From e2ae7bc2d4acf73190e86d6b99c2b1b3aee5b0d1 Mon Sep 17 00:00:00 2001 From: Steakley Date: Fri, 24 Feb 2023 09:57:31 -0800 Subject: [PATCH 01/13] kustomize manifests for irsa --- .../s3-static/aws-configuration-patch.yaml | 61 +++ awsconfigs/apps/pipeline/s3-static/config | 20 + .../pipeline/s3-static/deployment_patch.yaml | 16 + .../s3-static/disable-default-secret.yaml | 6 + .../disable-minio-server-resources.yaml | 20 + .../pipeline/s3-static/kustomization.yaml | 41 ++ awsconfigs/apps/pipeline/s3-static/params.env | 3 + awsconfigs/apps/pipeline/s3-static/sync.py | 423 ++++++++++++++++++ .../s3-static/viewer-pod-template.json | 37 ++ awsconfigs/apps/pipeline/s3/config | 9 +- .../pipeline/s3/disable-default-secret.yaml | 8 +- .../s3/disable-minio-server-resources.yaml | 2 +- 12 files changed, 636 insertions(+), 10 deletions(-) create mode 100644 awsconfigs/apps/pipeline/s3-static/aws-configuration-patch.yaml create mode 100644 awsconfigs/apps/pipeline/s3-static/config create mode 100644 awsconfigs/apps/pipeline/s3-static/deployment_patch.yaml create mode 100644 awsconfigs/apps/pipeline/s3-static/disable-default-secret.yaml create mode 100644 awsconfigs/apps/pipeline/s3-static/disable-minio-server-resources.yaml create mode 100644 awsconfigs/apps/pipeline/s3-static/kustomization.yaml create mode 100644 awsconfigs/apps/pipeline/s3-static/params.env create mode 100644 awsconfigs/apps/pipeline/s3-static/sync.py create mode 100644 awsconfigs/apps/pipeline/s3-static/viewer-pod-template.json diff --git a/awsconfigs/apps/pipeline/s3-static/aws-configuration-patch.yaml b/awsconfigs/apps/pipeline/s3-static/aws-configuration-patch.yaml new file mode 100644 index 0000000000..d008e3bc76 --- /dev/null +++ b/awsconfigs/apps/pipeline/s3-static/aws-configuration-patch.yaml @@ -0,0 +1,61 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ml-pipeline-ui +spec: + template: + metadata: + labels: + app: ml-pipeline-ui + spec: + volumes: + - name: config-volume + configMap: + name: ml-pipeline-ui-configmap + containers: + - name: ml-pipeline-ui + env: + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: accesskey + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: secretkey + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ml-pipeline +spec: + template: + metadata: + labels: + app: ml-pipeline + spec: + containers: + - env: + - name: OBJECTSTORECONFIG_SECURE + value: "true" + - name: OBJECTSTORECONFIG_BUCKETNAME + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: bucketName + - name: OBJECTSTORECONFIG_HOST + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: minioServiceHost + - name: OBJECTSTORECONFIG_REGION + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: minioServiceRegion + - name: OBJECTSTORECONFIG_PORT + value: "" + name: ml-pipeline-api-server \ No newline at end of file diff --git a/awsconfigs/apps/pipeline/s3-static/config b/awsconfigs/apps/pipeline/s3-static/config new file mode 100644 index 0000000000..8b1a1f15a8 --- /dev/null +++ b/awsconfigs/apps/pipeline/s3-static/config @@ -0,0 +1,20 @@ +{ +artifactRepository: +{ + s3: { + bucket: $(kfp-artifact-bucket-name), + keyPrefix: artifacts, + endpoint: $(kfp-artifact-storage-endpoint), + insecure: false, + accessKeySecret: { + name: mlpipeline-minio-artifact, + key: accesskey + }, + secretKeySecret: { + name: mlpipeline-minio-artifact, + key: secretkey + } + }, + archiveLogs: true +} +} diff --git a/awsconfigs/apps/pipeline/s3-static/deployment_patch.yaml b/awsconfigs/apps/pipeline/s3-static/deployment_patch.yaml new file mode 100644 index 0000000000..39d8e457db --- /dev/null +++ b/awsconfigs/apps/pipeline/s3-static/deployment_patch.yaml @@ -0,0 +1,16 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kubeflow-pipelines-profile-controller +spec: + replicas: 1 + template: + spec: + containers: + - name: profile-controller + env: + - name: MINIO_SERVICE_REGION + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: minioServiceRegion \ No newline at end of file diff --git a/awsconfigs/apps/pipeline/s3-static/disable-default-secret.yaml b/awsconfigs/apps/pipeline/s3-static/disable-default-secret.yaml new file mode 100644 index 0000000000..5d8619622b --- /dev/null +++ b/awsconfigs/apps/pipeline/s3-static/disable-default-secret.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Secret +metadata: + name: mlpipeline-minio-artifact +$patch: delete + diff --git a/awsconfigs/apps/pipeline/s3-static/disable-minio-server-resources.yaml b/awsconfigs/apps/pipeline/s3-static/disable-minio-server-resources.yaml new file mode 100644 index 0000000000..5563083614 --- /dev/null +++ b/awsconfigs/apps/pipeline/s3-static/disable-minio-server-resources.yaml @@ -0,0 +1,20 @@ +$patch: delete +apiVersion: apps/v1 +kind: Deployment +metadata: + name: minio + namespace: kubeflow +--- +$patch: delete +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: minio-pvc + namespace: kubeflow +--- +$patch: delete +apiVersion: v1 +kind: Service +metadata: + name: minio-service + namespace: kubeflow diff --git a/awsconfigs/apps/pipeline/s3-static/kustomization.yaml b/awsconfigs/apps/pipeline/s3-static/kustomization.yaml new file mode 100644 index 0000000000..9aa678851a --- /dev/null +++ b/awsconfigs/apps/pipeline/s3-static/kustomization.yaml @@ -0,0 +1,41 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +bases: +- ../base +configMapGenerator: +- name: pipeline-install-config + env: params.env + behavior: merge +- name: workflow-controller-configmap + behavior: replace + files: + - config +- name: ml-pipeline-ui-configmap + behavior: replace + files: + - viewer-pod-template.json +- name: kubeflow-pipelines-profile-controller-code + behavior: replace + files: + - sync.py +generatorOptions: + disableNameSuffixHash: true +patchesStrategicMerge: +- disable-minio-server-resources.yaml +- deployment_patch.yaml +- disable-default-secret.yaml +- aws-configuration-patch.yaml +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. +commonLabels: + application-crd-id: kubeflow-pipelines +vars: +- name: kfp-artifact-storage-endpoint + objref: + kind: ConfigMap + name: pipeline-install-config + apiVersion: v1 + fieldref: + fieldpath: data.minioServiceHost diff --git a/awsconfigs/apps/pipeline/s3-static/params.env b/awsconfigs/apps/pipeline/s3-static/params.env new file mode 100644 index 0000000000..cf4f4b637d --- /dev/null +++ b/awsconfigs/apps/pipeline/s3-static/params.env @@ -0,0 +1,3 @@ +bucketName= +minioServiceHost=s3.amazonaws.com +minioServiceRegion= diff --git a/awsconfigs/apps/pipeline/s3-static/sync.py b/awsconfigs/apps/pipeline/s3-static/sync.py new file mode 100644 index 0000000000..cd099f4a14 --- /dev/null +++ b/awsconfigs/apps/pipeline/s3-static/sync.py @@ -0,0 +1,423 @@ +# Copyright 2020-2021 The Kubeflow Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from http.server import BaseHTTPRequestHandler, HTTPServer +import json +import os +import base64 + + +def main(): + settings = get_settings_from_env() + server = server_factory(**settings) + server.serve_forever() + + +def get_settings_from_env(controller_port=None, + visualization_server_image=None, frontend_image=None, + visualization_server_tag=None, frontend_tag=None, disable_istio_sidecar=None, + minio_access_key=None, minio_secret_key=None, minio_service_region=None, kfp_default_pipeline_root=None): + """ + Returns a dict of settings from environment variables relevant to the controller + + Environment settings can be overridden by passing them here as arguments. + + Settings are pulled from the all-caps version of the setting name. The + following defaults are used if those environment variables are not set + to enable backwards compatibility with previous versions of this script: + visualization_server_image: gcr.io/ml-pipeline/visualization-server + visualization_server_tag: value of KFP_VERSION environment variable + frontend_image: gcr.io/ml-pipeline/frontend + frontend_tag: value of KFP_VERSION environment variable + disable_istio_sidecar: