feat: Use KFP multi user mode for GCP (#1373)

* refactor: pipelines profile controller should get minio access keys from the secret

* do not print secrets in log

* use kfp multi user mode for gcp stacks

* update snapshot

stacks/gcp/kustomization.yaml

@@ -18,7 +18,7 @@ resources:
   - ../../argo/base_v3
   - ../../pipeline/minio/installs/gcp-pd
   - ../../pipeline/mysql/installs/gcp-pd
-  - ../../pipeline/installs/generic
+  - ../../pipeline/installs/multi-user
   - ../../metadata/v3
   # This package will create a profile resource so it needs to be installed after the profiles CR
   - ../../default-install/base

tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_cache-server.yaml

@@ -53,9 +53,7 @@ spec:
               key: password
               name: mysql-secret-fd5gktm75t
         - name: NAMESPACE_TO_WATCH
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
+          value: ""
         image: gcr.io/ml-pipeline/cache-server:1.0.0-rc.3
         imagePullPolicy: Always
         name: server

tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_metadata-writer.yaml

@@ -18,9 +18,7 @@ spec:
       containers:
       - env:
         - name: NAMESPACE_TO_WATCH
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
+          value: ""
         image: gcr.io/ml-pipeline/metadata-writer:1.0.0-rc.3
         name: main
       serviceAccountName: kubeflow-pipelines-metadata-writer

tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-persistenceagent.yaml

@@ -17,9 +17,7 @@ spec:
       containers:
       - env:
         - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
+          value: ""
         image: gcr.io/ml-pipeline/persistenceagent:1.0.0-rc.3
         imagePullPolicy: IfNotPresent
         name: ml-pipeline-persistenceagent

tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-scheduledworkflow.yaml

@@ -17,9 +17,7 @@ spec:
       containers:
       - env:
         - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
+          value: ""
         image: gcr.io/ml-pipeline/scheduledworkflow:1.0.0-rc.3
         imagePullPolicy: IfNotPresent
         name: ml-pipeline-scheduledworkflow

tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-ui.yaml

@@ -16,6 +16,28 @@ spec:
     spec:
       containers:
       - env:
+        - name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH
+          value: /etc/config/viewer-pod-template.json
+        - name: DEPLOYMENT
+          value: KUBEFLOW
+        - name: ARTIFACTS_SERVICE_PROXY_NAME
+          value: ml-pipeline-ui-artifact
+        - name: ARTIFACTS_SERVICE_PROXY_PORT
+          value: "80"
+        - name: ARTIFACTS_SERVICE_PROXY_ENABLED
+          value: "true"
+        - name: ENABLE_AUTHZ
+          value: "true"
+        - name: KUBEFLOW_USERID_HEADER
+          valueFrom:
+            configMapKeyRef:
+              key: userid-header
+              name: kubeflow-config-4bkkg42k5m
+        - name: KUBEFLOW_USERID_PREFIX
+          valueFrom:
+            configMapKeyRef:
+              key: userid-prefix
+              name: kubeflow-config-4bkkg42k5m
         - name: MINIO_NAMESPACE
           valueFrom:
             fieldRef:
@@ -61,4 +83,12 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 5
           timeoutSeconds: 2
+        volumeMounts:
+        - mountPath: /etc/config
+          name: config-volume
+          readOnly: true
       serviceAccountName: ml-pipeline-ui
+      volumes:
+      - configMap:
+          name: ml-pipeline-ui-configmap
+        name: config-volume

tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-viewer-crd.yaml

@@ -16,6 +16,9 @@ spec:
     spec:
       containers:
       - env:
+        - name: NAMESPACE
+          value: ""
+          valueFrom: null
         - name: MAX_NUM_VIEWERS
           value: "50"
         - name: MINIO_NAMESPACE

tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline.yaml

@@ -16,6 +16,16 @@ spec:
     spec:
       containers:
       - env:
+        - name: KUBEFLOW_USERID_HEADER
+          valueFrom:
+            configMapKeyRef:
+              key: userid-header
+              name: kubeflow-config-4bkkg42k5m
+        - name: KUBEFLOW_USERID_PREFIX
+          valueFrom:
+            configMapKeyRef:
+              key: userid-prefix
+              name: kubeflow-config-4bkkg42k5m
         - name: POD_NAMESPACE
           valueFrom:
             fieldRef:
@@ -62,6 +72,9 @@ spec:
             secretKeyRef:
               key: secretkey
               name: mlpipeline-minio-artifact
+        envFrom:
+        - configMapRef:
+            name: pipeline-api-server-config-f4t72426kt
         image: gcr.io/ml-pipeline/api-server:1.0.0-rc.3
         imagePullPolicy: IfNotPresent
         livenessProbe:

