From 58e99b277176044d4a4958c67ab42819ed6eb7e7 Mon Sep 17 00:00:00 2001 
From: "Yuan (Bob) Gong" Date: Sat, 11 Jul 2020 00:09:48 +0800 Subject: [PATCH] feat: Use KFP multi user mode for GCP (#1373) * refactor: pipelines profile controller should get minio access keys from the secret * do not print secrets in log * use kfp multi user mode for gcp stacks * update snapshot --- stacks/gcp/kustomization.yaml | 2 +- .../apps_v1_deployment_cache-server.yaml | 4 +- .../apps_v1_deployment_metadata-writer.yaml | 4 +- ...ployment_ml-pipeline-persistenceagent.yaml | 4 +- ...loyment_ml-pipeline-scheduledworkflow.yaml | 4 +- .../apps_v1_deployment_ml-pipeline-ui.yaml | 30 ++ ..._v1_deployment_ml-pipeline-viewer-crd.yaml | 3 + .../apps_v1_deployment_ml-pipeline.yaml | 13 + ...kubeflow-pipelines-profile-controller.yaml | 48 +++ ...kubeflow-pipelines-profile-controller.yaml | 46 +++ ...ha3_destinationrule_ml-pipeline-mysql.yaml | 10 + ...alpha3_destinationrule_ml-pipeline-ui.yaml | 10 + ...nrule_ml-pipeline-visualizationserver.yaml | 10 + ..._v1alpha3_destinationrule_ml-pipeline.yaml | 10 + ...terrole_kubeflow-pipelines-cache-role.yaml | 31 ++ ...beflow-pipelines-metadata-writer-role.yaml | 31 ++ ...ole_ml-pipeline-persistenceagent-role.yaml | 21 ++ ...le_ml-pipeline-scheduledworkflow-role.yaml | 36 +++ ....k8s.io_v1_clusterrole_ml-pipeline-ui.yaml | 44 +++ ...le_ml-pipeline-viewer-controller-role.yaml | 30 ++ ...ding_kubeflow-pipelines-cache-binding.yaml | 12 + ...low-pipelines-metadata-writer-binding.yaml | 12 + ..._ml-pipeline-persistenceagent-binding.yaml | 12 + ...ml-pipeline-scheduledworkflow-binding.yaml | 12 + ..._v1_clusterrolebinding_ml-pipeline-ui.yaml | 14 + ...inding_ml-pipeline-viewer-crd-binding.yaml | 12 + ...8s.io_v1beta1_clusterrole_ml-pipeline.yaml | 34 +++ ...1beta1_clusterrolebinding_ml-pipeline.yaml | 12 + ....io_v1alpha1_servicerole_cache-server.yaml | 9 + ...pha1_servicerole_ml-pipeline-services.yaml | 12 + ...o_v1alpha1_servicerole_ml-pipeline-ui.yaml | 9 + ...g_bind-cache-server-admission-webhook.yaml | 11 + 
...lebinding_bind-gateway-ml-pipeline-ui.yaml | 12 + ...rolebinding_bind-ml-pipeline-internal.yaml | 22 ++ ...es-profile-controller-code-m828g88mtm.yaml | 288 ++++++++++++++++++ ...nes-profile-controller-env-822cf46mft.yaml | 10 + ...v1_configmap_ml-pipeline-ui-configmap.yaml | 14 + ...pipeline-api-server-config-f4t72426kt.yaml | 10 + ...kubeflow-pipelines-profile-controller.yaml | 15 + .../apps_v1_deployment_cache-server.yaml | 4 +- .../apps_v1_deployment_metadata-writer.yaml | 4 +- ...ployment_ml-pipeline-persistenceagent.yaml | 4 +- ...loyment_ml-pipeline-scheduledworkflow.yaml | 4 +- .../apps_v1_deployment_ml-pipeline-ui.yaml | 30 ++ ..._v1_deployment_ml-pipeline-viewer-crd.yaml | 3 + .../apps_v1_deployment_ml-pipeline.yaml | 13 + ...kubeflow-pipelines-profile-controller.yaml | 48 +++ ...kubeflow-pipelines-profile-controller.yaml | 46 +++ ...ha3_destinationrule_ml-pipeline-mysql.yaml | 10 + ...alpha3_destinationrule_ml-pipeline-ui.yaml | 10 + ...nrule_ml-pipeline-visualizationserver.yaml | 10 + ..._v1alpha3_destinationrule_ml-pipeline.yaml | 10 + ...terrole_kubeflow-pipelines-cache-role.yaml | 31 ++ ...beflow-pipelines-metadata-writer-role.yaml | 31 ++ ...ole_ml-pipeline-persistenceagent-role.yaml | 21 ++ ...le_ml-pipeline-scheduledworkflow-role.yaml | 36 +++ ....k8s.io_v1_clusterrole_ml-pipeline-ui.yaml | 44 +++ ...le_ml-pipeline-viewer-controller-role.yaml | 30 ++ ...ding_kubeflow-pipelines-cache-binding.yaml | 12 + ...low-pipelines-metadata-writer-binding.yaml | 12 + ..._ml-pipeline-persistenceagent-binding.yaml | 12 + ...ml-pipeline-scheduledworkflow-binding.yaml | 12 + ..._v1_clusterrolebinding_ml-pipeline-ui.yaml | 14 + ...inding_ml-pipeline-viewer-crd-binding.yaml | 12 + ...8s.io_v1beta1_clusterrole_ml-pipeline.yaml | 34 +++ ...1beta1_clusterrolebinding_ml-pipeline.yaml | 12 + ....io_v1alpha1_servicerole_cache-server.yaml | 9 + ...pha1_servicerole_ml-pipeline-services.yaml | 12 + ...o_v1alpha1_servicerole_ml-pipeline-ui.yaml | 9 + 
...g_bind-cache-server-admission-webhook.yaml | 11 + ...lebinding_bind-gateway-ml-pipeline-ui.yaml | 12 + ...rolebinding_bind-ml-pipeline-internal.yaml | 22 ++ ...es-profile-controller-code-m828g88mtm.yaml | 288 ++++++++++++++++++ ...nes-profile-controller-env-822cf46mft.yaml | 10 + ...v1_configmap_ml-pipeline-ui-configmap.yaml | 14 + ...pipeline-api-server-config-f4t72426kt.yaml | 10 + ...kubeflow-pipelines-profile-controller.yaml | 15 + 77 files changed, 1819 insertions(+), 25 deletions(-) create mode 100644 tests/stacks/examples/alice/test_data/expected/apps_v1beta1_deployment_kubeflow-pipelines-profile-controller.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/metacontroller.k8s.io_v1alpha1_compositecontroller_kubeflow-pipelines-profile-controller.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-mysql.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-ui.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-visualizationserver.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-role.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-metadata-writer-role.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-persistenceagent-role.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-scheduledworkflow-role.yaml create mode 100644 
tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-ui.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-viewer-controller-role.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-cache-binding.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-metadata-writer-binding.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-persistenceagent-binding.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-scheduledworkflow-binding.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-ui.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-viewer-crd-binding.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_ml-pipeline.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_ml-pipeline.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerole_cache-server.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-services.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-ui.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-cache-server-admission-webhook.yaml create mode 100644 
tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-gateway-ml-pipeline-ui.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-ml-pipeline-internal.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-code-m828g88mtm.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-env-822cf46mft.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_ml-pipeline-ui-configmap.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_pipeline-api-server-config-f4t72426kt.yaml create mode 100644 tests/stacks/examples/alice/test_data/expected/~g_v1_service_kubeflow-pipelines-profile-controller.yaml create mode 100644 tests/stacks/gcp/test_data/expected/apps_v1beta1_deployment_kubeflow-pipelines-profile-controller.yaml create mode 100644 tests/stacks/gcp/test_data/expected/metacontroller.k8s.io_v1alpha1_compositecontroller_kubeflow-pipelines-profile-controller.yaml create mode 100644 tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-mysql.yaml create mode 100644 tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-ui.yaml create mode 100644 tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-visualizationserver.yaml create mode 100644 tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-role.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-metadata-writer-role.yaml create mode 100644 
tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-persistenceagent-role.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-scheduledworkflow-role.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-ui.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-viewer-controller-role.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-cache-binding.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-metadata-writer-binding.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-persistenceagent-binding.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-scheduledworkflow-binding.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-ui.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-viewer-crd-binding.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_ml-pipeline.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_ml-pipeline.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerole_cache-server.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-services.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-ui.yaml create mode 100644 
tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-cache-server-admission-webhook.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-gateway-ml-pipeline-ui.yaml create mode 100644 tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-ml-pipeline-internal.yaml create mode 100644 tests/stacks/gcp/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-code-m828g88mtm.yaml create mode 100644 tests/stacks/gcp/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-env-822cf46mft.yaml create mode 100644 tests/stacks/gcp/test_data/expected/~g_v1_configmap_ml-pipeline-ui-configmap.yaml create mode 100644 tests/stacks/gcp/test_data/expected/~g_v1_configmap_pipeline-api-server-config-f4t72426kt.yaml create mode 100644 tests/stacks/gcp/test_data/expected/~g_v1_service_kubeflow-pipelines-profile-controller.yaml diff --git a/stacks/gcp/kustomization.yaml b/stacks/gcp/kustomization.yaml index 1bd9b429d8..95fbb8e94d 100644 --- a/stacks/gcp/kustomization.yaml +++ b/stacks/gcp/kustomization.yaml @@ -18,7 +18,7 @@ resources: - ../../argo/base_v3 - ../../pipeline/minio/installs/gcp-pd - ../../pipeline/mysql/installs/gcp-pd - - ../../pipeline/installs/generic + - ../../pipeline/installs/multi-user - ../../metadata/v3 # This package will create a profile resource so it needs to be installed after the profiles CR - ../../default-install/base diff --git a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_cache-server.yaml b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_cache-server.yaml index 6c588c6913..06c8cfbed6 100644 --- a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_cache-server.yaml +++ b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_cache-server.yaml 
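Review bot: The swap from `../../pipeline/installs/generic` to `../../pipeline/installs/multi-user` carries no comment, although the snapshots in this same patch show it changes the deployment's trust model: the pipeline controllers get `NAMESPACE` / `NAMESPACE_TO_WATCH` set to `""`, and new ClusterRoles and ClusterRoleBindings are added. I would add a comment above the entry, for example `# multi-user KFP: controllers act across namespaces via ClusterRoles; user identity comes from the kubeflow-config userid header`. The multi-user package itself is outside this diff, so the reading that `""` means "all namespaces" is inferred from the accompanying role changes and should be confirmed there.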
@@ -53,9 +53,7 @@ spec: key: password name: mysql-secret-fd5gktm75t - name: NAMESPACE_TO_WATCH - valueFrom: - fieldRef: - fieldPath: metadata.namespace + value: "" image: gcr.io/ml-pipeline/cache-server:1.0.0-rc.3 imagePullPolicy: Always name: server diff --git a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_metadata-writer.yaml b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_metadata-writer.yaml index 4b0a0d0c91..83adf18f72 100644 --- a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_metadata-writer.yaml +++ b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_metadata-writer.yaml @@ -18,9 +18,7 @@ spec: containers: - env: - name: NAMESPACE_TO_WATCH - valueFrom: - fieldRef: - fieldPath: metadata.namespace + value: "" image: gcr.io/ml-pipeline/metadata-writer:1.0.0-rc.3 name: main serviceAccountName: kubeflow-pipelines-metadata-writer diff --git a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-persistenceagent.yaml b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-persistenceagent.yaml index a4f9177a0b..adf776c9d6 100644 --- a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-persistenceagent.yaml +++ b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-persistenceagent.yaml @@ -17,9 +17,7 @@ spec: containers: - env: - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace + value: "" image: gcr.io/ml-pipeline/persistenceagent:1.0.0-rc.3 imagePullPolicy: IfNotPresent name: ml-pipeline-persistenceagent diff --git a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-scheduledworkflow.yaml b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-scheduledworkflow.yaml index f38eb6fabe..79db22ad5f 100644 --- a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-scheduledworkflow.yaml 
+++ b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-scheduledworkflow.yaml @@ -17,9 +17,7 @@ spec: containers: - env: - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace + value: "" image: gcr.io/ml-pipeline/scheduledworkflow:1.0.0-rc.3 imagePullPolicy: IfNotPresent name: ml-pipeline-scheduledworkflow diff --git a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-ui.yaml b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-ui.yaml index 0430d4b7bd..434f1b62e7 100644 --- a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-ui.yaml +++ b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-ui.yaml @@ -16,6 +16,28 @@ spec: spec: containers: - env: + - name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH + value: /etc/config/viewer-pod-template.json + - name: DEPLOYMENT + value: KUBEFLOW + - name: ARTIFACTS_SERVICE_PROXY_NAME + value: ml-pipeline-ui-artifact + - name: ARTIFACTS_SERVICE_PROXY_PORT + value: "80" + - name: ARTIFACTS_SERVICE_PROXY_ENABLED + value: "true" + - name: ENABLE_AUTHZ + value: "true" + - name: KUBEFLOW_USERID_HEADER + valueFrom: + configMapKeyRef: + key: userid-header + name: kubeflow-config-4bkkg42k5m + - name: KUBEFLOW_USERID_PREFIX + valueFrom: + configMapKeyRef: + key: userid-prefix + name: kubeflow-config-4bkkg42k5m - name: MINIO_NAMESPACE valueFrom: fieldRef: @@ -61,4 +83,12 @@ spec: initialDelaySeconds: 3 periodSeconds: 5 timeoutSeconds: 2 + volumeMounts: + - mountPath: /etc/config + name: config-volume + readOnly: true serviceAccountName: ml-pipeline-ui + volumes: + - configMap: + name: ml-pipeline-ui-configmap + name: config-volume diff --git a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-viewer-crd.yaml b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-viewer-crd.yaml index f6e9b9c7dc..976165b9e7 100644 
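Review bot: With `ENABLE_AUTHZ` set to `"true"`, the UI's per-user authorization depends on the header named by `KUBEFLOW_USERID_HEADER`, and nothing in this Deployment hunk shows which callers are allowed to set that header. If an in-cluster client can reach `ml-pipeline-ui` (or `ml-pipeline`, whose Deployment gains the same two variables) without passing through the gateway, the header value would presumably be taken as identity without verification. The patch also adds Istio ServiceRoleBindings and `ISTIO_MUTUAL` DestinationRules that look intended to close this, but their contents are mostly outside this part of the diff. I would document the dependency in the source manifest, e.g. `# userid header is trusted only because mesh policy limits callers to the ingress gateway`, and add a test asserting that a direct in-cluster request is rejected.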
--- a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-viewer-crd.yaml +++ b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline-viewer-crd.yaml @@ -16,6 +16,9 @@ spec: spec: containers: - env: + - name: NAMESPACE + value: "" + valueFrom: null - name: MAX_NUM_VIEWERS value: "50" - name: MINIO_NAMESPACE diff --git a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline.yaml b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline.yaml index 79adf2aab0..3dd55c9d06 100644 --- a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline.yaml +++ b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_ml-pipeline.yaml @@ -16,6 +16,16 @@ spec: spec: containers: - env: + - name: KUBEFLOW_USERID_HEADER + valueFrom: + configMapKeyRef: + key: userid-header + name: kubeflow-config-4bkkg42k5m + - name: KUBEFLOW_USERID_PREFIX + valueFrom: + configMapKeyRef: + key: userid-prefix + name: kubeflow-config-4bkkg42k5m - name: POD_NAMESPACE valueFrom: fieldRef: @@ -62,6 +72,9 @@ spec: secretKeyRef: key: secretkey name: mlpipeline-minio-artifact + envFrom: + - configMapRef: + name: pipeline-api-server-config-f4t72426kt image: gcr.io/ml-pipeline/api-server:1.0.0-rc.3 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/tests/stacks/examples/alice/test_data/expected/apps_v1beta1_deployment_kubeflow-pipelines-profile-controller.yaml b/tests/stacks/examples/alice/test_data/expected/apps_v1beta1_deployment_kubeflow-pipelines-profile-controller.yaml new file mode 100644 index 0000000000..d964f394f5 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/apps_v1beta1_deployment_kubeflow-pipelines-profile-controller.yaml 
@@ -0,0 +1,48 @@ +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + labels: + app: kubeflow-pipelines-profile-controller + name: kubeflow-pipelines-profile-controller + namespace: kubeflow +spec: + replicas: 1 + selector: + matchLabels: + app: kubeflow-pipelines-profile-controller + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: kubeflow-pipelines-profile-controller + spec: + containers: + - command: + - python + - /hooks/sync.py + env: + - name: MINIO_ACCESS_KEY + valueFrom: + secretKeyRef: + key: accesskey + name: mlpipeline-minio-artifact + - name: MINIO_SECRET_KEY + valueFrom: + secretKeyRef: + key: secretkey + name: mlpipeline-minio-artifact + envFrom: + - configMapRef: + name: kubeflow-pipelines-profile-controller-env-822cf46mft + image: python:3.7 + name: profile-controller + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /hooks + name: hooks + volumes: + - configMap: + name: kubeflow-pipelines-profile-controller-code-m828g88mtm + name: hooks diff --git a/tests/stacks/examples/alice/test_data/expected/metacontroller.k8s.io_v1alpha1_compositecontroller_kubeflow-pipelines-profile-controller.yaml b/tests/stacks/examples/alice/test_data/expected/metacontroller.k8s.io_v1alpha1_compositecontroller_kubeflow-pipelines-profile-controller.yaml new file mode 100644 index 0000000000..96fe00bf44 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/metacontroller.k8s.io_v1alpha1_compositecontroller_kubeflow-pipelines-profile-controller.yaml 
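Review bot: `image: python:3.7` is a mutable tag, and this container receives `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY` from `mlpipeline-minio-artifact`, so whatever the tag resolves to at pull time runs with the artifact-store credentials. Pinning by digest in the source manifest, `image: python:3.7@sha256:<digest>` (placeholder), keeps the snapshot reproducible and the image reviewable. The pod spec also sets no `securityContext`, `resources` or `serviceAccountName`; if that is deliberate it deserves a comment. This file is a rendered snapshot, so the change belongs in the multi-user package, which is outside this diff.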
@@ -0,0 +1,46 @@ +apiVersion: metacontroller.k8s.io/v1alpha1 +kind: CompositeController +metadata: + labels: + app: kubeflow-pipelines-profile-controller + name: kubeflow-pipelines-profile-controller + namespace: kubeflow +spec: + childResources: + - apiVersion: v1 + resource: secrets + updateStrategy: + method: OnDelete + - apiVersion: v1 + resource: configmaps + updateStrategy: + method: OnDelete + - apiVersion: apps/v1 + resource: deployments + updateStrategy: + method: InPlace + - apiVersion: v1 + resource: services + updateStrategy: + method: InPlace + - apiVersion: networking.istio.io/v1alpha3 + resource: destinationrules + updateStrategy: + method: InPlace + - apiVersion: rbac.istio.io/v1alpha1 + resource: serviceroles + updateStrategy: + method: InPlace + - apiVersion: rbac.istio.io/v1alpha1 + resource: servicerolebindings + updateStrategy: + method: InPlace + generateSelector: true + hooks: + sync: + webhook: + url: http://kubeflow-pipelines-profile-controller/sync + parentResource: + apiVersion: v1 + resource: namespaces + resyncPeriodSeconds: 10 diff --git a/tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-mysql.yaml b/tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-mysql.yaml new file mode 100644 index 0000000000..17ed7226d1 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-mysql.yaml @@ -0,0 +1,10 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: ml-pipeline-mysql + namespace: kubeflow +spec: + host: mysql.kubeflow.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL 
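Review bot: The sync hook is called at `url: http://kubeflow-pipelines-profile-controller/sync`, and the controller's Deployment in this patch sets `sidecar.istio.io/inject: "false"`, so the hook traffic is neither encrypted nor authenticated by the mesh. That matters because the hook's response decides which `secrets`, `deployments`, `serviceroles` and `servicerolebindings` are created under each parent Namespace (`parentResource` is `namespaces`). I would restrict ingress to the controller Service to metacontroller with a NetworkPolicy, or state in the source manifest why plain HTTP is acceptable here. `resyncPeriodSeconds: 10` also re-runs the hook every ten seconds; a comment explaining the short interval would help.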
diff --git a/tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-ui.yaml b/tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-ui.yaml new file mode 100644 index 0000000000..4086270d05 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-ui.yaml @@ -0,0 +1,10 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: ml-pipeline-ui + namespace: kubeflow +spec: + host: ml-pipeline-ui.kubeflow.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL diff --git a/tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-visualizationserver.yaml b/tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-visualizationserver.yaml new file mode 100644 index 0000000000..73b149901b --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-visualizationserver.yaml @@ -0,0 +1,10 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: ml-pipeline-visualizationserver + namespace: kubeflow +spec: + host: ml-pipeline-visualizationserver.kubeflow.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL diff --git a/tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline.yaml b/tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline.yaml new file mode 100644 index 0000000000..340adba385 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline.yaml 
@@ -0,0 +1,10 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: ml-pipeline + namespace: kubeflow +spec: + host: ml-pipeline.kubeflow.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-role.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-role.yaml new file mode 100644 index 0000000000..e604367357 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-role.yaml @@ -0,0 +1,31 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-pipelines-cache-role +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - get + - list + - watch + - update + - patch diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-metadata-writer-role.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-metadata-writer-role.yaml new file mode 100644 index 0000000000..a6ec986725 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-metadata-writer-role.yaml 
@@ -0,0 +1,31 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-pipelines-metadata-writer-role +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - get + - list + - watch + - update + - patch diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-persistenceagent-role.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-persistenceagent-role.yaml new file mode 100644 index 0000000000..b3053317b5 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-persistenceagent-role.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ml-pipeline-persistenceagent-role +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - get + - list + - watch +- apiGroups: + - kubeflow.org + resources: + - scheduledworkflows + verbs: + - get + - list + - watch diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-scheduledworkflow-role.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-scheduledworkflow-role.yaml new file mode 100644 index 0000000000..2b96dd482c --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-scheduledworkflow-role.yaml 
@@ -0,0 +1,36 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ml-pipeline-scheduledworkflow-role +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - kubeflow.org + resources: + - scheduledworkflows + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-ui.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-ui.yaml new file mode 100644 index 0000000000..cfc19ad40f --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-ui.yaml @@ -0,0 +1,44 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: ml-pipeline-ui + name: ml-pipeline-ui +rules: +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get +- apiGroups: + - "" + resources: + - events + verbs: + - list +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - create + - get + - list + - watch + - delete +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - get + - list diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-viewer-controller-role.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-viewer-controller-role.yaml new file mode 100644 index 0000000000..e2bca79710 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-viewer-controller-role.yaml 
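Review bot: The `ml-pipeline-ui` ClusterRole grants `get` and `list` on `secrets` in the core API group, and the `ml-pipeline-ui` ClusterRoleBinding added later in this patch makes that cluster-wide, so the UI's service account can read every Secret in every namespace. If the UI only needs the MinIO artifact credentials, the rule can be narrowed to `verbs: [get]` with `resourceNames: [mlpipeline-minio-artifact]`; `list` cannot be restricted by name and should be dropped. What the UI actually reads is an assumption, since its code is not in this diff. The role is rendered from the multi-user package, so the edit belongs there and the snapshot follows.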
@@ -0,0 +1,30 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ml-pipeline-viewer-controller-role +rules: +- apiGroups: + - '*' + resources: + - deployments + - services + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - create + - get + - list + - watch + - update + - patch + - delete diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-cache-binding.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-cache-binding.yaml new file mode 100644 index 0000000000..984316e3b5 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-cache-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubeflow-pipelines-cache-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubeflow-pipelines-cache-role +subjects: +- kind: ServiceAccount + name: kubeflow-pipelines-cache + namespace: kubeflow diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-metadata-writer-binding.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-metadata-writer-binding.yaml new file mode 100644 index 0000000000..7a3f9bc2d1 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-metadata-writer-binding.yaml 
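Review bot: `apiGroups: - '*'` on the first rule of `ml-pipeline-viewer-controller-role` grants create, update, patch and delete on any resource named `deployments` or `services` in every API group, and the `ml-pipeline-viewer-crd-binding` added later in this patch applies it to all namespaces. Naming the groups explicitly is tighter and easier to audit: one rule with `apiGroups: [""]` for `services` and one with `apiGroups: ["apps"]` for `deployments`. Which group the viewer controller uses for Deployments is not visible here, so confirm before narrowing. The role is rendered from the multi-user package, so the change belongs in that source.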
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubeflow-pipelines-metadata-writer-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubeflow-pipelines-metadata-writer-role +subjects: +- kind: ServiceAccount + name: kubeflow-pipelines-metadata-writer + namespace: kubeflow diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-persistenceagent-binding.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-persistenceagent-binding.yaml new file mode 100644 index 0000000000..ed59670f6c --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-persistenceagent-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ml-pipeline-persistenceagent-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ml-pipeline-persistenceagent-role +subjects: +- kind: ServiceAccount + name: ml-pipeline-persistenceagent + namespace: kubeflow diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-scheduledworkflow-binding.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-scheduledworkflow-binding.yaml new file mode 100644 index 0000000000..2ca201eb95 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-scheduledworkflow-binding.yaml 
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ml-pipeline-scheduledworkflow-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ml-pipeline-scheduledworkflow-role
+subjects:
+- kind: ServiceAccount
+ name: ml-pipeline-scheduledworkflow
+ namespace: kubeflow
diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-ui.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-ui.yaml
new file mode 100644
index 0000000000..2d8fb03ae3
--- /dev/null
+++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-ui.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: ml-pipeline-ui
+ name: ml-pipeline-ui
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ml-pipeline-ui
+subjects:
+- kind: ServiceAccount
+ name: ml-pipeline-ui
+ namespace: kubeflow
diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-viewer-crd-binding.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-viewer-crd-binding.yaml
new file mode 100644
index 0000000000..dd5e2411b3
--- /dev/null
+++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-viewer-crd-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ml-pipeline-viewer-crd-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ml-pipeline-viewer-controller-role
+subjects:
+- kind: ServiceAccount
+ name: ml-pipeline-viewer-crd-service-account
+ namespace: kubeflow
diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_ml-pipeline.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_ml-pipeline.yaml
new file mode 100644
index 0000000000..a88f27ff9e
--- /dev/null
+++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_ml-pipeline.yaml
@@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: ml-pipeline
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - scheduledworkflows
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_ml-pipeline.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_ml-pipeline.yaml
new file mode 100644
index 0000000000..9ce11cb2f9
--- /dev/null
+++ b/tests/stacks/examples/alice/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_ml-pipeline.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: ml-pipeline
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ml-pipeline
+subjects:
+- kind: ServiceAccount
+ name: ml-pipeline
+ namespace: kubeflow
diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerole_cache-server.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerole_cache-server.yaml
new file mode 100644
index 0000000000..94e549394a
--- /dev/null
+++ b/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerole_cache-server.yaml
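Review bot: ClusterRole `ml-pipeline` and the ClusterRoleBinding `ml-pipeline` in the next hunk are declared with `apiVersion: rbac.authorization.k8s.io/v1beta1`, while every other RBAC object added by this patch uses `rbac.authorization.k8s.io/v1`. The beta RBAC API is deprecated in favour of v1 and is no longer served by newer Kubernetes releases, so these two objects would be the first to stop applying on a cluster upgrade. Changing both to `apiVersion: rbac.authorization.k8s.io/v1` needs no other edits, since the fields used here are the same in v1. The profile-controller Deployment later in the patch has the same problem with `apps/v1beta1`, where the other Deployments use `apps/v1`.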
@@ -0,0 +1,9 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRole
+metadata:
+ name: cache-server
+ namespace: kubeflow
+spec:
+ rules:
+ - services:
+ - cache-server.kubeflow.svc.cluster.local
diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-services.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-services.yaml
new file mode 100644
index 0000000000..709d39d4bb
--- /dev/null
+++ b/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-services.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRole
+metadata:
+ name: ml-pipeline-services
+ namespace: kubeflow
+spec:
+ rules:
+ - services:
+ - ml-pipeline.kubeflow.svc.cluster.local
+ - ml-pipeline-ui.kubeflow.svc.cluster.local
+ - ml-pipeline-visualizationserver.kubeflow.svc.cluster.local
+ - mysql.kubeflow.svc.cluster.local
diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-ui.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-ui.yaml
new file mode 100644
index 0000000000..d73e328cd6
--- /dev/null
+++ b/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-ui.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRole
+metadata:
+ name: ml-pipeline-ui
+ namespace: kubeflow
+spec:
+ rules:
+ - services:
+ - ml-pipeline-ui.kubeflow.svc.cluster.local
diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-cache-server-admission-webhook.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-cache-server-admission-webhook.yaml
new file mode 100644
index 0000000000..742c3cdab8
--- /dev/null
+++ b/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-cache-server-admission-webhook.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRoleBinding
+metadata:
+ name: bind-cache-server-admission-webhook
+ namespace: kubeflow
+spec:
+ roleRef:
+ kind: ServiceRole
+ name: cache-server
+ subjects:
+ - user: '*'
diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-gateway-ml-pipeline-ui.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-gateway-ml-pipeline-ui.yaml
new file mode 100644
index 0000000000..d571b10ae8
--- /dev/null
+++ b/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-gateway-ml-pipeline-ui.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRoleBinding
+metadata:
+ name: bind-gateway-ml-pipeline-ui
+ namespace: kubeflow
+spec:
+ roleRef:
+ kind: ServiceRole
+ name: ml-pipeline-ui
+ subjects:
+ - properties:
+ source.namespace: istio-system
diff --git a/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-ml-pipeline-internal.yaml b/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-ml-pipeline-internal.yaml
new file mode 100644
index 0000000000..a714322328
--- /dev/null
+++ b/tests/stacks/examples/alice/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-ml-pipeline-internal.yaml
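Review bot: `subjects: - user: '*'` in ServiceRoleBinding `bind-cache-server-admission-webhook` admits every caller to `cache-server`, authenticated or not, whereas the other bindings in this patch restrict access by `source.namespace` or `source.principal`. If the wildcard is deliberate because the webhook is called by the Kubernetes API server, which presumably has no mesh identity, the source manifest should record that, for example `# called by kube-apiserver, which is outside the mesh; request authenticity relies on the webhook's own TLS`. Without that note the binding reads as an accidental open grant and is likely to be copied. This file appears to be a generated snapshot, so the comment belongs in the manifest it is built from.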
@@ -0,0 +1,22 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRoleBinding
+metadata:
+ name: bind-ml-pipeline-internal
+ namespace: kubeflow
+spec:
+ roleRef:
+ kind: ServiceRole
+ name: ml-pipeline-services
+ subjects:
+ - properties:
+ source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline
+ - properties:
+ source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-ui
+ - properties:
+ source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent
+ - properties:
+ source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
+ - properties:
+ source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
+ - properties:
+ source.principal: cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
diff --git a/tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-code-m828g88mtm.yaml b/tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-code-m828g88mtm.yaml
new file mode 100644
index 0000000000..55b5222d66
--- /dev/null
+++ b/tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-code-m828g88mtm.yaml
@@ -0,0 +1,288 @@ +apiVersion: v1 +data: + sync.py: | + # Copyright 2020 Google LLC + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + + from http.server import BaseHTTPRequestHandler, HTTPServer + import json + import os + import base64 + + kfp_version = os.environ["KFP_VERSION"] + disable_istio_sidecar = os.environ.get("DISABLE_ISTIO_SIDECAR") == "true" + mlpipeline_minio_access_key = os.environ.get("MINIO_ACCESS_KEY") + mlpipeline_minio_secret_key = os.environ.get("MINIO_SECRET_KEY") + + + class Controller(BaseHTTPRequestHandler): + def sync(self, parent, children): + # HACK: Currently using serving.kubeflow.org/inferenceservice to identify + # kubeflow user namespaces. + # TODO: let Kubeflow profile controller add a pipeline specific label to + # user namespaces and use that label instead. + pipeline_enabled = parent.get("metadata", {}).get( + "labels", {}).get("serving.kubeflow.org/inferenceservice") + + if not pipeline_enabled: + return {"status": {}, "children": []} + + # Compute status based on observed state. 
+ desired_status = { + "kubeflow-pipelines-ready": \ + len(children["Secret.v1"]) == 1 and \ + len(children["ConfigMap.v1"]) == 1 and \ + len(children["Deployment.apps/v1"]) == 2 and \ + len(children["Service.v1"]) == 2 and \ + len(children["DestinationRule.networking.istio.io/v1alpha3"]) == 1 and \ + len(children["ServiceRole.rbac.istio.io/v1alpha1"]) == 1 and \ + len(children["ServiceRoleBinding.rbac.istio.io/v1alpha1"]) == 1 and \ + "True" or "False" + } + + # Generate the desired child object(s). + # parent is a namespace + namespace = parent.get("metadata", {}).get("name") + desired_resources = [ + { + "apiVersion": "v1", + "kind": "ConfigMap", + "metadata": { + "name": "metadata-grpc-configmap", + "namespace": namespace, + }, + "data": { + "METADATA_GRPC_SERVICE_HOST": + "metadata-grpc-service.kubeflow", + "METADATA_GRPC_SERVICE_PORT": "8080", + }, + }, + # Visualization server related manifests below + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "ml-pipeline-visualizationserver" + }, + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "selector": { + "matchLabels": { + "app": "ml-pipeline-visualizationserver" + }, + }, + "template": { + "metadata": { + "labels": { + "app": "ml-pipeline-visualizationserver" + }, + "annotations": disable_istio_sidecar and { + "sidecar.istio.io/inject": "false" + } or {}, + }, + "spec": { + "containers": [{ + "image": + "gcr.io/ml-pipeline/visualization-server:" + + kfp_version, + "imagePullPolicy": + "IfNotPresent", + "name": + "ml-pipeline-visualizationserver", + "ports": [{ + "containerPort": 8888 + }], + }], + "serviceAccountName": + "default-editor", + }, + }, + }, + }, + { + "apiVersion": "networking.istio.io/v1alpha3", + "kind": "DestinationRule", + "metadata": { + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "host": "ml-pipeline-visualizationserver", + "trafficPolicy": { + "tls": { + "mode": 
"ISTIO_MUTUAL" + } + } + } + }, + { + "apiVersion": "rbac.istio.io/v1alpha1", + "kind": "ServiceRole", + "metadata": { + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "rules": [{ + "services": ["ml-pipeline-visualizationserver.*"] + }] + } + }, + { + "apiVersion": "rbac.istio.io/v1alpha1", + "kind": "ServiceRoleBinding", + "metadata": { + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "subjects": [{ + "properties": { + "source.principal": + "cluster.local/ns/kubeflow/sa/ml-pipeline" + } + }], + "roleRef": { + "kind": "ServiceRole", + "name": "ml-pipeline-visualizationserver" + } + } + }, + { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "ports": [{ + "name": "http", + "port": 8888, + "protocol": "TCP", + "targetPort": 8888, + }], + "selector": { + "app": "ml-pipeline-visualizationserver", + }, + }, + }, + # Artifact fetcher related resources below. 
+ { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "ml-pipeline-ui-artifact" + }, + "name": "ml-pipeline-ui-artifact", + "namespace": namespace, + }, + "spec": { + "selector": { + "matchLabels": { + "app": "ml-pipeline-ui-artifact" + } + }, + "template": { + "metadata": { + "labels": { + "app": "ml-pipeline-ui-artifact" + }, + "annotations": disable_istio_sidecar and { + "sidecar.istio.io/inject": "false" + } or {}, + }, + "spec": { + "containers": [{ + "name": + "ml-pipeline-ui-artifact", + "image": + "gcr.io/ml-pipeline/frontend:" + kfp_version, + "imagePullPolicy": + "IfNotPresent", + "ports": [{ + "containerPort": 3000 + }] + }], + "serviceAccountName": + "default-editor" + } + } + } + }, + { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "ml-pipeline-ui-artifact", + "namespace": namespace, + "labels": { + "app": "ml-pipeline-ui-artifact" + } + }, + "spec": { + "ports": [{ + "name": + "http", # name is required to let istio understand request protocol + "port": 80, + "protocol": "TCP", + "targetPort": 3000 + }], + "selector": { + "app": "ml-pipeline-ui-artifact" + } + } + }, + ] + print('Received request:', parent) + print('Desired resources except secrets:', desired_resources) + # Moved after the print argument because this is sensitive data. + desired_resources.append({ + "apiVersion": "v1", + "kind": "Secret", + "metadata": { + "name": "mlpipeline-minio-artifact", + "namespace": namespace, + }, + "data": { + "accesskey": base64.b64encode(mlpipeline_minio_access_key), + "secretkey": base64.b64encode(mlpipeline_minio_secret_key), + }, + }) + + return {"status": desired_status, "children": desired_resources} + + def do_POST(self): + # Serve the sync() function as a JSON webhook. 
+ observed = json.loads( + self.rfile.read(int(self.headers.get("content-length")))) + desired = self.sync(observed["parent"], observed["children"]) + + self.send_response(200) + self.send_header("Content-type", "application/json") + self.end_headers() + self.wfile.write(bytes(json.dumps(desired), 'utf-8')) + + + HTTPServer(("", 80), Controller).serve_forever() +kind: ConfigMap +metadata: + labels: + app: kubeflow-pipelines-profile-controller + name: kubeflow-pipelines-profile-controller-code-m828g88mtm + namespace: kubeflow diff --git a/tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-env-822cf46mft.yaml b/tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-env-822cf46mft.yaml new file mode 100644 index 0000000000..c5b62ff795 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-env-822cf46mft.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + DISABLE_ISTIO_SIDECAR: "false" + KFP_VERSION: 1.0.0-rc.3 +kind: ConfigMap +metadata: + labels: + app: kubeflow-pipelines-profile-controller + name: kubeflow-pipelines-profile-controller-env-822cf46mft + namespace: kubeflow diff --git a/tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_ml-pipeline-ui-configmap.yaml b/tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_ml-pipeline-ui-configmap.yaml new file mode 100644 index 0000000000..3bc667cc9b --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_ml-pipeline-ui-configmap.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +data: + viewer-pod-template.json: |- + { + "spec": { + "serviceAccountName": "default-editor" + } + } +kind: ConfigMap +metadata: + labels: + app: ml-pipeline-ui + name: ml-pipeline-ui-configmap + namespace: kubeflow 
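Review bot: In the Secret appended at the end of `sync()`, `base64.b64encode(mlpipeline_minio_access_key)` is given the `str` (or `None`) returned by `os.environ.get`, but under Python 3 `b64encode` requires bytes and returns bytes, which `json.dumps` in `do_POST` cannot serialise. The gcp Deployment in this patch runs the script with `python:3.7`, so every sync for a labelled namespace would presumably raise before a response is written and no per-namespace resources would be created. Encode and decode explicitly, `"accesskey": base64.b64encode(mlpipeline_minio_access_key.encode("utf-8")).decode("ascii"),` and the same for `secretkey`. Reading both variables with `os.environ[...]`, as is already done for `KFP_VERSION`, would make a missing key fail at start-up instead of on the first request.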
diff --git a/tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_pipeline-api-server-config-f4t72426kt.yaml b/tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_pipeline-api-server-config-f4t72426kt.yaml new file mode 100644 index 0000000000..5ffb95a2f1 --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/~g_v1_configmap_pipeline-api-server-config-f4t72426kt.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + DEFAULTPIPELINERUNNERSERVICEACCOUNT: default-editor + MULTIUSER: "true" + VISUALIZATIONSERVICE_NAME: ml-pipeline-visualizationserver + VISUALIZATIONSERVICE_PORT: "8888" +kind: ConfigMap +metadata: + name: pipeline-api-server-config-f4t72426kt + namespace: kubeflow diff --git a/tests/stacks/examples/alice/test_data/expected/~g_v1_service_kubeflow-pipelines-profile-controller.yaml b/tests/stacks/examples/alice/test_data/expected/~g_v1_service_kubeflow-pipelines-profile-controller.yaml new file mode 100644 index 0000000000..76400e279f --- /dev/null +++ b/tests/stacks/examples/alice/test_data/expected/~g_v1_service_kubeflow-pipelines-profile-controller.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: kubeflow-pipelines-profile-controller + name: kubeflow-pipelines-profile-controller + namespace: kubeflow +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + selector: + app: kubeflow-pipelines-profile-controller diff --git a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_cache-server.yaml b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_cache-server.yaml index 6c588c6913..06c8cfbed6 100644 --- a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_cache-server.yaml +++ b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_cache-server.yaml 
@@ -53,9 +53,7 @@ spec: key: password name: mysql-secret-fd5gktm75t - name: NAMESPACE_TO_WATCH - valueFrom: - fieldRef: - fieldPath: metadata.namespace + value: "" image: gcr.io/ml-pipeline/cache-server:1.0.0-rc.3 imagePullPolicy: Always name: server diff --git a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_metadata-writer.yaml b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_metadata-writer.yaml index 4b0a0d0c91..83adf18f72 100644 --- a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_metadata-writer.yaml +++ b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_metadata-writer.yaml @@ -18,9 +18,7 @@ spec: containers: - env: - name: NAMESPACE_TO_WATCH - valueFrom: - fieldRef: - fieldPath: metadata.namespace + value: "" image: gcr.io/ml-pipeline/metadata-writer:1.0.0-rc.3 name: main serviceAccountName: kubeflow-pipelines-metadata-writer diff --git a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-persistenceagent.yaml b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-persistenceagent.yaml index a4f9177a0b..adf776c9d6 100644 --- a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-persistenceagent.yaml +++ b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-persistenceagent.yaml @@ -17,9 +17,7 @@ spec: containers: - env: - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace + value: "" image: gcr.io/ml-pipeline/persistenceagent:1.0.0-rc.3 imagePullPolicy: IfNotPresent name: ml-pipeline-persistenceagent diff --git a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-scheduledworkflow.yaml b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-scheduledworkflow.yaml index f38eb6fabe..79db22ad5f 100644 --- a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-scheduledworkflow.yaml +++ b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-scheduledworkflow.yaml 
@@ -17,9 +17,7 @@ spec: containers: - env: - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace + value: "" image: gcr.io/ml-pipeline/scheduledworkflow:1.0.0-rc.3 imagePullPolicy: IfNotPresent name: ml-pipeline-scheduledworkflow diff --git a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-ui.yaml b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-ui.yaml index 0430d4b7bd..3aef188137 100644 --- a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-ui.yaml +++ b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-ui.yaml @@ -16,6 +16,28 @@ spec: spec: containers: - env: + - name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH + value: /etc/config/viewer-pod-template.json + - name: DEPLOYMENT + value: KUBEFLOW + - name: ARTIFACTS_SERVICE_PROXY_NAME + value: ml-pipeline-ui-artifact + - name: ARTIFACTS_SERVICE_PROXY_PORT + value: "80" + - name: ARTIFACTS_SERVICE_PROXY_ENABLED + value: "true" + - name: ENABLE_AUTHZ + value: "true" + - name: KUBEFLOW_USERID_HEADER + valueFrom: + configMapKeyRef: + key: userid-header + name: kubeflow-config-988m2m9m87 + - name: KUBEFLOW_USERID_PREFIX + valueFrom: + configMapKeyRef: + key: userid-prefix + name: kubeflow-config-988m2m9m87 - name: MINIO_NAMESPACE valueFrom: fieldRef: @@ -61,4 +83,12 @@ spec: initialDelaySeconds: 3 periodSeconds: 5 timeoutSeconds: 2 + volumeMounts: + - mountPath: /etc/config + name: config-volume + readOnly: true serviceAccountName: ml-pipeline-ui + volumes: + - configMap: + name: ml-pipeline-ui-configmap + name: config-volume diff --git a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-viewer-crd.yaml b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-viewer-crd.yaml index f6e9b9c7dc..976165b9e7 100644 --- a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-viewer-crd.yaml +++ b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline-viewer-crd.yaml 
@@ -16,6 +16,9 @@ spec: spec: containers: - env: + - name: NAMESPACE + value: "" + valueFrom: null - name: MAX_NUM_VIEWERS value: "50" - name: MINIO_NAMESPACE diff --git a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline.yaml b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline.yaml index 79adf2aab0..fd39549d68 100644 --- a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline.yaml +++ b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_ml-pipeline.yaml @@ -16,6 +16,16 @@ spec: spec: containers: - env: + - name: KUBEFLOW_USERID_HEADER + valueFrom: + configMapKeyRef: + key: userid-header + name: kubeflow-config-988m2m9m87 + - name: KUBEFLOW_USERID_PREFIX + valueFrom: + configMapKeyRef: + key: userid-prefix + name: kubeflow-config-988m2m9m87 - name: POD_NAMESPACE valueFrom: fieldRef: @@ -62,6 +72,9 @@ spec: secretKeyRef: key: secretkey name: mlpipeline-minio-artifact + envFrom: + - configMapRef: + name: pipeline-api-server-config-f4t72426kt image: gcr.io/ml-pipeline/api-server:1.0.0-rc.3 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/tests/stacks/gcp/test_data/expected/apps_v1beta1_deployment_kubeflow-pipelines-profile-controller.yaml b/tests/stacks/gcp/test_data/expected/apps_v1beta1_deployment_kubeflow-pipelines-profile-controller.yaml new file mode 100644 index 0000000000..d964f394f5 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/apps_v1beta1_deployment_kubeflow-pipelines-profile-controller.yaml 
@@ -0,0 +1,48 @@
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ labels:
+ app: kubeflow-pipelines-profile-controller
+ name: kubeflow-pipelines-profile-controller
+ namespace: kubeflow
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: kubeflow-pipelines-profile-controller
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: kubeflow-pipelines-profile-controller
+ spec:
+ containers:
+ - command:
+ - python
+ - /hooks/sync.py
+ env:
+ - name: MINIO_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: accesskey
+ name: mlpipeline-minio-artifact
+ - name: MINIO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: secretkey
+ name: mlpipeline-minio-artifact
+ envFrom:
+ - configMapRef:
+ name: kubeflow-pipelines-profile-controller-env-822cf46mft
+ image: python:3.7
+ name: profile-controller
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - mountPath: /hooks
+ name: hooks
+ volumes:
+ - configMap:
+ name: kubeflow-pipelines-profile-controller-code-m828g88mtm
+ name: hooks
diff --git a/tests/stacks/gcp/test_data/expected/metacontroller.k8s.io_v1alpha1_compositecontroller_kubeflow-pipelines-profile-controller.yaml b/tests/stacks/gcp/test_data/expected/metacontroller.k8s.io_v1alpha1_compositecontroller_kubeflow-pipelines-profile-controller.yaml
new file mode 100644
index 0000000000..96fe00bf44
--- /dev/null
+++ b/tests/stacks/gcp/test_data/expected/metacontroller.k8s.io_v1alpha1_compositecontroller_kubeflow-pipelines-profile-controller.yaml
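Review bot: The pod template sets `sidecar.istio.io/inject: "false"` on a container that holds `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY` and serves `sync.py` on port 80, so this webhook sits outside the mesh's mutual TLS and ServiceRole checks that the patch adds for the other pipeline services. The `sync.py` shipped in this patch returns the MinIO Secret in its response body without authenticating the caller, so unless a NetworkPolicy elsewhere limits ingress, any workload that can reach the Service receives those keys over plain HTTP. Restricting ingress to the metacontroller pods with a NetworkPolicy, or keeping the sidecar and adding a ServiceRole and binding for this service, would close that gap. Separately, `image: python:3.7` is a floating tag; pinning it as `image: python:3.7@sha256:<digest>` (placeholder) keeps the interpreter that handles the keys reproducible.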
@@ -0,0 +1,46 @@
+apiVersion: metacontroller.k8s.io/v1alpha1
+kind: CompositeController
+metadata:
+ labels:
+ app: kubeflow-pipelines-profile-controller
+ name: kubeflow-pipelines-profile-controller
+ namespace: kubeflow
+spec:
+ childResources:
+ - apiVersion: v1
+ resource: secrets
+ updateStrategy:
+ method: OnDelete
+ - apiVersion: v1
+ resource: configmaps
+ updateStrategy:
+ method: OnDelete
+ - apiVersion: apps/v1
+ resource: deployments
+ updateStrategy:
+ method: InPlace
+ - apiVersion: v1
+ resource: services
+ updateStrategy:
+ method: InPlace
+ - apiVersion: networking.istio.io/v1alpha3
+ resource: destinationrules
+ updateStrategy:
+ method: InPlace
+ - apiVersion: rbac.istio.io/v1alpha1
+ resource: serviceroles
+ updateStrategy:
+ method: InPlace
+ - apiVersion: rbac.istio.io/v1alpha1
+ resource: servicerolebindings
+ updateStrategy:
+ method: InPlace
+ generateSelector: true
+ hooks:
+ sync:
+ webhook:
+ url: http://kubeflow-pipelines-profile-controller/sync
+ parentResource:
+ apiVersion: v1
+ resource: namespaces
+ resyncPeriodSeconds: 10
diff --git a/tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-mysql.yaml b/tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-mysql.yaml
new file mode 100644
index 0000000000..17ed7226d1
--- /dev/null
+++ b/tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-mysql.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: ml-pipeline-mysql
+ namespace: kubeflow
+spec:
+ host: mysql.kubeflow.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
diff --git a/tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-ui.yaml b/tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-ui.yaml
new file mode 100644
index 0000000000..4086270d05
--- /dev/null
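Review bot: The `secrets` child resource is declared with `updateStrategy.method: OnDelete`, so once `mlpipeline-minio-artifact` exists in a user namespace, a later change to the MinIO keys is not written to that copy until something deletes it. After a key rotation every existing profile namespace would keep the old credential while new namespaces get the new one. If that is intended, the manual delete step should be documented next to this controller; otherwise `method: InPlace` for `secrets`, as already used for the other children, lets the copies follow the source. This file appears to be a generated snapshot, so the change belongs in the manifest it is built from.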
+++ b/tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-ui.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: ml-pipeline-ui
+ namespace: kubeflow
+spec:
+ host: ml-pipeline-ui.kubeflow.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
diff --git a/tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-visualizationserver.yaml b/tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-visualizationserver.yaml
new file mode 100644
index 0000000000..73b149901b
--- /dev/null
+++ b/tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-visualizationserver.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: ml-pipeline-visualizationserver
+ namespace: kubeflow
+spec:
+ host: ml-pipeline-visualizationserver.kubeflow.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
diff --git a/tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline.yaml b/tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline.yaml
new file mode 100644
index 0000000000..340adba385
--- /dev/null
+++ b/tests/stacks/gcp/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: ml-pipeline
+ namespace: kubeflow
+spec:
+ host: ml-pipeline.kubeflow.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-role.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-role.yaml
new file mode 100644
index 0000000000..e604367357
--- /dev/null
+++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-role.yaml
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-pipelines-cache-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-metadata-writer-role.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-metadata-writer-role.yaml
new file mode 100644
index 0000000000..a6ec986725
--- /dev/null
+++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-metadata-writer-role.yaml
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-pipelines-metadata-writer-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-persistenceagent-role.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-persistenceagent-role.yaml
new file mode 100644
index 0000000000..b3053317b5
--- /dev/null
+++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-persistenceagent-role.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ml-pipeline-persistenceagent-role
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - scheduledworkflows
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-scheduledworkflow-role.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-scheduledworkflow-role.yaml
new file mode 100644
index 0000000000..2b96dd482c
--- /dev/null
+++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-scheduledworkflow-role.yaml
@@ -0,0 +1,36 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ml-pipeline-scheduledworkflow-role
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - scheduledworkflows
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-ui.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-ui.yaml
new file mode 100644
index 0000000000..cfc19ad40f
--- /dev/null
+++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-ui.yaml
@@ -0,0 +1,44 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: ml-pipeline-ui + name: ml-pipeline-ui +rules: +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get +- apiGroups: + - "" + resources: + - events + verbs: + - list +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - create + - get + - list + - watch + - delete +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - get + - list diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-viewer-controller-role.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-viewer-controller-role.yaml new file mode 100644 index 0000000000..e2bca79710 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-viewer-controller-role.yaml @@ -0,0 +1,30 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ml-pipeline-viewer-controller-role +rules: +- apiGroups: + - '*' + resources: + - deployments + - services + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - create + - get + - list + - watch + - update + - patch + - delete diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-cache-binding.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-cache-binding.yaml new file mode 100644 index 0000000000..984316e3b5 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-cache-binding.yaml 
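Review bot: The third rule of the `ml-pipeline-ui` ClusterRole grants `get` and `list` on `secrets` with no `resourceNames`, and the ClusterRoleBinding of the same name later in this patch binds it to the `ml-pipeline-ui` ServiceAccount, so the UI pod's token can read every Secret in every namespace. The only per-namespace Secret this patch shows being created is `mlpipeline-minio-artifact`. If that is what the UI reads, which the hunk does not confirm, I would drop `list` and add `resourceNames: [mlpipeline-minio-artifact]` to the rule. This file is an expected-output snapshot, so the change belongs in the manifest it is generated from.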
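Review bot: The first rule of `ml-pipeline-viewer-controller-role` uses `apiGroups: ['*']` for `deployments` and `services` with every write verb, so the grant also covers any other API group that serves resources with those names (Knative Serving has its own `services`, for example). Naming the groups keeps it to what the viewer controller presumably creates: `- ""` for Services and `- apps` for Deployments. Because this is a ClusterRole bound through `ml-pipeline-viewer-crd-binding`, the grant applies in all namespaces, which makes the narrower list more important than it would be in a namespaced Role. The snapshot only mirrors the source manifest, which is where the edit would go.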
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubeflow-pipelines-cache-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubeflow-pipelines-cache-role +subjects: +- kind: ServiceAccount + name: kubeflow-pipelines-cache + namespace: kubeflow diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-metadata-writer-binding.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-metadata-writer-binding.yaml new file mode 100644 index 0000000000..7a3f9bc2d1 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-metadata-writer-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubeflow-pipelines-metadata-writer-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubeflow-pipelines-metadata-writer-role +subjects: +- kind: ServiceAccount + name: kubeflow-pipelines-metadata-writer + namespace: kubeflow diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-persistenceagent-binding.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-persistenceagent-binding.yaml new file mode 100644 index 0000000000..ed59670f6c --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-persistenceagent-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ml-pipeline-persistenceagent-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ml-pipeline-persistenceagent-role +subjects: +- kind: ServiceAccount + name: ml-pipeline-persistenceagent + namespace: kubeflow 
diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-scheduledworkflow-binding.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-scheduledworkflow-binding.yaml new file mode 100644 index 0000000000..2ca201eb95 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-scheduledworkflow-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ml-pipeline-scheduledworkflow-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ml-pipeline-scheduledworkflow-role +subjects: +- kind: ServiceAccount + name: ml-pipeline-scheduledworkflow + namespace: kubeflow diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-ui.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-ui.yaml new file mode 100644 index 0000000000..2d8fb03ae3 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-ui.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: ml-pipeline-ui + name: ml-pipeline-ui +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ml-pipeline-ui +subjects: +- kind: ServiceAccount + name: ml-pipeline-ui + namespace: kubeflow diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-viewer-crd-binding.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-viewer-crd-binding.yaml new file mode 100644 index 0000000000..dd5e2411b3 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-viewer-crd-binding.yaml 
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ml-pipeline-viewer-crd-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ml-pipeline-viewer-controller-role +subjects: +- kind: ServiceAccount + name: ml-pipeline-viewer-crd-service-account + namespace: kubeflow diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_ml-pipeline.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_ml-pipeline.yaml new file mode 100644 index 0000000000..a88f27ff9e --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_ml-pipeline.yaml @@ -0,0 +1,34 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: ml-pipeline +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - kubeflow.org + resources: + - scheduledworkflows + verbs: + - create + - get + - list + - update + - patch + - delete +- apiGroups: + - "" + resources: + - pods + verbs: + - delete diff --git a/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_ml-pipeline.yaml b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_ml-pipeline.yaml new file mode 100644 index 0000000000..9ce11cb2f9 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_ml-pipeline.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: ml-pipeline +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ml-pipeline +subjects: +- kind: ServiceAccount + name: ml-pipeline + namespace: kubeflow 
diff --git a/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerole_cache-server.yaml b/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerole_cache-server.yaml new file mode 100644 index 0000000000..94e549394a --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerole_cache-server.yaml @@ -0,0 +1,9 @@ +apiVersion: rbac.istio.io/v1alpha1 +kind: ServiceRole +metadata: + name: cache-server + namespace: kubeflow +spec: + rules: + - services: + - cache-server.kubeflow.svc.cluster.local diff --git a/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-services.yaml b/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-services.yaml new file mode 100644 index 0000000000..709d39d4bb --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-services.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.istio.io/v1alpha1 +kind: ServiceRole +metadata: + name: ml-pipeline-services + namespace: kubeflow +spec: + rules: + - services: + - ml-pipeline.kubeflow.svc.cluster.local + - ml-pipeline-ui.kubeflow.svc.cluster.local + - ml-pipeline-visualizationserver.kubeflow.svc.cluster.local + - mysql.kubeflow.svc.cluster.local diff --git a/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-ui.yaml b/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-ui.yaml new file mode 100644 index 0000000000..d73e328cd6 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-ui.yaml @@ -0,0 +1,9 @@ +apiVersion: rbac.istio.io/v1alpha1 +kind: ServiceRole +metadata: + name: ml-pipeline-ui + namespace: kubeflow +spec: + rules: + - services: + - ml-pipeline-ui.kubeflow.svc.cluster.local 
diff --git a/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-cache-server-admission-webhook.yaml b/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-cache-server-admission-webhook.yaml new file mode 100644 index 0000000000..742c3cdab8 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-cache-server-admission-webhook.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.istio.io/v1alpha1 +kind: ServiceRoleBinding +metadata: + name: bind-cache-server-admission-webhook + namespace: kubeflow +spec: + roleRef: + kind: ServiceRole + name: cache-server + subjects: + - user: '*' diff --git a/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-gateway-ml-pipeline-ui.yaml b/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-gateway-ml-pipeline-ui.yaml new file mode 100644 index 0000000000..d571b10ae8 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-gateway-ml-pipeline-ui.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.istio.io/v1alpha1 +kind: ServiceRoleBinding +metadata: + name: bind-gateway-ml-pipeline-ui + namespace: kubeflow +spec: + roleRef: + kind: ServiceRole + name: ml-pipeline-ui + subjects: + - properties: + source.namespace: istio-system diff --git a/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-ml-pipeline-internal.yaml b/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-ml-pipeline-internal.yaml new file mode 100644 index 0000000000..a714322328 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-ml-pipeline-internal.yaml 
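Review bot: In `bind-cache-server-admission-webhook`, `subjects: - user: '*'` binds the `cache-server` ServiceRole to every caller, and in Istio's v1alpha1 RBAC that wildcard matches unauthenticated requests as well as authenticated ones. The binding's name suggests this is deliberate, presumably because the Kubernetes API server calls the admission webhook without a mesh identity, but nothing in the manifest says so. I would add a comment above the subject in the source manifest, for example `# kube-apiserver calls this webhook from outside the mesh, so the caller cannot be pinned to a principal`. The other bindings in this patch use `source.principal` or `source.namespace`, which makes this exception easy to miss in review.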
@@ -0,0 +1,22 @@ +apiVersion: rbac.istio.io/v1alpha1 +kind: ServiceRoleBinding +metadata: + name: bind-ml-pipeline-internal + namespace: kubeflow +spec: + roleRef: + kind: ServiceRole + name: ml-pipeline-services + subjects: + - properties: + source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline + - properties: + source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-ui + - properties: + source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent + - properties: + source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow + - properties: + source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account + - properties: + source.principal: cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache diff --git a/tests/stacks/gcp/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-code-m828g88mtm.yaml b/tests/stacks/gcp/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-code-m828g88mtm.yaml new file mode 100644 index 0000000000..55b5222d66 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-code-m828g88mtm.yaml 
@@ -0,0 +1,288 @@ +apiVersion: v1 +data: + sync.py: | + # Copyright 2020 Google LLC + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + + from http.server import BaseHTTPRequestHandler, HTTPServer + import json + import os + import base64 + + kfp_version = os.environ["KFP_VERSION"] + disable_istio_sidecar = os.environ.get("DISABLE_ISTIO_SIDECAR") == "true" + mlpipeline_minio_access_key = os.environ.get("MINIO_ACCESS_KEY") + mlpipeline_minio_secret_key = os.environ.get("MINIO_SECRET_KEY") + + + class Controller(BaseHTTPRequestHandler): + def sync(self, parent, children): + # HACK: Currently using serving.kubeflow.org/inferenceservice to identify + # kubeflow user namespaces. + # TODO: let Kubeflow profile controller add a pipeline specific label to + # user namespaces and use that label instead. + pipeline_enabled = parent.get("metadata", {}).get( + "labels", {}).get("serving.kubeflow.org/inferenceservice") + + if not pipeline_enabled: + return {"status": {}, "children": []} + + # Compute status based on observed state. 
+ desired_status = { + "kubeflow-pipelines-ready": \ + len(children["Secret.v1"]) == 1 and \ + len(children["ConfigMap.v1"]) == 1 and \ + len(children["Deployment.apps/v1"]) == 2 and \ + len(children["Service.v1"]) == 2 and \ + len(children["DestinationRule.networking.istio.io/v1alpha3"]) == 1 and \ + len(children["ServiceRole.rbac.istio.io/v1alpha1"]) == 1 and \ + len(children["ServiceRoleBinding.rbac.istio.io/v1alpha1"]) == 1 and \ + "True" or "False" + } + + # Generate the desired child object(s). + # parent is a namespace + namespace = parent.get("metadata", {}).get("name") + desired_resources = [ + { + "apiVersion": "v1", + "kind": "ConfigMap", + "metadata": { + "name": "metadata-grpc-configmap", + "namespace": namespace, + }, + "data": { + "METADATA_GRPC_SERVICE_HOST": + "metadata-grpc-service.kubeflow", + "METADATA_GRPC_SERVICE_PORT": "8080", + }, + }, + # Visualization server related manifests below + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "ml-pipeline-visualizationserver" + }, + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "selector": { + "matchLabels": { + "app": "ml-pipeline-visualizationserver" + }, + }, + "template": { + "metadata": { + "labels": { + "app": "ml-pipeline-visualizationserver" + }, + "annotations": disable_istio_sidecar and { + "sidecar.istio.io/inject": "false" + } or {}, + }, + "spec": { + "containers": [{ + "image": + "gcr.io/ml-pipeline/visualization-server:" + + kfp_version, + "imagePullPolicy": + "IfNotPresent", + "name": + "ml-pipeline-visualizationserver", + "ports": [{ + "containerPort": 8888 + }], + }], + "serviceAccountName": + "default-editor", + }, + }, + }, + }, + { + "apiVersion": "networking.istio.io/v1alpha3", + "kind": "DestinationRule", + "metadata": { + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "host": "ml-pipeline-visualizationserver", + "trafficPolicy": { + "tls": { + "mode": 
"ISTIO_MUTUAL" + } + } + } + }, + { + "apiVersion": "rbac.istio.io/v1alpha1", + "kind": "ServiceRole", + "metadata": { + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "rules": [{ + "services": ["ml-pipeline-visualizationserver.*"] + }] + } + }, + { + "apiVersion": "rbac.istio.io/v1alpha1", + "kind": "ServiceRoleBinding", + "metadata": { + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "subjects": [{ + "properties": { + "source.principal": + "cluster.local/ns/kubeflow/sa/ml-pipeline" + } + }], + "roleRef": { + "kind": "ServiceRole", + "name": "ml-pipeline-visualizationserver" + } + } + }, + { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "ml-pipeline-visualizationserver", + "namespace": namespace, + }, + "spec": { + "ports": [{ + "name": "http", + "port": 8888, + "protocol": "TCP", + "targetPort": 8888, + }], + "selector": { + "app": "ml-pipeline-visualizationserver", + }, + }, + }, + # Artifact fetcher related resources below. 
+ { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "ml-pipeline-ui-artifact" + }, + "name": "ml-pipeline-ui-artifact", + "namespace": namespace, + }, + "spec": { + "selector": { + "matchLabels": { + "app": "ml-pipeline-ui-artifact" + } + }, + "template": { + "metadata": { + "labels": { + "app": "ml-pipeline-ui-artifact" + }, + "annotations": disable_istio_sidecar and { + "sidecar.istio.io/inject": "false" + } or {}, + }, + "spec": { + "containers": [{ + "name": + "ml-pipeline-ui-artifact", + "image": + "gcr.io/ml-pipeline/frontend:" + kfp_version, + "imagePullPolicy": + "IfNotPresent", + "ports": [{ + "containerPort": 3000 + }] + }], + "serviceAccountName": + "default-editor" + } + } + } + }, + { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "ml-pipeline-ui-artifact", + "namespace": namespace, + "labels": { + "app": "ml-pipeline-ui-artifact" + } + }, + "spec": { + "ports": [{ + "name": + "http", # name is required to let istio understand request protocol + "port": 80, + "protocol": "TCP", + "targetPort": 3000 + }], + "selector": { + "app": "ml-pipeline-ui-artifact" + } + } + }, + ] + print('Received request:', parent) + print('Desired resources except secrets:', desired_resources) + # Moved after the print argument because this is sensitive data. + desired_resources.append({ + "apiVersion": "v1", + "kind": "Secret", + "metadata": { + "name": "mlpipeline-minio-artifact", + "namespace": namespace, + }, + "data": { + "accesskey": base64.b64encode(mlpipeline_minio_access_key), + "secretkey": base64.b64encode(mlpipeline_minio_secret_key), + }, + }) + + return {"status": desired_status, "children": desired_resources} + + def do_POST(self): + # Serve the sync() function as a JSON webhook. 
+ observed = json.loads( + self.rfile.read(int(self.headers.get("content-length")))) + desired = self.sync(observed["parent"], observed["children"]) + + self.send_response(200) + self.send_header("Content-type", "application/json") + self.end_headers() + self.wfile.write(bytes(json.dumps(desired), 'utf-8')) + + + HTTPServer(("", 80), Controller).serve_forever() +kind: ConfigMap +metadata: + labels: + app: kubeflow-pipelines-profile-controller + name: kubeflow-pipelines-profile-controller-code-m828g88mtm + namespace: kubeflow diff --git a/tests/stacks/gcp/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-env-822cf46mft.yaml b/tests/stacks/gcp/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-env-822cf46mft.yaml new file mode 100644 index 0000000000..c5b62ff795 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-env-822cf46mft.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + DISABLE_ISTIO_SIDECAR: "false" + KFP_VERSION: 1.0.0-rc.3 +kind: ConfigMap +metadata: + labels: + app: kubeflow-pipelines-profile-controller + name: kubeflow-pipelines-profile-controller-env-822cf46mft + namespace: kubeflow diff --git a/tests/stacks/gcp/test_data/expected/~g_v1_configmap_ml-pipeline-ui-configmap.yaml b/tests/stacks/gcp/test_data/expected/~g_v1_configmap_ml-pipeline-ui-configmap.yaml new file mode 100644 index 0000000000..3bc667cc9b --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/~g_v1_configmap_ml-pipeline-ui-configmap.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +data: + viewer-pod-template.json: |- + { + "spec": { + "serviceAccountName": "default-editor" + } + } +kind: ConfigMap +metadata: + labels: + app: ml-pipeline-ui + name: ml-pipeline-ui-configmap + namespace: kubeflow 
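Review bot: In `sync`, the `accesskey` and `secretkey` entries call `base64.b64encode` on the value returned by `os.environ.get`, which is a `str`, or `None` when the variable is unset, while `b64encode` needs bytes. The `bytes` it returns also cannot be serialised by the `json.dumps` call in `do_POST`. Under Python 3, which the `http.server` import and `bytes(..., 'utf-8')` indicate, every sync for a pipeline-enabled namespace would raise instead of returning the Secret. I would read the keys with `os.environ["MINIO_ACCESS_KEY"]` so a missing value fails at start-up, and build each field as `base64.b64encode(mlpipeline_minio_access_key.encode("utf-8")).decode("utf-8")`, likewise for `secretkey`. The script lives in the ConfigMap source that this snapshot mirrors, so the fix goes there and the snapshot is regenerated.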
diff --git a/tests/stacks/gcp/test_data/expected/~g_v1_configmap_pipeline-api-server-config-f4t72426kt.yaml b/tests/stacks/gcp/test_data/expected/~g_v1_configmap_pipeline-api-server-config-f4t72426kt.yaml new file mode 100644 index 0000000000..5ffb95a2f1 --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/~g_v1_configmap_pipeline-api-server-config-f4t72426kt.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + DEFAULTPIPELINERUNNERSERVICEACCOUNT: default-editor + MULTIUSER: "true" + VISUALIZATIONSERVICE_NAME: ml-pipeline-visualizationserver + VISUALIZATIONSERVICE_PORT: "8888" +kind: ConfigMap +metadata: + name: pipeline-api-server-config-f4t72426kt + namespace: kubeflow diff --git a/tests/stacks/gcp/test_data/expected/~g_v1_service_kubeflow-pipelines-profile-controller.yaml b/tests/stacks/gcp/test_data/expected/~g_v1_service_kubeflow-pipelines-profile-controller.yaml new file mode 100644 index 0000000000..76400e279f --- /dev/null +++ b/tests/stacks/gcp/test_data/expected/~g_v1_service_kubeflow-pipelines-profile-controller.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: kubeflow-pipelines-profile-controller + name: kubeflow-pipelines-profile-controller + namespace: kubeflow +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + selector: + app: kubeflow-pipelines-profile-controller