Required (no default) + minio_access_key: Required (no default) + minio_secret_key: Required (no default) + """ + settings = dict() + settings["controller_port"] = \ + controller_port or \ + os.environ.get("CONTROLLER_PORT", "8080") + + settings["visualization_server_image"] = \ + visualization_server_image or \ + os.environ.get("VISUALIZATION_SERVER_IMAGE", "gcr.io/ml-pipeline/visualization-server") + + settings["frontend_image"] = \ + frontend_image or \ + os.environ.get("FRONTEND_IMAGE", "gcr.io/ml-pipeline/frontend") + + # Look for specific tags for each image first, falling back to + # previously used KFP_VERSION environment variable for backwards + # compatibility + settings["visualization_server_tag"] = \ + visualization_server_tag or \ + os.environ.get("VISUALIZATION_SERVER_TAG") or \ + os.environ["KFP_VERSION"] + + settings["frontend_tag"] = \ + frontend_tag or \ + os.environ.get("FRONTEND_TAG") or \ + os.environ["KFP_VERSION"] + + settings["disable_istio_sidecar"] = \ + disable_istio_sidecar if disable_istio_sidecar is not None \ + else os.environ.get("DISABLE_ISTIO_SIDECAR") == "true" + + settings["minio_access_key"] = \ + minio_access_key or \ + base64.b64encode(bytes(os.environ.get("MINIO_ACCESS_KEY"), 'utf-8')).decode('utf-8') + + settings["minio_secret_key"] = \ + minio_secret_key or \ + base64.b64encode(bytes(os.environ.get("MINIO_SECRET_KEY"), 'utf-8')).decode('utf-8') + + settings["minio_service_region"] = \ + minio_service_region or \ + os.environ.get("MINIO_SERVICE_REGION", "us-east-1") + + + # KFP_DEFAULT_PIPELINE_ROOT is optional + settings["kfp_default_pipeline_root"] = \ + kfp_default_pipeline_root or \ + os.environ.get("KFP_DEFAULT_PIPELINE_ROOT") + + return settings + + +def server_factory(visualization_server_image, + visualization_server_tag, frontend_image, frontend_tag, + disable_istio_sidecar, minio_access_key, + minio_secret_key, minio_service_region, kfp_default_pipeline_root=None, + url="", controller_port=8080): + """ + Returns an HTTPServer populated with Handler with customized settings + """ + class Controller(BaseHTTPRequestHandler): + def sync(self, parent, children): + # parent is a namespace + namespace = parent.get("metadata", {}).get("name") + + pipeline_enabled = parent.get("metadata", {}).get( + "labels", {}).get("pipelines.kubeflow.org/enabled") + + if pipeline_enabled != "true": + return {"status": {}, "children": []} + + desired_configmap_count = 1 + desired_resources = [] + if kfp_default_pipeline_root: + desired_configmap_count = 2 + desired_resources += [{ + "apiVersion": "v1", + "kind": "ConfigMap", + "metadata": { + "name": "kfp-launcher", + "namespace": namespace, + }, + "data": { + "defaultPipelineRoot": kfp_default_pipeline_root, + }, + }] + + + # Compute status based on observed state. + desired_status = { + "kubeflow-pipelines-ready": + len(children["Secret.v1"]) == 1 and + len(children["ConfigMap.v1"]) == desired_configmap_count and + len(children["Deployment.apps/v1"]) == 2 and + len(children["Service.v1"]) == 2 and + len(children["DestinationRule.networking.istio.io/v1alpha3"]) == 1 and + len(children["AuthorizationPolicy.security.istio.io/v1beta1"]) == 1 and + "True" or "False" + } + + # Generate the desired child object(s). + desired_resources += [ + { + "apiVersion": "v1", + "kind": "ConfigMap", + "metadata": { + "name": "metadata-grpc-configmap", + "namespace": namespace, + }, + "data": { + "METADATA_GRPC_SERVICE_HOST": + "metadata-grpc-service.kubeflow", + "METADATA_GRPC_SERVICE_PORT": "8080", + }, + }, + # Visualization server related manifests below + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "ml-pipeline-visualizationserver" + }, + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "selector": { + "matchLabels": { + "app": "ml-pipeline-visualizationserver" + }, + }, + "template": { + "metadata": { + "labels": { + "app": "ml-pipeline-visualizationserver" + }, + "annotations": disable_istio_sidecar and { + "sidecar.istio.io/inject": "false" + } or {}, + }, + "spec": { + "containers": [{ + "image": f"{visualization_server_image}:{visualization_server_tag}", + "imagePullPolicy": + "IfNotPresent", + "name": + "ml-pipeline-visualizationserver", + "ports": [{ + "containerPort": 8888 + }], + "resources": { + "requests": { + "cpu": "50m", + "memory": "200Mi" + }, + "limits": { + "cpu": "500m", + "memory": "1Gi" + }, + } + }], + "serviceAccountName": + "default-editor", + }, + }, + }, + }, + { + "apiVersion": "networking.istio.io/v1alpha3", + "kind": "DestinationRule", + "metadata": { + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "host": "ml-pipeline-visualizationserver", + "trafficPolicy": { + "tls": { + "mode": "ISTIO_MUTUAL" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "selector": { + "matchLabels": { + "app": "ml-pipeline-visualizationserver" + } + }, + "rules": [{ + "from": [{ + "source": { + "principals": ["cluster.local/ns/kubeflow/sa/ml-pipeline"] + } + }] + }] + } + }, + { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "ports": [{ + "name": "http", + "port": 8888, + "protocol": "TCP", + "targetPort": 8888, + }], + "selector": { + "app": "ml-pipeline-visualizationserver", + }, + }, + }, + # Artifact fetcher related resources below. + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "ml-pipeline-ui-artifact" + }, + "name": "ml-pipeline-ui-artifact", + "namespace": namespace, + }, + "spec": { + "selector": { + "matchLabels": { + "app": "ml-pipeline-ui-artifact" + } + }, + "template": { + "metadata": { + "labels": { + "app": "ml-pipeline-ui-artifact" + }, + "annotations": disable_istio_sidecar and { + "sidecar.istio.io/inject": "false" + } or {}, + }, + "spec": { + "containers": [{ + "name": + "ml-pipeline-ui-artifact", + "image": f"public.ecr.aws/g0g3n5n9/minio-go-update:jan18", + "imagePullPolicy": + "IfNotPresent", + "ports": [{ + "containerPort": 3000 + }], + "env": [ + { + "name": "MINIO_ACCESS_KEY", + "valueFrom": { + "secretKeyRef": { + "key": "accesskey", + "name": "mlpipeline-minio-artifact" + } + } + }, + { + "name": "MINIO_SECRET_KEY", + "valueFrom": { + "secretKeyRef": { + "key": "secretkey", + "name": "mlpipeline-minio-artifact" + } + } + }, + { + "name": "AWS_ACCESS_KEY_ID", + "valueFrom": { + "secretKeyRef": { + "key": "accesskey", + "name": "mlpipeline-minio-artifact" + } + } + }, + { + "name": "AWS_SECRET_ACCESS_KEY", + "valueFrom": { + "secretKeyRef": { + "key": "secretkey", + "name": "mlpipeline-minio-artifact" + } + } + }, + { + "name": "AWS_REGION", + "value": f"{minio_service_region}" + }, + ], + "resources": { + "requests": { + "cpu": "10m", + "memory": "70Mi" + }, + "limits": { + "cpu": "100m", + "memory": "500Mi" + }, + } + }], + "serviceAccountName": + "default-editor" + } + } + } + }, + { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "ml-pipeline-ui-artifact", + "namespace": namespace, + "labels": { + "app": "ml-pipeline-ui-artifact" + } + }, + "spec": { + "ports": [{ + "name": + "http", # name is required to let istio understand request protocol + "port": 80, + "protocol": "TCP", + "targetPort": 3000 + }], + "selector": { + "app": "ml-pipeline-ui-artifact" + } + } + }, + ] + print('Received request:\n', json.dumps(parent, sort_keys=True)) + print('Desired resources except secrets:\n', json.dumps(desired_resources, sort_keys=True)) + # Moved after the print argument because this is sensitive data. + desired_resources.append({ + "apiVersion": "v1", + "kind": "Secret", + "metadata": { + "name": "mlpipeline-minio-artifact", + "namespace": namespace, + }, + "data": { + "accesskey": minio_access_key, + "secretkey": minio_secret_key, + }, + }) + + return {"status": desired_status, "children": desired_resources} + + def do_POST(self): + # Serve the sync() function as a JSON webhook. + observed = json.loads( + self.rfile.read(int(self.headers.get("content-length")))) + desired = self.sync(observed["parent"], observed["children"]) + + self.send_response(200) + self.send_header("Content-type", "application/json") + self.end_headers() + self.wfile.write(bytes(json.dumps(desired), 