tests/stacks/examples/alice/test_data/expected/apps_v1beta1_deployment_kubeflow-pipelines-profile-controller.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    app: kubeflow-pipelines-profile-controller
+  name: kubeflow-pipelines-profile-controller
+  namespace: kubeflow
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kubeflow-pipelines-profile-controller
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+      labels:
+        app: kubeflow-pipelines-profile-controller
+    spec:
+      containers:
+      - command:
+        - python
+        - /hooks/sync.py
+        env:
+        - name: MINIO_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              key: accesskey
+              name: mlpipeline-minio-artifact
+        - name: MINIO_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              key: secretkey
+              name: mlpipeline-minio-artifact
+        envFrom:
+        - configMapRef:
+            name: kubeflow-pipelines-profile-controller-env-822cf46mft
+        image: python:3.7
+        name: profile-controller
+        ports:
+        - containerPort: 80
+        volumeMounts:
+        - mountPath: /hooks
+          name: hooks
+      volumes:
+      - configMap:
+          name: kubeflow-pipelines-profile-controller-code-m828g88mtm
+        name: hooks

tests/stacks/examples/alice/test_data/expected/metacontroller.k8s.io_v1alpha1_compositecontroller_kubeflow-pipelines-profile-controller.yaml

@@ -0,0 +1,46 @@
+apiVersion: metacontroller.k8s.io/v1alpha1
+kind: CompositeController
+metadata:
+  labels:
+    app: kubeflow-pipelines-profile-controller
+  name: kubeflow-pipelines-profile-controller
+  namespace: kubeflow
+spec:
+  childResources:
+  - apiVersion: v1
+    resource: secrets
+    updateStrategy:
+      method: OnDelete
+  - apiVersion: v1
+    resource: configmaps
+    updateStrategy:
+      method: OnDelete
+  - apiVersion: apps/v1
+    resource: deployments
+    updateStrategy:
+      method: InPlace
+  - apiVersion: v1
+    resource: services
+    updateStrategy:
+      method: InPlace
+  - apiVersion: networking.istio.io/v1alpha3
+    resource: destinationrules
+    updateStrategy:
+      method: InPlace
+  - apiVersion: rbac.istio.io/v1alpha1
+    resource: serviceroles
+    updateStrategy:
+      method: InPlace
+  - apiVersion: rbac.istio.io/v1alpha1
+    resource: servicerolebindings
+    updateStrategy:
+      method: InPlace
+  generateSelector: true
+  hooks:
+    sync:
+      webhook:
+        url: http://kubeflow-pipelines-profile-controller/sync
+  parentResource:
+    apiVersion: v1
+    resource: namespaces
+  resyncPeriodSeconds: 10

tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-mysql.yaml

@@ -0,0 +1,10 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: ml-pipeline-mysql
+  namespace: kubeflow
+spec:
+  host: mysql.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL

tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-ui.yaml

@@ -0,0 +1,10 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: ml-pipeline-ui
+  namespace: kubeflow
+spec:
+  host: ml-pipeline-ui.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL

tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-visualizationserver.yaml

@@ -0,0 +1,10 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: ml-pipeline-visualizationserver
+  namespace: kubeflow
+spec:
+  host: ml-pipeline-visualizationserver.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL

tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline.yaml

@@ -0,0 +1,10 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: ml-pipeline
+  namespace: kubeflow
+spec:
+  host: ml-pipeline.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL

tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-role.yaml

@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeflow-pipelines-cache-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch

tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-metadata-writer-role.yaml

@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeflow-pipelines-metadata-writer-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch

tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-persistenceagent-role.yaml

@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ml-pipeline-persistenceagent-role
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - get
+  - list
+  - watch

tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-scheduledworkflow-role.yaml

@@ -0,0 +1,36 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ml-pipeline-scheduledworkflow-role
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch