[Manifest] Apply kustomize best practices to standalone manifest

manifests/kustomize/base/argo/workflow-controller-configmap.yaml

@@ -5,14 +5,14 @@ metadata:
 data:
   config: |
     {
-    namespace: $(NAMESPACE),
+    namespace: $(kfp-namespace),
     executorImage: gcr.io/ml-pipeline/argoexec:v2.7.5-license-compliance,
     artifactRepository:
     {
         s3: {
             bucket: $(BUCKET_NAME),
             keyPrefix: artifacts,
-            endpoint: minio-service.$(NAMESPACE):9000,
+            endpoint: minio-service.$(kfp-namespace):9000,
             insecure: true,
             accessKeySecret: {
                 name: mlpipeline-minio-artifact,

manifests/kustomize/base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml

@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: kubeflow-pipelines-cache-deployer-sa
-  namespace: $(NAMESPACE)
+# namespace will be added by kustomize automatically according to the namespace field in kustomization.yaml

manifests/kustomize/base/cache-deployer/cache-deployer-sa.yaml → manifests/kustomize/base/cache-deployer/cluster-scoped/cache-deployer-sa.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: kubeflow-pipelines-cache-deployer-sa
+  name: kubeflow-pipelines-cache-deployer-sa

manifests/kustomize/base/cache-deployer/cluster-scoped/kustomization.yaml

@@ -4,4 +4,8 @@ kind: Kustomization
 resources:
   - cache-deployer-clusterrole.yaml
   - cache-deployer-clusterrolebinding.yaml
+  # HACK: although a service account(SA) is not a cluster-scoped resource.
+  # Presence of a SA referred by a clusterrolebinding allows kustomize to auto-add
+  # namespace for the clusterrolebinding's SA ref.
+  - cache-deployer-sa.yaml
 

manifests/kustomize/base/cache-deployer/kustomization.yaml

@@ -4,6 +4,4 @@ kind: Kustomization
 resources:
   - cache-deployer-role.yaml
   - cache-deployer-rolebinding.yaml
-  - cache-deployer-sa.yaml
   - cache-deployer-deployment.yaml
-

manifests/kustomize/base/kustomization.yaml

@@ -37,7 +37,7 @@ secretGenerator:
 - name: mysql-secret
   env: params-db-secret.env
 vars:
-- name: NAMESPACE
+- name: kfp-namespace
   objref:
     kind: Deployment
     apiVersion: apps/v1

manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml

@@ -22,7 +22,10 @@ spec:
         - name: OBJECTSTORECONFIG_SECURE
           value: "false"
         - name: OBJECTSTORECONFIG_BUCKETNAME
-          value: $(BUCKET_NAME)
+          valueFrom:
+            configMapKeyRef:
+              name: pipeline-install-config
+              key: bucketName
         - name: DBCONFIG_USER
           valueFrom:
             secretKeyRef:

manifests/kustomize/cluster-scoped-resources/kustomization.yaml

@@ -1,28 +1,27 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+namespace: kubeflow
+
+resources:
+- namespace.yaml
 bases:
 - ../base/application/cluster-scoped
 - ../base/argo/cluster-scoped
 - ../base/pipeline/cluster-scoped
 - ../base/cache-deployer/cluster-scoped
-
-resources:
-  - namespace.yaml
-
-# Used by Kustomize
-configMapGenerator:
-  - name: pipeline-cluster-scoped-install-config
-    env: params.env
-
 vars:
-  - name: NAMESPACE
-    objref:
-      kind: ConfigMap
-      name: pipeline-cluster-scoped-install-config
-      apiVersion: v1
-    fieldref:
-      fieldpath: data.namespace
-
+# NOTE: var name must be unique globally to allow composition of multiple kustomize
+# packages. Therefore, we added prefix `kfp-cluster-scoped-` to distinguish it from
+# others.
+- name: kfp-cluster-scoped-namespace
+  objref:
+    # cache deployer sa's metadata.namespace will be first transformed by namespace field in kustomization.yaml
+    # so that we only need to change kustomization.yaml's namespace field for namespace customization.
+    kind: ServiceAccount
+    name: kubeflow-pipelines-cache-deployer-sa
+    apiVersion: v1
+  fieldref:
+    fieldpath: metadata.namespace
 configurations:
-  - params.yaml
+- params.yaml

manifests/kustomize/cluster-scoped-resources/namespace.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: $(NAMESPACE)
+  name: '$(kfp-cluster-scoped-namespace)'

manifests/kustomize/cluster-scoped-resources/params.yaml

@@ -2,5 +2,3 @@
 varReference:
 - path: metadata/name
   kind: Namespace
-- path: subjects/namespace
-  kind: ClusterRoleBinding

manifests/kustomize/sample/cluster-scoped-resources/kustomization.yaml

@@ -1,12 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+# !!! If you want to customize the namespace,
+# please also update sample/kustomization.yaml's namespace field to the same value
+namespace: kubeflow
+
 bases:
   # Or github.com/kubeflow/pipelines/manifests/kustomize/cluster-scoped-resources?ref=1.0.0
   - ../../cluster-scoped-resources
-
-# Change the value in params.env to yours.
-configMapGenerator:
-  - name: pipeline-cluster-scoped-install-config
-    env: params.env
-    behavior: merge

manifests/kustomize/sample/kustomization.yaml

@@ -23,7 +23,7 @@ secretGenerator:
     behavior: merge
 
 # !!! If you want to customize the namespace,
-# please also update sample/params.env and sample/cluster-scoped-resources/params.env
+# please also update sample/cluster-scoped-resources/kustomization.yaml's namespace field to the same value
 namespace: kubeflow
 
 #### Customization ###