'utf-8')) + + return HTTPServer((url, int(controller_port)), Controller) + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/awsconfigs/apps/pipeline/s3-static/viewer-pod-template.json b/awsconfigs/apps/pipeline/s3-static/viewer-pod-template.json new file mode 100644 index 0000000000..5cce566794 --- /dev/null +++ b/awsconfigs/apps/pipeline/s3-static/viewer-pod-template.json @@ -0,0 +1,37 @@ +{ + "spec": { + "containers": [ + { + "env": [ + { + "name": "AWS_ACCESS_KEY_ID", + "valueFrom": { + "secretKeyRef": { + "name": "mlpipeline-minio-artifact", + "key": "accesskey" + } + } + }, + { + "name": "AWS_SECRET_ACCESS_KEY", + "valueFrom": { + "secretKeyRef": { + "name": "mlpipeline-minio-artifact", + "key": "secretkey" + } + } + }, + { + "name": "AWS_REGION", + "valueFrom": { + "configMapKeyRef": { + "name": "pipeline-install-config", + "key": "minioServiceRegion" + } + } + } + ] + } + ] + } +} \ No newline at end of file diff --git a/awsconfigs/apps/pipeline/s3/config b/awsconfigs/apps/pipeline/s3/config index 8b1a1f15a8..2bc8b48fe3 100644 --- a/awsconfigs/apps/pipeline/s3/config +++ b/awsconfigs/apps/pipeline/s3/config @@ -6,14 +6,7 @@ artifactRepository: keyPrefix: artifacts, endpoint: $(kfp-artifact-storage-endpoint), insecure: false, - accessKeySecret: { - name: mlpipeline-minio-artifact, - key: accesskey - }, - secretKeySecret: { - name: mlpipeline-minio-artifact, - key: secretkey - } + useSDKCreds: true, }, archiveLogs: true } diff --git a/awsconfigs/apps/pipeline/s3/disable-default-secret.yaml b/awsconfigs/apps/pipeline/s3/disable-default-secret.yaml index e50be27e15..3ec1143b5a 100644 --- a/awsconfigs/apps/pipeline/s3/disable-default-secret.yaml +++ b/awsconfigs/apps/pipeline/s3/disable-default-secret.yaml @@ -1,5 +1,11 @@ apiVersion: v1 kind: Secret metadata: + labels: + application-crd-id: kubeflow-pipelines name: mlpipeline-minio-artifact -$patch: delete \ No newline at end of file + namespace: kubeflow +stringData: + accesskey: "" + secretkey: "" +$patch: replace diff --git a/awsconfigs/apps/pipeline/s3/disable-minio-server-resources.yaml b/awsconfigs/apps/pipeline/s3/disable-minio-server-resources.yaml index 5563083614..e7c28129a3 100644 --- a/awsconfigs/apps/pipeline/s3/disable-minio-server-resources.yaml +++ b/awsconfigs/apps/pipeline/s3/disable-minio-server-resources.yaml @@ -17,4 +17,4 @@ apiVersion: v1 kind: Service metadata: name: minio-service - namespace: kubeflow + namespace: kubeflow \ No newline at end of file From f91e85359a4f02c865b8dd25d798c8c1b43f27ad Mon Sep 17 00:00:00 2001 From: Steakley Date: Wed, 1 Mar 2023 19:51:52 -0800 Subject: [PATCH 02/13] add service-account yaml --- awsconfigs/apps/pipeline/s3/kustomization.yaml | 1 + awsconfigs/apps/pipeline/s3/service-account.yaml | 7 +++++++ 2 files changed, 8 insertions(+) create mode 100644 awsconfigs/apps/pipeline/s3/service-account.yaml diff --git a/awsconfigs/apps/pipeline/s3/kustomization.yaml b/awsconfigs/apps/pipeline/s3/kustomization.yaml index 9aa678851a..5b91391d38 100644 --- a/awsconfigs/apps/pipeline/s3/kustomization.yaml +++ b/awsconfigs/apps/pipeline/s3/kustomization.yaml @@ -25,6 +25,7 @@ patchesStrategicMerge: - disable-minio-server-resources.yaml - deployment_patch.yaml - disable-default-secret.yaml +- service-account.yaml - aws-configuration-patch.yaml # Identifier for application manager to apply ownerReference. # The ownerReference ensures the resources get garbage collected diff --git a/awsconfigs/apps/pipeline/s3/service-account.yaml b/awsconfigs/apps/pipeline/s3/service-account.yaml new file mode 100644 index 0000000000..92ba950fdb --- /dev/null +++ b/awsconfigs/apps/pipeline/s3/service-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ml-pipeline + namespace: kubeflow + annotations: + eks.amazonaws.com/role-arn: From 0b58b304b10a67ad1a9cad47ea75f82a8264806a Mon Sep 17 00:00:00 2001 From: Steakley Date: Mon, 6 Mar 2023 10:01:42 -0800 Subject: [PATCH 03/13] refactor s3 static directory and manifest --- .../apps/pipeline-static/kustomization.yaml | 14 + .../s3-static => pipeline-static/s3}/config | 0 .../s3}/disable-default-secret.yaml | 0 .../pipeline-static/s3/kustomization.yaml | 14 + .../s3-static/aws-configuration-patch.yaml | 61 --- .../pipeline/s3-static/deployment_patch.yaml | 16 - .../disable-minio-server-resources.yaml | 20 - .../pipeline/s3-static/kustomization.yaml | 41 -- awsconfigs/apps/pipeline/s3-static/params.env | 3 - awsconfigs/apps/pipeline/s3-static/sync.py | 423 ------------------ .../s3-static/viewer-pod-template.json | 37 -- 11 files changed, 28 insertions(+), 601 deletions(-) create mode 100644 awsconfigs/apps/pipeline-static/kustomization.yaml rename awsconfigs/apps/{pipeline/s3-static => pipeline-static/s3}/config (100%) rename awsconfigs/apps/{pipeline/s3-static => pipeline-static/s3}/disable-default-secret.yaml (100%) create mode 100644 awsconfigs/apps/pipeline-static/s3/kustomization.yaml delete mode 100644 awsconfigs/apps/pipeline/s3-static/aws-configuration-patch.yaml delete mode 100644 awsconfigs/apps/pipeline/s3-static/deployment_patch.yaml delete mode 100644 awsconfigs/apps/pipeline/s3-static/disable-minio-server-resources.yaml delete mode 100644 awsconfigs/apps/pipeline/s3-static/kustomization.yaml delete mode 100644 awsconfigs/apps/pipeline/s3-static/params.env delete mode 100644 awsconfigs/apps/pipeline/s3-static/sync.py delete mode 100644 awsconfigs/apps/pipeline/s3-static/viewer-pod-template.json diff --git a/awsconfigs/apps/pipeline-static/kustomization.yaml b/awsconfigs/apps/pipeline-static/kustomization.yaml new file mode 100644 index 0000000000..076e90fcdd --- /dev/null +++ b/awsconfigs/apps/pipeline-static/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +bases: +- ../pipeline/ +configMapGenerator: +- name: workflow-controller-configmap + behavior: replace + files: + - ./s3/config +generatorOptions: + disableNameSuffixHash: true +patchesStrategicMerge: +- ./s3/disable-default-secret.yaml diff --git a/awsconfigs/apps/pipeline/s3-static/config b/awsconfigs/apps/pipeline-static/s3/config similarity index 100% rename from awsconfigs/apps/pipeline/s3-static/config rename to awsconfigs/apps/pipeline-static/s3/config diff --git a/awsconfigs/apps/pipeline/s3-static/disable-default-secret.yaml b/awsconfigs/apps/pipeline-static/s3/disable-default-secret.yaml similarity index 100% rename from awsconfigs/apps/pipeline/s3-static/disable-default-secret.yaml rename to awsconfigs/apps/pipeline-static/s3/disable-default-secret.yaml diff --git a/awsconfigs/apps/pipeline-static/s3/kustomization.yaml b/awsconfigs/apps/pipeline-static/s3/kustomization.yaml new file mode 100644 index 0000000000..b9edc18272 --- /dev/null +++ b/awsconfigs/apps/pipeline-static/s3/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +bases: +- ../../pipeline/s3/ +configMapGenerator: +- name: workflow-controller-configmap + behavior: replace + files: + - config +generatorOptions: + disableNameSuffixHash: true +patchesStrategicMerge: +- disable-default-secret.yaml \ No newline at end of file diff --git a/awsconfigs/apps/pipeline/s3-static/aws-configuration-patch.yaml b/awsconfigs/apps/pipeline/s3-static/aws-configuration-patch.yaml deleted file mode 100644 index d008e3bc76..0000000000 --- a/awsconfigs/apps/pipeline/s3-static/aws-configuration-patch.yaml +++ /dev/null @@ -1,61 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ml-pipeline-ui -spec: - template: - metadata: - labels: - app: ml-pipeline-ui - spec: - volumes: - - name: config-volume - configMap: - name: ml-pipeline-ui-configmap - containers: - - name: ml-pipeline-ui - env: - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: mlpipeline-minio-artifact - key: accesskey - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: mlpipeline-minio-artifact - key: secretkey - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ml-pipeline -spec: - template: - metadata: - labels: - app: ml-pipeline - spec: - containers: - - env: - - name: OBJECTSTORECONFIG_SECURE - value: "true" - - name: OBJECTSTORECONFIG_BUCKETNAME - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: bucketName - - name: OBJECTSTORECONFIG_HOST - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: minioServiceHost - - name: OBJECTSTORECONFIG_REGION - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: minioServiceRegion - - name: OBJECTSTORECONFIG_PORT - value: "" - name: ml-pipeline-api-server \ No newline at end of file diff --git a/awsconfigs/apps/pipeline/s3-static/deployment_patch.yaml b/awsconfigs/apps/pipeline/s3-static/deployment_patch.yaml deleted file mode 100644 index 39d8e457db..0000000000 --- a/awsconfigs/apps/pipeline/s3-static/deployment_patch.