/dev/kustomization.yaml @@ -0,0 +1,47 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +bases: + - ../../dev + - ../base +namespace: kubeflow + +# Delete the cache deployer as we use the cert-manager instead +patchesStrategicMerge: + - ./delete-cache-deployer.yaml + +resources: +- namespace.yaml + +vars: +# NOTE: var name must be unique globally to allow composition of multiple kustomize +# packages. Therefore, we added prefix `kfp-dev-` to distinguish it from +# others. +- name: kfp-dev-namespace + objref: + # ml-pipeline sa's metadata.namespace will be first transformed by namespace field in kustomization.yaml + # so that we only need to change kustomization.yaml's namespace field for namespace customization. + kind: ServiceAccount + name: ml-pipeline + apiVersion: v1 + fieldref: + fieldpath: metadata.namespace +configurations: +- params.yaml + +# Pass proper arguments to cache-server to use cert-manager certificate +patches: +- patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--tls_cert_filename=tls.crt" + target: + kind: Deployment + name: cache-server +- patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--tls_key_filename=tls.key" + target: + kind: Deployment + name: cache-server diff --git a/apps/pipeline/upstream/env/cert-manager/dev/namespace.yaml b/apps/pipeline/upstream/env/cert-manager/dev/namespace.yaml new file mode 100644 index 0000000000..51de7acfd8 --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/dev/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: '$(kfp-dev-namespace)' diff --git a/apps/pipeline/upstream/env/cert-manager/dev/params.yaml b/apps/pipeline/upstream/env/cert-manager/dev/params.yaml new file mode 100644 index 0000000000..cc253fe266 --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/dev/params.yaml @@ -0,0 +1,4 @@ +# Allow Kustomize var to replace following fields. +varReference: +- path: metadata/name + kind: Namespace diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/delete-cache-deployer.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/delete-cache-deployer.yaml new file mode 100644 index 0000000000..de57ccce1b --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/delete-cache-deployer.yaml @@ -0,0 +1,36 @@ +# Delete cache deployer as we use the cert-manager instead +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-pipelines-cache-deployer-clusterrole +$patch: delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubeflow-pipelines-cache-deployer-clusterrolebinding +$patch: delete +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubeflow-pipelines-cache-deployer-sa +$patch: delete +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cache-deployer-deployment +$patch: delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kubeflow-pipelines-cache-deployer-role +$patch: delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubeflow-pipelines-cache-deployer-rolebinding +$patch: delete \ No newline at end of file diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml new file mode 100644 index 0000000000..3d21848789 --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml @@ -0,0 +1,28 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +bases: + - ../../platform-agnostic-multi-user + - ../base +namespace: kubeflow + +# Delete the cache deployer as we use the cert-manager instead +patchesStrategicMerge: + - ./delete-cache-deployer.yaml + +# Pass proper arguments to cache-server to use cert-manager certificate +patches: +- patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--tls_cert_filename=tls.crt" + target: + kind: Deployment + name: cache-server +- patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--tls_key_filename=tls.key" + target: + kind: Deployment + name: cache-server diff --git a/apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml b/apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml index f9081522b4..0f2dbd865c 100644 --- a/apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml +++ b/apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: gcr.io/ml-pipeline/inverse-proxy-agent - newTag: 1.8.1 + newTag: 1.8.2 resources: - proxy-configmap.yaml - proxy-deployment.yaml diff --git a/example/kustomization.yaml b/example/kustomization.yaml index b333d40715..48bb9fb92f 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml @@ -26,7 +26,7 @@ resources: # Kubeflow Pipelines -- ../apps/pipeline/upstream/env/platform-agnostic-multi-user +- ../apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user # KFServing - ../apps/kfserving/upstream/overlays/kubeflow # Katib @@ -35,9 +35,9 @@ resources: - ../apps/centraldashboard/upstream/overlays/kserve # Admission Webhook - ../apps/admission-webhook/upstream/overlays/cert-manager -# Notebook Controller -- ../apps/jupyter/jupyter-web-app/upstream/overlays/istio # Jupyter Web App +- ../apps/jupyter/jupyter-web-app/upstream/overlays/istio +# Notebook Controller - ../apps/jupyter/notebook-controller/upstream/overlays/kubeflow # Profiles + KFAM - ../apps/profiles/upstream/overlays/kubeflow diff --git a/hack/setup-kubeflow-light.sh b/hack/setup-kubeflow-light.sh index 417e184f15..5556f47b2a 100755 --- a/hack/setup-kubeflow-light.sh +++ b/hack/setup-kubeflow-light.sh @@ -14,7 +14,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -# This shell script is used to setup Katib deployment. +# This shell script is used to setup Kubeflow deployment. set -euo pipefail TIMEOUT=600s # 10mins @@ -58,7 +58,7 @@ kubectl wait --timeout=${TIMEOUT} -n knative-serving --all --for=condition=Ready echo "Deploying KFP." function install_kfp { - kustomize build apps/pipeline/upstream/env/platform-agnostic-multi-user | kubectl apply -f - --validate=false + kustomize build apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user | kubectl apply -f - --validate=false } while ! install_kfp; diff --git a/tests/README.md b/tests/README.md index ad8c8f801a..e0804b6ee8 100644 --- a/tests/README.md +++ b/tests/README.md @@ -4,7 +4,7 @@ There are 2 goals for the e2e tests: 1. Verify that core components can be applied and become Ready -2. Virify that core CRDs can be created and succeed +2. Verify that core CRDs can be created and succeed ### Components