diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 000000000..8f161d5c0
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+*.yaml linguist-detectable=true
+*.json linguist-detectable=true
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 69135c7a6..15bc4b600 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -37,6 +37,26 @@
 "groupName": "rook-ceph",
 "additionalBranchPrefix": ""
 },
+ {
+ "description": "Group Kubeflow Pipelines update",
+ "matchPackagePatterns": ["^(kubeflow|gcr.io)\/(ml-|tfx-oss-public\/ml_metadata_store_server).?(pipeline)?.*"],
+ "groupName": "kubeflow-pipelines",
+ "additionalBranchPrefix": ""
+ },
+ {
+ "description": "Group KNative",
+ "matchPackagePatterns": ["^gcr.io\/knative.*$"],
+ "groupName": "knative",
+ "additionalBranchPrefix": ""
+ },
+ {
+ "description": "Notebook Updates",
+ "matchPackagePatterns": ["^ghcr.io\/pluralsh\/kubeflow-notebooks.*"],
+ "groupName": "notebooks",
+ "automerge": true,
+ "requiredStatusChecks": null,
+ "additionalBranchPrefix": ""
+ },
 //{
 // "matchDatasources": [
 // "docker"
@@ -64,9 +84,13 @@
 "kustomize": {
 "enabled": true,
 },
+ // Enable scanning of Kubernetes YAML
+ "kubernetes": {
+ "fileMatch": ["\\.yaml$"]
+ },
 // Update Argo CD application specs
 "argocd": {
- "fileMatch": ["argocd-applications/.+\\.yaml$"]
+ "fileMatch": ["(argocd-applications|oidc-auth)/.+\\.yaml$"]
 },
 "regexManagers": [
 {
@@ -105,6 +129,14 @@
 "(tag:|value:) (?.*) # (?.*)"
 ],
 "datasourceTemplate": "docker"
+ },
+ // Update Jupyter Spawner Images
+ {
+ "fileMatch": ["(^|/)spawner_ui_config.yaml$"],
+ "matchStrings": [
+ "(value:|-) (?kubeflownotebooks\/[^\/]*?)\:(?.*)"
+ ],
+ "datasourceTemplate": "docker"
+ }
 ]
 }
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 000000000..e389db051
--- /dev/null
+++ b/.github/workflows/release.yaml
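Review bot: The `notebooks` rule at the end of the first renovate.json5 hunk combines `"automerge": true` with `"requiredStatusChecks": null`, which tells Renovate to merge a new `ghcr.io/pluralsh/kubeflow-notebooks` tag into the default branch as soon as the PR exists, without waiting for any status check. This file also drives an `argocd` manager, so the repository looks like a GitOps source; if so, anyone who can push a tag into that registry namespace changes what gets deployed with no CI or human gate in between. I would drop the null `requiredStatusChecks` (it is a deprecated option in newer Renovate versions, so its effect also depends on which Renovate runs here) and narrow the rule, e.g. `"automerge": true, "matchUpdateTypes": ["patch", "minor"]`, relying on branch protection to require a passing check before merge. Less urgently, the unescaped dots in `^(kubeflow|gcr.io)\/...` and `^gcr.io\/knative.*$` match any character; `gcr\\.io` is what is meant.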
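Review bot: The new `regexManagers` entry for `spawner_ui_config.yaml` has capture groups written as `(?kubeflownotebooks\/[^\/]*?)` and `(?.*)`, which is not a valid regex as shown; this very likely is the `<depName>` / `<currentValue>` names stripped by the page rendering (the existing `(tag:|value:) (?.*) # (?.*)` line above it shows the same damage), but the committed file should be checked, since Renovate will reject a `matchStrings` entry it cannot compile. Assuming the names are `depName` and `currentValue`, the extracted dependency is `kubeflownotebooks/<image>` with no registry prefix, so the `docker` datasource will resolve it against the default registry, and it will not match the `^ghcr.io\/pluralsh\/kubeflow-notebooks.*` package rule from the first hunk, meaning these updates are neither grouped nor automerged by that rule. If those images live on ghcr.io, either capture the full reference or add `"registryUrlTemplate"` / a `depNameTemplate` so the two configurations agree.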
@@ -0,0 +1,26 @@
+name: Release
+on:
+ push:
+ branches: [ master ]
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Semantic Release
+ uses: cycjimmy/semantic-release-action@v2
+ id: semantic
+ with:
+ semantic_version: 16
+ extra_plugins: |
+ @semantic-release/changelog
+ @semantic-release/git
+ conventional-changelog-eslint
+ branches: |
+ ['master']
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.releaserc b/.releaserc
new file mode 100644
index 000000000..689ab2bee
--- /dev/null
+++ b/.releaserc
@@ -0,0 +1,32 @@
+
+branch: master
+plugins:
+- - "@semantic-release/commit-analyzer"
+ - preset: eslint
+ releaseRules:
+ - tag: MAJOR
+ release: major
+ - tag: MINOR
+ release: minor
+ - tag: PATCH
+ release: patch
+- - "@semantic-release/release-notes-generator"
+ - preset: eslint
+ releaseRules:
+ - tag: MAJOR
+ release: major
+ - tag: MINOR
+ release: minor
+ - tag: PATCH
+ release: patch
+- - "@semantic-release/changelog"
+ - changelogFile: CHANGELOG.md
+- "@semantic-release/github"
+- - "@semantic-release/git"
+ - assets:
+ - package.json
+ - CHANGELOG.md
+ message: |-
+ chore(release): ${nextRelease.version} [skip ci]
+
+ ${nextRelease.notes}
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 000000000..0ad25db4b
--- /dev/null
+++ b/LICENSE
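Review bot: The release workflow declares no `permissions:` block and references both actions by floating major tags (`actions/checkout@v2`, `cycjimmy/semantic-release-action@v2`), so the job runs with whatever default `GITHUB_TOKEN` scope the repository grants and executes whatever code those tags point to on the day it runs. Because semantic-release here has to push a commit and create a release, the token needs write access to contents and nothing more; I would add `permissions:` with `contents: write` under the `release` job so the grant is explicit and minimal, and pin the two `uses:` lines to full commit SHAs with the version in a trailing comment. Whether the default token is read-only or write-all depends on the repository or organization setting, which is not visible from this diff.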
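Review bot: `branch: master` at the top of .releaserc is the pre-v16 option name; the workflow pins `semantic_version: 16` and separately passes `branches: ['master']`, so as far as I recall the file-level key is at best honoured with a deprecation warning and at worst ignored, and the two sources of truth can drift. I would change the line to `branches: [master]` so the config file alone describes the release branch. The `@semantic-release/git` assets also list `package.json`, but nothing in this change adds one to a repository that otherwise holds Kubernetes manifests; my understanding is the plugin just skips a missing glob, so this is a cleanup rather than a failure, but dropping it avoids implying a file that does not exist.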
@@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. 
+The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. 
+ + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. 
+ + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. 
The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. 
+ + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. 
+ + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. 
This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. 
For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. 
Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. 
+ + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. 
+ + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. 
Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. 
+ + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. 
+ + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. 
+ + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. 
+ + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. 
There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/README.md b/README.md index 4e910b8b9..a06012a3b 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,19 @@ -# Deploying Kubeflow with ArgoCD +# Argoflow + +
+ +> ## ⚠️ Argoflow has been superseded by [deployKF](https://github.com/deployKF/deployKF) ⚠️ +> +> deployKF makes it easy to build reliable ML Platforms on Kubernetes and supports more than just Kubeflow! +> +> - [deploykf.org](https://www.deploykf.org/) +> - [github.com/deployKF/deployKF](https://github.com/deployKF/deployKF) + +
+ +--- + +## Original README This repository contains Kustomize manifests that point to the upstream manifest of each Kubeflow component and provides an easy way for people @@ -25,7 +40,7 @@ Overview of the steps: - [argocd](./argocd): Kustomize files for ArgoCD - [argocd-applications](./argocd-applications): ArgoCD application for each Kubeflow component -- [cert-manager](./cert-manager): Kustomize files for installing cert-manager v1.2 +- [cert-manager](./cert-manager): Kustomize files for installing cert-manager v1.4.0 - [kubeflow](./kubeflow): Kustomize files for installing Kubeflow componenets - [common/dex-istio](./kubeflow/common/dex-istio): Kustomize files for Dex auth installation - [common/oidc-authservice](./kubeflow/common/oidc-authservice): Kustomize files for OIDC authservice @@ -163,7 +178,7 @@ from the URI. kustomize build argocd/ | kubectl apply -f - ``` -2. Install the ArgoCD CLI tool from [here](https://github.com/argoproj/argo-cd/releases/latest) +2. Install the ArgoCD CLI tool from [here](https://argoproj.github.io/argo-cd/cli_installation/) 3. Access the ArgoCD UI by exposing it through a LoadBalander, Ingress or by port-fowarding using `kubectl port-forward svc/argocd-server -n argocd 8080:443` 4. Login to the ArgoCD CLI. First get the default password for the `admin` user: @@ -327,7 +342,7 @@ to an active Notebook Server. Here is an example of the PVC Viewer in action: -![PVCViewer in action](./images/vwa-pvcviewer-demo.gif) +![PVCViewer in action](./docs/images/vwa-pvcviewer-demo.gif) To use the PVCViewer Controller, it must be deployed along with an updated version of the Volumes Web App. To do so, deploy diff --git a/argocd-applications/kube-prometheus-stack.yaml b/argocd-applications/kube-prometheus-stack.yaml deleted file mode 100644 index ff722e84e..000000000 --- a/argocd-applications/kube-prometheus-stack.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kube-prometheus-stack - namespace: argocd -spec: - project: default - source: - repoURL: https://prometheus-community.github.io/helm-charts - targetRevision: 15.4.6 - chart: kube-prometheus-stack - helm: - parameters: - - name : grafana.ingress.enabled - value : "true" - - name: grafana.ingress.hosts[0] - value: grafana.example.com - - name: grafana.ingress.tls[0].secretName - value: grafana-example-com - - name: grafana.ingress.tls[0].hosts[0] - value: grafana.example.com - - name: grafana.persistence.type - value: pvc - - name: grafana.persistence.enabled - value: "true" - - name: grafana.persistence.storageClassName - value: rook-ceph-block - - name: grafana.persistence.accessModes[0] - value: ReadWriteOnce - - name: grafana.persistence.size - value: 20Gi - - name: grafana.grafana\.ini.server.root_url - value: https://grafana.example.com - - name: grafana.plugins[0] - value: vonage-status-panel - - name: grafana.sidecar.dashboards.provider.foldersFromFilesStructure - value: "true" - - name: grafana.sidecar.dashboards.folderAnnotation - value: k8s-sidecar-target-directory - - name: grafana.sidecar.dashboards.annotations.k8s-sidecar-target-directory - value: /tmp/dashboards/kubernetes - - name: grafana.grafana\.ini.auth\.anonymous.enabled - value: "true" - - name: grafana.grafana\.ini.auth\.anonymous.org_name - value: "Main Org." 
- - name: grafana.grafana\.ini.auth\.anonymous.org_role - value: Viewer - - name: grafana.grafana\.ini.security.allow_embedding - value: "true" - - name: prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName - value: rook-ceph-block - - name: prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.accessModes[0] - value: ReadWriteOnce - - name: prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage - value: 50Gi - - name: prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues - value: "false" - - name: prometheus.prometheusSpec.serviceMonitorSelector - value: "" - destination: - server: https://kubernetes.default.svc - namespace: monitoring - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/argocd-applications/kubeflow-roles-namespaces.yaml b/argocd-applications/kubeflow-roles-namespaces.yaml deleted file mode 100644 index b298162b5..000000000 --- a/argocd-applications/kubeflow-roles-namespaces.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kubeflow-roles-namespaces - namespace: argocd -spec: - project: default - source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/common/roles-namespaces - kustomize: - version: v4.0.5 - destination: - server: https://kubernetes.default.svc - syncPolicy: - automated: - prune: true - selfHeal: true diff --git a/argocd-applications/oidc-authservice.yaml b/argocd-applications/oidc-authservice.yaml deleted file mode 100644 index acc6d050f..000000000 --- a/argocd-applications/oidc-authservice.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: oidc-authservice - namespace: argocd -spec: - project: default - source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/common/oidc-authservice - kustomize: - version: v4.0.5 - destination: - server: https://kubernetes.default.svc - syncPolicy: - automated: - prune: true - selfHeal: true diff --git a/argocd-applications/user-namespace.yaml b/argocd-applications/user-namespace.yaml deleted file mode 100644 index 4e8d5821c..000000000 --- a/argocd-applications/user-namespace.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: user-namespace - namespace: argocd -spec: - project: default - source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/common/user-namespace - kustomize: - version: v4.0.5 - destination: - server: https://kubernetes.default.svc - syncPolicy: - automated: - prune: true - selfHeal: true diff --git a/cert-manager/kubeflow-self-signed-issuer.yaml b/cert-manager/kubeflow-self-signed-issuer.yaml deleted file mode 100644 index ccbc1ad65..000000000 --- a/cert-manager/kubeflow-self-signed-issuer.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: kubeflow-self-signing-issuer -spec: - selfSigned: {} diff --git a/cert-manager/letsencrypt-cluster-issuer.yaml b/cert-manager/letsencrypt-cluster-issuer.yaml deleted file mode 100644 index 570f5c8ad..000000000 --- a/cert-manager/letsencrypt-cluster-issuer.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-staging -spec: - acme: - # You must replace this email address with your own. - # Let's Encrypt will use this to contact you about expiring - # certificates, and issues related to your account. - email: user@example.com - server: https://acme-staging-v02.api.letsencrypt.org/directory - privateKeySecretRef: - # Secret resource that will be used to store the account's private key. - name: example-issuer-account-key - # Add a single challenge solver, HTTP01 using nginx - solvers: - - dns01: {} ---- -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-prod -spec: - acme: - # You must replace this email address with your own. - # Let's Encrypt will use this to contact you about expiring - # certificates, and issues related to your account. - email: user@example.com - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - # Secret resource that will be used to store the account's private key. - name: example-issuer-account-key - # Add a single challenge solver, HTTP01 using nginx - solvers: - - dns01: {} diff --git a/distribution/argocd-applications/argocd-private-repo.yaml b/distribution/argocd-applications/argocd-private-repo.yaml new file mode 100644 index 000000000..584a2207c --- /dev/null +++ b/distribution/argocd-applications/argocd-private-repo.yaml @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argocd + namespace: argocd +spec: + project: default + source: + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/argocd/overlays/private-repo + kustomize: + version: v4.0.5 + destination: + server: https://kubernetes.default.svc + syncPolicy: + automated: + prune: true + selfHeal: true 
diff --git a/argocd-applications/argocd.yaml b/distribution/argocd-applications/argocd.yaml similarity index 70% rename from argocd-applications/argocd.yaml rename to distribution/argocd-applications/argocd.yaml index 0f3fcfdc8..85789ffde 100644 --- a/argocd-applications/argocd.yaml +++ b/distribution/argocd-applications/argocd.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: argocd + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/argocd/base kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/central-dashboard.yaml b/distribution/argocd-applications/central-dashboard.yaml similarity index 67% rename from argocd-applications/central-dashboard.yaml rename to distribution/argocd-applications/central-dashboard.yaml index 099fbf3f5..b4f38bf70 100644 --- a/argocd-applications/central-dashboard.yaml +++ b/distribution/argocd-applications/central-dashboard.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/notebooks/central-dashboard + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/notebooks/central-dashboard kustomize: version: v4.0.5 destination: diff --git a/distribution/argocd-applications/cert-manager-dns-01.yaml b/distribution/argocd-applications/cert-manager-dns-01.yaml new file mode 100644 index 000000000..73a03f3ab --- /dev/null +++ b/distribution/argocd-applications/cert-manager-dns-01.yaml 
@@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-manager + namespace: argocd +spec: + project: default + source: + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/cert-manager/lets-encrypt-dns-01 + kustomize: + version: v4.0.5 + destination: + server: https://kubernetes.default.svc + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/argocd-applications/cert-manager.yaml b/distribution/argocd-applications/cert-manager-self-signing.yaml similarity index 70% rename from argocd-applications/cert-manager.yaml rename to distribution/argocd-applications/cert-manager-self-signing.yaml index fe91701e3..f4845bd00 100644 --- a/argocd-applications/cert-manager.yaml +++ b/distribution/argocd-applications/cert-manager-self-signing.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: cert-manager + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/cert-manager/base kustomize: version: v4.0.5 destination: diff --git a/distribution/argocd-applications/certificates-imported.yaml b/distribution/argocd-applications/certificates-imported.yaml new file mode 100644 index 000000000..1f4c015e3 --- /dev/null +++ b/distribution/argocd-applications/certificates-imported.yaml @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: certificates + namespace: argocd +spec: + project: default + source: + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/certificates/overlays/imported + kustomize: + version: v4.0.5 + destination: + server: https://kubernetes.default.svc + syncPolicy: + automated: + prune: true + selfHeal: true 
diff --git a/distribution/argocd-applications/certificates.yaml b/distribution/argocd-applications/certificates.yaml new file mode 100644 index 000000000..6e5396dee --- /dev/null +++ b/distribution/argocd-applications/certificates.yaml @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: certificates + namespace: argocd +spec: + project: default + source: + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/certificates/base + kustomize: + version: v4.0.5 + destination: + server: https://kubernetes.default.svc + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/distribution/argocd-applications/cloudflare-secrets.yaml b/distribution/argocd-applications/cloudflare-secrets.yaml new file mode 100644 index 000000000..ea59628a1 --- /dev/null +++ b/distribution/argocd-applications/cloudflare-secrets.yaml @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cloudflare-secrets + namespace: argocd +spec: + project: default + source: + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/cloudflare-secrets + kustomize: + version: v4.0.5 + destination: + server: https://kubernetes.default.svc + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/argocd-applications/experimental-pvcviewer-controller.yaml b/distribution/argocd-applications/experimental-pvcviewer-controller.yaml similarity index 65% rename from argocd-applications/experimental-pvcviewer-controller.yaml rename to distribution/argocd-applications/experimental-pvcviewer-controller.yaml index 541f818f2..803402075 100644 --- a/argocd-applications/experimental-pvcviewer-controller.yaml +++ b/distribution/argocd-applications/experimental-pvcviewer-controller.yaml 
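Review bot: The `cloudflare-secrets` Application syncs `distribution/cloudflare-secrets` straight from the git repo with `prune`/`selfHeal`, which suggests the Cloudflare API token that external-dns reads as `cloudflare-api-token-secret` elsewhere in this commit is kept as a manifest in the repository. If that path holds a plain `Secret`, the token sits in git history in base64 and every reader of the repo (and of Argo CD's cached source) has it; the referenced directory is not visible here, so this is an inference. Prefer a SealedSecret, ExternalSecret or SOPS-encrypted manifest there, or add a comment above `path:` stating that the token placeholder is filled at deploy time and never committed.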
@@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/notebooks/experimental-pvcviewer-controller + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/notebooks/experimental-pvcviewer-controller kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/experimental-volumes-web-app.yaml b/distribution/argocd-applications/experimental-volumes-web-app.yaml similarity index 65% rename from argocd-applications/experimental-volumes-web-app.yaml rename to distribution/argocd-applications/experimental-volumes-web-app.yaml index 1e6d1ddc0..0aafbf424 100644 --- a/argocd-applications/experimental-volumes-web-app.yaml +++ b/distribution/argocd-applications/experimental-volumes-web-app.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/notebooks/experimental-volumes-web-app + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/notebooks/experimental-volumes-web-app kustomize: version: v4.0.5 destination: diff --git a/distribution/argocd-applications/external-dns.yaml b/distribution/argocd-applications/external-dns.yaml new file mode 100644 index 000000000..36bb771a8 --- /dev/null +++ b/distribution/argocd-applications/external-dns.yaml 
@@ -0,0 +1,44 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-dns + namespace: argocd +spec: + destination: + namespace: kube-system + server: https://kubernetes.default.svc + project: default + source: + repoURL: https://charts.bitnami.com/bitnami + targetRevision: 5.1.1 + chart: external-dns + helm: + parameters: + - name: serviceAccount.create + value: "true" + - name: rbac.create + value: "true" + - name: resources.limits.cpu + value: 100m + - name: resources.limits.memory + value: 300Mi + - name: resources.requests.cpu + value: 100m + - name: resources.requests.memory + value: 300Mi + - name: provider + value: cloudflare + - name: cloudflare.secretName + value: cloudflare-api-token-secret + - name: sources[0] + value: service + - name: sources[1] + value: ingress + - name: sources[2] + value: istio-gateway + - name: sources[3] + value: istio-virtualservice + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/argocd-applications/istio-operator.yaml b/distribution/argocd-applications/istio-operator.yaml similarity index 93% rename from argocd-applications/istio-operator.yaml rename to distribution/argocd-applications/istio-operator.yaml index bd6a6e1fd..a851ee18f 100644 --- a/argocd-applications/istio-operator.yaml +++ b/distribution/argocd-applications/istio-operator.yaml @@ -14,7 +14,7 @@ spec: - name: hub value: docker.io/istio - name: tag - value: 1.9.5 # istio/operator + value: 1.10.1 # istio/operator destination: server: 'https://kubernetes.default.svc' namespace: istio-operator diff --git a/distribution/argocd-applications/istio-resources.yaml b/distribution/argocd-applications/istio-resources.yaml new file mode 100644 index 000000000..f498e7a0a --- /dev/null +++ b/distribution/argocd-applications/istio-resources.yaml 
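Review bot: The external-dns parameters set `provider: cloudflare` but no `domainFilters`, so the controller will manage DNS records in every zone the token in `cloudflare-api-token-secret` can reach, driven by `service`, `ingress`, `istio-gateway` and `istio-virtualservice` objects from any namespace. Add `- name: domainFilters[0]` / `value: <<__domain__>>` (the placeholder the kube-prometheus-stack application in this commit already uses) and scope the Cloudflare token to that zone; if you depend on the chart's default record policy (upsert-only, if I recall the bitnami chart correctly) it is worth pinning `policy` explicitly too. Deploying into `kube-system` also places the token alongside control-plane components, so a dedicated namespace would narrow who can read that Secret.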
@@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: istio-resources + namespace: argocd +spec: + project: default + source: + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/istio-resources + kustomize: + version: v4.0.5 + destination: + server: https://kubernetes.default.svc + namespace: istio-system + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/argocd-applications/istio-upstream.yaml b/distribution/argocd-applications/istio.yaml similarity index 75% rename from argocd-applications/istio-upstream.yaml rename to distribution/argocd-applications/istio.yaml index f97a0464d..f26c22924 100644 --- a/argocd-applications/istio-upstream.yaml +++ b/distribution/argocd-applications/istio.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: istio + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/istio kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/jupyter-web-app.yaml b/distribution/argocd-applications/jupyter-web-app.yaml similarity index 67% rename from argocd-applications/jupyter-web-app.yaml rename to distribution/argocd-applications/jupyter-web-app.yaml index 0d28cc612..167574534 100644 --- a/argocd-applications/jupyter-web-app.yaml +++ b/distribution/argocd-applications/jupyter-web-app.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/notebooks/jupyter-web-app + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/notebooks/jupyter-web-app kustomize: version: v4.0.5 destination: 
diff --git a/argocd-applications/katib.yaml b/distribution/argocd-applications/katib.yaml similarity index 70% rename from argocd-applications/katib.yaml rename to distribution/argocd-applications/katib.yaml index 2fef8c6ef..a498bd38d 100644 --- a/argocd-applications/katib.yaml +++ b/distribution/argocd-applications/katib.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/katib + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/katib kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/kfserving.yaml b/distribution/argocd-applications/kfserving.yaml similarity index 69% rename from argocd-applications/kfserving.yaml rename to distribution/argocd-applications/kfserving.yaml index 55957aaf2..3493bc8f0 100644 --- a/argocd-applications/kfserving.yaml +++ b/distribution/argocd-applications/kfserving.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/kfserving + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/kfserving kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/kiali.yaml b/distribution/argocd-applications/kiali.yaml similarity index 99% rename from argocd-applications/kiali.yaml rename to distribution/argocd-applications/kiali.yaml index 35f75ee38..be46a98ab 100644 --- a/argocd-applications/kiali.yaml +++ b/distribution/argocd-applications/kiali.yaml @@ -7,7 +7,7 @@ spec: project: default source: repoURL: https://kiali.org/helm-charts - targetRevision: 1.34.0 + targetRevision: 1.35.0 chart: kiali-operator helm: parameters: 
diff --git a/argocd-applications/knative.yaml b/distribution/argocd-applications/knative.yaml similarity index 71% rename from argocd-applications/knative.yaml rename to distribution/argocd-applications/knative.yaml index 53262e869..4ced5be8c 100644 --- a/argocd-applications/knative.yaml +++ b/distribution/argocd-applications/knative.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: knative + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/knative kustomize: version: v4.0.5 destination: diff --git a/distribution/argocd-applications/kube-prometheus-stack.yaml b/distribution/argocd-applications/kube-prometheus-stack.yaml new file mode 100644 index 000000000..27a04b49d --- /dev/null +++ b/distribution/argocd-applications/kube-prometheus-stack.yaml 
@@ -0,0 +1,108 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kube-prometheus-stack + namespace: argocd +spec: + project: default + source: + repoURL: https://prometheus-community.github.io/helm-charts + targetRevision: 16.10.0 + chart: kube-prometheus-stack + helm: + parameters: + - name: grafana.admin.existingSecret + value: grafana-admin-secret + - name: grafana.adminUser + value: "" + - name: grafana.adminPassword + value: "" + # - name : grafana.ingress.enabled + # value : "true" + # - name: grafana.ingress.hosts[0] + # value: grafana.example.com + # - name: grafana.ingress.tls[0].secretName + # value: grafana-example-com + # - name: grafana.ingress.tls[0].hosts[0] + # value: grafana-example-com + - name: grafana.persistence.type + value: pvc + - name: grafana.persistence.enabled + value: "true" + - name: grafana.persistence.storageClassName + value: rook-ceph-block + - name: grafana.persistence.accessModes[0] + value: ReadWriteOnce + - name: grafana.persistence.size + value: 20Gi + - name: grafana.grafana\.ini.server.root_url + value: https://<<__subdomain_grafana__>>.<<__domain__>>/grafana/ + - name: grafana.grafana\.ini.server.serve_from_sub_path + value: "true" + - name: grafana.plugins[0] + value: vonage-status-panel + - name: grafana.sidecar.dashboards.provider.foldersFromFilesStructure + value: "true" + - name: grafana.sidecar.dashboards.folderAnnotation + value: k8s-sidecar-target-directory + - name: grafana.sidecar.dashboards.annotations.k8s-sidecar-target-directory + value: /tmp/dashboards/kubernetes + # - name: grafana.grafana\.ini.auth\.anonymous.enabled + # value: "true" + # - name: grafana.grafana\.ini.auth\.anonymous.org_name + # value: "Main Org." 
+ # - name: grafana.grafana\.ini.auth\.anonymous.org_role + # value: Viewer + - name: grafana.grafana\.ini.security.allow_embedding + value: "true" + # The commented section below is to allow looged in Kubeflow user to log in to Grafana + # This will be used for namespace isolated dashboards in the future + # - name: grafana.grafana\.ini.auth\.proxy.enabled + # value: "true" + # - name: grafana.grafana\.ini.auth\.proxy.header_name + # value: kubeflow-userid + # - name: grafana.grafana\.ini.auth\.proxy.header_property + # value: email + - name: prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName + value: rook-ceph-block + - name: prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.accessModes[0] + value: ReadWriteOnce + - name: prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage + value: 50Gi + - name: prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues + value: "false" + - name: prometheus.prometheusSpec.serviceMonitorSelector + value: "" + - name: prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues + value: "false" + - name: prometheus.prometheusSpec.podMonitorSelector + value: "" + - name: prometheus.prometheusSpec.ruleSelectorNilUsesHelmValues + value: "false" + - name: prometheus.prometheusSpec.ruleSelector + value: "" + - name: kubelet.serviceMonitor.cAdvisorMetricRelabelings[0].sourceLabels[0] + value: container + - name: kubelet.serviceMonitor.cAdvisorMetricRelabelings[0].regex + value: "(.+)" + - name: kubelet.serviceMonitor.cAdvisorMetricRelabelings[0].targetLabel + value: container_name + - name: kubelet.serviceMonitor.cAdvisorMetricRelabelings[0].action + value: replace + - name: kubelet.serviceMonitor.cAdvisorMetricRelabelings[1].sourceLabels[0] + value: pod + - name: kubelet.serviceMonitor.cAdvisorMetricRelabelings[1].regex + value: "(.+)" + - name: kubelet.serviceMonitor.cAdvisorMetricRelabelings[1].targetLabel + value: pod_name + - name: 
kubelet.serviceMonitor.cAdvisorMetricRelabelings[1].action + value: replace + destination: + server: https://kubernetes.default.svc + namespace: monitoring + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/distribution/argocd-applications/kubecost-resources.yaml b/distribution/argocd-applications/kubecost-resources.yaml new file mode 100644 index 000000000..da97b9904 --- /dev/null +++ b/distribution/argocd-applications/kubecost-resources.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kubecost-resources + namespace: argocd +spec: + project: default + source: + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubecost-resources + kustomize: + version: v4.0.5 + destination: + server: https://kubernetes.default.svc + namespace: monitoring + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/distribution/argocd-applications/kubecost.yaml b/distribution/argocd-applications/kubecost.yaml new file mode 100644 index 000000000..7c5db388e --- /dev/null +++ b/distribution/argocd-applications/kubecost.yaml 
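Review bot: `grafana.grafana\.ini.security.allow_embedding` set to `"true"` stops Grafana from sending `X-Frame-Options: deny`, so any site can frame the dashboards (clickjacking), while the only intended embedder appears to be the Kubeflow UI at `<<__subdomain_grafana__>>.<<__domain__>>`. Pair it with `grafana.grafana\.ini.security.content_security_policy` = `"true"` and a `content_security_policy_template` whose `frame-ancestors` names that origin, assuming the Grafana bundled by chart 16.10.0 is 8.x where the CSP settings exist. Separately, `serviceMonitorSelector`, `podMonitorSelector` and `ruleSelector` set to `""` make Prometheus adopt monitors and alerting rules from every namespace; on a Kubeflow cluster where each profile owner administers their own namespace, that lets a tenant add scrape targets and rules to the shared Prometheus if their role covers `monitoring.coreos.com`, so a label selector or a namespace selector would be safer. The `grafana.admin.existingSecret` choice is good; if the commented-out `auth.proxy` block is ever enabled, the ingress must strip a client-supplied `kubeflow-userid` header first, which is worth noting in that comment.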
@@ -0,0 +1,44 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kubecost + namespace: argocd +spec: + project: default + source: + repoURL: https://kubecost.github.io/cost-analyzer/ + targetRevision: 1.81.0 + chart: cost-analyzer + helm: + parameters: + - name: global.podAnnotations.sidecar\.istio\.io\/inject + value: \"false\" + - name: global.prometheus.enabled + value: "false" + - name: global.prometheus.kubeStateMetrics.enabled + value: "false" + - name: global.prometheus.fqdn + value: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090 + - name: serviceMonitor.enabled + value: "true" + - name: prometheusRule.enabled + value: "true" + - name: global.grafana.enabled + value: "false" + - name: global.grafana.domainName + value: kube-prometheus-stack-grafana.monitoring.svc.cluster.local + - name: kubecostProductConfigs.grafanaURL + value: https://<<__subdomain_grafana__>>.<<__domain__>>/grafana + # Placing the dashboards into a folder is not working yet. + # Dashboards are also slighlty broken so might be better to use versions we fixed + # - name: grafana.sidecar.dashboards.annotations.k8s-sidecar-target-directory + # value: /tmp/dashboards/kubecost + destination: + server: https://kubernetes.default.svc + namespace: monitoring + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/distribution/argocd-applications/kubeflow-namespace.yaml b/distribution/argocd-applications/kubeflow-namespace.yaml new file mode 100644 index 000000000..d342bd2d3 --- /dev/null +++ b/distribution/argocd-applications/kubeflow-namespace.yaml 
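Review bot: `value: \"false\"` for `global.podAnnotations.sidecar\.istio\.io\/inject` relies on backslash-escaped quotes surviving both YAML and Helm's `--set` parsing to keep the annotation a string; depending on how each parser treats the escapes the rendered annotation becomes `false` (rejected, annotations must be strings), `"false"` (what Istio's injector matches) or the literal text `\"false\"` (ignored, sidecar injected). Argo CD has a supported way to express this: add `forceString: true` to that parameter and write `value: "false"` like the other string-valued booleans in this file. Note also that with injection off these pods are outside the mesh and reach Prometheus over plain HTTP (`global.prometheus.fqdn` is `http://...:9090`), which is acceptable only while the monitoring namespace is reachable solely from inside the cluster.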
@@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: namespace + namespace: argocd +spec: + project: default + source: + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/namespace + kustomize: + version: v4.0.5 + destination: + server: https://kubernetes.default.svc + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/argocd-applications/dex-istio.yaml b/distribution/argocd-applications/kubeflow-profiles.yaml similarity index 65% rename from argocd-applications/dex-istio.yaml rename to distribution/argocd-applications/kubeflow-profiles.yaml index 2173c7792..bf71d6e6f 100644 --- a/argocd-applications/dex-istio.yaml +++ b/distribution/argocd-applications/kubeflow-profiles.yaml @@ -1,14 +1,14 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: dex-istio + name: profiles namespace: argocd spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/common/dex-istio + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/profiles kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/istio.yaml b/distribution/argocd-applications/kubeflow-roles.yaml similarity index 66% rename from argocd-applications/istio.yaml rename to distribution/argocd-applications/kubeflow-roles.yaml index 6df9aad70..822b6529c 100644 --- a/argocd-applications/istio.yaml +++ b/distribution/argocd-applications/kubeflow-roles.yaml 
@@ -1,14 +1,14 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: istio + name: roles namespace: argocd spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/common/istio + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/roles kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/loki-stack.yaml b/distribution/argocd-applications/loki-stack.yaml similarity index 96% rename from argocd-applications/loki-stack.yaml rename to distribution/argocd-applications/loki-stack.yaml index 33b7a18ae..7f3d0a1d6 100644 --- a/argocd-applications/loki-stack.yaml +++ b/distribution/argocd-applications/loki-stack.yaml @@ -7,7 +7,7 @@ spec: project: default source: repoURL: https://grafana.github.io/helm-charts - targetRevision: 2.4.0 + targetRevision: 2.4.1 chart: loki-stack helm: parameters: diff --git a/argocd-applications/metallb.yaml b/distribution/argocd-applications/metallb.yaml similarity index 100% rename from argocd-applications/metallb.yaml rename to distribution/argocd-applications/metallb.yaml diff --git a/distribution/argocd-applications/mlflow.yaml b/distribution/argocd-applications/mlflow.yaml new file mode 100644 index 000000000..6be3f5f04 --- /dev/null +++ b/distribution/argocd-applications/mlflow.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: mlflow + namespace: argocd +spec: + destination: + namespace: mlflow + server: https://kubernetes.default.svc + project: default + source: + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/mlflow + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=false 
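Review bot: The mlflow Application ends with `syncOptions: - CreateNamespace=false` while targeting `namespace: mlflow`, whereas every other new Application in this commit that sets a destination namespace uses `CreateNamespace=true`. If `distribution/mlflow` (not in this diff) does not ship a Namespace manifest itself, the first sync fails on the missing namespace; if it does, a comment above the option such as `# the mlflow kustomization manages its own Namespace` would stop the next reader from "fixing" it. The key order (`destination` before `project`/`source`) also differs from the sibling files; matching it keeps these manifests diffable against each other.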
diff --git a/argocd-applications/monitoring-resources.yaml b/distribution/argocd-applications/monitoring-resources.yaml similarity index 60% rename from argocd-applications/monitoring-resources.yaml rename to distribution/argocd-applications/monitoring-resources.yaml index 11a735f81..e61e29f4b 100644 --- a/argocd-applications/monitoring-resources.yaml +++ b/distribution/argocd-applications/monitoring-resources.yaml @@ -6,14 +6,17 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: monitoring-resources + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/monitoring-resources kustomize: version: v4.0.5 destination: server: https://kubernetes.default.svc + namespace: monitoring syncPolicy: automated: prune: true selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/argocd-applications/mpi-operator.yaml b/distribution/argocd-applications/mpi-operator.yaml similarity index 69% rename from argocd-applications/mpi-operator.yaml rename to distribution/argocd-applications/mpi-operator.yaml index e31ee6343..263620a0b 100644 --- a/argocd-applications/mpi-operator.yaml +++ b/distribution/argocd-applications/mpi-operator.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/operators/mpi + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/operators/mpi kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/mxnet-operator.yaml b/distribution/argocd-applications/mxnet-operator.yaml similarity index 69% rename from argocd-applications/mxnet-operator.yaml rename to distribution/argocd-applications/mxnet-operator.yaml index 03d35c461..75e145f4f 100644 --- a/argocd-applications/mxnet-operator.yaml +++ b/distribution/argocd-applications/mxnet-operator.yaml 
@@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/operators/mxnet + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/operators/mxnet kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/nginx.yaml b/distribution/argocd-applications/nginx.yaml similarity index 78% rename from argocd-applications/nginx.yaml rename to distribution/argocd-applications/nginx.yaml index c22a4461b..dbf348af0 100644 --- a/argocd-applications/nginx.yaml +++ b/distribution/argocd-applications/nginx.yaml @@ -6,8 +6,8 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> path: nginx kustomize: version: v4.0.5 diff --git a/argocd-applications/notebook-controller.yaml b/distribution/argocd-applications/notebook-controller.yaml similarity index 67% rename from argocd-applications/notebook-controller.yaml rename to distribution/argocd-applications/notebook-controller.yaml index dbe93c305..a1773d06a 100644 --- a/argocd-applications/notebook-controller.yaml +++ b/distribution/argocd-applications/notebook-controller.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/notebooks/notebook-controller + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/notebooks/notebook-controller kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/nvidia-gpu-operator.yaml b/distribution/argocd-applications/nvidia-gpu-operator.yaml similarity index 94% rename from argocd-applications/nvidia-gpu-operator.yaml rename to distribution/argocd-applications/nvidia-gpu-operator.yaml index dc832f63b..d88b6a9b7 100644 
--- a/argocd-applications/nvidia-gpu-operator.yaml +++ b/distribution/argocd-applications/nvidia-gpu-operator.yaml @@ -7,7 +7,7 @@ spec: project: default source: repoURL: https://nvidia.github.io/gpu-operator - targetRevision: 1.6.2 + targetRevision: v1.8.1 chart: gpu-operator helm: parameters: diff --git a/distribution/argocd-applications/oidc-auth-external.yaml b/distribution/argocd-applications/oidc-auth-external.yaml new file mode 100644 index 000000000..04416ae77 --- /dev/null +++ b/distribution/argocd-applications/oidc-auth-external.yaml @@ -0,0 +1,21 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: oidc-auth + namespace: argocd +spec: + project: default + source: + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/oidc-auth/base + kustomize: + version: v4.0.5 + destination: + server: https://kubernetes.default.svc + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/distribution/argocd-applications/oidc-auth-on-cluster-dex.yaml b/distribution/argocd-applications/oidc-auth-on-cluster-dex.yaml new file mode 100644 index 000000000..db8db737e --- /dev/null +++ b/distribution/argocd-applications/oidc-auth-on-cluster-dex.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: oidc-auth + namespace: argocd +spec: + project: default + source: + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/oidc-auth/overlays/dex + kustomize: + version: v4.0.5 + destination: + server: https://kubernetes.default.svc + namespace: auth + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/distribution/argocd-applications/oidc-auth-on-cluster-keycloak.yaml b/distribution/argocd-applications/oidc-auth-on-cluster-keycloak.yaml new file mode 100644 index 000000000..1c576ae57 --- /dev/null 
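Review bot: `oidc-auth-external.yaml` and `oidc-auth-on-cluster-dex.yaml` (and `oidc-auth-on-cluster-keycloak.yaml` in the next hunk) all declare `metadata.name: oidc-auth` in namespace `argocd`, so they are mutually exclusive variants rather than three Applications; applying a second one replaces the spec of the first, and the choice lives only in the filename. A comment at the top of each, e.g. `# Exactly one oidc-auth-*.yaml variant is applied per cluster; they share the Application name on purpose`, or selecting the variant from the kustomization that lists these files, would make that explicit. Separately, the external variant sets `CreateNamespace=true` but no `destination.namespace`, so the option is inert there unless `distribution/oidc-auth/base` sets namespaces on its own resources; if that is the case, dropping the `syncOptions` block from that file avoids implying otherwise.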
+++ b/distribution/argocd-applications/oidc-auth-on-cluster-keycloak.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: oidc-auth + namespace: argocd +spec: + project: default + source: + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/oidc-auth/overlays/keycloak + kustomize: + version: v4.0.5 + destination: + server: https://kubernetes.default.svc + namespace: auth + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/argocd-applications/pipelines.yaml b/distribution/argocd-applications/pipelines.yaml similarity index 69% rename from argocd-applications/pipelines.yaml rename to distribution/argocd-applications/pipelines.yaml index 6eaf192f0..cb5db4179 100644 --- a/argocd-applications/pipelines.yaml +++ b/distribution/argocd-applications/pipelines.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/pipelines + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/pipelines kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/pod-defaults.yaml b/distribution/argocd-applications/pod-defaults.yaml similarity index 67% rename from argocd-applications/pod-defaults.yaml rename to distribution/argocd-applications/pod-defaults.yaml index c7daed3d7..a616e08ec 100644 --- a/argocd-applications/pod-defaults.yaml +++ b/distribution/argocd-applications/pod-defaults.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/notebooks/pod-defaults + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/notebooks/pod-defaults kustomize: version: v4.0.5 destination: 
diff --git a/argocd-applications/profile-controller_access-management.yaml b/distribution/argocd-applications/profile-controller_access-management.yaml similarity index 64% rename from argocd-applications/profile-controller_access-management.yaml rename to distribution/argocd-applications/profile-controller_access-management.yaml index ab5bd39f7..13fde6f04 100644 --- a/argocd-applications/profile-controller_access-management.yaml +++ b/distribution/argocd-applications/profile-controller_access-management.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/notebooks/profile-controller_access-management + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/notebooks/profile-controller_access-management kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/pytorch-operator.yaml b/distribution/argocd-applications/pytorch-operator.yaml similarity index 68% rename from argocd-applications/pytorch-operator.yaml rename to distribution/argocd-applications/pytorch-operator.yaml index e5da0a6a1..c4ae5ea55 100644 --- a/argocd-applications/pytorch-operator.yaml +++ b/distribution/argocd-applications/pytorch-operator.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/operators/pytorch + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/operators/pytorch kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/rook-ceph.yaml b/distribution/argocd-applications/rook-ceph.yaml similarity index 78% rename from argocd-applications/rook-ceph.yaml rename to distribution/argocd-applications/rook-ceph.yaml index 48cd7cd82..10c1cc591 100644 --- a/argocd-applications/rook-ceph.yaml +++ b/distribution/argocd-applications/rook-ceph.yaml 
@@ -6,8 +6,8 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> path: rook-ceph kustomize: version: v4.0.5 diff --git a/distribution/argocd-applications/sealed-secrets.yaml b/distribution/argocd-applications/sealed-secrets.yaml new file mode 100644 index 000000000..f19343bf9 --- /dev/null +++ b/distribution/argocd-applications/sealed-secrets.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: sealed-secrets-controller + namespace: argocd +spec: + project: default + source: + repoURL: https://bitnami-labs.github.io/sealed-secrets + targetRevision: 1.16.1 + chart: sealed-secrets + helm: + parameters: + - name : cr.create + value : "true" + - name: commandArgs[0] + value: --update-status + destination: + server: https://kubernetes.default.svc + namespace: kube-system + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/argocd-applications/tensorboard-controller.yaml b/distribution/argocd-applications/tensorboard-controller.yaml similarity index 67% rename from argocd-applications/tensorboard-controller.yaml rename to distribution/argocd-applications/tensorboard-controller.yaml index 615c66bcc..de0609b01 100644 --- a/argocd-applications/tensorboard-controller.yaml +++ b/distribution/argocd-applications/tensorboard-controller.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/notebooks/tensorboard-controller + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/notebooks/tensorboard-controller kustomize: version: v4.0.5 destination: 
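Review bot: The first Helm parameter in `sealed-secrets.yaml` is written `name : cr.create` / `value : "true"`, with a space before each colon, unlike `name: commandArgs[0]` two lines below; it is valid YAML, but the value name itself looks like a typo for the chart's `crd.create` key, and Helm accepts unknown `--set` keys without complaint, so a mistyped parameter is silently ignored. Worth checking against the chart's `values.yaml` at `1.16.1` and normalising the spacing. Since this controller holds the private key that decrypts every SealedSecret in the cluster and is deployed into `kube-system`, a short comment noting where that key is backed up and how it is rotated would help whoever inherits this file.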
diff --git a/argocd-applications/tensorboards-web-app.yaml b/distribution/argocd-applications/tensorboards-web-app.yaml similarity index 67% rename from argocd-applications/tensorboards-web-app.yaml rename to distribution/argocd-applications/tensorboards-web-app.yaml index 7666f9771..4c92f5a84 100644 --- a/argocd-applications/tensorboards-web-app.yaml +++ b/distribution/argocd-applications/tensorboards-web-app.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/notebooks/tensorboards-web-app + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/notebooks/tensorboards-web-app kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/tensorflow-operator.yaml b/distribution/argocd-applications/tensorflow-operator.yaml similarity index 68% rename from argocd-applications/tensorflow-operator.yaml rename to distribution/argocd-applications/tensorflow-operator.yaml index 3363e927c..698a1bb30 100644 --- a/argocd-applications/tensorflow-operator.yaml +++ b/distribution/argocd-applications/tensorflow-operator.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/operators/tensorflow + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/operators/tensorflow kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/volumes-web-app.yaml b/distribution/argocd-applications/volumes-web-app.yaml similarity index 67% rename from argocd-applications/volumes-web-app.yaml rename to distribution/argocd-applications/volumes-web-app.yaml index 82b303376..e3de92dbf 100644 --- a/argocd-applications/volumes-web-app.yaml +++ b/distribution/argocd-applications/volumes-web-app.yaml 
@@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/notebooks/volumes-web-app + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/notebooks/volumes-web-app kustomize: version: v4.0.5 destination: diff --git a/argocd-applications/xgboost-operator.yaml b/distribution/argocd-applications/xgboost-operator.yaml similarity index 68% rename from argocd-applications/xgboost-operator.yaml rename to distribution/argocd-applications/xgboost-operator.yaml index 01acdba03..49976e047 100644 --- a/argocd-applications/xgboost-operator.yaml +++ b/distribution/argocd-applications/xgboost-operator.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: kubeflow/operators/xgboost + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: distribution/kubeflow/operators/xgboost kustomize: version: v4.0.5 destination: diff --git a/argocd/kustomization.yaml b/distribution/argocd/base/kustomization.yaml similarity index 78% rename from argocd/kustomization.yaml rename to distribution/argocd/base/kustomization.yaml index 529972d03..c7719feae 100644 --- a/argocd/kustomization.yaml +++ b/distribution/argocd/base/kustomization.yaml @@ -4,11 +4,11 @@ namespace: argocd resources: - namespace.yaml -- github.com/argoproj/argo-cd/manifests/ha/cluster-install?ref=33eaf11e3abd8c761c726e815cbb4b6af7dcb030 # tag=v2.0.1 +- github.com/argoproj/argo-cd/manifests/cluster-install?ref=8d2b13d733e1dff7d1ad2c110ed31be4804406e2 # tag=v2.0.3 patchesStrategicMerge: -- configmap-patch.yaml -- add-custom-kustomize.yaml +- patches/configmap-patch.yaml +- patches/add-custom-kustomize.yaml images: - name: ghcr.io/dexidp/dex 
@@ -17,7 +17,7 @@ images: # digest: sha256:ff94efdd1ec68f43e01b39a2d11a73961b1cf73860515893118af731551f1939 - name: quay.io/argoproj/argocd newName: quay.io/argoproj/argocd - newTag: v2.0.1 + newTag: v2.0.3 # digest: sha256:8d1d58ef963f615da97e0b2c54dbe243801d5e7198b98393ab36b7a5768f72a4 - name: haproxy newName: haproxy diff --git a/argocd/namespace.yaml b/distribution/argocd/base/namespace.yaml similarity index 73% rename from argocd/namespace.yaml rename to distribution/argocd/base/namespace.yaml index 96e84ab26..a040f2ba5 100644 --- a/argocd/namespace.yaml +++ b/distribution/argocd/base/namespace.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: Namespace metadata: - name: argocd \ No newline at end of file + name: argocd diff --git a/argocd/add-custom-kustomize.yaml b/distribution/argocd/base/patches/add-custom-kustomize.yaml similarity index 100% rename from argocd/add-custom-kustomize.yaml rename to distribution/argocd/base/patches/add-custom-kustomize.yaml diff --git a/argocd/configmap-patch.yaml b/distribution/argocd/base/patches/configmap-patch.yaml similarity index 69% rename from argocd/configmap-patch.yaml rename to distribution/argocd/base/patches/configmap-patch.yaml index 7683189ee..f91253230 100644 --- a/argocd/configmap-patch.yaml +++ b/distribution/argocd/base/patches/configmap-patch.yaml @@ -18,6 +18,14 @@ data: jsonPointers: - /webhooks/0/clientConfig/caBundle - /webhooks/1/clientConfig/caBundle + - /webhooks/2/clientConfig/caBundle + - /webhooks/3/clientConfig/caBundle + - /webhooks/4/clientConfig/caBundle + - /webhooks/5/clientConfig/caBundle + - /webhooks/6/clientConfig/caBundle + - /webhooks/7/clientConfig/caBundle + - /webhooks/8/clientConfig/caBundle + - /webhooks/9/clientConfig/caBundle - /webhooks/0/failurePolicy apiextensions.k8s.io/CustomResourceDefinition: ignoreDifferences: | 
diff --git a/distribution/argocd/overlays/private-repo/kustomization.yaml b/distribution/argocd/overlays/private-repo/kustomization.yaml new file mode 100644 index 000000000..a59246d71 --- /dev/null +++ b/distribution/argocd/overlays/private-repo/kustomization.yaml @@ -0,0 +1,28 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: argocd + +resources: +- ../../base +- secret.yaml + +patchesStrategicMerge: +- patches/configmap-patch.yaml + +images: +- name: ghcr.io/dexidp/dex + newName: ghcr.io/dexidp/dex + newTag: v2.27.0 + # digest: sha256:ff94efdd1ec68f43e01b39a2d11a73961b1cf73860515893118af731551f1939 +- name: quay.io/argoproj/argocd + newName: quay.io/argoproj/argocd + newTag: v2.0.3 + # digest: sha256:8d1d58ef963f615da97e0b2c54dbe243801d5e7198b98393ab36b7a5768f72a4 +- name: haproxy + newName: haproxy + newTag: 2.0.20-alpine + # digest: sha256:61ddebc917f98e16a8c479f0fe90d01ed54c5f53ab7937449906f0a89b69e61e +- name: redis + newName: redis + newTag: 6.2.1-alpine + # digest: sha256:85f11bc7bc6f247b8bc475ab48110076af9a251fcffd61c6b5d7b79a40c4604a diff --git a/distribution/argocd/overlays/private-repo/patches/configmap-patch.yaml b/distribution/argocd/overlays/private-repo/patches/configmap-patch.yaml new file mode 100644 index 000000000..3adf3001b --- /dev/null +++ b/distribution/argocd/overlays/private-repo/patches/configmap-patch.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-cm +data: + repositories: | + - url: <<__git_repo.url__>> + passwordSecret: + name: git-repo-secret + key: HTTPS_PASSWORD + usernameSecret: + name: git-repo-secret + key: HTTPS_USERNAME diff --git a/distribution/cert-manager/base/cluster-issuers.yaml b/distribution/cert-manager/base/cluster-issuers.yaml new file mode 100644 index 000000000..d36d2ccf4 --- /dev/null +++ b/distribution/cert-manager/base/cluster-issuers.yaml 
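Review bot: The private-repo overlay lists `secret.yaml` as a plain resource, and the companion `configmap-patch.yaml` hunk expects it to be a Secret named `git-repo-secret` with `HTTPS_USERNAME`/`HTTPS_PASSWORD` keys; that file is not in this diff, but if it is a literal `Secret` the git credentials are committed to the repository, while the rest of this commit uses sealed-secrets and `ExternalSecret` for exactly this kind of material. A comment next to the resource, e.g. `# git-repo-secret: sealed/external secret providing HTTPS_USERNAME and HTTPS_PASSWORD`, together with using that mechanism, would keep the overlay consistent. The `images` list also copies the base's `haproxy` override and the `# digest:` comments verbatim; the base now installs the non-HA `cluster-install` manifests, which as far as I know do not include haproxy, and the `quay.io/argoproj/argocd` digest comment here is the one the base paired with `v2.0.1`, so at least one of the two files annotates the wrong digest. Those `# digest:` lines are comments only — nothing here pins the images by digest.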
@@ -0,0 +1,15 @@ +# This issuer is used by certain Kubeflow applications for cluster-internal certificates +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: kubeflow-self-signing-issuer +spec: + selfSigned: {} +--- +# This issuer is used by the "kubeflow" and "auth" Gateways. By default (as defined here) it is a self-signing issuer. In the overlays this can be changed to DNS or HTTPS challenge resolving +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: gateways-issuer +spec: + selfSigned: {} diff --git a/cert-manager/kustomization.yaml b/distribution/cert-manager/base/kustomization.yaml similarity index 65% rename from cert-manager/kustomization.yaml rename to distribution/cert-manager/base/kustomization.yaml index 4355225b1..635e76237 100644 --- a/cert-manager/kustomization.yaml +++ b/distribution/cert-manager/base/kustomization.yaml 
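Review bot: The comment on the second ClusterIssuer says the overlays can switch it to "DNS or HTTPS challenge resolving"; the ACME challenge types are HTTP-01 and DNS-01, and the overlay added in this commit is the DNS-01 one, so `# In the overlays this can be replaced by an ACME issuer using an HTTP-01 or DNS-01 challenge (see ../lets-encrypt-dns-01)` would be more precise. It would also help to state the consequence of the default: with `selfSigned` the gateway certificates are not trusted by browsers, so clients get a certificate warning until an overlay is applied.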
@@ -2,24 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml -- kubeflow-self-signed-issuer.yaml -# If you would like to setup a letsencrypt cluster issuer, -# edit the `letsencrypt-cluster-issuer.yaml` with your details -# see: https://cert-manager.io/docs/configuration/acme/#configuration -# and uncomment the following line -# - letsencrypt-cluster-issuer.yaml +- https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.yaml +- cluster-issuers.yaml images: - name: quay.io/jetstack/cert-manager-controller newName: quay.io/jetstack/cert-manager-controller - newTag: v1.3.1 + newTag: v1.4.0 # digest: sha256:c5e61db0facc5fa63b310384f968e294414b976677b550ef5306cc410add2abc - name: quay.io/jetstack/cert-manager-cainjector newName: quay.io/jetstack/cert-manager-cainjector - newTag: v1.3.1 + newTag: v1.4.0 # digest: sha256:cda85f01dc9beec5b44087065ae6e71bfedddeaf0b0a6a3e67951284debfe342 - name: quay.io/jetstack/cert-manager-webhook newName: quay.io/jetstack/cert-manager-webhook - newTag: v1.3.1 + newTag: v1.4.0 # digest: sha256:414aba29f1428d0e6ab061dc0fac78f7db86ebedda5f45e2b28155f3d6a322fd diff --git a/distribution/cert-manager/lets-encrypt-dns-01/kustomization.yaml b/distribution/cert-manager/lets-encrypt-dns-01/kustomization.yaml new file mode 100644 index 000000000..f472159e5 --- /dev/null +++ b/distribution/cert-manager/lets-encrypt-dns-01/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ../base + +patchesStrategicMerge: +- patches/cluster-issuer.yaml +- patches/service-account.yaml +- patches/deployment.yaml diff --git a/distribution/cert-manager/lets-encrypt-dns-01/patches/cluster-issuer.yaml b/distribution/cert-manager/lets-encrypt-dns-01/patches/cluster-issuer.yaml new file mode 100644 index 000000000..a314521ef --- /dev/null 
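Review bot: The three `newTag` bumps to `v1.4.0` leave the adjacent `# digest: sha256:…` comments untouched, so those comments now describe the `v1.3.1` images they were written against (or were already stale); because they are comments, nothing in this kustomization pins the images to a digest. Either update the comments alongside the tags, or move each value into the `digest:` field of its `images` entry so the pin is enforced rather than merely documented. The removed comment block was the only pointer explaining how to obtain a Let's Encrypt issuer; a one-liner above `cluster-issuers.yaml` such as `# ACME issuers are configured in ../lets-encrypt-dns-01` would preserve that guidance.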
+++ b/distribution/cert-manager/lets-encrypt-dns-01/patches/cluster-issuer.yaml @@ -0,0 +1,19 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: gateways-issuer +spec: + selfSigned: + $patch: delete + acme: + email: <<__cert_manager.email_user__>>@<<__cert_manager.email_domain__>> + server: <<__cert_manager.server__>> + privateKeySecretRef: + name: gateways-issuer-account-key + solvers: + - dns01: + cloudflare: + email: <<__cloudflare.email__>> + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: api-token diff --git a/distribution/certificates/base/auth-certificate.yaml b/distribution/certificates/base/auth-certificate.yaml new file mode 100644 index 000000000..f891800ff --- /dev/null +++ b/distribution/certificates/base/auth-certificate.yaml @@ -0,0 +1,13 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: auth-ingressgateway-certs + namespace: istio-system +spec: + secretName: auth-ingressgateway-certs + issuerRef: + name: gateways-issuer + kind: ClusterIssuer + commonName: <<__subdomain_auth__>>.<<__domain__>> + dnsNames: + - <<__subdomain_auth__>>.<<__domain__>> diff --git a/distribution/certificates/base/kubeflow-gateway-cert.yaml b/distribution/certificates/base/kubeflow-gateway-cert.yaml new file mode 100644 index 000000000..fb43a23b5 --- /dev/null +++ b/distribution/certificates/base/kubeflow-gateway-cert.yaml @@ -0,0 +1,13 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: kubeflow-ingressgateway-certs + namespace: istio-system +spec: + secretName: kubeflow-ingressgateway-certs + issuerRef: + name: gateways-issuer + kind: ClusterIssuer + commonName: <<__subdomain_dashboard__>>.<<__domain__>> + dnsNames: + - <<__subdomain_dashboard__>>.<<__domain__>> diff --git a/distribution/certificates/base/kustomization.yaml b/distribution/certificates/base/kustomization.yaml new file mode 100644 index 000000000..cfa106b7b --- /dev/null +++ b/distribution/certificates/base/kustomization.yaml 
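Review bot: The Cloudflare solver combines `email` with `apiTokenSecretRef`; as far as I recall, cert-manager needs `email` only for the legacy Global API Key (`apiKeySecretRef`), and with a scoped API token the field is unnecessary, so dropping it removes one more placeholder to fill in. A ClusterIssuer reads its referenced secret from the cluster-resource namespace (cert-manager's own namespace by default) rather than from the namespace of the Certificate, so a comment such as `# cloudflare-api-token-secret must exist in the cert-manager namespace and hold a token scoped to Zone:DNS:Edit for the target zone only` would prevent the most common misconfiguration and records the least-privilege expectation. The `$patch: delete` on `selfSigned` is needed because an issuer may carry only one issuer type; a short comment saying so makes the patch's intent clear.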
@@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- kubeflow-gateway-cert.yaml +- auth-certificate.yaml +- monitoring-certificate.yaml diff --git a/distribution/certificates/base/monitoring-certificate.yaml b/distribution/certificates/base/monitoring-certificate.yaml new file mode 100644 index 000000000..964e840d0 --- /dev/null +++ b/distribution/certificates/base/monitoring-certificate.yaml @@ -0,0 +1,14 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: monitoring-ingressgateway-certs + namespace: istio-system +spec: + secretName: monitoring-ingressgateway-certs + issuerRef: + name: gateways-issuer + kind: ClusterIssuer + dnsNames: + - <<__subdomain_grafana__>>.<<__domain__>> + - <<__subdomain_kiali__>>.<<__domain__>> + - <<__subdomain_kubecost__>>.<<__domain__>> diff --git a/distribution/certificates/overlays/imported/auth-certificate-secret.yaml b/distribution/certificates/overlays/imported/auth-certificate-secret.yaml new file mode 100644 index 000000000..03353a9be --- /dev/null +++ b/distribution/certificates/overlays/imported/auth-certificate-secret.yaml @@ -0,0 +1,17 @@ +apiVersion: "kubernetes-client.io/v1" +kind: ExternalSecret +metadata: + name: auth-ingressgateway-certs + namespace: istio-system +spec: + backendType: secretsManager + template: + type: kubernetes.io/tls + roleArn: <<__role_arn.external_secrets.istio_system__>> + data: + - key: <<__external_secret_name.istio_system.auth_ca_cert__>> + name: ca.crt + - key: <<__external_secret_name.istio_system.auth_cert__>> + name: tls.crt + - key: <<__external_secret_name.istio_system.auth_cert_pk__>> + name: tls.key diff --git a/distribution/certificates/overlays/imported/kubeflow-gateway-cert-secret.yaml b/distribution/certificates/overlays/imported/kubeflow-gateway-cert-secret.yaml new file mode 100644 index 000000000..4e383e8be --- /dev/null +++ b/distribution/certificates/overlays/imported/kubeflow-gateway-cert-secret.yaml 
@@ -0,0 +1,17 @@ +apiVersion: "kubernetes-client.io/v1" +kind: ExternalSecret +metadata: + name: kubeflow-ingressgateway-certs + namespace: istio-system +spec: + backendType: secretsManager + template: + type: kubernetes.io/tls + roleArn: <<__role_arn.external_secrets.istio_system__>> + data: + - key: <<__external_secret_name.istio_system.gateway_ca_cert__>> + name: ca.crt + - key: <<__external_secret_name.istio_system.gateway_cert__>> + name: tls.crt + - key: <<__external_secret_name.istio_system.gateway_cert_pk__>> + name: tls.key diff --git a/distribution/certificates/overlays/imported/kustomization.yaml b/distribution/certificates/overlays/imported/kustomization.yaml new file mode 100644 index 000000000..3d014511b --- /dev/null +++ b/distribution/certificates/overlays/imported/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ../base +- auth-certificate-secret.yaml +- kubeflow-gateway-cert-secret.yaml +- monitoring-certificate-secret.yaml + +patchesStrategicMerge: +- removals/auth-certificate.yaml +- removals/kubeflow-gateway-cert.yaml +- removals/monitoring-certificate.yaml diff --git a/distribution/certificates/overlays/imported/monitoring-certificate-secret.yaml b/distribution/certificates/overlays/imported/monitoring-certificate-secret.yaml new file mode 100644 index 000000000..774efee8a --- /dev/null +++ b/distribution/certificates/overlays/imported/monitoring-certificate-secret.yaml 
@@ -0,0 +1,17 @@ +apiVersion: "kubernetes-client.io/v1" +kind: ExternalSecret +metadata: + name: monitoring-ingressgateway-certs + namespace: istio-system +spec: + backendType: secretsManager + template: + type: kubernetes.io/tls + roleArn: <<__role_arn.external_secrets.istio_system__>> + data: + - key: <<__external_secret_name.istio_system.monitoring_ca_cert__>> + name: ca.crt + - key: <<__external_secret_name.istio_system.monitoring_cert__>> + name: tls.crt + - key: <<__external_secret_name.istio_system.monitoring_cert_pk__>> + name: tls.key diff --git a/distribution/certificates/overlays/imported/removals/auth-certificate.yaml b/distribution/certificates/overlays/imported/removals/auth-certificate.yaml new file mode 100644 index 000000000..63c7b0e33 --- /dev/null +++ b/distribution/certificates/overlays/imported/removals/auth-certificate.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: auth-ingressgateway-certs + namespace: istio-system diff --git a/distribution/certificates/overlays/imported/removals/kubeflow-gateway-cert.yaml b/distribution/certificates/overlays/imported/removals/kubeflow-gateway-cert.yaml new file mode 100644 index 000000000..4c82cb5ab --- /dev/null +++ b/distribution/certificates/overlays/imported/removals/kubeflow-gateway-cert.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: kubeflow-ingressgateway-certs + namespace: istio-system diff --git a/distribution/certificates/overlays/imported/removals/monitoring-certificate.yaml b/distribution/certificates/overlays/imported/removals/monitoring-certificate.yaml new file mode 100644 index 000000000..7580eed62 --- /dev/null +++ b/distribution/certificates/overlays/imported/removals/monitoring-certificate.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: monitoring-ingressgateway-certs + namespace: istio-system 
diff --git a/distribution/cloudflare-secrets/kustomization.yaml b/distribution/cloudflare-secrets/kustomization.yaml
new file mode 100644
index 000000000..fa5d5e660
--- /dev/null
+++ b/distribution/cloudflare-secrets/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- cloudflare-api-token-secret-cert-manager.yaml
+- cloudflare-api-token-secret-external-dns.yaml
diff --git a/istio/deny_all_authorizationpolicy.yaml b/distribution/istio-resources/deny-all-authorizationpolicy.yaml
similarity index 100%
rename from istio/deny_all_authorizationpolicy.yaml
rename to distribution/istio-resources/deny-all-authorizationpolicy.yaml
diff --git a/distribution/istio-resources/envoy-filter-kubeflow-userid.yaml b/distribution/istio-resources/envoy-filter-kubeflow-userid.yaml
new file mode 100644
index 000000000..8c4611c25
--- /dev/null
+++ b/distribution/istio-resources/envoy-filter-kubeflow-userid.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: kubeflow-userid
+ namespace: istio-system
+spec:
+ workloadSelector:
+ labels:
+ app: istio-ingressgateway
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: envoy.filters.http.lua
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
+ inline_code: |
+ function envoy_on_request(request_handle)
+ headers = request_handle:headers()
+ if headers:get("x-auth-request-email") then
+ request_handle:headers():add("kubeflow-userid", headers:get("x-auth-request-email"))
+ end
+ end
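Review bot: The Lua filter sets `kubeflow-userid` with `add` and never clears a value the client already sent, so a request that arrives with its own `kubeflow-userid` header reaches the backend carrying both values, the client-supplied one first; on any host that the gateway's CUSTOM policy does not route through oauth2-proxy, a client-supplied `x-auth-request-email` would likewise be copied verbatim into the identity header. Remove the header unconditionally before deriving it from the ext_authz result and use `replace`, and make `headers` a `local` rather than a Lua global shared across the filter's coroutines.
```yaml
inline_code: |
  function envoy_on_request(request_handle)
    local headers = request_handle:headers()
    -- never trust an identity header supplied by the client
    headers:remove("kubeflow-userid")
    local email = headers:get("x-auth-request-email")
    if email then
      headers:replace("kubeflow-userid", email)
    end
  end
```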
diff --git a/istio/gateway_authorizationpolicy.yaml b/distribution/istio-resources/gateway-authorizationpolicy.yaml similarity index 62% rename from istio/gateway_authorizationpolicy.yaml rename to distribution/istio-resources/gateway-authorizationpolicy.yaml index e315e3724..778b84d1c 100644 --- a/istio/gateway_authorizationpolicy.yaml +++ b/distribution/istio-resources/gateway-authorizationpolicy.yaml @@ -5,11 +5,17 @@ metadata: name: istio-ingressgateway namespace: istio-system spec: - action: ALLOW + action: CUSTOM selector: # Same as the istio-ingressgateway Service selector matchLabels: app: istio-ingressgateway istio: ingressgateway + provider: + name: "oauth2-proxy" rules: - - {} + - to: + - operation: + hosts: + - <<__subdomain_dashboard__>>.<<__domain__>> + - <<__subdomain_serving__>>.<<__domain__>> diff --git a/istio/kubeflow-cluster-roles.yaml b/distribution/istio-resources/kubeflow-cluster-roles.yaml similarity index 100% rename from istio/kubeflow-cluster-roles.yaml rename to distribution/istio-resources/kubeflow-cluster-roles.yaml diff --git a/istio/kubeflow-gateway.yaml b/distribution/istio-resources/kubeflow-gateway.yaml similarity index 73% rename from istio/kubeflow-gateway.yaml rename to distribution/istio-resources/kubeflow-gateway.yaml index c8221805b..7ba6b5d5e 100644 --- a/istio/kubeflow-gateway.yaml +++ b/distribution/istio-resources/kubeflow-gateway.yaml @@ -8,7 +8,7 @@ spec: istio: ingressgateway servers: - hosts: - - '*' + - <<__subdomain_dashboard__>>.<<__domain__>> port: name: http number: 80 @@ -17,12 +17,11 @@ spec: tls: httpsRedirect: true - hosts: - - '*' + - <<__subdomain_dashboard__>>.<<__domain__>> port: name: https number: 443 protocol: HTTPS tls: mode: SIMPLE - privateKey: /etc/istio/ingressgateway-certs/tls.key - serverCertificate: /etc/istio/ingressgateway-certs/tls.crt + credentialName: kubeflow-ingressgateway-certs 
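Review bot: The CUSTOM policy hands only requests for the dashboard and serving hosts to oauth2-proxy, so any other host reaching pods labelled `istio: ingressgateway` — the grafana, kiali and kubecost names that receive certificates in this same commit, and the kubecost VirtualService — is not authenticated by this rule; their protection rests entirely on whatever deny-all-authorizationpolicy.yaml (renamed here, content not shown) and the monitoring gateway enforce. Either add those hosts to the `hosts` list or record the intent above `rules:` with a comment such as `# Only these hosts are authenticated via oauth2-proxy; every other host served by this gateway must carry its own policy`. Note too that a CUSTOM action only applies where a matching ALLOW/DENY does not reject first, so the deny-all policy's scope should be re-checked against these two hosts.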
diff --git a/istio/kustomization.yaml b/distribution/istio-resources/kustomization.yaml similarity index 52% rename from istio/kustomization.yaml rename to distribution/istio-resources/kustomization.yaml index c6d5ee88c..4b7cc35a8 100644 --- a/istio/kustomization.yaml +++ b/distribution/istio-resources/kustomization.yaml @@ -2,11 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- istio-spec.yaml -- namespace.yaml -- ingress-certificate.yaml -- kubeflow-gateway.yaml -- deny_all_authorizationpolicy.yaml -- gateway_authorizationpolicy.yaml +- deny-all-authorizationpolicy.yaml +- envoy-filter-kubeflow-userid.yaml +- gateway-authorizationpolicy.yaml - kubeflow-cluster-roles.yaml +- kubeflow-gateway.yaml # - monitoring/ diff --git a/istio/monitoring/aggregation-rule.yaml b/distribution/istio-resources/monitoring/aggregation-rule.yaml similarity index 100% rename from istio/monitoring/aggregation-rule.yaml rename to distribution/istio-resources/monitoring/aggregation-rule.yaml diff --git a/istio/monitoring/dashboards/control-plane-dashboard.yaml b/distribution/istio-resources/monitoring/dashboards/control-plane-dashboard.yaml similarity index 100% rename from istio/monitoring/dashboards/control-plane-dashboard.yaml rename to distribution/istio-resources/monitoring/dashboards/control-plane-dashboard.yaml diff --git a/istio/monitoring/dashboards/mesh-dashboard.yaml b/distribution/istio-resources/monitoring/dashboards/mesh-dashboard.yaml similarity index 100% rename from istio/monitoring/dashboards/mesh-dashboard.yaml rename to distribution/istio-resources/monitoring/dashboards/mesh-dashboard.yaml diff --git a/istio/monitoring/dashboards/performance-dashboard.yaml b/distribution/istio-resources/monitoring/dashboards/performance-dashboard.yaml similarity index 100% rename from istio/monitoring/dashboards/performance-dashboard.yaml rename to distribution/istio-resources/monitoring/dashboards/performance-dashboard.yaml 
diff --git a/istio/monitoring/dashboards/service-dashboard.yaml b/distribution/istio-resources/monitoring/dashboards/service-dashboard.yaml similarity index 100% rename from istio/monitoring/dashboards/service-dashboard.yaml rename to distribution/istio-resources/monitoring/dashboards/service-dashboard.yaml diff --git a/istio/monitoring/dashboards/workload-dashboard.yaml b/distribution/istio-resources/monitoring/dashboards/workload-dashboard.yaml similarity index 100% rename from istio/monitoring/dashboards/workload-dashboard.yaml rename to distribution/istio-resources/monitoring/dashboards/workload-dashboard.yaml diff --git a/istio/monitoring/federation-service-monitor.yaml b/distribution/istio-resources/monitoring/federation-service-monitor.yaml similarity index 100% rename from istio/monitoring/federation-service-monitor.yaml rename to distribution/istio-resources/monitoring/federation-service-monitor.yaml diff --git a/istio/monitoring/istio-proxies-service-monitor.yaml b/distribution/istio-resources/monitoring/istio-proxies-service-monitor.yaml similarity index 100% rename from istio/monitoring/istio-proxies-service-monitor.yaml rename to distribution/istio-resources/monitoring/istio-proxies-service-monitor.yaml diff --git a/istio/monitoring/kustomization.yaml b/distribution/istio-resources/monitoring/kustomization.yaml similarity index 100% rename from istio/monitoring/kustomization.yaml rename to distribution/istio-resources/monitoring/kustomization.yaml diff --git a/istio/monitoring/pod-monitor.yaml b/distribution/istio-resources/monitoring/pod-monitor.yaml similarity index 100% rename from istio/monitoring/pod-monitor.yaml rename to distribution/istio-resources/monitoring/pod-monitor.yaml diff --git a/istio/monitoring/service-monitor.yaml b/distribution/istio-resources/monitoring/service-monitor.yaml similarity index 100% rename from istio/monitoring/service-monitor.yaml rename to distribution/istio-resources/monitoring/service-monitor.yaml 
diff --git a/distribution/istio/istio-spec.yaml b/distribution/istio/istio-spec.yaml
new file mode 100644
index 000000000..7060760e0
--- /dev/null
+++ b/distribution/istio/istio-spec.yaml
@@ -0,0 +1,41 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ namespace: istio-system
+ name: istio
+spec:
+ profile: default
+ tag: 1.10.1 # istio/operator
+ hub: docker.io/istio
+ meshConfig:
+ accessLogFile: /dev/stdout
+ enablePrometheusMerge: true
+ extensionProviders:
+ - name: "oauth2-proxy"
+ envoyExtAuthzHttp:
+ service: "oauth2-proxy.auth.svc.cluster.local"
+ port: "4180" # The default port used by oauth2-proxy.
+ #includeHeadersInCheck: ["authorization", "cookie"] # headers sent to the oauth2-proxy in the check request.
+ includeHeadersInCheck: # headers sent to the oauth2-proxy in the check request.
+ # https://github.com/oauth2-proxy/oauth2-proxy/issues/350#issuecomment-576949334
+ - "cookie"
+ - "x-forwarded-access-token"
+ - "x-forwarded-user"
+ - "x-forwarded-email"
+ - "authorization"
+ - "x-forwarded-proto"
+ - "proxy-authorization"
+ - "user-agent"
+ - "x-forwarded-host"
+ - "from"
+ - "x-forwarded-for"
+ - "accept"
+ headersToUpstreamOnAllow: ["authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token", "x-auth-request-user-groups"] # headers sent to backend application when request is allowed.
+ headersToDownstreamOnDeny: ["content-type", "set-cookie"] # headers sent back to the client when request is denied.
+ values:
+ sidecarInjectorWebhook:
+ neverInjectSelector:
+ # kube-prometheus-stack
+ ## Admission Webhook jobs do not terminate as expected with istio-proxy
+ - matchExpressions:
+ - {key: app, operator: In, values: [kube-prometheus-stack-admission-create,kube-prometheus-stack-admission-patch]}
diff --git a/distribution/istio/kustomization.yaml b/distribution/istio/kustomization.yaml
new file mode 100644
index 000000000..495b044e0
--- /dev/null
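Review bot: `headersToUpstreamOnAllow` forwards `authorization` and `x-auth-request-access-token` to every backend behind the gateway, which hands the user's bearer/access token to workloads such as user notebooks that run arbitrary code, where it can be read and replayed against the IdP or any API that accepts it. The backends in this distribution identify the user from the email header (the kubeflow-userid EnvoyFilter in this commit copies `x-auth-request-email`), so unless a specific backend is known to consume the token, trim the list to `headersToUpstreamOnAllow: ["x-auth-request-user", "x-auth-request-email", "x-auth-request-user-groups"]`. If the token really is needed somewhere, a comment naming that consumer next to this line would stop the next reviewer from removing it.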
+++ b/distribution/istio/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- istio-spec.yaml
+- namespace.yaml
diff --git a/istio/namespace.yaml b/distribution/istio/namespace.yaml
similarity index 100%
rename from istio/namespace.yaml
rename to distribution/istio/namespace.yaml
diff --git a/knative/eventing-core-v0_22_0.yaml b/distribution/knative/eventing-core-v0_22_0.yaml
similarity index 100%
rename from knative/eventing-core-v0_22_0.yaml
rename to distribution/knative/eventing-core-v0_22_0.yaml
diff --git a/knative/kustomization.yaml b/distribution/knative/kustomization.yaml
similarity index 100%
rename from knative/kustomization.yaml
rename to distribution/knative/kustomization.yaml
diff --git a/knative/net-istio-v0_22_0.yaml b/distribution/knative/net-istio-v0_22_0.yaml
similarity index 100%
rename from knative/net-istio-v0_22_0.yaml
rename to distribution/knative/net-istio-v0_22_0.yaml
diff --git a/knative/serving-core-v0_22_0.yaml b/distribution/knative/serving-core-v0_22_0.yaml
similarity index 100%
rename from knative/serving-core-v0_22_0.yaml
rename to distribution/knative/serving-core-v0_22_0.yaml
diff --git a/distribution/kubecost-resources/kubecost-virtual-service.yaml b/distribution/kubecost-resources/kubecost-virtual-service.yaml
new file mode 100644
index 000000000..9b2ab94a0
--- /dev/null
+++ b/distribution/kubecost-resources/kubecost-virtual-service.yaml
@@ -0,0 +1,16 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: kubecost
+ namespace: monitoring
+spec:
+ gateways:
+ - monitoring-gateway
+ hosts:
+ - kubecost.abs-cloud.nl
+ http:
+ - route:
+ - destination:
+ host: kubecost-cost-analyzer.monitoring.svc.cluster.local
+ port:
+ number: 9090
diff --git a/distribution/kubecost-resources/kustomization.yaml b/distribution/kubecost-resources/kustomization.yaml
new file mode 100644
index 000000000..3ccd1743a
--- /dev/null
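Review bot: `kubecost.abs-cloud.nl` is a hard-coded real hostname while the rest of this commit templates hosts as `<<__subdomain_…__>>.<<__domain__>>`; the monitoring certificate in this same change is issued for `<<__subdomain_kubecost__>>.<<__domain__>>`, so on any other installation this VirtualService matches a name the certificate does not cover, and it leaks one operator's domain into the distribution. Change the entry to `- <<__subdomain_kubecost__>>.<<__domain__>>`. The kubecost host is also not among the hosts the gateway CUSTOM policy sends to oauth2-proxy, so access control for this route depends on what `monitoring-gateway` (not in this diff) enforces — worth stating in a comment on the VirtualService.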
+++ b/distribution/kubecost-resources/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- kubecost-virtual-service.yaml diff --git a/kubeflow.yaml b/distribution/kubeflow.yaml similarity index 72% rename from kubeflow.yaml rename to distribution/kubeflow.yaml index a1e932be5..7b8f63dd1 100644 --- a/kubeflow.yaml +++ b/distribution/kubeflow.yaml @@ -6,9 +6,9 @@ metadata: spec: project: default source: - repoURL: https://github.com/argoflow/argoflow - targetRevision: HEAD - path: . + repoURL: <<__git_repo.url__>> + targetRevision: <<__git_repo.target_revision__>> + path: ./distribution kustomize: version: v4.0.5 destination: diff --git a/kubeflow/katib/kustomization.yaml b/distribution/kubeflow/katib/kustomization.yaml similarity index 86% rename from kubeflow/katib/kustomization.yaml rename to distribution/kubeflow/katib/kustomization.yaml index d37dd2fcb..8f9d86b43 100644 --- a/kubeflow/katib/kustomization.yaml +++ b/distribution/kubeflow/katib/kustomization.yaml 
@@ -2,20 +2,20 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/kubeflow/katib/manifests/v1beta1/installs/katib-with-kubeflow?ref=release-0.11 +- github.com/kubeflow/katib/manifests/v1beta1/installs/katib-with-kubeflow?ref=036296a2e8e36e44077396fedd687953baf5dbc4 # tag=0.11.1 images: - name: docker.io/kubeflowkatib/katib-controller newName: docker.io/kubeflowkatib/katib-controller - newTag: v0.11.0 + newTag: v0.11.1 # digest: sha256:c5e74b2309cef034db4fdcc4d2789004b687d6aa862e1b6d9ab3921ffacd707a - name: docker.io/kubeflowkatib/katib-db-manager newName: docker.io/kubeflowkatib/katib-db-manager - newTag: v0.11.0 + newTag: v0.11.1 # digest: sha256:aca286cfc6f357d4ef6d3ed69c17a471fd1a320a0f09f8b0fe770c9d5607f847 - name: docker.io/kubeflowkatib/katib-ui newName: docker.io/kubeflowkatib/katib-new-ui - newTag: v0.11.0 + newTag: v0.11.1 # digest: sha256:d8d738394379f794bf49e687a6cb8478ec08ec3a553e312d2df1ffdef08d6b97 - name: mysql newName: mysql diff --git a/kubeflow/kfserving/kustomization.yaml b/distribution/kubeflow/kfserving/kustomization.yaml similarity index 100% rename from kubeflow/kfserving/kustomization.yaml rename to distribution/kubeflow/kfserving/kustomization.yaml diff --git a/kubeflow/common/roles-namespaces/kustomization.yaml b/distribution/kubeflow/namespace/kustomization.yaml similarity index 70% rename from kubeflow/common/roles-namespaces/kustomization.yaml rename to distribution/kubeflow/namespace/kustomization.yaml index e9909964e..4dc4f54fc 100644 --- a/kubeflow/common/roles-namespaces/kustomization.yaml +++ b/distribution/kubeflow/namespace/kustomization.yaml @@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/kubeflow/manifests/common/kubeflow-roles/base - github.com/kubeflow/manifests/common/kubeflow-namespace/base 
diff --git a/kubeflow/notebooks/central-dashboard/enable-registration-flow.yaml b/distribution/kubeflow/notebooks/central-dashboard/enable-registration-flow.yaml similarity index 100% rename from kubeflow/notebooks/central-dashboard/enable-registration-flow.yaml rename to distribution/kubeflow/notebooks/central-dashboard/enable-registration-flow.yaml diff --git a/kubeflow/notebooks/central-dashboard/kustomization.yaml b/distribution/kubeflow/notebooks/central-dashboard/kustomization.yaml similarity index 75% rename from kubeflow/notebooks/central-dashboard/kustomization.yaml rename to distribution/kubeflow/notebooks/central-dashboard/kustomization.yaml index dfaa3b326..2e984c684 100644 --- a/kubeflow/notebooks/central-dashboard/kustomization.yaml +++ b/distribution/kubeflow/notebooks/central-dashboard/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/kubeflow/kubeflow/components/centraldashboard/manifests/overlays/istio?ref=8901e3af3b83f599b89562162cdb2854f57082d3 # tag=v1.3.0-rc.1 +- github.com/kubeflow/kubeflow/components/centraldashboard/manifests/overlays/istio?ref=0e91a2b9cd0c3b6687692b1f1f09ac6070cc6c3e # tag=v1.3.0 patchesStrategicMerge: - enable-registration-flow.yaml @@ -10,4 +10,4 @@ patchesStrategicMerge: images: - name: public.ecr.aws/j1r0q0g6/notebooks/central-dashboard newName: public.ecr.aws/j1r0q0g6/notebooks/central-dashboard - newTag: v1.3.0-rc.1 + newTag: v1.3.0 diff --git a/kubeflow/notebooks/experimental-pvcviewer-controller/kustomization.yaml b/distribution/kubeflow/notebooks/experimental-pvcviewer-controller/kustomization.yaml similarity index 100% rename from kubeflow/notebooks/experimental-pvcviewer-controller/kustomization.yaml rename to distribution/kubeflow/notebooks/experimental-pvcviewer-controller/kustomization.yaml 
diff --git a/kubeflow/notebooks/experimental-volumes-web-app/kustomization.yaml b/distribution/kubeflow/notebooks/experimental-volumes-web-app/kustomization.yaml similarity index 95% rename from kubeflow/notebooks/experimental-volumes-web-app/kustomization.yaml rename to distribution/kubeflow/notebooks/experimental-volumes-web-app/kustomization.yaml index c22ea03ca..dd6ec4f0b 100644 --- a/kubeflow/notebooks/experimental-volumes-web-app/kustomization.yaml +++ b/distribution/kubeflow/notebooks/experimental-volumes-web-app/kustomization.yaml @@ -7,5 +7,5 @@ resources: images: - name: davidspek/volumes-web-app newName: davidspek/volumes-web-app - newTag: "0.5.2" + newTag: "0.5.4" # digest: sha256:0b80a09e878f9dcdd530da7948155d532c61f7ad9ce854e7fa26440ade720d8c diff --git a/kubeflow/notebooks/jupyter-web-app/kustomization.yaml b/distribution/kubeflow/notebooks/jupyter-web-app/kustomization.yaml similarity index 75% rename from kubeflow/notebooks/jupyter-web-app/kustomization.yaml rename to distribution/kubeflow/notebooks/jupyter-web-app/kustomization.yaml index 33cbe5f86..f07f84d13 100644 --- a/kubeflow/notebooks/jupyter-web-app/kustomization.yaml +++ b/distribution/kubeflow/notebooks/jupyter-web-app/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/kubeflow/kubeflow/components/crud-web-apps/jupyter/manifests/overlays/istio?ref=8901e3af3b83f599b89562162cdb2854f57082d3 # tag=v1.3.0-rc.1 +- github.com/kubeflow/kubeflow/components/crud-web-apps/jupyter/manifests/overlays/istio?ref=0e91a2b9cd0c3b6687692b1f1f09ac6070cc6c3e # tag=v1.3.0 patchesStrategicMerge: - spawner_ui_config.yaml @@ -11,4 +11,4 @@ patchesStrategicMerge: images: - name: public.ecr.aws/j1r0q0g6/notebooks/jupyter-web-app newName: public.ecr.aws/j1r0q0g6/notebooks/jupyter-web-app - newTag: v1.3.0-rc.1 + newTag: v1.3.0 
diff --git a/kubeflow/notebooks/jupyter-web-app/logos-configmap.yaml b/distribution/kubeflow/notebooks/jupyter-web-app/logos-configmap.yaml similarity index 100% rename from kubeflow/notebooks/jupyter-web-app/logos-configmap.yaml rename to distribution/kubeflow/notebooks/jupyter-web-app/logos-configmap.yaml diff --git a/kubeflow/notebooks/jupyter-web-app/spawner_ui_config.yaml b/distribution/kubeflow/notebooks/jupyter-web-app/spawner_ui_config.yaml similarity index 88% rename from kubeflow/notebooks/jupyter-web-app/spawner_ui_config.yaml rename to distribution/kubeflow/notebooks/jupyter-web-app/spawner_ui_config.yaml index 09c187487..676d935b7 100644 --- a/kubeflow/notebooks/jupyter-web-app/spawner_ui_config.yaml +++ b/distribution/kubeflow/notebooks/jupyter-web-app/spawner_ui_config.yaml 
@@ -21,25 +21,28 @@ data: # Note that some values can be templated. Such values are the names of the # Volumes as well as their StorageClass spawnerFormDefaults: + # container image source available at https://github.com/pluralsh/kubeflow-notebooks image: # The container Image for the user's Jupyter Notebook - value: public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-scipy:master-1831e436 + value: ghcr.io/pluralsh/kubeflow-notebooks-jupyter-scipy:v1.0.0 # The list of available standard container Images options: - - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-scipy:master-1831e436 - - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-pytorch-full:master-1831e436 - - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-pytorch-cuda-full:master-1831e436 - - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-tensorflow-full:master-1831e436 - - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-tensorflow-cuda-full:master-1831e436 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-scipy:v1.0.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full:v1.0.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full-cuda:v1.0.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full:v1.0.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full-cuda:v1.0.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-go:v1.0.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-elixir:v1.0.0 imageGroupOne: # The container Image for the user's Group One Server # The annotation `notebooks.kubeflow.org/http-rewrite-uri: /` # is applied to notebook in this group, configuring # the Istio rewrite for containers that host their web UI at `/` - value: public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/codeserver-python:master-1831e436 + value: ghcr.io/pluralsh/kubeflow-notebooks-codeserver-python:v1.0.0 # The list of available standard container Images options: - - 
public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/codeserver-python:master-1831e436 + - ghcr.io/pluralsh/kubeflow-notebooks-codeserver-python:v1.0.0 imageGroupTwo: # The container Image for the user's Group Two Server # The annotation `notebooks.kubeflow.org/http-rewrite-uri: /` @@ -48,10 +51,10 @@ data: # The annotation `notebooks.kubeflow.org/http-headers-request-set` # is applied to notebook in this group, configuring Istio # to add the `X-RStudio-Root-Path` header to requests - value: public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/rstudio-tidyverse:master-164fa2ea + value: ghcr.io/pluralsh/kubeflow-notebooks-rstudio-tidyverse:v1.0.0 # The list of available standard container Images options: - - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/rstudio-tidyverse:master-164fa2ea + - ghcr.io/pluralsh/kubeflow-notebooks-rstudio-tidyverse:v1.0.0 allowCustomImage: true # If true, users can input custom images # If false, users can only select from the images in this config diff --git a/kubeflow/notebooks/notebook-controller/kustomization.yaml b/distribution/kubeflow/notebooks/notebook-controller/kustomization.yaml similarity index 71% rename from kubeflow/notebooks/notebook-controller/kustomization.yaml rename to distribution/kubeflow/notebooks/notebook-controller/kustomization.yaml index fcbe1c879..6830a6a1e 100644 --- a/kubeflow/notebooks/notebook-controller/kustomization.yaml +++ b/distribution/kubeflow/notebooks/notebook-controller/kustomization.yaml 
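Review bot: The default notebook images move to the third-party `ghcr.io/pluralsh/kubeflow-notebooks-*` namespace and are referenced only by the mutable `v1.0.0` tag, whereas the other kustomizations in this commit (katib, pipelines, volumes-web-app) carry a `# digest: sha256:…` annotation alongside each tag. These images are what every user gets by default and they execute user code with the user's credentials, so a retag upstream silently changes what is spawned; pin each entry by digest (`image:v1.0.0@sha256:…`) or at minimum record the digest comment as the sibling files do. Since `allowCustomImage: true` (unchanged context) already lets users pull anything, a short comment stating that the defaults are the trusted, pinned set would make the intent explicit.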
@@ -2,9 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/kubeflow/kubeflow/components/notebook-controller/config/overlays/kubeflow?ref=8901e3af3b83f599b89562162cdb2854f57082d3 # tag=v1.3.0-rc.1 +- github.com/kubeflow/kubeflow/components/notebook-controller/config/overlays/kubeflow?ref=0e91a2b9cd0c3b6687692b1f1f09ac6070cc6c3e # tag=v1.3.0 images: - name: public.ecr.aws/j1r0q0g6/notebooks/notebook-controller newName: public.ecr.aws/j1r0q0g6/notebooks/notebook-controller - newTag: v1.3.0-rc.1 + newTag: v1.3.0 diff --git a/kubeflow/notebooks/pod-defaults/kustomization.yaml b/distribution/kubeflow/notebooks/pod-defaults/kustomization.yaml similarity index 70% rename from kubeflow/notebooks/pod-defaults/kustomization.yaml rename to distribution/kubeflow/notebooks/pod-defaults/kustomization.yaml index 22cf606d5..6a1b002a7 100644 --- a/kubeflow/notebooks/pod-defaults/kustomization.yaml +++ b/distribution/kubeflow/notebooks/pod-defaults/kustomization.yaml @@ -2,9 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/kubeflow/kubeflow/components/admission-webhook/manifests/overlays/cert-manager?ref=8901e3af3b83f599b89562162cdb2854f57082d3 # tag=v1.3.0-rc.1 +- github.com/kubeflow/kubeflow/components/admission-webhook/manifests/overlays/cert-manager?ref=0e91a2b9cd0c3b6687692b1f1f09ac6070cc6c3e # tag=v1.3.0 images: - name: public.ecr.aws/j1r0q0g6/notebooks/admission-webhook newName: public.ecr.aws/j1r0q0g6/notebooks/admission-webhook - newTag: v1.3.0-rc.1 + newTag: v1.3.0 diff --git a/kubeflow/notebooks/profile-controller_access-management/kustomization.yaml b/distribution/kubeflow/notebooks/profile-controller_access-management/kustomization.yaml similarity index 71% rename from kubeflow/notebooks/profile-controller_access-management/kustomization.yaml rename to distribution/kubeflow/notebooks/profile-controller_access-management/kustomization.yaml index c881a139a..7a6248503 100644 
--- a/kubeflow/notebooks/profile-controller_access-management/kustomization.yaml +++ b/distribution/kubeflow/notebooks/profile-controller_access-management/kustomization.yaml @@ -2,12 +2,15 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/kubeflow/kubeflow/components/profile-controller/config/overlays/kubeflow?ref=8901e3af3b83f599b89562162cdb2854f57082d3 # tag=v1.3.0-rc.1 +- github.com/kubeflow/kubeflow/components/profile-controller/config/overlays/kubeflow?ref=0e91a2b9cd0c3b6687692b1f1f09ac6070cc6c3e # tag=v1.3.0 + +patchesStrategicMerge: + - patch-admin.yaml images: - name: public.ecr.aws/j1r0q0g6/notebooks/access-management newName: public.ecr.aws/j1r0q0g6/notebooks/access-management - newTag: v1.3.0-rc.1 + newTag: v1.3.0 - name: public.ecr.aws/j1r0q0g6/notebooks/profile-controller newName: public.ecr.aws/j1r0q0g6/notebooks/profile-controller - newTag: v1.3.0-rc.1 + newTag: v1.3.0 diff --git a/distribution/kubeflow/notebooks/profile-controller_access-management/patch-admin.yaml b/distribution/kubeflow/notebooks/profile-controller_access-management/patch-admin.yaml new file mode 100644 index 000000000..e8e02bb60 --- /dev/null +++ b/distribution/kubeflow/notebooks/profile-controller_access-management/patch-admin.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: profiles-config + namespace: kubeflow +data: + ADMIN: "admin@argoflow.org" diff --git a/kubeflow/notebooks/tensorboard-controller/kustomization.yaml b/distribution/kubeflow/notebooks/tensorboard-controller/kustomization.yaml similarity index 71% rename from kubeflow/notebooks/tensorboard-controller/kustomization.yaml rename to distribution/kubeflow/notebooks/tensorboard-controller/kustomization.yaml index 96fb10afa..308ea2992 100644 --- a/kubeflow/notebooks/tensorboard-controller/kustomization.yaml +++ b/distribution/kubeflow/notebooks/tensorboard-controller/kustomization.yaml 
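Review bot: `ADMIN: "admin@argoflow.org"` hard-codes an identity as a literal while every other deployment-specific value in this commit (repo URL, domain, role ARNs, secret names) is a `<<__…__>>` placeholder. As far as I can tell this ConfigMap key is what the profile controller treats as the privileged admin user — confirm — in which case whoever is issued that email by the IdP gets admin over profiles on every installation shipped from this distribution. Make it a placeholder in the same convention, for example `ADMIN: "<<__admin_email__>>"` with a name matching the existing scheme, and add a comment that the value must equal the email exactly as oauth2-proxy reports it in `x-auth-request-email`.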
@@ -2,9 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/kubeflow/kubeflow/components/tensorboard-controller/config/overlays/kubeflow?ref=8901e3af3b83f599b89562162cdb2854f57082d3 # tag=v1.3.0-rc.1 +- github.com/kubeflow/kubeflow/components/tensorboard-controller/config/overlays/kubeflow?ref=0e91a2b9cd0c3b6687692b1f1f09ac6070cc6c3e # tag=v1.3.0 images: - name: public.ecr.aws/j1r0q0g6/notebooks/tensorboard-controller newName: public.ecr.aws/j1r0q0g6/notebooks/tensorboard-controller - newTag: v1.3.0-rc.1 + newTag: master-18264c8f diff --git a/kubeflow/notebooks/tensorboards-web-app/kustomization.yaml b/distribution/kubeflow/notebooks/tensorboards-web-app/kustomization.yaml similarity index 70% rename from kubeflow/notebooks/tensorboards-web-app/kustomization.yaml rename to distribution/kubeflow/notebooks/tensorboards-web-app/kustomization.yaml index 75666f5aa..fb31d5afb 100644 --- a/kubeflow/notebooks/tensorboards-web-app/kustomization.yaml +++ b/distribution/kubeflow/notebooks/tensorboards-web-app/kustomization.yaml @@ -2,9 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/kubeflow/kubeflow/components/crud-web-apps/tensorboards/manifests/overlays/istio?ref=8901e3af3b83f599b89562162cdb2854f57082d3 # tag=v1.3.0-rc.1 +- github.com/kubeflow/kubeflow/components/crud-web-apps/tensorboards/manifests/overlays/istio?ref=0e91a2b9cd0c3b6687692b1f1f09ac6070cc6c3e # tag=v1.3.0 images: - name: public.ecr.aws/j1r0q0g6/notebooks/tensorboards-web-app newName: public.ecr.aws/j1r0q0g6/notebooks/tensorboards-web-app - newTag: v1.3.0-rc.1 + newTag: v1.3.0 diff --git a/kubeflow/notebooks/volumes-web-app/kustomization.yaml b/distribution/kubeflow/notebooks/volumes-web-app/kustomization.yaml similarity index 70% rename from kubeflow/notebooks/volumes-web-app/kustomization.yaml rename to distribution/kubeflow/notebooks/volumes-web-app/kustomization.yaml index 31b750a84..636059c24 100644 
--- a/kubeflow/notebooks/volumes-web-app/kustomization.yaml +++ b/distribution/kubeflow/notebooks/volumes-web-app/kustomization.yaml @@ -2,9 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/kubeflow/kubeflow/components/crud-web-apps/volumes/manifests/overlays/istio?ref=8901e3af3b83f599b89562162cdb2854f57082d3 # tag=v1.3.0-rc.1 +- github.com/kubeflow/kubeflow/components/crud-web-apps/volumes/manifests/overlays/istio?ref=0e91a2b9cd0c3b6687692b1f1f09ac6070cc6c3e # tag=v1.3.0 images: - name: public.ecr.aws/j1r0q0g6/notebooks/volumes-web-app newName: public.ecr.aws/j1r0q0g6/notebooks/volumes-web-app - newTag: v1.3.0-rc.1 + newTag: v1.3.0 diff --git a/kubeflow/operators/mpi/kustomization.yaml b/distribution/kubeflow/operators/mpi/kustomization.yaml similarity index 100% rename from kubeflow/operators/mpi/kustomization.yaml rename to distribution/kubeflow/operators/mpi/kustomization.yaml diff --git a/kubeflow/operators/mxnet/kustomization.yaml b/distribution/kubeflow/operators/mxnet/kustomization.yaml similarity index 100% rename from kubeflow/operators/mxnet/kustomization.yaml rename to distribution/kubeflow/operators/mxnet/kustomization.yaml diff --git a/kubeflow/operators/pytorch/kustomization.yaml b/distribution/kubeflow/operators/pytorch/kustomization.yaml similarity index 100% rename from kubeflow/operators/pytorch/kustomization.yaml rename to distribution/kubeflow/operators/pytorch/kustomization.yaml diff --git a/kubeflow/operators/tensorflow/kustomization.yaml b/distribution/kubeflow/operators/tensorflow/kustomization.yaml similarity index 100% rename from kubeflow/operators/tensorflow/kustomization.yaml rename to distribution/kubeflow/operators/tensorflow/kustomization.yaml 
diff --git a/kubeflow/operators/xgboost/kustomization.yaml b/distribution/kubeflow/operators/xgboost/kustomization.yaml similarity index 100% rename from kubeflow/operators/xgboost/kustomization.yaml rename to distribution/kubeflow/operators/xgboost/kustomization.yaml diff --git a/kubeflow/pipelines/kustomization.yaml b/distribution/kubeflow/pipelines/kustomization.yaml similarity index 91% rename from kubeflow/pipelines/kustomization.yaml rename to distribution/kubeflow/pipelines/kustomization.yaml index 0fb83fd8a..8114cc4fe 100644 --- a/kubeflow/pipelines/kustomization.yaml +++ b/distribution/kubeflow/pipelines/kustomization.yaml 
@@ -2,28 +2,28 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/kubeflow/pipelines/manifests/kustomize/env/platform-agnostic-multi-user-pns?ref=2b5a5dd2d0beea39dd2d961d31ebad2ad363742a # tag=1.5.0 +- github.com/kubeflow/pipelines/manifests/kustomize/env/platform-agnostic-multi-user-pns?ref=1c66f93f5149a8d5ed7f33895d3ebc01e662d837 # tag=1.6.0 images: - name: gcr.io/ml-pipeline/cache-deployer newName: gcr.io/ml-pipeline/cache-deployer - newTag: 1.5.0 + newTag: 1.6.0 # digest: sha256:d2c0bb5141d8f16cc39cc900e1af2fabe024c0149dd26f512be474bff83b1101 - name: gcr.io/ml-pipeline/cache-server newName: gcr.io/ml-pipeline/cache-server - newTag: 1.5.0 + newTag: 1.6.0 # digest: sha256:b0beebd00ff5cfb387967094458c3f404c06126ffd91924dd884c08fe19ddea6 - name: gcr.io/ml-pipeline/metadata-envoy newName: gcr.io/ml-pipeline/metadata-envoy - newTag: 1.5.0 + newTag: 1.6.0 # digest: sha256:af0c0dc833da73486fe5f12d4c13181f9cfed2abc2ae0b2ab905815b4f5c9971 - name: gcr.io/tfx-oss-public/ml_metadata_store_server newName: gcr.io/tfx-oss-public/ml_metadata_store_server - newTag: 0.25.1 + newTag: 0.30.0 # digest: sha256:01691247116fe048e0761ae8033efaad3ddd82438d0198f2235afb37c1757d48 - name: gcr.io/ml-pipeline/metadata-writer newName: gcr.io/ml-pipeline/metadata-writer - newTag: 1.5.0 + newTag: 1.6.0 # digest: sha256:9a7ae82816db8e8b5f8d44ce97b04f75e99edfefecaf5b3f078bd0fa65aa067e - name: gcr.io/ml-pipeline/minio newName: gcr.io/ml-pipeline/minio 
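Review bot: Each `newTag` line moves to 1.6.0 (0.30.0 for `ml_metadata_store_server`) but the `# digest: sha256:…` trailer on the same line is left as unchanged context, so every digest comment now describes the previous image rather than the one that will be pulled. A stale digest beside a tag is worse than none, because a reader verifying the manifest trusts it; refresh the digests with the bump or drop the comments. The durable fix is to pin with kustomize's `digest:` field in each `images` entry so the manifest is immutable rather than tag-resolved. The same pattern (tag bumped, digest comment unchanged) recurs in the second hunk of this file and in the metallb kustomization hunk later in this diff.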
@@ -31,27 +31,27 @@ images: # digest: sha256:587abc14be9bbeed794473cf7290c40e377062f2f77f5e4e27742a77680f08e0 - name: gcr.io/ml-pipeline/api-server newName: gcr.io/ml-pipeline/api-server - newTag: 1.5.0 + newTag: 1.6.0 # digest: sha256:b67fd001e01c0bfc955c431bdcd4f34fa779880aa384627e164cb5408674f46a - name: gcr.io/ml-pipeline/persistenceagent newName: gcr.io/ml-pipeline/persistenceagent - newTag: 1.5.0 + newTag: 1.6.0 # digest: sha256:570011e6e37812d5303ad99096687b2a5f539871ec8fc7b92d2a85ddccd74fea - name: gcr.io/ml-pipeline/scheduledworkflow newName: gcr.io/ml-pipeline/scheduledworkflow - newTag: 1.5.0 + newTag: 1.6.0 # digest: sha256:2946f8401c04f171c73aa3c74ac907590e00780af983e816d1504845f38282c9 - name: gcr.io/ml-pipeline/frontend newName: gcr.io/ml-pipeline/frontend - newTag: 1.5.0 + newTag: 1.6.0 # digest: sha256:a5c10e4c732092029f564d4cc15ae8e1401f79b18100dc721f5fb7377e48bcd3 - name: gcr.io/ml-pipeline/viewer-crd-controller newName: gcr.io/ml-pipeline/viewer-crd-controller - newTag: 1.5.0 + newTag: 1.6.0 # digest: sha256:c5bdcdf176725d3bee9662c6b742727ca2b183245b5ba9a63e5375b43fb8eeb6 - name: gcr.io/ml-pipeline/visualization-server newName: gcr.io/ml-pipeline/visualization-server - newTag: 1.5.0 + newTag: 1.6.0 # digest: sha256:6b11817b99538e890f3632f3b0e7c69d8c40126c162449ff7710b32e7cf99499 - name: gcr.io/ml-pipeline/mysql newName: gcr.io/ml-pipeline/mysql diff --git a/distribution/kubeflow/profiles/kustomization.yaml b/distribution/kubeflow/profiles/kustomization.yaml new file mode 100644 index 000000000..9dda65676 --- /dev/null +++ b/distribution/kubeflow/profiles/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow + +resources: +- github.com/kubeflow/manifests/common/user-namespace/base diff --git a/distribution/kubeflow/roles/kustomization.yaml b/distribution/kubeflow/roles/kustomization.yaml new file mode 100644 index 000000000..3c78fa030 --- /dev/null 
+++ b/distribution/kubeflow/roles/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- github.com/kubeflow/manifests/common/kubeflow-roles/base diff --git a/kustomization.yaml b/distribution/kustomization.yaml similarity index 53% rename from kustomization.yaml rename to distribution/kustomization.yaml index e18166176..e570a1036 100644 --- a/kustomization.yaml +++ b/distribution/kustomization.yaml 
@@ -2,31 +2,44 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -# non-kubeflow +## Common # - argocd-applications/metallb.yaml # - argocd-applications/rook-ceph.yaml # - argocd-applications/nginx.yaml # - argocd-applications/nvidia-gpu-operator.yaml +- argocd-applications/istio-operator.yaml +- argocd-applications/istio.yaml +- argocd-applications/istio-resources.yaml +# - argocd-applications/knative.yaml + +# Pick *one* of the following applications - argocd-applications/argocd.yaml -- argocd-applications/istio.yaml -# to use upstream istio comment out line above -# and uncomment the next two line -# - argocd-applications/istio-upstream.yaml -# - argocd-applications/istio-operator.yaml -# kubeflow -- argocd-applications/kubeflow-roles-namespaces.yaml -- argocd-applications/cert-manager.yaml -- argocd-applications/oidc-authservice.yaml -- argocd-applications/dex-istio.yaml -- argocd-applications/knative.yaml +# - argocd-applications/argocd-private-repo.yaml + +# Pick *one* of the following applications +- argocd-applications/cert-manager-self-signing.yaml +# - argocd-applications/cert-manager-dns-01.yaml + +# Pick *one* of the following +- argocd-applications/certificates.yaml +# - argocd-applications/certificates-imported.yaml + +# Pick *one* of the following applications: +# - argocd-applications/oidc-auth-on-cluster-dex.yaml +- argocd-applications/oidc-auth-on-cluster-keycloak.yaml +# - argocd-applications/oidc-auth-external.yaml + +## Kubeflow +- argocd-applications/central-dashboard.yaml +- argocd-applications/profile-controller_access-management.yaml +- argocd-applications/kubeflow-namespace.yaml +- argocd-applications/kubeflow-roles.yaml - argocd-applications/pipelines.yaml -- argocd-applications/kfserving.yaml - argocd-applications/katib.yaml -- argocd-applications/central-dashboard.yaml +- argocd-applications/kfserving.yaml - argocd-applications/pod-defaults.yaml - argocd-applications/jupyter-web-app.yaml - 
argocd-applications/notebook-controller.yaml -- argocd-applications/profile-controller_access-management.yaml - argocd-applications/tensorboard-controller.yaml - argocd-applications/tensorboards-web-app.yaml - argocd-applications/volumes-web-app.yaml @@ -35,11 +48,20 @@ resources: - argocd-applications/mpi-operator.yaml - argocd-applications/mxnet-operator.yaml - argocd-applications/xgboost-operator.yaml -- argocd-applications/user-namespace.yaml -# - argocd-applications/experimental-pvcviewer-controller.yaml -# - argocd-applications/experimental-volumes-web-app.yaml -# Monitoring and logging + +## System +# - argocd-applications/external-dns.yaml +# - argocd-applications/cloudflare-secrets.yaml +- argocd-applications/sealed-secrets.yaml + +## Monitoring and logging # - argocd-applications/monitoring-resources.yaml # - argocd-applications/kube-prometheus-stack.yaml # - argocd-applications/loki-stack.yaml # - argocd-applications/kiali.yaml +# - argocd-applications/kubecost.yaml + +## Contrib +# - argocd-applications/mlflow.yaml +# - argocd-applications/experimental-pvcviewer-controller.yaml +# - argocd-applications/experimental-volumes-web-app.yaml diff --git a/metallb/configmap.yaml b/distribution/metallb/configmap.yaml similarity index 100% rename from metallb/configmap.yaml rename to distribution/metallb/configmap.yaml diff --git a/metallb/kustomization.yaml b/distribution/metallb/kustomization.yaml similarity index 69% rename from metallb/kustomization.yaml rename to distribution/metallb/kustomization.yaml index dc3a398bb..d3aab8269 100644 --- a/metallb/kustomization.yaml +++ b/distribution/metallb/kustomization.yaml 
@@ -3,16 +3,15 @@ kind: Kustomization namespace: metallb-system resources: - - github.com/metallb/metallb/manifests?ref=2233271f768663a9a52e9ef629867f3aa3f30833 # tag=v0.9.6 - - configmap.yaml - - secret.yaml + - github.com/metallb/metallb/manifests?ref=99469a412510da616538825c7a5ecb1ff0dbc59d # tag=v0.10.2 + - configmap.yaml images: - name: metallb/controller newName: metallb/controller - newTag: v0.9.6 + newTag: v0.10.2 # digest: sha256:99b79462af3d8b7d3b18dd31b854148b9d05365843d2c69ce7c3dd8a1f0d015d - name: metallb/speaker newName: metallb/speaker - newTag: v0.9.6 + newTag: v0.10.2 # digest: sha256:dffdaee85e79393785f98f7fd7666fa7d9f53fd90d3319c59a622911ca2e0a09 diff --git a/distribution/mlflow/configmap.yaml b/distribution/mlflow/configmap.yaml new file mode 100644 index 000000000..ee93a16cc --- /dev/null +++ b/distribution/mlflow/configmap.yaml @@ -0,0 +1,10 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: mlflow-config +data: + DB_NAME: <<__rds.db_name.mlflow__>> + RDS_HOST: <<__rds.host__>> + RDS_PORT: "<<__rds.port__>>" + ARTIFACT_S3_BUCKET: <<__s3.bucket.mlflow__>> + ARTIFACT_S3_KEY_PREFIX: <<__s3.key_prefix.mlflow__>> diff --git a/distribution/mlflow/deployment.yaml b/distribution/mlflow/deployment.yaml new file mode 100644 index 000000000..cf2c380cd --- /dev/null +++ b/distribution/mlflow/deployment.yaml 
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mlflow
+ labels:
+ app: mlflow
+ namespace: mlflow
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mlflow
+ template:
+ metadata:
+ labels:
+ app: mlflow
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: mlflow
+ securityContext: {}
+ image: "public.ecr.aws/atcommons/mlflow-server:latest"
+ imagePullPolicy: Always
+ args:
+ - --host=0.0.0.0
+ - --port=5000
+ - --backend-store-uri="mysql://$(RDS_USERNAME):$(RDS_PASSWORD)@$(RDS_HOST):3306/$(DB_NAME)"
+ - --default-artifact-root=s3://$(ARTIFACT_S3_BUCKET)/$(ARTIFACT_S3_KEY_PREFIX)
+ envFrom:
+ - secretRef:
+ name: mlflow-secret
+ - configMapRef:
+ name: mlflow-config
+ ports:
+ - name: http
+ containerPort: 5000
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http
+ resources: {}
diff --git a/distribution/mlflow/namespace.yaml b/distribution/mlflow/namespace.yaml
new file mode 100644
index 000000000..2b3c3f505
--- /dev/null
+++ b/distribution/mlflow/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ control-plane: kubeflow
+ istio-injection: enabled
+ name: mlflow
diff --git a/distribution/mlflow/service.yaml b/distribution/mlflow/service.yaml
new file mode 100644
index 000000000..5f0ebfb40
--- /dev/null
+++ b/distribution/mlflow/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: mlflow
+ namespace: mlflow
+spec:
+ selector:
+ app: mlflow
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: 5000
diff --git a/distribution/monitoring-resources/alertmanager-sidecar.yaml b/distribution/monitoring-resources/alertmanager-sidecar.yaml
new file mode 100644
index 000000000..65c515eb8
--- /dev/null
+++ b/distribution/monitoring-resources/alertmanager-sidecar.yaml
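Review bot: The `--backend-store-uri` argument wraps its value in literal double quotes inside a YAML block-sequence plain scalar, so the quote characters are part of the string handed to the process and mlflow receives `"mysql://…"` quotes included. The same line hardcodes `3306` although `mlflow-config` (the configmap hunk just above) defines `RDS_PORT`; `- --backend-store-uri=mysql://$(RDS_USERNAME):$(RDS_PASSWORD)@$(RDS_HOST):$(RDS_PORT)/$(DB_NAME)` fixes both. Expanding `RDS_USERNAME`/`RDS_PASSWORD` into argv also makes the credentials visible in the container's process list to anything that can read it, so prefer an environment- or file-based setting for the store URI if the server image supports one. `image: …mlflow-server:latest` with `imagePullPolicy: Always` means each restart may run a different build; pin a tag or digest so what is deployed is reviewable. Note too that the namespace hunk below labels `mlflow` with `istio-injection: enabled` while this pod opts out via `sidecar.istio.io/inject: "false"`, leaving mlflow traffic outside the mesh's mTLS and AuthorizationPolicy coverage — state which is intended in a comment.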
@@ -0,0 +1,15 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+ namespace: monitoring
+ name: alertmanager
+spec:
+ workloadSelector:
+ labels:
+ app: alertmanager
+ ingress:
+ - port:
+ number: 9094
+ protocol: TCP
+ name: tcp-mesh
+ defaultEndpoint: 0.0.0.0:9094
diff --git a/distribution/monitoring-resources/allow-all-ns-mon-authorization-policy.yaml b/distribution/monitoring-resources/allow-all-ns-mon-authorization-policy.yaml
new file mode 100644
index 000000000..784257150
--- /dev/null
+++ b/distribution/monitoring-resources/allow-all-ns-mon-authorization-policy.yaml
@@ -0,0 +1,13 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: kubeflow-allow-monitoring
+ namespace: monitoring
+spec:
+ action: ALLOW
+ rules:
+ - {}
+ # - from:
+ # - source:
+ # namespaces:
+ # - monitoring
diff --git a/distribution/monitoring-resources/grafana-autorization-policy.yaml b/distribution/monitoring-resources/grafana-autorization-policy.yaml
new file mode 100644
index 000000000..959ee66b7
--- /dev/null
+++ b/distribution/monitoring-resources/grafana-autorization-policy.yaml
@@ -0,0 +1,16 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: grafana-allow-external-access
+ namespace: istio-system
+spec:
+ action: ALLOW
+ selector:
+ matchLabels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ rules:
+ - to:
+ - operation:
+ hosts:
+ - <<__subdomain_grafana__>>.<<__domain__>>
diff --git a/distribution/monitoring-resources/grafana-virtual-service-kubeflow.yaml b/distribution/monitoring-resources/grafana-virtual-service-kubeflow.yaml
new file mode 100644
index 000000000..fab1b7bcd
--- /dev/null
+++ b/distribution/monitoring-resources/grafana-virtual-service-kubeflow.yaml
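Review bot: `kubeflow-allow-monitoring` is an ALLOW policy with no `selector` and a single empty rule `- {}`, which matches every request from every source, so as far as Istio authorization is concerned it places no restriction on any workload in `monitoring`; the commented `from.source.namespaces` block is the constraint that should be live. The same `rules: - {}` shape is repeated for `auth-allow-access` in distribution/oidc-auth/base/auth-authorizationpolicy.yaml, where it admits any in-mesh caller to oauth2-proxy and the IdP in `auth`. If "no restriction" is genuinely intended, delete the policy rather than keep an allow-all that reads like a control; otherwise replace `- {}` with the `from:` rule and rename the file so it no longer says `allow-all`.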
@@ -0,0 +1,25 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: grafana-kubeflow + namespace: monitoring +spec: + gateways: + - kubeflow/kubeflow-gateway + hosts: + - <<__subdomain_dashboard__>>.<<__domain__>> + http: + - headers: + request: + add: + x-forwarded-prefix: /grafana + match: + - uri: + prefix: /grafana/ + rewrite: + uri: / + route: + - destination: + host: kube-prometheus-stack-grafana.monitoring.svc.cluster.local + port: + number: 80 diff --git a/distribution/monitoring-resources/grafana-virtual-service.yaml b/distribution/monitoring-resources/grafana-virtual-service.yaml new file mode 100644 index 000000000..8372bd429 --- /dev/null +++ b/distribution/monitoring-resources/grafana-virtual-service.yaml @@ -0,0 +1,16 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: grafana + namespace: monitoring +spec: + gateways: + - monitoring-gateway + hosts: + - <<__subdomain_grafana__>>.<<__domain__>> + http: + - route: + - destination: + host: kube-prometheus-stack-grafana.monitoring.svc.cluster.local + port: + number: 80 diff --git a/distribution/monitoring-resources/kustomization.yaml b/distribution/monitoring-resources/kustomization.yaml new file mode 100644 index 000000000..c73eb7511 --- /dev/null +++ b/distribution/monitoring-resources/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- alertmanager-sidecar.yaml +- allow-all-ns-mon-authorization-policy.yaml +- grafana-admin-secret.yaml +- grafana-autorization-policy.yaml +- grafana-virtual-service-kubeflow.yaml +- grafana-virtual-service.yaml +- monitoring-gateway.yaml +- namespace.yaml +- nvidia-dcgm-service-monitor.yaml +- nvidia-dcgm-exporter-dashboard.yaml diff --git a/distribution/monitoring-resources/monitoring-gateway.yaml b/distribution/monitoring-resources/monitoring-gateway.yaml new file mode 100644 index 000000000..7e9b600ca --- /dev/null 
+++ b/distribution/monitoring-resources/monitoring-gateway.yaml @@ -0,0 +1,31 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: monitoring-gateway + namespace: monitoring +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - <<__subdomain_grafana__>>.<<__domain__>> + - <<__subdomain_kiali__>>.<<__domain__>> + - <<__subdomain_kubecost__>>.<<__domain__>> + port: + name: http + number: 80 + protocol: HTTP + # Upgrade HTTP to HTTPS + tls: + httpsRedirect: true + - hosts: + - <<__subdomain_grafana__>>.<<__domain__>> + - <<__subdomain_kiali__>>.<<__domain__>> + - <<__subdomain_kubecost__>>.<<__domain__>> + port: + name: https + number: 443 + protocol: HTTPS + tls: + mode: SIMPLE + credentialName: monitoring-ingressgateway-certs diff --git a/distribution/monitoring-resources/namespace.yaml b/distribution/monitoring-resources/namespace.yaml new file mode 100644 index 000000000..8d91e52d8 --- /dev/null +++ b/distribution/monitoring-resources/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: monitoring + labels: + istio-injection: enabled diff --git a/monitoring-resources/nvidia-dcgm-exporter-dashboard.yaml b/distribution/monitoring-resources/nvidia-dcgm-exporter-dashboard.yaml similarity index 100% rename from monitoring-resources/nvidia-dcgm-exporter-dashboard.yaml rename to distribution/monitoring-resources/nvidia-dcgm-exporter-dashboard.yaml diff --git a/monitoring-resources/nvidia-dcgm-service-monitor.yaml b/distribution/monitoring-resources/nvidia-dcgm-service-monitor.yaml similarity index 100% rename from monitoring-resources/nvidia-dcgm-service-monitor.yaml rename to distribution/monitoring-resources/nvidia-dcgm-service-monitor.yaml diff --git a/nginx/deployment_patch.yaml b/distribution/nginx/deployment_patch.yaml similarity index 100% rename from nginx/deployment_patch.yaml rename to distribution/nginx/deployment_patch.yaml 
diff --git a/nginx/gitlab-service-patch.yaml b/distribution/nginx/gitlab-service-patch.yaml
similarity index 100%
rename from nginx/gitlab-service-patch.yaml
rename to distribution/nginx/gitlab-service-patch.yaml
diff --git a/nginx/gitlab-tcp-configmap.yaml b/distribution/nginx/gitlab-tcp-configmap.yaml
similarity index 100%
rename from nginx/gitlab-tcp-configmap.yaml
rename to distribution/nginx/gitlab-tcp-configmap.yaml
diff --git a/nginx/kustomization.yaml b/distribution/nginx/kustomization.yaml
similarity index 100%
rename from nginx/kustomization.yaml
rename to distribution/nginx/kustomization.yaml
diff --git a/distribution/oidc-auth/base/auth-authorizationpolicy.yaml b/distribution/oidc-auth/base/auth-authorizationpolicy.yaml
new file mode 100644
index 000000000..ad71cf2a8
--- /dev/null
+++ b/distribution/oidc-auth/base/auth-authorizationpolicy.yaml
@@ -0,0 +1,34 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: auth-allow-in-cluster-redirect
+ namespace: istio-system
+spec:
+ action: ALLOW
+ selector:
+ matchLabels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ rules:
+ - to:
+ - operation:
+ hosts:
+ - "<<__subdomain_auth__>>.<<__domain__>>"
+ - "<<__subdomain_dashboard__>>.<<__domain__>>" # needed for redirect after authentication
+ - "<<__subdomain_serving__>>.<<__domain__>>" # needed for redirect after authentication
+ - "*.<<__subdomain_serving__>>.<<__domain__>>" # needed for redirect after authentication
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: auth-allow-access
+ namespace: auth
+spec:
+ action: ALLOW
+ rules:
+ - {}
+ # - from:
+ # - source:
+ # namespaces:
+ # - auth
+ # - istio-system
diff --git a/kubeflow/common/istio/https-gateway.yaml b/distribution/oidc-auth/base/auth-gateway.yaml
similarity index 67%
rename from kubeflow/common/istio/https-gateway.yaml
rename to distribution/oidc-auth/base/auth-gateway.yaml
index ae02f6af0..b945954b3 100644
--- a/kubeflow/common/istio/https-gateway.yaml +++ b/distribution/oidc-auth/base/auth-gateway.yaml @@ -1,13 +1,14 @@ apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: - name: kubeflow-gateway + name: auth-gateway + namespace: auth spec: selector: istio: ingressgateway servers: - hosts: - - '*' + - <<__subdomain_auth__>>.<<__domain__>> port: name: http number: 80 @@ -16,12 +17,11 @@ spec: tls: httpsRedirect: true - hosts: - - '*' + - <<__subdomain_auth__>>.<<__domain__>> port: name: https number: 443 protocol: HTTPS tls: mode: SIMPLE - privateKey: /etc/istio/ingressgateway-certs/tls.key - serverCertificate: /etc/istio/ingressgateway-certs/tls.crt + credentialName: auth-ingressgateway-certs diff --git a/distribution/oidc-auth/base/kustomization.yaml b/distribution/oidc-auth/base/kustomization.yaml new file mode 100644 index 000000000..b9ce49d1c --- /dev/null +++ b/distribution/oidc-auth/base/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- namespace.yaml +- auth-authorizationpolicy.yaml +- auth-gateway.yaml +- oauth2-proxy-secret.yaml +- oauth2-proxy-signout-virtual-service.yaml +- oauth2-proxy.yaml diff --git a/distribution/oidc-auth/base/namespace.yaml b/distribution/oidc-auth/base/namespace.yaml new file mode 100644 index 000000000..10874ae07 --- /dev/null +++ b/distribution/oidc-auth/base/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: auth + labels: + istio-injection: enabled diff --git a/distribution/oidc-auth/base/oauth2-proxy-secret.yaml b/distribution/oidc-auth/base/oauth2-proxy-secret.yaml new file mode 100644 index 000000000..98d8497f7 --- /dev/null +++ b/distribution/oidc-auth/base/oauth2-proxy-secret.yaml 
@@ -0,0 +1,17 @@
+kind: SealedSecret
+apiVersion: bitnami.com/v1alpha1
+metadata:
+ name: oauth2-proxy
+ namespace: auth
+ creationTimestamp: null
+spec:
+ template:
+ metadata:
+ name: oauth2-proxy
+ namespace: auth
+ creationTimestamp: null
+ data: null
+ encryptedData:
+ client-id: 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
+ client-secret: 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
+ cookie-secret: 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
diff --git a/distribution/oidc-auth/base/oauth2-proxy-signout-virtual-service.yaml b/distribution/oidc-auth/base/oauth2-proxy-signout-virtual-service.yaml
new file mode 100644
index 000000000..cbbb88c3c
--- /dev/null
+++ b/distribution/oidc-auth/base/oauth2-proxy-signout-virtual-service.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: oauth2-proxy-logout
+ namespace: auth
+spec:
+ gateways:
+ - kubeflow/kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - uri:
+ prefix: /logout
+ rewrite:
+ uri: "/oauth2/sign_out"
+ route:
+ - destination:
+ host: oauth2-proxy.auth.svc.cluster.local
+ port:
+ number: 4180
diff --git a/distribution/oidc-auth/base/oauth2-proxy.yaml b/distribution/oidc-auth/base/oauth2-proxy.yaml
new file mode 100644
index 000000000..55193e95b
--- /dev/null
+++ b/distribution/oidc-auth/base/oauth2-proxy.yaml
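Review bot: The base `oauth2-proxy-logout` VirtualService binds `hosts: - '*'` on `kubeflow/kubeflow-gateway`, so the `prefix: /logout` match is claimed for every host that gateway serves, and any application path starting with `/logout` on any of those hosts is rewritten to oauth2-proxy's `/oauth2/sign_out` instead of reaching the application. The dex overlay's copy of this same file (later in the diff) narrows `hosts` to `<<__subdomain_dashboard__>>.<<__domain__>>`; the base should carry that scoping itself, `hosts: - <<__subdomain_dashboard__>>.<<__domain__>>`, so the logout route only applies where the dashboard lives and the overlay patch becomes unnecessary. If a wider match is really wanted, a comment stating which hosts are meant to share the logout path would prevent the next reader from "fixing" it.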
@@ -0,0 +1,80 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: oauth2-proxy + namespace: argocd +spec: + project: default + source: + chart: oauth2-proxy + helm: + parameters: + - name: image.repository + value: quay.io/oauth2-proxy/oauth2-proxy + - name: image.tag + value: v7.1.3 + - name: configSecret.create + value: "false" + - name: config.existingSecret + value: oauth2-proxy + - name: service.portNumber + value: "4180" + - name: extraArgs.provider + value: oidc + - name: extraArgs.set-xauthrequest + value: "true" + - name: extraArgs.cookie-secure + value: "true" + - name: extraArgs.cookie-samesite + value: lax + - name: extraArgs.cookie-refresh + value: 1h + - name: extraArgs.cookie-expire + value: 4h + - name: extraArgs.cookie-name + value: _oauth2_proxy + - name: extraArgs.email-domain + value: "*" + - name: extraArgs.upstream + value: "static://200" + - name: extraArgs.skip-provider-button + value: "true" + - name: extraArgs.cookie-domain + value: .<<__domain__>> + - name: extraArgs.whitelist-domain + value: .<<__domain__>> + - name: extraArgs.oidc-issuer-url + value: <<__oidc.issuer__>> + - name: extraArgs.scope + value: <<__oidc.scope__>> + - name: extraArgs.user-id-claim + value: <<__oidc.user_id_claim__>> + # - name: extraArgs.login-url + # value: "<<__oidc.issuer__>>/auth/realms/kubeflow/protocol/openid-connect/auth" + # - name: extraArgs.oidc-jwks-url + # value: "<<__oidc.issuer__>>/keys" + # - name: extraArgs.redeem-url + # value: "<<__oidc.issuer__>>/auth/realms/kubeflow/protocol/openid-connect/token" + # - name: extraArgs.profile-url + # value: "<<__oidc.issuer__>>/auth/realms/kubeflow/protocol/openid-connect/userinfo" + # - name: extraArgs.validate-url + # value: "<<__oidc.issuer__>>.nl/auth/realms/kubeflow/protocol/openid-connect/userinfo" + # - name: extraArgs.scope + # value: email + # - name: extraArgs.scope + # value: profile + # - name: extraArgs.scope + # value: openid + # - name: extraArgs.skip-oidc-discovery + # 
value: "true" + repoURL: https://oauth2-proxy.github.io/manifests + targetRevision: 4.0.5 + destination: + namespace: auth + server: https://kubernetes.default.svc + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/distribution/oidc-auth/overlays/dex/auth-virtual-service.yaml b/distribution/oidc-auth/overlays/dex/auth-virtual-service.yaml new file mode 100644 index 000000000..f75ac5617 --- /dev/null +++ b/distribution/oidc-auth/overlays/dex/auth-virtual-service.yaml @@ -0,0 +1,18 @@ +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: auth + namespace: auth + labels: + app: auth +spec: + gateways: + - auth-gateway + hosts: + - <<__subdomain_auth__>>.<<__domain__>> + http: + - route: + - destination: + host: dex + port: + number: 5556 diff --git a/distribution/oidc-auth/overlays/dex/dex-config-secret.yaml b/distribution/oidc-auth/overlays/dex/dex-config-secret.yaml new file mode 100644 index 000000000..9e27b7a6e --- /dev/null +++ b/distribution/oidc-auth/overlays/dex/dex-config-secret.yaml @@ -0,0 +1,15 @@ +kind: SealedSecret +apiVersion: bitnami.com/v1alpha1 +metadata: + name: dex-config + namespace: auth + creationTimestamp: null +spec: + template: + metadata: + name: dex-config + namespace: auth + creationTimestamp: null + data: null + encryptedData: + config.yaml: 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 diff --git a/distribution/oidc-auth/overlays/dex/dex-config-template.yaml b/distribution/oidc-auth/overlays/dex/dex-config-template.yaml new file mode 100644 index 000000000..e1f5e2563 --- /dev/null +++ b/distribution/oidc-auth/overlays/dex/dex-config-template.yaml 
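Review bot: `extraArgs.email-domain` is `"*"`, so oauth2-proxy admits every identity the issuer authenticates and applies no authorization filter of its own; together with `skip-provider-button` and an `upstream` of `static://200`, access control rests entirely on who can sign in at `<<__oidc.issuer__>>` and on Kubeflow's own profile/namespace checks. That is a defensible design but should be stated next to the parameter, e.g. `# any authenticated user is admitted; authorization is delegated to the IdP and to Kubeflow profiles`. The commented `extraArgs.validate-url` value still contains a stray `.nl` fragment (`<<__oidc.issuer__>>.nl/auth/realms/…`) that looks like a leftover from one environment and should not sit in the template. `image.tag` `v7.1.3` pins the proxy by mutable tag; a digest would make the deployed binary reproducible.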
@@ -0,0 +1,30 @@
+issuer: https://<<__subdomain_auth__>>.<<__domain__>>
+storage:
+ type: kubernetes
+ config:
+ inCluster: true
+web:
+ http: 0.0.0.0:5556
+logger:
+ level: "debug"
+ format: text
+oauth2:
+ skipApprovalScreen: true
+expiry:
+ signingKeys: "4h"
+ idTokens: "1h"
+enablePasswordDB: true
+staticPasswords:
+- email:
+ hash:
+ # https://github.com/dexidp/dex/pull/1601/commits
+ # FIXME: Use hashFromEnv instead
+ username:
+ userID: "15841185641784"
+staticClients:
+# https://github.com/dexidp/dex/pull/1664
+- id:
+ redirectURIs:
+ - "https://<<__subdomain_dashboard__>>.<<__domain__>>/oauth2/callback"
+ name: 'Dex Login Application'
+ secret:
diff --git a/distribution/oidc-auth/overlays/dex/dex.yaml b/distribution/oidc-auth/overlays/dex/dex.yaml
new file mode 100644
index 000000000..8347a96ad
--- /dev/null
+++ b/distribution/oidc-auth/overlays/dex/dex.yaml
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: dex
+ namespace: argocd
+spec:
+ project: default
+ source:
+ chart: dex
+ helm:
+ parameters:
+ - name: configSecret.create
+ value: "false"
+ - name: configSecret.name
+ value: dex-config
+ repoURL: https://charts.dexidp.io
+ targetRevision: 0.4.0
+ destination:
+ namespace: auth
+ server: https://kubernetes.default.svc
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/distribution/oidc-auth/overlays/dex/kustomization.yaml b/distribution/oidc-auth/overlays/dex/kustomization.yaml
new file mode 100644
index 000000000..85defbe71
--- /dev/null
+++ b/distribution/oidc-auth/overlays/dex/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../base
+- auth-virtual-service.yaml
+- dex-config-secret.yaml
+- dex.yaml
+
+patchesStrategicMerge:
+- oauth2-proxy-signout-virtual-service.yaml
+- oauth2-proxy-patch.yaml
+- oauth2-proxy-secret.yaml
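Review bot: `logger.level: "debug"` ships the Dex identity provider at debug verbosity by default; debug output from an IdP tends to carry request detail that does not belong in a shared log pipeline, so the committed template should use `level: "info"` and leave debug for troubleshooting. The `staticPasswords`/`staticClients` entries with empty `email:`, `hash:`, `username:`, `id:` and `secret:` are evidently filled before the config is sealed into `dex-config`, which the in-file `FIXME: Use hashFromEnv instead` hints at; a one-line comment above `staticPasswords:` saying these fields are populated at render time and must never be committed filled in would make that contract explicit. `userID: "15841185641784"` is a fixed value that every deployment rendered from this template will share — confirm that is intended rather than a per-install value.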
diff --git a/distribution/oidc-auth/overlays/dex/oauth2-proxy-patch.yaml b/distribution/oidc-auth/overlays/dex/oauth2-proxy-patch.yaml new file mode 100644 index 000000000..b62eef036 --- /dev/null +++ b/distribution/oidc-auth/overlays/dex/oauth2-proxy-patch.yaml @@ -0,0 +1,54 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: oauth2-proxy + namespace: argocd +spec: + project: default + source: + helm: + parameters: + - name: image.repository + value: quay.io/oauth2-proxy/oauth2-proxy + - name: image.tag + value: v7.1.3 + - name: configSecret.create + value: "false" + - name: config.existingSecret + value: oauth2-proxy + - name: service.portNumber + value: "4180" + - name: extraArgs.provider + value: oidc + - name: extraArgs.set-xauthrequest + value: "true" + - name: extraArgs.cookie-secure + value: "true" + - name: extraArgs.cookie-samesite + value: lax + - name: extraArgs.cookie-refresh + value: 1h + - name: extraArgs.cookie-expire + value: 4h + - name: extraArgs.cookie-name + value: _oauth2_proxy + - name: extraArgs.email-domain + value: "*" + - name: extraArgs.upstream + value: "static://200" + - name: extraArgs.skip-provider-button + value: "true" + - name: extraArgs.cookie-domain + value: .<<__domain__>> + - name: extraArgs.whitelist-domain + value: .<<__domain__>> + - name: extraArgs.oidc-issuer-url + value: "https://<<__subdomain_auth__>>.<<__domain__>>" + - name: extraArgs.login-url + value: "https://<<__subdomain_auth__>>.<<__domain__>>/auth" + - name: extraArgs.oidc-jwks-url + value: "https://<<__subdomain_auth__>>.<<__domain__>>/keys" + - name: extraArgs.redeem-url + value: "https://<<__subdomain_auth__>>.<<__domain__>>/token" + - name: extraArgs.skip-oidc-discovery + value: "true" diff --git a/distribution/oidc-auth/overlays/dex/oauth2-proxy-secret.yaml b/distribution/oidc-auth/overlays/dex/oauth2-proxy-secret.yaml new file mode 100644 index 000000000..e79d4dbe8 --- /dev/null 
+++ b/distribution/oidc-auth/overlays/dex/oauth2-proxy-secret.yaml @@ -0,0 +1,17 @@ +kind: SealedSecret +apiVersion: bitnami.com/v1alpha1 +metadata: + name: oauth2-proxy + namespace: auth + creationTimestamp: null +spec: + template: + metadata: + name: oauth2-proxy + namespace: auth + creationTimestamp: null + data: null + encryptedData: + client-id: 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 + client-secret: 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 + cookie-secret: AgCBQB0kQs6awM5krsLHF0Fc8/Ff+Z2ufAeDOIPjd7vBEelly32T07VDJqsCTAp2gb0JSidx7MiHL9JOzMLps9uVd5kV104UEYa7dL5vptG+ORpjxuQXFgnSHJOtONaG10PVyUVfAOQJDGfX21DSOdNd64Wg35x1LCSj7Pfjwq+SxIuo0w/jyHK3SY21GpqARA7spOcZTPEBdlGvvfEM4s/g2XS1st5vTXsQfIIN7ny4MPNxdgufoHiyIA9C6mc1nrVrlRaxwSUmQ6S6bSaGHS3PCNkoxMNLyPuSBwnaUVCeyOtRVZnN1RZAKKHEdHh0lXfTOWt59TDhFpz98/7/Lmm4D6d/mWzeJxUShYEWUA6UK02mQaC/xCMwnAr9BVW7GeaodmhBFCA9nasyB7loichz1hPVBAfYMH9cPh4sw1JQQkYX+db0r8WQCZeqLdLQoxTTiV175suf96EPtdNn7897tNq2PqI1BRXbo6IP1USzUNnf0yHGwV5XRVqhQZH6WH/19nDyvrlEN/g7dIAofXKW/3fwIoky3pmaIgCQ17vYOlBQ+9PLMZ+8g2QrzUo2gDSEwPuKmidWRIOaHXjwFl919e7EtQGrQ1OhsaGpUcdwD7NN1NNXGGzvI+XXR33VusET1ueHqvsmddPksmJlfTl3F6LfpyEmtE1x9niXmnxDFcgtDGG35jnNwKfkdCT2kL+a3gBtMGLG37RtZ23ujpgX8aKgjFtGnN4= diff --git a/distribution/oidc-auth/overlays/dex/oauth2-proxy-signout-virtual-service.yaml b/distribution/oidc-auth/overlays/dex/oauth2-proxy-signout-virtual-service.yaml new file mode 100644 index 000000000..b2c84fdf4 --- /dev/null +++ b/distribution/oidc-auth/overlays/dex/oauth2-proxy-signout-virtual-service.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: oauth2-proxy-logout + namespace: auth +spec: + gateways: + - kubeflow/kubeflow-gateway + hosts: + - <<__subdomain_dashboard__>>.<<__domain__>> + http: + - match: + - uri: + prefix: /logout + rewrite: + uri: "/oauth2/sign_out" + route: + - destination: + host: oauth2-proxy.auth.svc.cluster.local + port: + number: 4180 
diff --git a/distribution/oidc-auth/overlays/keycloak/keycloak-secret.yaml b/distribution/oidc-auth/overlays/keycloak/keycloak-secret.yaml new file mode 100644 index 000000000..68b9a9e0e --- /dev/null +++ b/distribution/oidc-auth/overlays/keycloak/keycloak-secret.yaml @@ -0,0 +1,17 @@ +kind: SealedSecret +apiVersion: bitnami.com/v1alpha1 +metadata: + name: keycloak-secret + namespace: auth + creationTimestamp: null +spec: + template: + metadata: + name: keycloak-secret + namespace: auth + creationTimestamp: null + data: null + encryptedData: + admin-password: AgBbnhdZLrCkp+mKm9/F9b+RAKz4bbbXfM9yoU7aXoD1twyJyfQCApSYCx+PlwN0KN9I6s2Ry96jmBMRCbRNmVlvIupq3CB76H4b1NKZCfZxePHyIW37c6ZNZC3Ys6oOquDzwGbEletmqzYRElRUUB4C1BjTiDkydbMhThVIBTOGI796NMEr9DPwHaokiA+yufIJrhe8CxJaNUlZhUnzuFKChrLukqWZqeVu1JGmGAZAUZGmRdw93olUMJz1z14oUgh6D1LDD4xKwwyQ9GSImRr2qXeDZrktqlEjcoEqM0zZ3OmXP1KSIhbBdLcgbde/gK7Ig3/ujIKc1s+svHA8mGEZSG0zRt6bs2kxjdArsqEx8ctuBdpnG8H3sGDvUyW0cdgz1IFF2LD5sAMCGecU0GQnuQKxBhA+tVfz7I+pYMxTr+1oZCXOzm23UQelMiSdwcY+vAyHSEPBNTSYPMyjNiulY1sBEUYdQs2d8MhH1ocEG4p0AhwXDs00UhfEbPqvp9TJMgmE2ld+hAtT7Qb3399vtYZgnihSB3+85i27SK8We3aMO25vvGndb7X/Mmqb104ggdewtJGOQ5C6pR5+O2syS0Is+TdWKj2FH4yHD0Jw5PkMA7LZnIB1JSzyGnBjemLlAw5P8lGpz72aXO/flrQEZ54LiYhL4UICsuVxdSugo2PLV/2GORm0HE5861mDy8b0I5YTXA0jABPg + database-password: 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 + management-password: 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 diff --git a/distribution/oidc-auth/overlays/keycloak/keycloak.yaml b/distribution/oidc-auth/overlays/keycloak/keycloak.yaml new file mode 100644 index 000000000..4f99fa428 --- /dev/null +++ b/distribution/oidc-auth/overlays/keycloak/keycloak.yaml 
@@ -0,0 +1,58 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: keycloak
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://charts.bitnami.com/bitnami
+ targetRevision: 3.1.1
+ chart: keycloak
+ helm:
+ parameters:
+ - name : auth.adminUser
+ value : admin
+ - name: auth.managementUser
+ value: manager
+ - name: proxyAddressForwarding
+ value: "true"
+ - name: auth.existingSecret
+ value: keycloak-secret
+ - name: postgresql.existingSecret
+ value: keycloak-postgresql
+ - name: extraVolumeMounts[0].name
+ value: config
+ - name: extraVolumeMounts[0].mountPath
+ value: "/config"
+ - name: extraVolumeMounts[0].readOnly
+ value: "true"
+ - name: extraVolumes[0].name
+ value: config
+ - name: extraVolumes[0].secret.secretName
+ value: kubeflow-realm
+ - name: extraEnvVars[0].name
+ value: KEYCLOAK_EXTRA_ARGS
+ - name: extraEnvVars[0].value
+ value: "-Dkeycloak.import=/config/kubeflow-realm.json"
+ - name: service.type
+ value: ClusterIP
+ - name: service.port
+ value: "8080"
+ - name: service.httpsPort
+ value: "8443"
+ - name: metrics.enabled
+ value: "true"
+ - name: metrics.serviceMonitor.enabled
+ value: "true"
+ - name: metrics.serviceMonitor.namespace
+ value: monitoring
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: auth
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/distribution/oidc-auth/overlays/keycloak/kubeflow-realm-secret.yaml b/distribution/oidc-auth/overlays/keycloak/kubeflow-realm-secret.yaml
new file mode 100644
index 000000000..92ce54a29
--- /dev/null
+++ b/distribution/oidc-auth/overlays/keycloak/kubeflow-realm-secret.yaml
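Review bot: The first Helm parameter is written `name : auth.adminUser` / `value : admin` with a space before the colon, unlike every other entry under `parameters`; YAML still parses the key as `name`, but it reads as a typo and should be `- name: auth.adminUser` / `value: admin`. The `-Dkeycloak.import=/config/kubeflow-realm.json` argument also deserves a comment: as far as I know Keycloak's WildFly distribution runs this import on every start but skips a realm that already exists, so edits to the sealed realm JSON will not reach an already-initialised deployment — `# keycloak.import only seeds the realm on first start; existing realms are left untouched (confirm for chart 3.1.1)` records the assumption. `auth.adminUser: admin` is a well-known username for the console that the overlay's VirtualService exposes; a comment noting that the admin password in `keycloak-secret` is the only control on that account would help whoever operates it.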
@@ -0,0 +1,15 @@
+kind: SealedSecret
+apiVersion: bitnami.com/v1alpha1
+metadata:
+ name: kubeflow-realm
+ namespace: auth
+ creationTimestamp: null
+spec:
+ template:
+ metadata:
+ name: kubeflow-realm
+ namespace: auth
+ creationTimestamp: null
+ data: null
+ encryptedData:
+ kubeflow-realm.json: 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
diff --git a/distribution/oidc-auth/overlays/keycloak/kubeflow-realm-template.json b/distribution/oidc-auth/overlays/keycloak/kubeflow-realm-template.json
new file mode 100644
index 000000000..5e3ee5212
--- /dev/null
+++ b/distribution/oidc-auth/overlays/keycloak/kubeflow-realm-template.json
@@ -0,0 +1,83 @@
+{
+ "id": "kubeflow",
+ "realm": "kubeflow",
+ "displayName": "Kubeflow Realm",
+ "enabled": true,
+ "sslRequired": "external",
+ "registrationAllowed": false,
+ "requiredCredentials": [ "password" ],
+ "users" : [
+ {
+ "username" : "",
+ "enabled": true,
+ "email" : "",
+ "firstName": "",
+ "lastName": "",
+ "credentials" : [
+ { "type" : "password",
+ "value" : "" }
+ ],
+ "realmRoles": [ "user" ],
+ "clientRoles": {
+ "account": ["view-profile", "manage-account"]
+ }
+ }
+ ],
+ "roles" : {
+ "realm" : [
+ {
+ "name": "user",
+ "description": "User privileges",
+ "composite": true,
+ "composites": {
+ "realm": [
+ "offline_access",
+ "uma_authorization"
+ ],
+ "client": {
+ "account": [
+ "manage-account",
+ "view-profile"
+ ]
+ }
+ },
+ "clientRole": false,
+ "containerId": "kubeflow",
+ "attributes": {}
+ },
+ {
+ "name": "uma_authorization",
+ "description": "${role_uma_authorization}",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "kubeflow",
+ "attributes": {}
+ },
+ {
+ "name": "offline_access",
+ "description": "${role_offline-access}",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "kubeflow",
+ "attributes": {}
+ }
+ ]
+ },
+ "clients": [
+ {
+ "id": "56185130-63f4-441f-b618-f471e7baac6d",
+ "clientId": "",
+ "name": "Oauth2 Proxy",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "",
+ "redirectUris": [
+ "https://<<__subdomain_dashboard__>>.<<__domain__>>",
+ "https://<<__subdomain_dashboard__>>.<<__domain__>>/oauth2/callback"
+ ],
+ "webOrigins": []
+ }
+ ]
+}
diff --git a/distribution/oidc-auth/overlays/keycloak/kustomization.yaml b/distribution/oidc-auth/overlays/keycloak/kustomization.yaml
new file mode 100644
index 000000000..418b6bd11
--- /dev/null
+++ b/distribution/oidc-auth/overlays/keycloak/kustomization.yaml
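Review bot: The realm has one password-authenticated user and `registrationAllowed: false`, yet no `bruteForceProtected` setting, so Keycloak's default (disabled) applies and the login form can be guessed against without lockout; adding `"bruteForceProtected": true` at realm level is the cheapest mitigation for a single-account realm. The bare dashboard origin in `redirectUris` looks redundant next to `/oauth2/callback`, but it presumably exists so that Keycloak accepts the `redirect_uri` used by the `logout?redirect_uri=` target in `oauth2-proxy-signout-virtual-service.yaml`; since JSON cannot carry a comment, a client `"description"` such as `"Bare origin entry is the post-logout redirect target; /oauth2/callback is the login callback"` would stop someone from removing it as unused. The empty `username`, `email`, credential `value`, `clientId` and `secret` fields are placeholders rather than a deployable realm (the filled copy appears to be the sealed `kubeflow-realm.json`); say so in the directory README so the template is not applied as-is.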
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../base
+- keycloak-secret.yaml
+- kubeflow-realm-secret.yaml
+- postgresql-secret.yaml
+- virtual-service.yaml
+- keycloak.yaml
+
+patchesStrategicMerge:
+- oauth2-proxy-signout-virtual-service.yaml
+- oauth2-proxy-patch.yaml
+- oauth2-proxy-secret.yaml
diff --git a/distribution/oidc-auth/overlays/keycloak/oauth2-proxy-patch.yaml b/distribution/oidc-auth/overlays/keycloak/oauth2-proxy-patch.yaml
new file mode 100644
index 000000000..91991da21
--- /dev/null
+++ b/distribution/oidc-auth/overlays/keycloak/oauth2-proxy-patch.yaml
@@ -0,0 +1,58 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: oauth2-proxy
+ namespace: argocd
+spec:
+ project: default
+ source:
+ helm:
+ parameters:
+ - name: image.repository
+ value: quay.io/oauth2-proxy/oauth2-proxy
+ - name: image.tag
+ value: v7.1.3
+ - name: configSecret.create
+ value: "false"
+ - name: config.existingSecret
+ value: oauth2-proxy
+ - name: service.portNumber
+ value: "4180"
+ - name: extraArgs.provider
+ value: keycloak
+ - name: extraArgs.set-xauthrequest
+ value: "true"
+ - name: extraArgs.cookie-secure
+ value: "true"
+ - name: extraArgs.cookie-samesite
+ value: lax
+ - name: extraArgs.cookie-refresh
+ value: 1h
+ - name: extraArgs.cookie-expire
+ value: 4h
+ - name: extraArgs.cookie-name
+ value: _oauth2_proxy
+ - name: extraArgs.email-domain
+ value: "*"
+ - name: extraArgs.upstream
+ value: "static://200"
+ - name: extraArgs.skip-provider-button
+ value: "true"
+ - name: extraArgs.cookie-domain
+ value: .<<__domain__>>
+ - name: extraArgs.whitelist-domain
+ value: .<<__domain__>>
+ - name: extraArgs.login-url
+ value: "https://<<__subdomain_auth__>>.<<__domain__>>/auth/realms/kubeflow/protocol/openid-connect/auth"
+ - name: extraArgs.redeem-url
+ value: "https://<<__subdomain_auth__>>.<<__domain__>>/auth/realms/kubeflow/protocol/openid-connect/token"
+ - name: extraArgs.profile-url
+ value: "https://<<__subdomain_auth__>>.<<__domain__>>/auth/realms/kubeflow/protocol/openid-connect/userinfo"
+ - name: extraArgs.validate-url
+ value: "https://<<__subdomain_auth__>>.<<__domain__>>/auth/realms/kubeflow/protocol/openid-connect/userinfo"
+ - name: extraArgs.scope
+ value: email
+ - name: extraArgs.scope
+ value: profile
+ - name: extraArgs.scope
+ value: openid
diff --git a/distribution/oidc-auth/overlays/keycloak/oauth2-proxy-secret.yaml b/distribution/oidc-auth/overlays/keycloak/oauth2-proxy-secret.yaml
new file mode 100644
index 000000000..ac1c659f3
--- /dev/null
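Review bot: `extraArgs.scope` is given three times with the values `email`, `profile` and `openid`; Argo CD hands these to Helm as `--set` overrides, and later values for the same key replace earlier ones, so effectively only `scope=openid` reaches the chart and the `email` and `profile` entries are silently dropped. Pass one space-separated value instead — `- name: extraArgs.scope` / `value: "openid profile email"` — which also matches the `<<__oidc.scope__>>` default in `examples/setup.conf`. `extraArgs.email-domain: "*"` admits any account the realm authenticates; that is only safe because the realm has registration disabled, and a comment stating that dependency, e.g. `# "*" delegates access control to the Keycloak realm (registration is off); tighten if the IdP is opened up`, keeps the setting from being copied into a deployment with an open IdP. The legacy `keycloak` provider derives identity from the userinfo endpoint rather than validating an ID token; if v7.1.3 already ships the `keycloak-oidc` provider, it is the stronger choice and worth checking.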
+++ b/distribution/oidc-auth/overlays/keycloak/oauth2-proxy-secret.yaml
@@ -0,0 +1,17 @@
+kind: SealedSecret
+apiVersion: bitnami.com/v1alpha1
+metadata:
+ name: oauth2-proxy
+ namespace: auth
+ creationTimestamp: null
+spec:
+ template:
+ metadata:
+ name: oauth2-proxy
+ namespace: auth
+ creationTimestamp: null
+ data: null
+ encryptedData:
+ client-id: 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
+ client-secret: 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
+ cookie-secret: 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
diff --git a/distribution/oidc-auth/overlays/keycloak/oauth2-proxy-signout-virtual-service.yaml b/distribution/oidc-auth/overlays/keycloak/oauth2-proxy-signout-virtual-service.yaml
new file mode 100644
index 000000000..f31221b06
--- /dev/null
+++ b/distribution/oidc-auth/overlays/keycloak/oauth2-proxy-signout-virtual-service.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: oauth2-proxy-logout
+ namespace: auth
+spec:
+ gateways:
+ - kubeflow/kubeflow-gateway
+ hosts:
+ - <<__subdomain_dashboard__>>.<<__domain__>>
+ http:
+ - match:
+ - uri:
+ prefix: /logout
+ rewrite:
+ uri: "/oauth2/sign_out"
+ route:
+ - destination:
+ host: oauth2-proxy.auth.svc.cluster.local
+ port:
+ number: 4180
+ headers:
+ request:
+ set:
+ X-Auth-Request-Redirect: "https://<<__subdomain_auth__>>.<<__domain__>>/auth/realms/kubeflow/protocol/openid-connect/logout?redirect_uri=https%%3A%%2F%%2F<<__subdomain_dashboard__>>.<<__domain__>>"
diff --git a/distribution/oidc-auth/overlays/keycloak/postgresql-secret.yaml b/distribution/oidc-auth/overlays/keycloak/postgresql-secret.yaml
new file mode 100644
index 000000000..da0a3a328
--- /dev/null
+++ b/distribution/oidc-auth/overlays/keycloak/postgresql-secret.yaml
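Review bot: The doubled percent signs in `X-Auth-Request-Redirect` (`https%%3A%%2F%%2F`) are correct but easy to mistake for a bug: Envoy treats `%` as a formatter delimiter in custom header values, so `%%` is what produces a literal `%` on the wire. A comment above `headers:` such as `# %% escapes a literal % for Envoy header formatting; oauth2-proxy receives redirect_uri=https%3A%2F%2F...` would keep a later reader from "fixing" it to single percents and breaking the post-logout redirect. Keycloak only honours that `redirect_uri` if it is registered on the client, which is why the bare dashboard origin appears in `kubeflow-realm-template.json`'s `redirectUris`; the two files change together, so a cross-reference comment here is worth adding. oauth2-proxy also checks the redirect against `whitelist-domain` (`.<<__domain__>>` in `oauth2-proxy-patch.yaml`), so the auth host must stay under that domain for this header to take effect.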
@@ -0,0 +1,16 @@
+kind: SealedSecret
+apiVersion: bitnami.com/v1alpha1
+metadata:
+ name: keycloak-postgresql
+ namespace: auth
+ creationTimestamp: null
+spec:
+ template:
+ metadata:
+ name: keycloak-postgresql
+ namespace: auth
+ creationTimestamp: null
+ data: null
+ encryptedData:
+ postgresql-password: AgAkHdRtdETM7Qrkgp454Za2HmFS11UW0b39dnoK0p8CuB09j6ovoAIOuudtV6EvjbnOjGtFQfMEmWTrog53H0chwUSvs1D6BOGQxvcVT52FEXygqj9U9TMY5hWvcsINbtrePed63rDsUNXvUjfs3zaL6Md5EgporDd+AbVOZ/iwdUd9W1IuvvKM/AbKzp260q4NA6eBYBy5BXQ7+yW+LgHozZFV0GA/h0mtcisSDrfpSuBE5efI0lkLLyJphdPlucfKsfqrHytSLSm2USchRXyp/QUpfmhZ6BM9iNM96FJ5KIUuSvWq4SujrBgFCAe2tc7G3i2RwzsHD9wC6kakFN4AkChS+H2KBgr1S5ZuyjzxB5rbELOiMbFf/QeBs8LDJ//ny7RDwXGPdZw0/4tDWh+qIjVmIp/d+Il+2XJXEnzHsHB6a8zP6I/9LwgX+Fqr7+6evTN2AkiNoSDnxM/qver+vNejwwUVILau7if+6nxVYpCcsYOsx8paj2Bno5qwNHJhD9paHL8i169FjtbkYTFquG17MQ3Oo0JekpFc6GEQIiE5vlRYr0JBV5Q1iM+K4pzG/Z7M2YLi45iBHB/ovubwtPoWsVTkjJKK40JsY6EqtmeCK4TBysXIEN7yG/KwaojKE6kLCABVAtgImUGnCD5bFvod92DnY4txdfbmjBvMRTb2G9z/tBROx7yg1cSZBOoEGRaA0QgaZOM9FM0itkZwmhdIwS4T5CdVMowjxGgyTQ==
+ postgresql-postgres-password: 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
diff --git a/distribution/oidc-auth/overlays/keycloak/virtual-service.yaml b/distribution/oidc-auth/overlays/keycloak/virtual-service.yaml
new file mode 100644
index 000000000..e7c8057da
--- /dev/null
+++ b/distribution/oidc-auth/overlays/keycloak/virtual-service.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: auth
+ namespace: auth
+ labels:
+ app: auth
+spec:
+ gateways:
+ - auth-gateway
+ hosts:
+ - <<__subdomain_auth__>>.<<__domain__>>
+ http:
+ - route:
+ - destination:
+ host: keycloak
+ port:
+ number: 8080
diff --git a/rook-ceph/cluster-patch.yaml b/distribution/rook-ceph/cluster-patch.yaml
similarity index 91%
rename from rook-ceph/cluster-patch.yaml
rename to distribution/rook-ceph/cluster-patch.yaml
index 7b25b0698..b4dbd0058 100644
--- a/rook-ceph/cluster-patch.yaml
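Review bot: The `auth` VirtualService has no `match`, so every path on the auth host is forwarded to Keycloak, which publishes the admin console and the master realm on the public gateway next to the `kubeflow` realm endpoints that oauth2-proxy actually calls (`/auth/realms/kubeflow/...` per `oauth2-proxy-patch.yaml`). With `auth.adminUser: admin` fixed in `keycloak.yaml`, the sealed admin password is the only control on that console; limiting the public route to the realm and theme-resource prefixes (as far as I can tell `/auth/realms/kubeflow/` and `/auth/resources/` in this WildFly-based chart), or adding an Istio `AuthorizationPolicy` that denies `/auth/admin*` on the gateway, keeps it off the internet. If the console is meant to stay reachable for initial setup, a comment on the route saying so — and for how long — would be useful.

```yaml
  http:
  - match:
    - uri:
        prefix: /auth/realms/kubeflow/
    - uri:
        prefix: /auth/resources/
    # … unchanged: route to keycloak:8080 …
```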
+++ b/distribution/rook-ceph/cluster-patch.yaml
@@ -5,7 +5,7 @@ metadata: namespace: rook-ceph spec: cephVersion: - image: ceph/ceph:v16.2.3 + image: ceph/ceph:v16.2.4 resources: osd: limits:
diff --git a/rook-ceph/dashboard-ingress.yaml b/distribution/rook-ceph/dashboard-ingress.yaml
similarity index 79%
rename from rook-ceph/dashboard-ingress.yaml
rename to distribution/rook-ceph/dashboard-ingress.yaml
index f4a322079..200e36c56 100644
--- a/rook-ceph/dashboard-ingress.yaml
+++ b/distribution/rook-ceph/dashboard-ingress.yaml
@@ -12,10 +12,10 @@ metadata: spec: tls: - hosts: - - rook-ceph.example.com - secretName: rook-ceph-example-com + - <<__subdomain_ceph__>>.<<__domain__>> + secretName: rook-ceph-ingressgateway-certs rules: - - host: rook-ceph.example.com + - host: <<__subdomain_ceph__>>.<<__domain__>> http: paths: - path: /
diff --git a/rook-ceph/kustomization.yaml b/distribution/rook-ceph/kustomization.yaml
similarity index 54%
rename from rook-ceph/kustomization.yaml
rename to distribution/rook-ceph/kustomization.yaml
index 42e1de6eb..6d9780e2f 100644
--- a/rook-ceph/kustomization.yaml
+++ b/distribution/rook-ceph/kustomization.yaml
@@ -2,22 +2,22 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- https://raw.githubusercontent.com/rook/rook/v1.6.2/cluster/examples/kubernetes/ceph/common.yaml -- https://raw.githubusercontent.com/rook/rook/v1.6.2/cluster/examples/kubernetes/ceph/crds.yaml -- https://raw.githubusercontent.com/rook/rook/v1.6.2/cluster/examples/kubernetes/ceph/operator.yaml -- https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml -- https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml -- https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml -- https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.0/deploy/kubernetes/snapshot-controller/rbac-snapshot-controller.yaml -- https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.0/deploy/kubernetes/snapshot-controller/setup-snapshot-controller.yaml -- https://raw.githubusercontent.com/rook/rook/v1.6.2/cluster/examples/kubernetes/ceph/csi/rbd/storageclass.yaml -- https://raw.githubusercontent.com/rook/rook/v1.6.2/cluster/examples/kubernetes/ceph/csi/rbd/snapshotclass.yaml -- https://raw.githubusercontent.com/rook/rook/v1.6.2/cluster/examples/kubernetes/ceph/csi/cephfs/storageclass.yaml -- https://raw.githubusercontent.com/rook/rook/v1.6.2/cluster/examples/kubernetes/ceph/csi/cephfs/snapshotclass.yaml -- https://raw.githubusercontent.com/rook/rook/v1.6.2/cluster/examples/kubernetes/ceph/object.yaml -- https://raw.githubusercontent.com/rook/rook/v1.6.2/cluster/examples/kubernetes/ceph/storageclass-bucket-delete.yaml -- https://raw.githubusercontent.com/rook/rook/v1.6.2/cluster/examples/kubernetes/ceph/filesystem.yaml -- 
https://raw.githubusercontent.com/rook/rook/v1.6.2/cluster/examples/kubernetes/ceph/cluster.yaml +- https://raw.githubusercontent.com/rook/rook/v1.6.5/cluster/examples/kubernetes/ceph/common.yaml +- https://raw.githubusercontent.com/rook/rook/v1.6.5/cluster/examples/kubernetes/ceph/crds.yaml +- https://raw.githubusercontent.com/rook/rook/v1.6.5/cluster/examples/kubernetes/ceph/operator.yaml +- https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml +- https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml +- https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml +- https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/deploy/kubernetes/snapshot-controller/rbac-snapshot-controller.yaml +- https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/deploy/kubernetes/snapshot-controller/setup-snapshot-controller.yaml +- https://raw.githubusercontent.com/rook/rook/v1.6.5/cluster/examples/kubernetes/ceph/csi/rbd/storageclass.yaml +- https://raw.githubusercontent.com/rook/rook/v1.6.5/cluster/examples/kubernetes/ceph/csi/rbd/snapshotclass.yaml +- https://raw.githubusercontent.com/rook/rook/v1.6.5/cluster/examples/kubernetes/ceph/csi/cephfs/storageclass.yaml +- https://raw.githubusercontent.com/rook/rook/v1.6.5/cluster/examples/kubernetes/ceph/csi/cephfs/snapshotclass.yaml +- https://raw.githubusercontent.com/rook/rook/v1.6.5/cluster/examples/kubernetes/ceph/object.yaml +- https://raw.githubusercontent.com/rook/rook/v1.6.5/cluster/examples/kubernetes/ceph/storageclass-bucket-delete.yaml +- https://raw.githubusercontent.com/rook/rook/v1.6.5/cluster/examples/kubernetes/ceph/filesystem.yaml +- 
https://raw.githubusercontent.com/rook/rook/v1.6.5/cluster/examples/kubernetes/ceph/cluster.yaml - rook-ceph-cert.yaml - rook-rgw-cert.yaml - dashboard-ingress.yaml @@ -31,5 +31,5 @@ patchesStrategicMerge: images: - name: rook/ceph newName: rook/ceph - newTag: v1.6.2 + newTag: v1.6.5 # digest: sha256:2ae80a20563f1d90ce6e312af284fb11b8b60b6721b7eb8e65f5a728ecc21e54 diff --git a/rook-ceph/monitoring/csi-metrics-service-monitor.yaml b/distribution/rook-ceph/monitoring/csi-metrics-service-monitor.yaml similarity index 100% rename from rook-ceph/monitoring/csi-metrics-service-monitor.yaml rename to distribution/rook-ceph/monitoring/csi-metrics-service-monitor.yaml diff --git a/rook-ceph/monitoring/dashboard-set-grafana-uri.yaml b/distribution/rook-ceph/monitoring/dashboard-set-grafana-uri.yaml similarity index 94% rename from rook-ceph/monitoring/dashboard-set-grafana-uri.yaml rename to distribution/rook-ceph/monitoring/dashboard-set-grafana-uri.yaml index b1336d589..8dfbb16fb 100644 --- a/rook-ceph/monitoring/dashboard-set-grafana-uri.yaml +++ b/distribution/rook-ceph/monitoring/dashboard-set-grafana-uri.yaml @@ -45,7 +45,7 @@ spec: # be run in the toolbox pod. The output of the commands can be seen by getting the pod log. # # example: print the ceph status - ceph dashboard set-grafana-api-url https://grafana.example.com + ceph dashboard set-grafana-api-url https://<<__subdomain_grafana__>>.<<__domain__>> volumes: - name: mon-endpoint-volume configMap: diff --git a/rook-ceph/monitoring/dashboards/ceph-cephfs-overview-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-cephfs-overview-integrated-dashboard.yaml similarity index 100% rename from rook-ceph/monitoring/dashboards/ceph-cephfs-overview-integrated-dashboard.yaml rename to distribution/rook-ceph/monitoring/dashboards/ceph-cephfs-overview-integrated-dashboard.yaml 
diff --git a/rook-ceph/monitoring/dashboards/ceph-cluster-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-cluster-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-cluster-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-cluster-dashboard.yaml
diff --git a/rook-ceph/monitoring/dashboards/ceph-cluster-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-cluster-integrated-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-cluster-integrated-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-cluster-integrated-dashboard.yaml
diff --git a/rook-ceph/monitoring/dashboards/ceph-host-details-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-host-details-integrated-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-host-details-integrated-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-host-details-integrated-dashboard.yaml
diff --git a/rook-ceph/monitoring/dashboards/ceph-host-overview-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-host-overview-integrated-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-host-overview-integrated-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-host-overview-integrated-dashboard.yaml
diff --git a/rook-ceph/monitoring/dashboards/ceph-osd-device-details-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-osd-device-details-integrated-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-osd-device-details-integrated-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-osd-device-details-integrated-dashboard.yaml
diff --git a/rook-ceph/monitoring/dashboards/ceph-osd-overview-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-osd-overview-integrated-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-osd-overview-integrated-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-osd-overview-integrated-dashboard.yaml
diff --git a/rook-ceph/monitoring/dashboards/ceph-pool-detail-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-pool-detail-integrated-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-pool-detail-integrated-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-pool-detail-integrated-dashboard.yaml
diff --git a/rook-ceph/monitoring/dashboards/ceph-pool-overview-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-pool-overview-integrated-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-pool-overview-integrated-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-pool-overview-integrated-dashboard.yaml
diff --git a/rook-ceph/monitoring/dashboards/ceph-radosgw-detail-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-radosgw-detail-integrated-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-radosgw-detail-integrated-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-radosgw-detail-integrated-dashboard.yaml
diff --git a/rook-ceph/monitoring/dashboards/ceph-radosgw-overview-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-radosgw-overview-integrated-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-radosgw-overview-integrated-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-radosgw-overview-integrated-dashboard.yaml
diff --git a/rook-ceph/monitoring/dashboards/ceph-radosgw-sync-overview-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-radosgw-sync-overview-integrated-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-radosgw-sync-overview-integrated-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-radosgw-sync-overview-integrated-dashboard.yaml
diff --git a/rook-ceph/monitoring/dashboards/ceph-rdb-details-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-rdb-details-integrated-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-rdb-details-integrated-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-rdb-details-integrated-dashboard.yaml
diff --git a/rook-ceph/monitoring/dashboards/ceph-rdb-overview-integrated-dashboard.yaml b/distribution/rook-ceph/monitoring/dashboards/ceph-rdb-overview-integrated-dashboard.yaml
similarity index 100%
rename from rook-ceph/monitoring/dashboards/ceph-rdb-overview-integrated-dashboard.yaml
rename to distribution/rook-ceph/monitoring/dashboards/ceph-rdb-overview-integrated-dashboard.yaml
diff --git a/rook-ceph/monitoring/kustomization.yaml b/distribution/rook-ceph/monitoring/kustomization.yaml
similarity index 100%
rename from rook-ceph/monitoring/kustomization.yaml
rename to distribution/rook-ceph/monitoring/kustomization.yaml
diff --git a/rook-ceph/monitoring/prometheus-ceph-rules.yaml b/distribution/rook-ceph/monitoring/prometheus-ceph-rules.yaml
similarity index 100%
rename from rook-ceph/monitoring/prometheus-ceph-rules.yaml
rename to distribution/rook-ceph/monitoring/prometheus-ceph-rules.yaml
diff --git a/rook-ceph/monitoring/service-monitor.yaml b/distribution/rook-ceph/monitoring/service-monitor.yaml
similarity index 100%
rename from rook-ceph/monitoring/service-monitor.yaml
rename to distribution/rook-ceph/monitoring/service-monitor.yaml
diff --git a/rook-ceph/rgw-external-ingress.yaml b/distribution/rook-ceph/rgw-external-ingress.yaml
similarity index 70%
rename from rook-ceph/rgw-external-ingress.yaml
rename to distribution/rook-ceph/rgw-external-ingress.yaml
index 2b4d422aa..02edc39ba 100644
--- a/rook-ceph/rgw-external-ingress.yaml
+++ b/distribution/rook-ceph/rgw-external-ingress.yaml
@@ -8,16 +8,16 @@ metadata: kubernetes.io/tls-acme: "true" nginx.ingress.kubernetes.io/backend-protocol: "HTTP" nginx.ingress.kubernetes.io/proxy-body-size: "0" - nginx.ingress.kubernetes.io/server-alias: "*.rgw.example.com" + nginx.ingress.kubernetes.io/server-alias: "*.<<__subdomain_radosgw__>>.<<__domain__>>" nginx.ingress.kubernetes.io/server-snippet: | proxy_ssl_verify off; spec: tls: - hosts: - - rgw.example.com - secretName: rgw-abs-cloud-nl + - <<__subdomain_radosgw__>>.<<__domain__>> + secretName: radosgw-ingressgateway-certs rules: - - host: rgw.example.com + - host: <<__subdomain_radosgw__>>.<<__domain__>> http: paths: - path: /
diff --git a/distribution/rook-ceph/rook-ceph-cert.yaml b/distribution/rook-ceph/rook-ceph-cert.yaml
new file mode 100644
index 000000000..2be45c78c
--- /dev/null
+++ b/distribution/rook-ceph/rook-ceph-cert.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: rook-ceph-ingressgateway-certs
+ namespace: rook-ceph
+spec:
+ secretName: rook-ceph-ingressgateway-certs
+ issuerRef:
+ name: gateways-issuer
+ kind: ClusterIssuer
+ commonName: <<__subdomain_ceph__>>.<<__domain__>>
+ dnsNames:
+ - <<__subdomain_ceph__>>.<<__domain__>>
diff --git a/distribution/rook-ceph/rook-rgw-cert.yaml b/distribution/rook-ceph/rook-rgw-cert.yaml
new file mode 100644
index 000000000..58d5d6353
--- /dev/null
+++ b/distribution/rook-ceph/rook-rgw-cert.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: radosgw-ingressgateway-certs
+ namespace: rook-ceph
+spec:
+ secretName: radosgw-ingressgateway-certs
+ issuerRef:
+ name: gateways-issuer
+ kind: ClusterIssuer
+ commonName: <<__subdomain_radosgw__>>.<<__domain__>>
+ dnsNames:
+ - <<__subdomain_radosgw__>>.<<__domain__>>
+ - '*.<<__subdomain_radosgw__>>.<<__domain__>>'
diff --git a/rook-ceph/set-default-storage.yaml b/distribution/rook-ceph/set-default-storage.yaml
similarity index 100%
rename from rook-ceph/set-default-storage.yaml
rename to distribution/rook-ceph/set-default-storage.yaml
diff --git a/images/vwa-pvcviewer-demo.gif b/docs/images/vwa-pvcviewer-demo.gif
similarity index 100%
rename from images/vwa-pvcviewer-demo.gif
rename to docs/images/vwa-pvcviewer-demo.gif
diff --git a/examples/setup.conf b/examples/setup.conf
new file mode 100644
index 000000000..db707a768
--- /dev/null
+++ b/examples/setup.conf
@@ -0,0 +1,19 @@
+<<__git_repo.url__>>=https://gitlab.mycompany.com/argoflow-aws-initialised.git
+<<__git_repo.target_revision__>>=123456789012/my-cluster.my-domain.com
+<<__domain__>>=my-cluster.my-domain.com
+<<__subdomain_dashboard__>>=kubeflow
+<<__subdomain_serving__>>=serving
+<<__subdomain_argocd__>>=argocd
+<<__subdomain_auth__>>=auth
+<<__subdomain_grafana__>>=grafana
+<<__subdomain_kiali__>>=kiali
+<<__subdomain_kubecost__>>=kubecost
+<<__subdomain_ceph__>>=rook-ceph
+<<__subdomain_radosgw__>>=rgw
+<<__oidc.issuer__>>=https://auth.my-cluster.my-domain.com
+<<__oidc.scope__>>=openid profile email
+<<__oidc.user_id_claim__>>=email
+<<__cert_manager.email_user__>>=info
+<<__cert_manager.email_domain__>>=my-domain.com
+<<__cert_manager.server__>>=https://acme-staging-v02.api.letsencrypt.org/directory
+<<__cloudflare.email__>>=info@my-domain.com
\ No newline at end of file
diff --git a/istio/ingress-certificate.yaml b/istio/ingress-certificate.yaml
deleted file mode 100644
index 39d17fd43..000000000
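Review bot: `<<__oidc.issuer__>>=https://auth.my-cluster.my-domain.com` restates what `<<__subdomain_auth__>>` and `<<__domain__>>` already define, so the three values can drift after a copy-and-edit and the proxy would then validate tokens against the wrong issuer; either derive the issuer from the other two in the substitution step or, if the format cannot express that, add a line in the README next to this example saying the three must agree. `<<__cert_manager.server__>>` points at the Let's Encrypt staging directory, which issues certificates that browsers and OIDC clients do not trust; that is a sensible default for a first run, but the example should say so and name the production directory to switch to, since a deployment left on staging will surface as TLS failures between oauth2-proxy and Keycloak rather than as an obvious misconfiguration. The file also lacks a trailing newline, which some `while read` style loaders drop the last line on.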
--- a/istio/ingress-certificate.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: istio-ingressgateway-certs
- namespace: istio-system
-spec:
- secretName: istio-ingressgateway-certs
- issuerRef:
- name: kubeflow-self-signing-issuer
- kind: ClusterIssuer
- commonName: kubeflow.example.com
- dnsNames:
- - kubeflow.example.com
diff --git a/istio/istio-spec.yaml b/istio/istio-spec.yaml
deleted file mode 100644
index f3193458e..000000000
--- a/istio/istio-spec.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- namespace: istio-system
- name: istio
-spec:
- profile: default
- tag: 1.9.5 # istio/operator
- hub: docker.io/istio
- meshConfig:
- accessLogFile: /dev/stdout
- enablePrometheusMerge: true
diff --git a/kubeflow/common/dex-istio/configmap-patch.yaml b/kubeflow/common/dex-istio/configmap-patch.yaml
deleted file mode 100644
index 095848589..000000000
--- a/kubeflow/common/dex-istio/configmap-patch.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: dex
-data:
- config.yaml: |
- issuer: http://dex.auth.svc.cluster.local:5556/dex
- storage:
- type: kubernetes
- config:
- inCluster: true
- web:
- http: 0.0.0.0:5556
- logger:
- level: "debug"
- format: text
- oauth2:
- skipApprovalScreen: true
- enablePasswordDB: true
- staticPasswords:
- - email: user@kubeflow.org
- hash: $2y$12$4K/VkmDd1q1Orb3xAt82zu8gk7Ad6ReFR4LCP9UeYE90NLiN9Df72
- # https://github.com/dexidp/dex/pull/1601/commits
- # FIXME: Use hashFromEnv instead
- username: user
- userID: "15841185641784"
- staticClients:
- # https://github.com/dexidp/dex/pull/1664
- - idEnv: OIDC_CLIENT_ID
- redirectURIs: ["/login/oidc"]
- name: 'Dex Login Application'
- secretEnv: OIDC_CLIENT_SECRET
diff --git a/kubeflow/common/dex-istio/kustomization.yaml b/kubeflow/common/dex-istio/kustomization.yaml
deleted file mode 100644
index 1dfd1be66..000000000
--- a/kubeflow/common/dex-istio/kustomization.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: auth
-
-resources:
-- github.com/kubeflow/manifests/common/dex/overlays/istio
-
-patchesStrategicMerge:
-- configmap-patch.yaml
-
-images:
-- name: quay.io/dexidp/dex
- newName: ghcr.io/dexidp/dex
- newTag: v2.28.1
- # digest: sha256:5e88f2205de172b60fd7af23ac92f34321688a83de9f7de7c9a6f394f6950877
diff --git a/kubeflow/common/istio/gateway-service.yaml b/kubeflow/common/istio/gateway-service.yaml
deleted file mode 100644
index c34192576..000000000
--- a/kubeflow/common/istio/gateway-service.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: istio-ingressgateway
- namespace: istio-system
-spec:
- type: LoadBalancer
diff --git a/kubeflow/common/istio/ingress-certificate.yaml b/kubeflow/common/istio/ingress-certificate.yaml
deleted file mode 100644
index 39d17fd43..000000000
--- a/kubeflow/common/istio/ingress-certificate.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: istio-ingressgateway-certs
- namespace: istio-system
-spec:
- secretName: istio-ingressgateway-certs
- issuerRef:
- name: kubeflow-self-signing-issuer
- kind: ClusterIssuer
- commonName: kubeflow.example.com
- dnsNames:
- - kubeflow.example.com
diff --git a/kubeflow/common/istio/kustomization.yaml b/kubeflow/common/istio/kustomization.yaml
deleted file mode 100644
index d0d3dc6c1..000000000
--- a/kubeflow/common/istio/kustomization.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- github.com/kubeflow/manifests/common/istio-1-9-0/istio-namespace/base
-- github.com/kubeflow/manifests/common/istio-1-9-0/istio-crds/base
-- github.com/kubeflow/manifests/common/istio-1-9-0/istio-install/base
-- github.com/kubeflow/manifests/common/istio-1-9-0/cluster-local-gateway/base
-- github.com/kubeflow/manifests/common/istio-1-9-0/kubeflow-istio-resources/base
-- ingress-certificate.yaml
-
-patchesStrategicMerge:
-- gateway-service.yaml
-- sidecar-configmap-patch.yaml
-- https-gateway.yaml
-
-images:
-- name: docker.io/istio/proxyv2
- newName: docker.io/istio/proxyv2
- newTag: 1.9.2
- # digest: sha256:ee9c153e2f973937befb8af61e7269ab368020b6e7d91b5d891bbbeba55eb266
-- name: docker.io/istio/pilot
- newName: docker.io/istio/pilot
- newTag: 1.9.2
- # digest: sha256:e8166f78ba0f153814a259b07fa60f8c96ef602cf1f87b75789cd5202306dfe3
diff --git a/kubeflow/common/istio/sidecar-configmap-patch.yaml b/kubeflow/common/istio/sidecar-configmap-patch.yaml
deleted file mode 100644
index 8b91240d7..000000000
--- a/kubeflow/common/istio/sidecar-configmap-patch.yaml
+++ /dev/null
@@ -1,654 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector - namespace: istio-system -data: - - values: |- - { - "global": { - "arch": { - "amd64": 2, - "ppc64le": 2, - "s390x": 2 - }, - "caAddress": "", - "configValidation": true, - "defaultNodeSelector": {}, - "defaultPodDisruptionBudget": { - "enabled": true - }, - "defaultResources": { - "requests": { - "cpu": "10m" - } - }, - "enabled": true, - "externalIstiod": false, - "hub": "docker.io/istio", - "imagePullPolicy": "", - "imagePullSecrets": [], - "istioNamespace": "istio-system", - "istiod": { - "enableAnalysis": false - }, - "jwtPolicy": "third-party-jwt", - "logAsJson": false, - "logging": { - "level": "default:info" - }, - "meshID": "", - "meshNetworks": {}, - "mountMtlsCerts": false, - "multiCluster": { - "clusterName": "", - "enabled": false - }, - "namespace": "istio-system", - "network": "", - "omitSidecarInjectorConfigMap": false, - "oneNamespace": false, - "operatorManageWebhooks": false, - "pilotCertProvider": "istiod", - "priorityClassName": "", - "proxy": { - "autoInject": "enabled", - "clusterDomain": "cluster.local", - "componentLogLevel": "misc:error", - "enableCoreDump": false, - "excludeIPRanges": "", - "excludeInboundPorts": "", - "excludeOutboundPorts": "", - "holdApplicationUntilProxyStarts": false, - "image": "proxyv2", - "includeIPRanges": "*", - "logLevel": "warning", - "privileged": false, - "readinessFailureThreshold": 30, - "readinessInitialDelaySeconds": 1, - "readinessPeriodSeconds": 2, - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "10m", - "memory": "40Mi" - } - }, - "statusPort": 15020, - "tracer": "zipkin" - }, - "proxy_init": { - "image": "proxyv2", - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "10m", - "memory": "10Mi" - } - } - }, - "remotePilotAddress": "", - "sds": { - "token": { - "aud": "istio-ca" - } - }, - "sts": { - 
"servicePort": 0 - }, - "tag": "1.9.2", - "tracer": { - "datadog": { - "address": "$(HOST_IP):8126" - }, - "lightstep": { - "accessToken": "", - "address": "" - }, - "stackdriver": { - "debug": false, - "maxNumberOfAnnotations": 200, - "maxNumberOfAttributes": 200, - "maxNumberOfMessageEvents": 200 - }, - "zipkin": { - "address": "" - } - }, - "trustDomain": "", - "useMCP": false - }, - "istio_cni": { - "enabled": false - }, - "revision": "", - "sidecarInjectorWebhook": { - "alwaysInjectSelector": [], - "defaultTemplates": [], - "enableNamespacesByDefault": false, - "injectedAnnotations": {}, - "neverInjectSelector": [], - "objectSelector": { - "autoInject": true, - "enabled": true - }, - "rewriteAppHTTPProbe": true, - "templates": {}, - "useLegacySelectors": true - } - } -# To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching -# and istiod webhook functionality. -# -# New fields should not use Values - it is a 'primary' config object, users should be able -# to fine tune it or use it with kube-inject. 
- config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - defaultTemplates: [sidecar] - policy: enabled - alwaysInjectSelector: - [] - neverInjectSelector: - [] - injectedAnnotations: - template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" - templates: - sidecar: | - {{- $containers := list }} - {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} - metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - istio.io/rev: {{ .Revision | default "default" | quote }} - annotations: { - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{ end }} - {{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta 
`traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{- end }} - } - spec: - {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` 
.Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - args: - - istio-iptables - - "-p" - - "15001" - - "-z" - - "15006" - - "-u" - - "1337" - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index 
.ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged 
}} - capabilities: - {{- if not .Values.istio_cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.istio_cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - {{- end }} - restartPolicy: Always - {{ end -}} - {{- if eq .Values.global.proxy.enableCoreDump true }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - resources: {} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - {{ if ne "" (index .ObjectMeta.Labels "app") -}} - - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" - {{ else -}} - - "{{ valueOrDefault 
.DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" - {{ end -}} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} - - --concurrency - - "{{ .ProxyConfig.Concurrency.GetValue }}" - {{- end -}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: CANONICAL_SERVICE - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-name'] - - name: CANONICAL_REVISION - valueFrom: - fieldRef: - fieldPath: 
metadata.labels['service.istio.io/canonical-revision'] - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{ if .ObjectMeta.Annotations }} - - name: ISTIO_METAJSON_ANNOTATIONS - value: | - {{ toJSON .ObjectMeta.Annotations }} - {{ end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain 
.Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ not 
.Values.global.proxy.enableCoreDump }} - runAsGroup: 1337 - fsGroup: 1337 - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: 1337 - {{- end }} - resources: - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - volumeMounts: - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: 
/var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - path: "cpu-limit" - resourceFieldRef: - containerName: istio-proxy - resource: limits.cpu - divisor: 1m - - path: "cpu-request" - resourceFieldRef: - containerName: istio-proxy - resource: requests.cpu - divisor: 1m - {{- if eq .Values.global.jwtPolicy 
"third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} diff --git a/kubeflow/common/oidc-authservice/kustomization.yaml b/kubeflow/common/oidc-authservice/kustomization.yaml deleted file mode 100644 index bf2a9ffd2..000000000 --- a/kubeflow/common/oidc-authservice/kustomization.yaml +++ /dev/null 
@@ -1,11 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- github.com/kubeflow/manifests/common/oidc-authservice/base
-
-images:
-- name: gcr.io/arrikto/kubeflow/oidc-authservice
- newName: gcr.io/arrikto/kubeflow/oidc-authservice
- newTag: 28c59ef
- # digest: sha256:c9450b805ad5c333f6a0d9491719a1d3fb4449fe017e37d3ad4c7591c763746b
diff --git a/kubeflow/common/user-namespace/kustomization.yaml b/kubeflow/common/user-namespace/kustomization.yaml
deleted file mode 100644
index cd2dc88d3..000000000
--- a/kubeflow/common/user-namespace/kustomization.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kubeflow
-
-resources:
-- profile-instance.yaml
-configMapGenerator:
-- name: default-install-config
- envs:
- - params.env
-vars:
-# These vars are used for substituing in the parameters from the config map
-# into the Profiles custom resource.
-- name: user
- objref:
- kind: ConfigMap
- name: default-install-config
- apiVersion: v1
- fieldref:
- fieldpath: data.user
-- name: profile-name
- objref:
- kind: ConfigMap
- name: default-install-config
- apiVersion: v1
- fieldref:
- fieldpath: data.profile-name
-configurations:
-- params.yaml
diff --git a/kubeflow/common/user-namespace/params.env b/kubeflow/common/user-namespace/params.env
deleted file mode 100644
index a403887c6..000000000
--- a/kubeflow/common/user-namespace/params.env
+++ /dev/null
@@ -1,2 +0,0 @@
-user=user@kubeflow.org
-profile-name=kubeflow-user
diff --git a/kubeflow/common/user-namespace/params.yaml b/kubeflow/common/user-namespace/params.yaml
deleted file mode 100644
index 40501647d..000000000
--- a/kubeflow/common/user-namespace/params.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-varReference:
-- path: spec/owner/name
- kind: Profile
-- path: metadata/name
- kind: Profile
diff --git a/kubeflow/common/user-namespace/profile-instance.yaml b/kubeflow/common/user-namespace/profile-instance.yaml
deleted file mode 100644
index 3210d0919..000000000
--- a/kubeflow/common/user-namespace/profile-instance.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: kubeflow.org/v1beta1
-kind: Profile
-metadata:
- name: $(profile-name)
-spec:
- owner:
- kind: User
- name: $(user)
diff --git a/metallb/secret.yaml b/metallb/secret.yaml
deleted file mode 100644
index 2d489aae6..000000000
--- a/metallb/secret.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: memberlist
- namespace: metallb-system
-stringData:
- secretkey: "T2CeZ4unC+1RdZ6p01mqrcOyWzZxdW4h7V/9ccfRkDbW+39iqP71LbPby1nJKkvs\notbPChkiMQfacmWXSeRSRiYrRs6KCEr/ANGivui+ch+wBZQiC1ycq2Jgpwcnao5a\nL68IOV+oYnfn52BSPJVBXvm3YEoZlPVsye8HsyMFc98="
diff --git a/monitoring-resources/grafana-cert.yaml b/monitoring-resources/grafana-cert.yaml
deleted file mode 100644
index f68e78a8d..000000000
--- a/monitoring-resources/grafana-cert.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: grafana-example-com
- namespace: monitoring
-spec:
- secretName: grafana-example-com
- issuerRef:
- name: kubeflow-self-signing-issuer
- kind: ClusterIssuer
- commonName: grafana.example.com
- dnsNames:
- - grafana.example.com
diff --git a/monitoring-resources/kiali-cert.yaml b/monitoring-resources/kiali-cert.yaml
deleted file mode 100644
index 6fbf219cc..000000000
--- a/monitoring-resources/kiali-cert.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: kiali-example-com
- namespace: istio-system
-spec:
- secretName: kiali-example-com
- issuerRef:
- name: kubeflow-self-signing-issuer
- kind: ClusterIssuer
- commonName: kiali.example.com
- dnsNames:
- - kiali.example.com
diff --git a/monitoring-resources/kustomization.yaml b/monitoring-resources/kustomization.yaml
deleted file mode 100644
index 760f4e059..000000000
--- a/monitoring-resources/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- grafana-cert.yaml
-- kiali-cert.yaml
-- nvidia-dcgm-service-monitor.yaml
-- nvidia-dcgm-exporter-dashboard.yaml
diff --git a/rook-ceph/rook-ceph-cert.yaml b/rook-ceph/rook-ceph-cert.yaml
deleted file mode 100644
index 4ca436efd..000000000
--- a/rook-ceph/rook-ceph-cert.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: rook-ceph-example-com
- namespace: rook-ceph
-spec:
- secretName: rook-ceph-example-com
- issuerRef:
- name: kubeflow-self-signing-issuer
- kind: ClusterIssuer
- commonName: rook-ceph.example.com
- dnsNames:
- - rook-ceph.example.com
diff --git a/rook-ceph/rook-rgw-cert.yaml b/rook-ceph/rook-rgw-cert.yaml
deleted file mode 100644
index 84615446c..000000000
--- a/rook-ceph/rook-rgw-cert.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: rgw-example-com
- namespace: rook-ceph
-spec:
- secretName: rgw-example-com
- issuerRef:
- name: kubeflow-self-signing-issuer
- kind: ClusterIssuer
- commonName: rgw.example.com
- dnsNames:
- - rgw.example.com
- - '*.rgw.example.com'
diff --git a/setup_repo.sh b/setup_repo.sh
index 69c3a798d..e03bd4992 100755
--- a/setup_repo.sh
+++ b/setup_repo.sh
@@ -1,31 +1,99 @@
 #!/bin/bash
-# set secretkey for metallb
-echo "generating secret for metallb"
-yq eval -i ".stringData.secretkey = \"$(openssl rand -base64 128)\"" metallb/secret.yaml
-
-if [ -z "$1" ]
-  then
-    echo "no repo URL provided, using upstream"
-  else
-    yq e -i ".spec.source.repoURL = \"$1\"" kubeflow.yaml
-    for filename in ./argocd-applications/*.yaml; do
-      if [ $(yq e ".spec.source | has (\"helm\")" $filename) == false ]
-      then
-        yq e -i ".spec.source.repoURL = \"$1\"" $filename
-      fi
-    done
-fi
-
-if [ -z "$2" ]
-  then
-    echo "no target branch provided, using HEAD"
-  else
-    yq e -i ".spec.source.targetRevision = \"$2\"" kubeflow.yaml
-    for filename in ./argocd-applications/*.yaml; do
-      if [ $(yq e ".spec.source | has (\"helm\")" $filename) == false ]
-      then
-        yq e -i ".spec.source.targetRevision = \"$2\"" $filename
-      fi
-    done
-fi
+# Perform a simple recursive find-and-replace on all variables defined in setup.conf
+export SETUP_CONF_PATH=$1 # location of the setup config
+export DISTRIBUTION_PATH=./distribution # folder where the distribution's YAML files are to be found
+
+while IFS="=" read PLACEHOLDER VALUE # While loop that will perform simple parsing. On each line MY_VAR=123 will be read into PLACEHOLDER=MY_VAR, VALUE=123
+do
+  # recursively look for $PLACEHOLDER in all files in the $DISTRIBUTION_PATH and replace it with $VALUE
+  echo ${VALUE}
+  VALUE=$(echo "${VALUE////$'\/'}") #escape forward slashes (needed for sed to work correctly)
+  grep -rli ${PLACEHOLDER} ${DISTRIBUTION_PATH}/* | xargs -i@ sed -i "s/${PLACEHOLDER}/${VALUE}/g" @ #perform recursive replace
+done <${SETUP_CONF_PATH} # pass the setup config into the while loop
+
+# Create metallb secret
+# kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)" --dry-run=client -o yaml | kubeseal | yq eval -P > ${DISTRIBUTION_PATH}/metallb/secret.yaml
+
+# Auth setup
+
+COOKIE_SECRET=$(python3 -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(16)).decode())')
+OIDC_CLIENT_ID=$(python3 -c 'import secrets; print(secrets.token_hex(16))')
+OIDC_CLIENT_SECRET=$(python3 -c 'import secrets; print(secrets.token_hex(32))')
+
+kubectl create secret generic -n auth oauth2-proxy --from-literal=client-id=${OIDC_CLIENT_ID} --from-literal=client-secret=${OIDC_CLIENT_SECRET} --from-literal=cookie-secret=${COOKIE_SECRET} --dry-run=client -o yaml | kubeseal | yq eval -P > ${DISTRIBUTION_PATH}/oidc-auth/overlays/dex/oauth2-proxy-secret.yaml
+kubectl create secret generic -n auth oauth2-proxy --from-literal=client-id=${OIDC_CLIENT_ID} --from-literal=client-secret=${OIDC_CLIENT_SECRET} --from-literal=cookie-secret=${COOKIE_SECRET} --dry-run=client -o yaml | kubeseal | yq eval -P > ${DISTRIBUTION_PATH}/oidc-auth/overlays/keycloak/oauth2-proxy-secret.yaml
+
+DATABASE_PASS=$(python3 -c 'import secrets; print(secrets.token_hex(16))')
+POSTGRESQL_PASS=$(python3 -c 'import secrets; print(secrets.token_hex(16))')
+KEYCLOAK_ADMIN_PASS=$(python3 -c 'import secrets; print(secrets.token_hex(16))')
+KEYCLOAK_MANAGEMENT_PASS=$(python3 -c 'import secrets; print(secrets.token_hex(16))')
+
+kubectl create secret generic -n auth keycloak-secret --from-literal=admin-password=${KEYCLOAK_ADMIN_PASS} --from-literal=database-password=${DATABASE_PASS} --from-literal=management-password=${KEYCLOAK_MANAGEMENT_PASS} --dry-run=client -o yaml | kubeseal | yq eval -P > ${DISTRIBUTION_PATH}/oidc-auth/overlays/keycloak/keycloak-secret.yaml
+kubectl create secret generic -n auth keycloak-postgresql --from-literal=postgresql-password=${DATABASE_PASS} --from-literal=postgresql-postgres-password=${POSTGRESQL_PASS} --dry-run=client -o yaml | kubeseal | yq eval -P > ${DISTRIBUTION_PATH}/oidc-auth/overlays/keycloak/postgresql-secret.yaml
+
+read -p 'Email: ' EMAIL
+read -p 'Username: ' USERNAME
+read -p 'First name (for Kubeflow account): ' FIRSTNAME
+read -p 'Last name (for Kubeflow account): ' LASTNAME
+echo 'Password (for Kubeflow login):'
+read -s ADMIN_PASS
+
+ADMIN_PASS_DEX=$(python3 -c "from passlib.hash import bcrypt; import secrets; print(bcrypt.using(rounds=12, ident='2y').hash(\"${ADMIN_PASS}\"))")
+
+yq eval -i ".data.ADMIN = \"${EMAIL}\"" ${DISTRIBUTION_PATH}/kubeflow/notebooks/profile-controller_access-management/patch-admin.yaml
+
+yq eval ".staticClients[0].id = \"${OIDC_CLIENT_ID}\" | .staticClients[0].secret = \"${OIDC_CLIENT_SECRET}\" | .staticPasswords[0].hash = \"${ADMIN_PASS_DEX}\" | .staticPasswords[0].email = \"${EMAIL}\" | .staticPasswords[0].username = \"${USERNAME}\"" ${DISTRIBUTION_PATH}/oidc-auth/overlays/dex/dex-config-template.yaml | kubectl create secret generic -n auth dex-config --dry-run=client --from-file=config.yaml=/dev/stdin -o yaml | kubeseal | yq eval -P > ${DISTRIBUTION_PATH}/oidc-auth/overlays/dex/dex-config-secret.yaml
+yq eval -j -P ".users[0].username = \"${USERNAME}\" | .users[0].email = \"${EMAIL}\" | .users[0].firstName = \"${FIRSTNAME}\" | .users[0].lastName = \"${LASTNAME}\" | .users[0].credentials[0].value = \"${ADMIN_PASS}\" | .clients[0].clientId = \"${OIDC_CLIENT_ID}\" | .clients[0].secret = \"${OIDC_CLIENT_SECRET}\"" ${DISTRIBUTION_PATH}/oidc-auth/overlays/keycloak/kubeflow-realm-template.json | kubectl create secret generic -n auth kubeflow-realm --dry-run=client --from-file=kubeflow-realm.json=/dev/stdin -o json | kubeseal | yq eval -P > ${DISTRIBUTION_PATH}/oidc-auth/overlays/keycloak/kubeflow-realm-secret.yaml
+
+# Monitoring setup
+
+read -p 'Grafana Admin Username: ' GRAFANA_ADMIN_USERNAME
+echo 'Grafana Admin Password:'
+read -s GRAFANA_ADMIN_PASS
+
+kubectl create secret generic -n monitoring grafana-admin-secret --from-literal=admin-user=${GRAFANA_ADMIN_USERNAME} --from-literal=admin-password=${GRAFANA_ADMIN_PASS} --dry-run=client -o yaml | kubeseal | yq eval -P > ${DISTRIBUTION_PATH}/monitoring-resources/grafana-admin-secret.yaml
+
+# External OIDC setup
+
+echo "Do you want to setup an external OIDC client rather than using an on-cluster provider?"
+select yn in "Yes" "No"; do
+  case $yn in
+    Yes )
+      read -p 'OIDC Client ID: ' OIDC_CLIENT_ID_INPUT
+      echo "OIDC Client Secret:"
+      read -s OIDC_CLIENT_SECRET_INPUT
+      kubectl create secret generic -n auth oauth2-proxy --from-literal=client-id=${OIDC_CLIENT_ID_INPUT} --from-literal=client-secret=${OIDC_CLIENT_SECRET_INPUT} --from-literal=cookie-secret=${COOKIE_SECRET} --dry-run=client -o yaml | kubeseal | yq eval -P > ${DISTRIBUTION_PATH}/oidc-auth/base/oauth2-proxy-secret.yaml
+      break;;
+    No ) break;;
+  esac
+done
+
+# Cloudflare setup
+
+echo "Do you want to setup CloudFlare with cert-manager and External DNS?"
+select yn in "Yes" "No"; do
+  case $yn in
+    Yes )
+      read -p 'CloudFlare API Token: ' CLOUDFLARE_API_TOKEN
+      kubectl create secret generic -n cert-manager cloudflare-api-token-secret --from-literal=api-token=${CLOUDFLARE_API_TOKEN} --dry-run=client -o yaml | kubeseal | yq eval -P > ${DISTRIBUTION_PATH}/cloudflare-secrets/cloudflare-api-token-secret-cert-manager.yaml
+      kubectl create secret generic -n kube-system cloudflare-api-token-secret --from-literal=cloudflare_api_token=${CLOUDFLARE_API_TOKEN} --dry-run=client -o yaml | kubeseal | yq eval -P > ${DISTRIBUTION_PATH}/cloudflare-secrets/cloudflare-api-token-secret-external-dns.yaml
+      break;;
+    No ) break;;
+  esac
+done
+
+# Private repo setup
+
+echo "Are you using a private repo"
+select yn in "Yes" "No"; do
+  case $yn in
+    Yes )
+      read -p 'Repository HTTPS Username: ' REPO_HTTPS_USERNAME
+      echo 'Repository HTTPS Password:'
+      read -s REPO_HTTPS_PASSWORD
+      kubectl create secret generic -n argocd git-repo-secret --from-literal=HTTPS_USERNAME=${REPO_HTTPS_USERNAME} --from-literal=HTTPS_PASSWORD=${REPO_HTTPS_PASSWORD} --dry-run=client -o yaml | kubeseal | yq eval -P > ${DISTRIBUTION_PATH}/argocd/overlays/private-repo/secret.yaml
+      break;;
+    No ) break;;
+  esac
+done
diff --git a/setup_repo_mac.sh b/setup_repo_mac.sh
new file mode 100755
index 000000000..14a5c2114
--- /dev/null
+++ b/setup_repo_mac.sh
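Review bot: The interactively entered password is spliced into program text on the `ADMIN_PASS_DEX=$(python3 -c "from passlib.hash import bcrypt; ... hash(\"${ADMIN_PASS}\"))")` line and again inside the yq filter strings that produce dex-config-secret.yaml and kubeflow-realm-secret.yaml, so a password containing `"`, `\` or `$` is expanded by bash or parsed by Python/yq instead of being hashed and stored verbatim. Pass it through the environment instead, e.g. `ADMIN_PASS_DEX=$(ADMIN_PASS="$ADMIN_PASS" python3 -c 'import os; from passlib.hash import bcrypt; print(bcrypt.using(rounds=12, ident="2y").hash(os.environ["ADMIN_PASS"]))')` and `strenv(ADMIN_PASS)` in the yq expressions, and quote the `${...}` expansions in the `--from-literal=` arguments, which otherwise word-split on a value containing whitespace. The script also has no `set -euo pipefail`, so when `kubeseal` fails (controller unreachable, no sealing certificate) the trailing `| yq eval -P > ...secret.yaml` stage still runs and an empty secret manifest can be left in the distribution without any error. The find-and-replace loop, duplicated in setup_repo_mac.sh, escapes only `/` in `${VALUE}`, so `&` and `\` in a value are interpreted by sed, and `grep -rli` selects files case-insensitively while `sed "s/${PLACEHOLDER}/${VALUE}/g"` replaces case-sensitively. With metallb/secret.yaml deleted and the `# kubectl create secret generic -n metallb-system memberlist ...` line left commented out, nothing generates the memberlist secret any more, and the key that was committed in the deleted file remains in git history and should be rotated rather than treated as removed.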
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Perform a simple recursive find-and-replace on all variables defined in setup.conf
+export SETUP_CONF_PATH=$1 # location of the setup config
+export DISTRIBUTION_PATH=./distribution # folder where the distribution's YAML files are to be found
+
+while IFS="=" read PLACEHOLDER VALUE # While loop that will perform simple parsing. On each line MY_VAR=123 will be read into PLACEHOLDER=MY_VAR, VALUE=123
+do
+  # recursively look for $PLACEHOLDER in all files in the $DISTRIBUTION_PATH and replace it with $VALUE
+  VALUE=$(echo "${VALUE////$'\/'}") #escape forward slashes (need for sed to work correctly)
+  grep -rli ${PLACEHOLDER} ${DISTRIBUTION_PATH}/* | xargs -I@ sed -I '' "s/${PLACEHOLDER}/${VALUE}/g" @ #perform recursive replace
+done <${SETUP_CONF_PATH} # pass the setup config into the while loop