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kubeflow-pipelines-profile-controller -spec: - replicas: 1 - template: - spec: - containers: - - name: profile-controller - env: - - name: MINIO_SERVICE_REGION - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: minioServiceRegion \ No newline at end of file diff --git a/awsconfigs/apps/pipeline/s3-static/disable-minio-server-resources.yaml b/awsconfigs/apps/pipeline/s3-static/disable-minio-server-resources.yaml deleted file mode 100644 index 5563083614..0000000000 --- a/awsconfigs/apps/pipeline/s3-static/disable-minio-server-resources.yaml +++ /dev/null @@ -1,20 +0,0 @@ -$patch: delete -apiVersion: apps/v1 -kind: Deployment -metadata: - name: minio - namespace: kubeflow ---- -$patch: delete -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: minio-pvc - namespace: kubeflow ---- -$patch: delete -apiVersion: v1 -kind: Service -metadata: - name: minio-service - namespace: kubeflow diff --git a/awsconfigs/apps/pipeline/s3-static/kustomization.yaml b/awsconfigs/apps/pipeline/s3-static/kustomization.yaml deleted file mode 100644 index 9aa678851a..0000000000 --- a/awsconfigs/apps/pipeline/s3-static/kustomization.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: kubeflow -bases: -- ../base -configMapGenerator: -- name: pipeline-install-config - env: params.env - behavior: merge -- name: workflow-controller-configmap - behavior: replace - files: - - config -- name: ml-pipeline-ui-configmap - behavior: replace - files: - - viewer-pod-template.json -- name: kubeflow-pipelines-profile-controller-code - behavior: replace - files: - - sync.py -generatorOptions: - disableNameSuffixHash: true -patchesStrategicMerge: -- disable-minio-server-resources.yaml -- deployment_patch.yaml -- disable-default-secret.yaml -- aws-configuration-patch.yaml -# Identifier for application manager to apply ownerReference. -# The ownerReference ensures the resources get garbage collected -# when application is deleted. -commonLabels: - application-crd-id: kubeflow-pipelines -vars: -- name: kfp-artifact-storage-endpoint - objref: - kind: ConfigMap - name: pipeline-install-config - apiVersion: v1 - fieldref: - fieldpath: data.minioServiceHost diff --git a/awsconfigs/apps/pipeline/s3-static/params.env b/awsconfigs/apps/pipeline/s3-static/params.env deleted file mode 100644 index cf4f4b637d..0000000000 --- a/awsconfigs/apps/pipeline/s3-static/params.env +++ /dev/null @@ -1,3 +0,0 @@ -bucketName= -minioServiceHost=s3.amazonaws.com -minioServiceRegion= diff --git a/awsconfigs/apps/pipeline/s3-static/sync.py b/awsconfigs/apps/pipeline/s3-static/sync.py deleted file mode 100644 index cd099f4a14..0000000000 --- a/awsconfigs/apps/pipeline/s3-static/sync.py +++ /dev/null @@ -1,423 +0,0 @@ -# Copyright 2020-2021 The Kubeflow Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from http.server import BaseHTTPRequestHandler, HTTPServer -import json -import os -import base64 - - -def main(): - settings = get_settings_from_env() - server = server_factory(**settings) - server.serve_forever() - - -def get_settings_from_env(controller_port=None, - visualization_server_image=None, frontend_image=None, - visualization_server_tag=None, frontend_tag=None, disable_istio_sidecar=None, - minio_access_key=None, minio_secret_key=None, minio_service_region=None, kfp_default_pipeline_root=None): - """ - Returns a dict of settings from environment variables relevant to the controller - - Environment settings can be overridden by passing them here as arguments. - - Settings are pulled from the all-caps version of the setting name. The - following defaults are used if those environment variables are not set - to enable backwards compatibility with previous versions of this script: - visualization_server_image: gcr.io/ml-pipeline/visualization-server - visualization_server_tag: value of KFP_VERSION environment variable - frontend_image: gcr.io/ml-pipeline/frontend - frontend_tag: value of KFP_VERSION environment variable - disable_istio_sidecar: Required (no default) - minio_access_key: Required (no default) - minio_secret_key: Required (no default) - """ - settings = dict() - settings["controller_port"] = \ - controller_port or \ - os.environ.get("CONTROLLER_PORT", "8080") - - settings["visualization_server_image"] = \ - visualization_server_image or \ - os.environ.get("VISUALIZATION_SERVER_IMAGE", "gcr.io/ml-pipeline/visualization-server") - - settings["frontend_image"] = \ - frontend_image or \ - os.environ.get("FRONTEND_IMAGE", "gcr.io/ml-pipeline/frontend") - - # Look for specific tags for each image first, falling back to - # previously used KFP_VERSION environment variable for backwards - # compatibility - settings["visualization_server_tag"] = \ - visualization_server_tag or \ - os.environ.get("VISUALIZATION_SERVER_TAG") or \ - os.environ["KFP_VERSION"] - - settings["frontend_tag"] = \ - frontend_tag or \ - os.environ.get("FRONTEND_TAG") or \ - os.environ["KFP_VERSION"] - - settings["disable_istio_sidecar"] = \ - disable_istio_sidecar if disable_istio_sidecar is not None \ - else os.environ.get("DISABLE_ISTIO_SIDECAR") == "true" - - settings["minio_access_key"] = \ - minio_access_key or \ - base64.b64encode(bytes(os.environ.get("MINIO_ACCESS_KEY"), 'utf-8')).decode('utf-8') - - settings["minio_secret_key"] = \ - minio_secret_key or \ - base64.b64encode(bytes(os.environ.get("MINIO_SECRET_KEY"), 'utf-8')).decode('utf-8') - - settings["minio_service_region"] = \ - minio_service_region or \ - os.environ.get("MINIO_SERVICE_REGION", "us-east-1") - - - # KFP_DEFAULT_PIPELINE_ROOT is optional - settings["kfp_default_pipeline_root"] = \ - kfp_default_pipeline_root or \ - os.environ.get("KFP_DEFAULT_PIPELINE_ROOT") - - return settings - - -def server_factory(visualization_server_image, - visualization_server_tag, frontend_image, frontend_tag, - disable_istio_sidecar, minio_access_key, - minio_secret_key, minio_service_region, kfp_default_pipeline_root=None, - url="", controller_port=8080): - """ - Returns an HTTPServer populated with Handler with customized settings - """ - class Controller(BaseHTTPRequestHandler): - def sync(self, parent, children): - # parent is a namespace - namespace = parent.get("metadata", {}).get("name") - - pipeline_enabled = parent.get("metadata", {}).get( - "labels", {}).get("pipelines.kubeflow.org/enabled") - - if pipeline_enabled != "true": - return {"status": {}, "children": []} - - desired_configmap_count = 1 - desired_resources = [] - if kfp_default_pipeline_root: - desired_configmap_count = 2 - desired_resources += [{ - "apiVersion": "v1", - "kind": "ConfigMap", - "metadata": { - "name": "kfp-launcher", - "namespace": namespace, - }, - "data": { - "defaultPipelineRoot": kfp_default_pipeline_root, - }, - }] - - - # Compute status based on observed state. - desired_status = { - "kubeflow-pipelines-ready": - len(children["Secret.v1"]) == 1 and - len(children["ConfigMap.v1"]) == desired_configmap_count and - len(children["Deployment.apps/v1"]) == 2 and - len(children["Service.v1"]) == 2 and - len(children["DestinationRule.networking.istio.io/v1alpha3"]) == 1 and - len(children["AuthorizationPolicy.security.istio.io/v1beta1"]) == 1 and - "True" or "False" - } - - # Generate the desired child object(s). - desired_resources += [ - { - "apiVersion": "v1", - "kind": "ConfigMap", - "metadata": { - "name": "metadata-grpc-configmap", - "namespace": namespace, - }, - "data": { - "METADATA_GRPC_SERVICE_HOST": - "metadata-grpc-service.kubeflow", - "METADATA_GRPC_SERVICE_PORT": "8080", - }, - }, - # Visualization server related manifests below - { - "apiVersion": "apps/v1", - "kind": "Deployment", - "metadata": { - "labels": { - "app": "ml-pipeline-visualizationserver" - }, - "name": "ml-pipeline-visualizationserver", - "namespace": namespace, - }, - "spec": { - "selector": { - "matchLabels": { - "app": "ml-pipeline-visualizationserver" - }, - }, - "template": { - "metadata": { - "labels": { - "app": "ml-pipeline-visualizationserver" - }, - "annotations": disable_istio_sidecar and { - "sidecar.istio.io/inject": "false" - } or {}, - }, - "spec": { - "containers": [{ - "image": f"{visualization_server_image}:{visualization_server_tag}", - "imagePullPolicy": - "IfNotPresent", - "name": - "ml-pipeline-visualizationserver", - "ports": [{ - "containerPort": 8888 - }], - "resources": { - "requests": { - "cpu": "50m", - "memory": "200Mi" - }, - "limits": { - "cpu": "500m", - "memory": "1Gi" - }, - } - }], - "serviceAccountName": - "default-editor", - }, - }, - }, - }, - { - "apiVersion": "networking.istio.io/v1alpha3", - "kind": "DestinationRule", - "metadata": { - "name": "ml-pipeline-visualizationserver", - "namespace": namespace, - }, - "spec": { - "host": "ml-pipeline-visualizationserver", - "trafficPolicy": { - "tls": { - "mode": "ISTIO_MUTUAL" - } - } - } - }, - { - "apiVersion": "security.istio.io/v1beta1", - "kind": "AuthorizationPolicy", - "metadata": { - "name": "ml-pipeline-visualizationserver", - "namespace": namespace, - }, - "spec": { - "selector": { - "matchLabels": { - "app": "ml-pipeline-visualizationserver" - } - }, - "rules": [{ - "from": [{ - "source": { - "principals": ["cluster.local/ns/kubeflow/sa/ml-pipeline"] - } - }] - }] - } - }, - { - "apiVersion": "v1", - "kind": "Service", - "metadata": { - "name": "ml-pipeline-visualizationserver", - "namespace": namespace, - }, - "spec": { - "ports": [{ - "name": "http", - "port": 8888, - "protocol": "TCP", - "targetPort": 8888, - }], - "selector": { - "app": "ml-pipeline-visualizationserver", - }, - }, - }, - # Artifact fetcher related resources below. - { - "apiVersion": "apps/v1", - "kind": "Deployment", - "metadata": { - "labels": { - "app": "ml-pipeline-ui-artifact" - }, - "name": "ml-pipeline-ui-artifact", - "namespace": namespace, - }, - "spec": { - "selector": { - "matchLabels": { - "app": "ml-pipeline-ui-artifact" - } - }, - "template": { - "metadata": { - "labels": { - "app": "ml-pipeline-ui-artifact" - }, - "annotations": disable_istio_sidecar and { - "sidecar.istio.io/inject": "false" - } or {}, - }, - "spec": { - "containers": [{ - "name": - "ml-pipeline-ui-artifact", - "image": f"public.ecr.aws/g0g3n5n9/minio-go-update:jan18", - "imagePullPolicy": - "IfNotPresent", - "ports": [{ - "containerPort": 3000 - }], - "env": [ - { - "name": "MINIO_ACCESS_KEY", - "valueFrom": { - "secretKeyRef": { - "key": "accesskey", - "name": "mlpipeline-minio-artifact" - } - } - }, - { - "name": "MINIO_SECRET_KEY", - "valueFrom": { - "secretKeyRef": { - "key": "secretkey", - "name": "mlpipeline-minio-artifact" - } - } - }, - { - "name": "AWS_ACCESS_KEY_ID", - "valueFrom": { - "secretKeyRef": { - "key": "accesskey", - "name": "mlpipeline-minio-artifact" - } - } - }, - { - "name": "AWS_SECRET_ACCESS_KEY", - "valueFrom": { - "secretKeyRef": { - "key": "secretkey", - "name": "mlpipeline-minio-artifact" - } - } - }, - { - "name": "AWS_REGION", - "value": f"{minio_service_region}" - }, - ], - "resources": { - "requests": { - "cpu": "10m", - "memory": "70Mi" - }, - "limits": { - "cpu": "100m", - "memory": "500Mi" - }, - } - }], - "serviceAccountName": - "default-editor" - } - } - } - }, - { - "apiVersion": "v1", - "kind": "Service", - "metadata": { - "name": "ml-pipeline-ui-artifact", - "namespace": namespace, - "labels": { - "app": "ml-pipeline-ui-artifact" - } - }, - "spec": { - "ports": [{ - "name": - "http", # name is required to let istio understand request protocol - "port": 80, - "protocol": "TCP", - "targetPort": 3000 - }], - "selector": { - "app": "ml-pipeline-ui-artifact" - } - } - }, - ] - print('Received request:\n', json.dumps(parent, sort_keys=True)) - print('Desired resources except secrets:\n', json.dumps(desired_resources, sort_keys=True)) - # Moved after the print argument because this is sensitive data. - desired_resources.append({ - "apiVersion": "v1", - "kind": "Secret", - "metadata": { - "name": "mlpipeline-minio-artifact", - "namespace": namespace, - }, - "data": { - "accesskey": minio_access_key, - "secretkey": minio_secret_key, - }, - }) - - return {"status": desired_status, "children": desired_resources} - - def do_POST(self): - # Serve the sync() function as a JSON webhook. - observed = json.loads( - self.rfile.read(int(self.headers.get("content-length")))) - desired = self.sync(observed["parent"], observed["children"]) - - self.send_response(200) - self.send_header("Content-type", "application/json") - self.end_headers() - self.wfile.write(bytes(json.dumps(desired), 'utf-8')) - - return HTTPServer((url, int(controller_port)), Controller) - - -if __name__ == "__main__": - main() \ No newline at end of file diff --git a/awsconfigs/apps/pipeline/s3-static/viewer-pod-template.json b/awsconfigs/apps/pipeline/s3-static/viewer-pod-template.json deleted file mode 100644 index 5cce566794..0000000000 --- a/awsconfigs/apps/pipeline/s3-static/viewer-pod-template.json +++ /dev/null @@ -1,37 +0,0 @@ -{ - "spec": { - "containers": [ - { - "env": [ - { - "name": "AWS_ACCESS_KEY_ID", - "valueFrom": { - "secretKeyRef": { - "name": "mlpipeline-minio-artifact", - "key": "accesskey" - } - } - }, - { - "name": "AWS_SECRET_ACCESS_KEY", - "valueFrom": { - "secretKeyRef": { - "name": "mlpipeline-minio-artifact", - "key": "secretkey" - } - } - }, - { - "name": "AWS_REGION", - "valueFrom": { - "configMapKeyRef": { - "name": "pipeline-install-config", - "key": "minioServiceRegion" - } - } - } - ] - } - ] - } -} \ No newline at end of file From dfde1030eac4427621c854bd60c7398448589ee5 Mon Sep 17 00:00:00 2001 From: Steakley Date: Mon, 6 Mar 2023 11:13:01 -0800 Subject: [PATCH 04/13] update makefile --- Makefile | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 95deb30d25..902bd2ef3f 100644 --- a/Makefile +++ b/Makefile @@ -93,15 +93,24 @@ bootstrap-ack: verify-cluster-variables connect-to-eks-cluster yq e '.cluster.region=env(CLUSTER_REGION)' -i tests/e2e/utils/ack_sm_controller_bootstrap/config.yaml cd tests/e2e && PYTHONPATH=.. python3.8 utils/ack_sm_controller_bootstrap/setup_sm_controller_req.py +bootstrap-pipelines: verify-cluster-variables connect-to-eks-cluster + yq e '.cluster.name=env(CLUSTER_NAME)' -i tests/e2e/utils/pipelines/config.yaml + yq e '.cluster.region=env(CLUSTER_REGION)' -i tests/e2e/utils/pipelines/config.yaml + cd tests/e2e && PYTHONPATH=.. python3 utils/pipelines/setup_pipelines_irsa.py + cleanup-ack-req: verify-cluster-variables yq e '.cluster.name=env(CLUSTER_NAME)' -i tests/e2e/utils/ack_sm_controller_bootstrap/config.yaml yq e '.cluster.region=env(CLUSTER_REGION)' -i tests/e2e/utils/ack_sm_controller_bootstrap/config.yaml - cd tests/e2e && PYTHONPATH=.. python3.8 utils/ack_sm_controller_bootstrap/cleanup_sm_controller_req.py + cd tests/e2e && PYTHONPATH=.. python3 utils/ack_sm_controller_bootstrap/cleanup_sm_controller_req.py deploy-kubeflow: bootstrap-ack $(eval DEPLOYMENT_OPTION:=vanilla) $(eval INSTALLATION_OPTION:=kustomize) - cd tests/e2e && PYTHONPATH=.. python3.8 utils/kubeflow_installation.py --deployment_option $(DEPLOYMENT_OPTION) --installation_option $(INSTALLATION_OPTION) --cluster_name $(CLUSTER_NAME) + $(eval CREDENTIAL_OPTION:=irsa) + if [ "$(CREDENTIAL_OPTION)" = "irsa" ]; then \ + make bootstrap-pipelines; \ + fi + cd tests/e2e && PYTHONPATH=.. python3 utils/kubeflow_installation.py --deployment_option $(DEPLOYMENT_OPTION) --installation_option $(INSTALLATION_OPTION) --credential_option $(CREDENTIAL_OPTION) --cluster_name $(CLUSTER_NAME) delete-kubeflow: $(eval DEPLOYMENT_OPTION:=vanilla) From 1addc93cdd7aa8071ae0156788a982ba842cfc3a Mon Sep 17 00:00:00 2001 From: Steakley Date: Mon, 6 Mar 2023 11:14:48 -0800 Subject: [PATCH 05/13] update installation file --- tests/e2e/utils/kubeflow_installation.py | 95 ++++++++++++++++++++++-- 1 file changed, 87 insertions(+), 8 deletions(-) diff --git a/tests/e2e/utils/kubeflow_installation.py b/tests/e2e/utils/kubeflow_installation.py index 411c0f4ebe..de0e65ddd4 100644 --- a/tests/e2e/utils/kubeflow_installation.py +++ b/tests/e2e/utils/kubeflow_installation.py @@ -17,7 +17,16 @@ INSTALLATION_CONFIG_RDS_S3 = "./resources/installation_config/rds-s3.yaml" INSTALLATION_CONFIG_RDS_ONLY = "./resources/installation_config/rds-only.yaml" INSTALLATION_CONFIG_S3_ONLY = "./resources/installation_config/s3-only.yaml" -INSTALLATION_CONFIG_COGNITO_RDS_S3 = "./resources/installation_config/cognito-rds-s3.yaml" +INSTALLATION_CONFIG_COGNITO_RDS_S3 = ( + "./resources/installation_config/cognito-rds-s3.yaml" +) +INSTALLATION_CONFIG_S3_ONLY_STATIC = ( + "./resources/installation_config/s3-only-static.yaml" +) +INSTALLATION_CONFIG_RDS_S3_STATIC = "./resources/installation_config/rds-s3-static.yaml" +INSTALLATION_CONFIG_COGNITO_RDS_S3_STATIC = ( + "./resources/installation_config/cognito-rds-s3-static.yaml" +) Install_Sequence = [ @@ -55,7 +64,11 @@ def install_kubeflow( - installation_option, deployment_option, cluster_name, aws_telemetry=True + installation_option, + deployment_option, + cluster_name, + credentials_option, + aws_telemetry=True, ): print(cluster_name) if deployment_option == "vanilla": @@ -70,6 +83,12 @@ def install_kubeflow( installation_config = load_yaml_file(INSTALLATION_CONFIG_S3_ONLY) elif deployment_option == "cognito-rds-s3": installation_config = load_yaml_file(INSTALLATION_CONFIG_COGNITO_RDS_S3) + elif deployment_option == "rds-s3" and credentials_option == "static": + installation_config = load_yaml_file(INSTALLATION_CONFIG_RDS_S3_STATIC) + elif deployment_option == "s3" and credentials_option == "static": + installation_config = load_yaml_file(INSTALLATION_CONFIG_S3_ONLY_STATIC) + elif deployment_option == "cognito-rds-s3" and credentials_option == "static": + installation_config = load_yaml_file(INSTALLATION_CONFIG_COGNITO_RDS_S3_STATIC) print_banner( f"Installing kubeflow {deployment_option} deployment with {installation_option}" @@ -80,7 +99,8 @@ def install_kubeflow( installation_option, component, installation_config, - cluster_name + cluster_name, + credentials_option, ) if aws_telemetry == True: @@ -89,6 +109,7 @@ def install_kubeflow( "aws-telemetry", installation_config, cluster_name, + credentials_option, ) @@ -97,6 +118,7 @@ def install_component( component_name, installation_config, cluster_name, + credentials_option, crd_established=True, ): # component not applicable for deployment option @@ -105,26 +127,52 @@ def install_component( else: print(f"==========Installing {component_name}==========") # remote repo - if "repo"in installation_config[component_name]["installation_options"][installation_option]: + if ( + "repo" + in installation_config[component_name]["installation_options"][ + installation_option + ] + ): install_remote_component(component_name, cluster_name) # local repo else: - installation_paths = installation_config[component_name]["installation_options"][installation_option]["paths"] + installation_paths = installation_config[component_name][ + "installation_options" + ][installation_option]["paths"] # helm if installation_option == "helm": ##deal with namespace already exist issue for rds-s3 auto set-up script if component_name == "kubeflow-namespace": - for kustomize_path in installation_config[component_name]["installation_options"]["kustomize"]["paths"]: + for kustomize_path in installation_config[component_name][ + "installation_options" + ]["kustomize"]["paths"]: apply_kustomize(kustomize_path) else: + if component_name == "kubeflow-pipelines": + configure_kubeflow_pipelines( + component_name, + installation_paths, + installation_option, + credentials_option, + ) install_helm(component_name, installation_paths) # kustomize else: # crd required to established for installation - if "validations" in installation_config[component_name] and "crds" in installation_config[component_name]["validations"]: + if ( + "validations" in installation_config[component_name] + and "crds" in installation_config[component_name]["validations"] + ): print("need to wait for crds....") crds = installation_config[component_name]["validations"]["crds"] crd_established = False + if component_name == "kubeflow-pipelines": + configure_kubeflow_pipelines( + component_name, + installation_paths, + installation_option, + credentials_option, + ) for kustomize_path in installation_paths: if not crd_established: apply_kustomize(kustomize_path, crds) @@ -172,7 +220,7 @@ def install_certmanager(): f"helm upgrade --install cert-manager jetstack/cert-manager \ --namespace cert-manager \ --create-namespace \ - --version v1.5.0 \ + --version v1.10.1 \ --set installCRDs=true" ) @@ -230,6 +278,27 @@ def install_ack_controller(): ) +def configure_kubeflow_pipelines( + component_name, installation_paths, installation_option, credentials_option +): + cfg = load_yaml_file(file_path="./utils/pipelines/config.yaml") + IAM_ROLE_ARN_FOR_IRSA = cfg["pipeline_oidc_role"] + if installation_option == "kustomize": + CHART_EXPORT_PATH = "../../apps/pipeline/s3/service-account.yaml" + exec_shell( + f'yq e \'.metadata.annotations."eks.amazonaws.com/role-arn"="{IAM_ROLE_ARN_FOR_IRSA}"\' ' + + f"-i {CHART_EXPORT_PATH}" + ) + + else: + IAM_ROLE_ARN_FOR_IRSA = cfg["pipeline_oidc_role"] + CHART_EXPORT_PATH = f"{installation_paths}/templates/ServiceAccount/ml-pipeline-kubeflow-ServiceAccount.yaml" + exec_shell( + f'yq e \'.metadata.annotations."eks.amazonaws.com/role-arn"="{IAM_ROLE_ARN_FOR_IRSA}"\' ' + + f"-i {CHART_EXPORT_PATH}" + ) + + if __name__ == "__main__": parser = argparse.ArgumentParser() INSTALLATION_OPTION_DEFAULT = "kustomize" @@ -272,6 +341,15 @@ def install_ack_controller(): help=f"EKS cluster Name", required=True, ) + CREDENTIAL_OPTION_DEFAULT = "irsa" + parser.add_argument( + "--credentials_option", + type=str, + default=CREDENTIAL_OPTION_DEFAULT, + choices=["irsa", "static"], + help=f"Kubeflow default credential option default is set to irsa", + required=False, + ) args, _ = parser.parse_known_args() @@ -279,5 +357,6 @@ def install_ack_controller(): args.installation_option, args.deployment_option, args.cluster_name, + args.credentials_option, args.aws_telemetry, ) From 17fa315998dbd90f42a8e1d741d7953f8e58276a Mon Sep 17 00:00:00 2001 From: Steakley Date: Fri, 10 Mar 2023 12:50:31 -0800 Subject: [PATCH 06/13] update service-account yaml --- awsconfigs/apps/pipeline/s3/service-account.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/awsconfigs/apps/pipeline/s3/service-account.yaml b/awsconfigs/apps/pipeline/s3/service-account.yaml index 92ba950fdb..b978b93548 100644 --- a/awsconfigs/apps/pipeline/s3/service-account.yaml +++ b/awsconfigs/apps/pipeline/s3/service-account.yaml @@ -4,4 +4,4 @@ metadata: name: ml-pipeline namespace: kubeflow annotations: - eks.amazonaws.com/role-arn: + eks.amazonaws.com/role-arn: '{{ .Values.irsa.roleName }}' From 12146a2fb9b350aa97e8abf90384ef3bfc7d7311 Mon Sep 17 00:00:00 2001 From: Steakley Date: Fri, 10 Mar 2023 13:34:16 -0800 Subject: [PATCH 07/13] pipeline irsa script --- tests/e2e/utils/pipelines/__init__.py | 0 .../utils/pipelines/cleanup_pipeline_irsa.py | 54 +++++++++ tests/e2e/utils/pipelines/common.py | 12 ++ tests/e2e/utils/pipelines/config.yaml | 4 + .../utils/pipelines/setup_pipelines_irsa.py | 112 ++++++++++++++++++ 5 files changed, 182 insertions(+) create mode 100644 tests/e2e/utils/pipelines/__init__.py create mode 100644 tests/e2e/utils/pipelines/cleanup_pipeline_irsa.py create mode 100644 tests/e2e/utils/pipelines/common.py create mode 100644 tests/e2e/utils/pipelines/config.yaml create mode 100644 tests/e2e/utils/pipelines/setup_pipelines_irsa.py diff --git a/tests/e2e/utils/pipelines/__init__.py b/tests/e2e/utils/pipelines/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/e2e/utils/pipelines/cleanup_pipeline_irsa.py b/tests/e2e/utils/pipelines/cleanup_pipeline_irsa.py new file mode 100644 index 0000000000..5be2d1e60e --- /dev/null +++ b/tests/e2e/utils/pipelines/cleanup_pipeline_irsa.py @@ -0,0 +1,54 @@ +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 + +import logging +import json +import boto3 + +from e2e.utils.utils import ( + load_json_file, + get_iam_client, + get_eks_client, +) +from e2e.fixtures.cluster import ( + associate_iam_oidc_provider, +) +from e2e.utils.aws.iam import IAMPolicy +from e2e.utils.pipelines import common +from e2e.utils.config import configure_env_file +from e2e.utils.utils import print_banner, load_yaml_file + + +logging.basicConfig(level=logging.INFO) +logger = logging.getLogger(__name__) + + +def get_account_id(): + return boto3.client("sts").get_caller_identity().get("Account") + +def delete_iam_role(role_name, region): + iam_client = get_iam_client(region=region) + try: + iam_client.detach_role_policy( + RoleName=role_name, PolicyArn="arn:aws:iam::aws:policy/AmazonS3FullAccess" + ) + except: + logger.log("Failed to detach role policy, it may not exist anymore.") + + iam_client.delete_role(RoleName=role_name) + print(f"Deleted IAM Role : {role_name}") + + +if __name__ == "__main__": + print_banner("Reading Config") + config_file_path = common.CONFIG_FILE_PATH + cfg = load_yaml_file(file_path=config_file_path) + cluster_region = cfg["cluster"]["region"] + cluster_name = cfg["cluster"]["name"] + + print_banner("Deleting all resources created for Pipeline IRSA") + role_name = f"{common.PIPELINE_OIDC_ROLE_NAME_PREFIX}-{cluster_name}" + delete_iam_role(role_name, cluster_region) + + print_banner("CLEANUP SUCCESSFUL") + diff --git a/tests/e2e/utils/pipelines/common.py b/tests/e2e/utils/pipelines/common.py new file mode 100644 index 0000000000..c295b02832 --- /dev/null +++ b/tests/e2e/utils/pipelines/common.py @@ -0,0 +1,12 @@ +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 + +import yaml +import logging + +logger = logging.getLogger(__name__) + +CONFIG_FILE_PATH = "./utils/pipelines/config.yaml" +OUTPUT_FILE_PATH = "../../awsconfigs/apps/pipeline/s3/service-account.yaml" + +PIPELINE_OIDC_ROLE_NAME_PREFIX = "kf-pipeline-role" diff --git a/tests/e2e/utils/pipelines/config.yaml b/tests/e2e/utils/pipelines/config.yaml new file mode 100644 index 0000000000..50f085471a --- /dev/null +++ b/tests/e2e/utils/pipelines/config.yaml @@ -0,0 +1,4 @@ +cluster: + name: + region: +pipeline_oidc_role: diff --git a/tests/e2e/utils/pipelines/setup_pipelines_irsa.py b/tests/e2e/utils/pipelines/setup_pipelines_irsa.py new file mode 100644 index 0000000000..3a993bf245 --- /dev/null +++ b/tests/e2e/utils/pipelines/setup_pipelines_irsa.py @@ -0,0 +1,112 @@ +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 + +import logging +import json +import boto3 + +from e2e.utils.utils import ( + load_json_file, + get_iam_client, + get_eks_client, +) +from e2e.fixtures.cluster import ( + associate_iam_oidc_provider, +) +from e2e.utils.aws.iam import IAMPolicy +from e2e.utils.pipelines import common +from e2e.utils.config import configure_env_file +from e2e.utils.utils import print_banner, load_yaml_file, write_env_to_yaml, exec_shell + + +logging.basicConfig(level=logging.INFO) +logger = logging.getLogger(__name__) + + +def profile_trust_policy(cluster, region, account_id): + eks_client = get_eks_client(region=region) + + resp = eks_client.describe_cluster(name=cluster) + oidc_url = resp["cluster"]["identity"]["oidc"]["issuer"].split("https://")[1] + + trust_policy = { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_url}" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + f"{oidc_url}:aud": "sts.amazonaws.com", + f"{oidc_url}:sub": [ + "system:serviceaccount:kubeflow:ml-pipeline", + ], + } + }, + } + ], + } + return json.dumps(trust_policy) + + +def create_pipeline_oidc_role(cluster_name, region): + iam_client = get_iam_client(region=region) + acc_id = get_account_id() + role_name = f"{common.PIPELINE_OIDC_ROLE_NAME_PREFIX}-{cluster_name}" + + resp = iam_client.create_role( + RoleName=role_name, + AssumeRolePolicyDocument=profile_trust_policy(cluster_name, region, acc_id), + ) + oidc_role_arn = resp["Role"]["Arn"] + + print(f"Created IAM Role : {oidc_role_arn}") + + iam_client.attach_role_policy( + RoleName=role_name, PolicyArn="arn:aws:iam::aws:policy/AmazonS3FullAccess" + ) + + +def get_role_arn(role_name, region): + iam_client = get_iam_client(region=region) + resp = iam_client.get_role(RoleName=role_name) + oidc_role_arn = resp["Role"]["Arn"] + return oidc_role_arn + + +def get_account_id(): + return boto3.client("sts").get_caller_identity().get("Account") + + +def write_params(oidc_role_arn, region, env_file_path, config_file_path): + write_env_to_yaml({"pipeline_oidc_role": oidc_role_arn}, config_file_path) + print(f"Config file written to : {config_file_path}") + + +if __name__ == "__main__": + print_banner("Reading Config") + config_file_path = common.CONFIG_FILE_PATH + cfg = load_yaml_file(file_path=config_file_path) + cluster_region = cfg["cluster"]["region"] + cluster_name = cfg["cluster"]["name"] + + print_banner("Create OIDC IAM role for Pipelines") + try: + create_pipeline_oidc_role(cluster_name, cluster_region) + except Exception as e: + print(e) + print("Try running cleanup_pipeline_irsa.py") + + pipeline_oidc_role_name = f"{common.PIPELINE_OIDC_ROLE_NAME_PREFIX}-{cluster_name}" + oidc_role_arn = get_role_arn(pipeline_oidc_role_name, cluster_region) + + print_banner("Writing params.env for Pipelines") + output_params_file_path = common.OUTPUT_FILE_PATH + write_params( + oidc_role_arn, cluster_region, output_params_file_path, config_file_path + ) + + print_banner("SUCCESS") From 6636004a72ab881264bcfd17afbea2b8be25518f Mon Sep 17 00:00:00 2001 From: Steakley Date: Sat, 11 Mar 2023 22:21:37 -0800 Subject: [PATCH 08/13] revert python makefile --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 902bd2ef3f..aaecc757f3 100644 --- a/Makefile +++ b/Makefile @@ -96,12 +96,12 @@ bootstrap-ack: verify-cluster-variables connect-to-eks-cluster bootstrap-pipelines: verify-cluster-variables connect-to-eks-cluster yq e '.cluster.name=env(CLUSTER_NAME)' -i tests/e2e/utils/pipelines/config.yaml yq e '.cluster.region=env(CLUSTER_REGION)' -i tests/e2e/utils/pipelines/config.yaml - cd tests/e2e && PYTHONPATH=.. python3 utils/pipelines/setup_pipelines_irsa.py + cd tests/e2e && PYTHONPATH=.. python3.8 utils/pipelines/setup_pipelines_irsa.py cleanup-ack-req: verify-cluster-variables yq e '.cluster.name=env(CLUSTER_NAME)' -i tests/e2e/utils/ack_sm_controller_bootstrap/config.yaml yq e '.cluster.region=env(CLUSTER_REGION)' -i tests/e2e/utils/ack_sm_controller_bootstrap/config.yaml - cd tests/e2e && PYTHONPATH=.. python3 utils/ack_sm_controller_bootstrap/cleanup_sm_controller_req.py + cd tests/e2e && PYTHONPATH=.. python3.8 utils/ack_sm_controller_bootstrap/cleanup_sm_controller_req.py deploy-kubeflow: bootstrap-ack $(eval DEPLOYMENT_OPTION:=vanilla) @@ -110,7 +110,7 @@ deploy-kubeflow: bootstrap-ack if [ "$(CREDENTIAL_OPTION)" = "irsa" ]; then \ make bootstrap-pipelines; \ fi - cd tests/e2e && PYTHONPATH=.. python3 utils/kubeflow_installation.py --deployment_option $(DEPLOYMENT_OPTION) --installation_option $(INSTALLATION_OPTION) --credential_option $(CREDENTIAL_OPTION) --cluster_name $(CLUSTER_NAME) + cd tests/e2e && PYTHONPATH=.. python3.8 utils/kubeflow_installation.py --deployment_option $(DEPLOYMENT_OPTION) --installation_option $(INSTALLATION_OPTION) --credential_option $(CREDENTIAL_OPTION) --cluster_name $(CLUSTER_NAME) delete-kubeflow: $(eval DEPLOYMENT_OPTION:=vanilla) From 1fae3e952715bbd1ccf82f5c155586991d35619e Mon Sep 17 00:00:00 2001 From: Steakley Date: Sat, 11 Mar 2023 22:25:31 -0800 Subject: [PATCH 09/13] add newline back --- awsconfigs/apps/pipeline/s3/disable-minio-server-resources.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/awsconfigs/apps/pipeline/s3/disable-minio-server-resources.yaml b/awsconfigs/apps/pipeline/s3/disable-minio-server-resources.yaml index e7c28129a3..5563083614 100644 --- a/awsconfigs/apps/pipeline/s3/disable-minio-server-resources.yaml +++ b/awsconfigs/apps/pipeline/s3/disable-minio-server-resources.yaml @@ -17,4 +17,4 @@ apiVersion: v1 kind: Service metadata: name: minio-service - namespace: kubeflow \ No newline at end of file + namespace: kubeflow From 51f3093d412792298a34beeb9260e3b980944a75 Mon Sep 17 00:00:00 2001 From: Steakley Date: Mon, 13 Mar 2023 09:26:24 -0700 Subject: [PATCH 10/13] add cleanup --- awsconfigs/apps/pipeline/kustomization.yaml | 1 + .../pipeline/s3/disable-default-secret.yaml | 1 - .../utils/pipelines/cleanup_pipelines_irsa.py | 54 +++++++++++++++++++ 3 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 tests/e2e/utils/pipelines/cleanup_pipelines_irsa.py diff --git a/awsconfigs/apps/pipeline/kustomization.yaml b/awsconfigs/apps/pipeline/kustomization.yaml index f780be055f..a1e5aacfe5 100644 --- a/awsconfigs/apps/pipeline/kustomization.yaml +++ b/awsconfigs/apps/pipeline/kustomization.yaml @@ -31,6 +31,7 @@ patchesStrategicMerge: - ./s3/deployment_patch.yaml - ./s3/disable-default-secret.yaml - ./s3/aws-configuration-patch.yaml +- ./s3/service-account.yaml # Identifier for application manager to apply ownerReference. # The ownerReference ensures the resources get garbage collected # when application is deleted. diff --git a/awsconfigs/apps/pipeline/s3/disable-default-secret.yaml b/awsconfigs/apps/pipeline/s3/disable-default-secret.yaml index 3ec1143b5a..6eda5fb8f1 100644 --- a/awsconfigs/apps/pipeline/s3/disable-default-secret.yaml +++ b/awsconfigs/apps/pipeline/s3/disable-default-secret.yaml @@ -8,4 +8,3 @@ metadata: stringData: accesskey: "" secretkey: "" -$patch: replace diff --git a/tests/e2e/utils/pipelines/cleanup_pipelines_irsa.py b/tests/e2e/utils/pipelines/cleanup_pipelines_irsa.py new file mode 100644 index 0000000000..5be2d1e60e --- /dev/null +++ b/tests/e2e/utils/pipelines/cleanup_pipelines_irsa.py @@ -0,0 +1,54 @@ +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 + +import logging +import json +import boto3 + +from e2e.utils.utils import ( + load_json_file, + get_iam_client, + get_eks_client, +) +from e2e.fixtures.cluster import ( + associate_iam_oidc_provider, +) +from e2e.utils.aws.iam import IAMPolicy +from e2e.utils.pipelines import common +from e2e.utils.config import configure_env_file +from e2e.utils.utils import print_banner, load_yaml_file + + +logging.basicConfig(level=logging.INFO) +logger = logging.getLogger(__name__) + + +def get_account_id(): + return boto3.client("sts").get_caller_identity().get("Account") + +def delete_iam_role(role_name, region): + iam_client = get_iam_client(region=region) + try: + iam_client.detach_role_policy( + RoleName=role_name, PolicyArn="arn:aws:iam::aws:policy/AmazonS3FullAccess" + ) + except: + logger.log("Failed to detach role policy, it may not exist anymore.") + + iam_client.delete_role(RoleName=role_name) + print(f"Deleted IAM Role : {role_name}") + + +if __name__ == "__main__": + print_banner("Reading Config") + config_file_path = common.CONFIG_FILE_PATH + cfg = load_yaml_file(file_path=config_file_path) + cluster_region = cfg["cluster"]["region"] + cluster_name = cfg["cluster"]["name"] + + print_banner("Deleting all resources created for Pipeline IRSA") + role_name = f"{common.PIPELINE_OIDC_ROLE_NAME_PREFIX}-{cluster_name}" + delete_iam_role(role_name, cluster_region) + + print_banner("CLEANUP SUCCESSFUL") + From 4b2fc4ad003fb8553c2e9a17ecf4493a65d5c9b5 Mon Sep 17 00:00:00 2001 From: Steakley Date: Mon, 13 Mar 2023 09:27:33 -0700 Subject: [PATCH 11/13] update Makefile --- Makefile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Makefile b/Makefile index aaecc757f3..da87fb7d57 100644 --- a/Makefile +++ b/Makefile @@ -103,6 +103,11 @@ cleanup-ack-req: verify-cluster-variables yq e '.cluster.region=env(CLUSTER_REGION)' -i tests/e2e/utils/ack_sm_controller_bootstrap/config.yaml cd tests/e2e && PYTHONPATH=.. python3.8 utils/ack_sm_controller_bootstrap/cleanup_sm_controller_req.py +cleanup-pipelines-req: verify-cluster-variables + yq e '.cluster.name=env(CLUSTER_NAME)' -i tests/e2e/utils/pipelines/config.yaml + yq e '.cluster.region=env(CLUSTER_REGION)' -i tests/e2e/utils/pipelines/config.yaml + cd tests/e2e && PYTHONPATH=.. python3.8 utils/pipelines/cleanup_pipelines_irsa.py + deploy-kubeflow: bootstrap-ack $(eval DEPLOYMENT_OPTION:=vanilla) $(eval INSTALLATION_OPTION:=kustomize) From fb23ca952349bc23a9fce5545c5804429a05ed2c Mon Sep 17 00:00:00 2001 From: Steakley Date: Mon, 13 Mar 2023 09:31:25 -0700 Subject: [PATCH 12/13] print which creds options we use --- tests/e2e/utils/kubeflow_installation.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/tests/e2e/utils/kubeflow_installation.py b/tests/e2e/utils/kubeflow_installation.py index de0e65ddd4..c7ce7b5cc4 100644 --- a/tests/e2e/utils/kubeflow_installation.py +++ b/tests/e2e/utils/kubeflow_installation.py @@ -75,6 +75,12 @@ def install_kubeflow( installation_config = load_yaml_file(INSTALLATION_CONFIG_VANILLA) elif deployment_option == "cognito": installation_config = load_yaml_file(INSTALLATION_CONFIG_COGNITO) + elif deployment_option == "rds-s3" and credentials_option == "static": + installation_config = load_yaml_file(INSTALLATION_CONFIG_RDS_S3_STATIC) + elif deployment_option == "s3" and credentials_option == "static": + installation_config = load_yaml_file(INSTALLATION_CONFIG_S3_ONLY_STATIC) + elif deployment_option == "cognito-rds-s3" and credentials_option == "static": + installation_config = load_yaml_file(INSTALLATION_CONFIG_COGNITO_RDS_S3_STATIC) elif deployment_option == "rds-s3": installation_config = load_yaml_file(INSTALLATION_CONFIG_RDS_S3) elif deployment_option == "rds-only": @@ -83,15 +89,10 @@ def install_kubeflow( installation_config = load_yaml_file(INSTALLATION_CONFIG_S3_ONLY) elif deployment_option == "cognito-rds-s3": installation_config = load_yaml_file(INSTALLATION_CONFIG_COGNITO_RDS_S3) - elif deployment_option == "rds-s3" and credentials_option == "static": - installation_config = load_yaml_file(INSTALLATION_CONFIG_RDS_S3_STATIC) - elif deployment_option == "s3" and credentials_option == "static": - installation_config = load_yaml_file(INSTALLATION_CONFIG_S3_ONLY_STATIC) - elif deployment_option == "cognito-rds-s3" and credentials_option == "static": - installation_config = load_yaml_file(INSTALLATION_CONFIG_COGNITO_RDS_S3_STATIC) + print_banner( - f"Installing kubeflow {deployment_option} deployment with {installation_option}" + f"Installing kubeflow {deployment_option} deployment with {installation_option} with {credentials_option}" ) for component in Install_Sequence: From 916d85c12f7df1c5cf7b6b752a984c5da3b89543 Mon Sep 17 00:00:00 2001 From: Steakley Date: Mon, 13 Mar 2023 09:33:49 -0700 Subject: [PATCH 13/13] add return --- tests/e2e/utils/kubeflow_installation.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/e2e/utils/kubeflow_installation.py b/tests/e2e/utils/kubeflow_installation.py index c7ce7b5cc4..f9fd18d691 100644 --- a/tests/e2e/utils/kubeflow_installation.py +++ b/tests/e2e/utils/kubeflow_installation.py @@ -282,6 +282,8 @@ def install_ack_controller(): def configure_kubeflow_pipelines( component_name, installation_paths, installation_option, credentials_option ): + if credentials_option == "static": + return cfg = load_yaml_file(file_path="./utils/pipelines/config.yaml") IAM_ROLE_ARN_FOR_IRSA = cfg["pipeline_oidc_role"] if installation_option == "kustomize":