Synchronize kubeflow pipelines manifests 2.5.0 (#3121)

* Update kubeflow/pipelines manifests from 2.5.0

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

* update scripts

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

* update kfp sdk version

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

* consistency

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

* update sdk

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

* fix test

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

* fix test

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

---------

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
Julius von Kohout 2025-04-30 08:38:03 +02:00 committed by GitHub
parent 7588f29d23
commit 8680bf79c0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
200 changed files with 2749 additions and 7175 deletions


@ -95,13 +95,13 @@ jobs:
kustomize build apps/model-registry/upstream/options/ui/overlays/istio | kubectl apply -f -
- name: Install Spark
run: chmod u+x tests/gh-actions/spark_*.sh && ./tests/gh-actions/spark_install.sh
run: chmod u+x tests/gh-actions/*.sh && ./tests/gh-actions/install_spark.sh
- name: Wait for All Pods to be Ready
run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 60s --field-selector=status.phase!=Succeeded
- name: Install Dependencies
run: pip install pytest kubernetes kfp==2.11.0 kserve pytest-timeout pyyaml requests
run: pip install pytest kubernetes kfp==2.13.0 kserve pytest-timeout pyyaml requests
- name: Port-forward the istio-ingress gateway
run: ./tests/gh-actions/port_forward_gateway.sh
@ -120,14 +120,14 @@ jobs:
- name: Test Pipeline Access with Authorized Token
run: |
TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
python3 tests/gh-actions/test_pipeline.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
- name: Test Pipeline Access with Unauthorized Token
run: |
kubectl create namespace test-unauthorized
kubectl create serviceaccount test-unauthorized -n test-unauthorized
UNAUTHORIZED_TOKEN=$(kubectl -n test-unauthorized create token test-unauthorized)
python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "$UNAUTHORIZED_TOKEN" "${KF_PROFILE}"
python3 tests/gh-actions/test_pipeline.py test_unauthorized_access "$UNAUTHORIZED_TOKEN" "${KF_PROFILE}"
- name: Test Volumes Web Application API
run: ./tests/gh-actions/test_volumes_web_application.sh "${KF_PROFILE}"
@ -173,7 +173,7 @@ jobs:
# TODO the individual KServe tests is currently being restructured. Afterwards we can also test inferencing
- name: Run Spark Test
run: chmod u+x tests/gh-actions/spark_*.sh && ./tests/gh-actions/spark_test.sh "${KF_PROFILE}"
run: chmod u+x tests/gh-actions/*.sh && ./tests/gh-actions/test_spark.sh "${KF_PROFILE}"
- name: Test Model Registry Deployment
run: |
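Review bot: The `Install Dependencies` step still pins only `kfp`; `pytest`, `kubernetes`, `kserve`, `pytest-timeout`, `pyyaml` and `requests` resolve to whatever is latest at run time, in a job that later mints ServiceAccount tokens with `kubectl create token`. Pinning them as well, for example through one shared requirements file installed with `pip install -r`, would make runs reproducible and narrow the window for a compromised or breaking release to reach CI. The kfp version is also repeated across several workflows in this commit (they sat at 2.11.0 and 2.12.1 before), so a single shared file would keep them from drifting again. The job continues outside the hunks shown.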


@ -54,7 +54,7 @@ jobs:
- name: Install Dependencies
run: pip install pytest kubernetes kfp==2.11.0 requests
run: pip install pytest kubernetes kfp==2.13.0 requests
- name: Port-forward the istio-ingress gateway
run: ./tests/gh-actions/port_forward_gateway.sh


@ -67,17 +67,17 @@ jobs:
- name: List and deploy test pipeline with authorized ServiceAccount Token
run: |
pip3 install kfp==2.12.1
pip3 install kfp==2.13.0
KF_PROFILE=kubeflow-user-example-com
TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
python3 tests/gh-actions/test_pipeline.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
- name: Fail to list pipelines with unauthorized ServiceAccount Token
run: |
pip3 install kfp==2.12.1
pip3 install kfp==2.13.0
KF_PROFILE=kubeflow-user-example-com
TOKEN="$(kubectl -n default create token default)"
python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}"
python3 tests/gh-actions/test_pipeline.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}"
echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace."


@ -3,7 +3,7 @@ on:
pull_request:
paths:
- tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
- .github/workflows/pipeline_test.yaml
- .github/workflows/test_pipeline.yaml
- apps/pipeline/upstream/**
- tests/gh-actions/install_istio.sh
- tests/gh-actions/install_cert_manager.sh
@ -11,7 +11,7 @@ on:
- common/cert-manager/**
- common/oauth2-proxy/**
- common/istio*/**
- tests/gh-actions/pipeline_test.py
- tests/gh-actions/test_pipeline.py
- experimental/security/PSS/*
jobs:
@ -66,17 +66,17 @@ jobs:
- name: List and deploy test pipeline with authorized ServiceAccount Token
run: |
pip3 install kfp==2.12.1
pip3 install kfp==2.13.0
KF_PROFILE=kubeflow-user-example-com
TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
python3 tests/gh-actions/test_pipeline.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
- name: Fail to list pipelines with unauthorized ServiceAccount Token
run: |
pip3 install kfp==2.12.1
pip3 install kfp==2.13.0
KF_PROFILE=kubeflow-user-example-com
TOKEN="$(kubectl -n default create token default)"
python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}"
python3 tests/gh-actions/test_pipeline.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}"
echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace."


@ -3,7 +3,7 @@ on:
pull_request:
paths:
- tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
- .github/workflows/spark_test.yaml
- .github/workflows/test_spark.yaml
- apps/spark/**
- tests/gh-actions/spark*.sh
- tests/gh-actions/install_istio.sh
@ -47,6 +47,6 @@ jobs:
cd apps/spark
# TODO remove the debugging lines
ls -lah ../../tests/gh-actions/
chmod u+x ../../tests/gh-actions/spark*
../../tests/gh-actions/spark_install.sh
../../tests/gh-actions/spark_test.sh "kubeflow-user-example-com"
chmod u+x ../../tests/gh-actions/*.sh
../../tests/gh-actions/install_spark.sh
../../tests/gh-actions/test_spark.sh "kubeflow-user-example-com"
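Review bot: The `paths:` filter in the first hunk still lists `tests/gh-actions/spark*.sh`, but the step now runs `install_spark.sh` and `test_spark.sh`, which that glob does not match. If the old `spark_*.sh` files were renamed rather than kept, edits to the Spark scripts will no longer trigger this workflow; the entry should become something like `- tests/gh-actions/*spark*.sh`. Separately, `chmod u+x ../../tests/gh-actions/*.sh` now marks every script in the directory executable where the old glob touched only the Spark ones, and the `# TODO remove the debugging lines` note with its `ls -lah` is still in place.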


@ -1,2 +1,2 @@
# ~/.shellcheckrc
disable=SC1017,SC2086,SC2070,SC2046,SC2155,SC2006
disable=SC1017,SC2086,SC2070,SC2046,SC2155,SC2006,SC1091,SC2164
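Review bot: Adding `SC1091` and `SC2164` to the repository-wide `disable=` list silences them for every script, not only the ones this commit touches. SC2164 is the check for an unguarded `cd`, so with it off a failed `cd` in an install script goes unflagged and later commands can run in the wrong directory; SC2086 and SC2046 (unquoted expansions) are already off on the same line. Prefer fixing the call sites (`cd dir || exit 1`) or scoping the exception with a `# shellcheck disable=SC2164` directive above the specific line that needs it.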


@ -65,7 +65,7 @@ This repository periodically synchronizes all official Kubeflow components from
| Katib | apps/katib/upstream | [v0.18.0](https://github.com/kubeflow/katib/tree/v0.18.0/manifests/v1beta1) |
| KServe | apps/kserve/kserve | [v0.15.0](https://github.com/kserve/kserve/releases/tag/v0.15.0/install/v0.15.0) |
| KServe Models Web Application | apps/kserve/models-web-app | [v0.14.0](https://github.com/kserve/models-web-app/tree/v0.14.0/config) |
| Kubeflow Pipelines | apps/pipeline/upstream | [2.4.1](https://github.com/kubeflow/pipelines/tree/2.4.1/manifests/kustomize) |
| Kubeflow Pipelines | apps/pipeline/upstream | [2.5.0](https://github.com/kubeflow/pipelines/tree/2.5.0/manifests/kustomize) |
| Kubeflow Model Registry | apps/model-registry/upstream | [v0.2.16](https://github.com/kubeflow/model-registry/tree/v0.2.16/manifests/kustomize) |
The following matrix shows the versions of common components used across different Kubeflow projects:


@ -1,4 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- application.yaml
- application.yaml


@ -1,11 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cache-deployer-clusterrole.yaml
- cache-deployer-clusterrolebinding.yaml
# HACK: although a service account(SA) is not a cluster-scoped resource.
# Presence of a SA referred by a clusterrolebinding allows kustomize to auto-add
# namespace for the clusterrolebinding's SA ref.
- cache-deployer-sa.yaml
- cache-deployer-clusterrole.yaml
- cache-deployer-clusterrolebinding.yaml
# HACK: although a service account(SA) is not a cluster-scoped resource.
# Presence of a SA referred by a clusterrolebinding allows kustomize to auto-add
# namespace for the clusterrolebinding's SA ref.
- cache-deployer-sa.yaml


@ -4,8 +4,10 @@ resources:
- cache-deployer-role.yaml
- cache-deployer-rolebinding.yaml
- cache-deployer-deployment.yaml
commonLabels:
app: cache-deployer
images:
- name: ghcr.io/kubeflow/kfp-cache-deployer
newTag: 2.4.1
newTag: 2.5.0
labels:
- includeSelectors: true
pairs:
app: cache-deployer


@ -14,12 +14,13 @@ spec:
labels:
app: cache-server
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: server
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0


@ -31,20 +31,3 @@ rules:
- watch
- update
- patch
- apiGroups:
- tekton.dev
resources:
- pipelineruns
- customruns
- taskruns
- conditions
- runs
- tasks
verbs:
- create
- get
- list
- watch
- update
- patch
- delete


@ -6,8 +6,10 @@ resources:
- cache-rolebinding.yaml
- cache-sa.yaml
- cache-service.yaml
commonLabels:
app: cache-server
images:
- name: ghcr.io/kubeflow/kfp-cache-server
newTag: 2.4.1
newTag: 2.5.0
labels:
- includeSelectors: true
pairs:
app: cache-server


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- pipelines.kubeflow.org_pipelines.yaml
- pipelines.kubeflow.org_pipelineversions.yaml


@ -0,0 +1,49 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
name: pipelines.pipelines.kubeflow.org
spec:
group: pipelines.kubeflow.org
names:
kind: Pipeline
listKind: PipelineList
plural: pipelines
singular: pipeline
scope: Namespaced
versions:
- name: v2beta1
schema:
openAPIV3Schema:
description: Pipeline is the Schema for the pipelines API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: PipelineSpec defines the desired state of Pipeline.
properties:
description:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}


@ -0,0 +1,89 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.4
name: pipelineversions.pipelines.kubeflow.org
spec:
group: pipelines.kubeflow.org
names:
kind: PipelineVersion
listKind: PipelineVersionList
plural: pipelineversions
singular: pipelineversion
scope: Namespaced
versions:
- name: v2beta1
schema:
openAPIV3Schema:
description: PipelineVersion is the Schema for the pipelineversions API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: PipelineVersionSpec defines the desired state of PipelineVersion.
properties:
codeSourceURL:
type: string
description:
type: string
pipelineName:
type: string
pipelineSpec:
x-kubernetes-preserve-unknown-fields: true
required:
- pipelineSpec
type: object
status:
description: PipelineVersionStatus defines the observed state of PipelineVersion.
properties:
conditions:
items:
description: |-
SimplifiedCondition is a metav1.Condition without lastTransitionTime since the database model doesn't have such
a concept and it allows a default status in the CRD without a controller setting it.
properties:
message:
maxLength: 32768
type: string
reason:
type: string
status:
enum:
- "True"
- "False"
- Unknown
type: string
type:
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- message
- reason
- status
- type
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}


@ -2,46 +2,46 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubeflow
resources:
- ../../pipeline
- ../../cache
- ../../cache-deployer
- pipeline-install-config.yaml
- mysql-secret.yaml
- ../../pipeline
- ../../cache
- ../../cache-deployer
- pipeline-install-config.yaml
- mysql-secret.yaml
vars:
- name: kfp-namespace
objref:
kind: Deployment
apiVersion: apps/v1
name: ml-pipeline
fieldref:
fieldpath: metadata.namespace
- name: kfp-app-name
objref:
kind: ConfigMap
name: pipeline-install-config
apiVersion: v1
fieldref:
fieldpath: data.appName
- name: kfp-app-version
objref:
kind: ConfigMap
name: pipeline-install-config
apiVersion: v1
fieldref:
fieldpath: data.appVersion
- name: kfp-artifact-bucket-name
objref:
kind: ConfigMap
name: pipeline-install-config
apiVersion: v1
fieldref:
fieldpath: data.bucketName
- name: kfp-default-pipeline-root
objref:
kind: ConfigMap
name: pipeline-install-config
apiVersion: v1
fieldref:
fieldpath: data.defaultPipelineRoot
- fieldref:
fieldPath: metadata.namespace
name: kfp-namespace
objref:
apiVersion: apps/v1
kind: Deployment
name: ml-pipeline
- fieldref:
fieldPath: data.appName
name: kfp-app-name
objref:
apiVersion: v1
kind: ConfigMap
name: pipeline-install-config
- fieldref:
fieldPath: data.appVersion
name: kfp-app-version
objref:
apiVersion: v1
kind: ConfigMap
name: pipeline-install-config
- fieldref:
fieldPath: data.bucketName
name: kfp-artifact-bucket-name
objref:
apiVersion: v1
kind: ConfigMap
name: pipeline-install-config
- fieldref:
fieldPath: data.defaultPipelineRoot
name: kfp-default-pipeline-root
objref:
apiVersion: v1
kind: ConfigMap
name: pipeline-install-config
configurations:
- params.yaml
- params.yaml


@ -11,7 +11,7 @@ data:
until the changes take effect. A quick way to restart all deployments in a
namespace: `kubectl rollout restart deployment -n <your-namespace>`.
appName: pipeline
appVersion: 2.4.1
appVersion: 2.5.0
dbHost: mysql # relic to be removed after release
dbPort: "3306" # relic to be removed after release
dbType: mysql


@ -8,40 +8,40 @@ resources:
- pipeline-install-config.yaml
- postgres-secret-extended.yaml
vars:
- name: kfp-namespace
- fieldref:
fieldPath: metadata.namespace
name: kfp-namespace
objref:
kind: Deployment
apiVersion: apps/v1
kind: Deployment
name: ml-pipeline
fieldref:
fieldpath: metadata.namespace
- name: kfp-app-name
- fieldref:
fieldPath: data.appName
name: kfp-app-name
objref:
apiVersion: v1
kind: ConfigMap
name: pipeline-install-config
apiVersion: v1
fieldref:
fieldpath: data.appName
- name: kfp-app-version
- fieldref:
fieldPath: data.appVersion
name: kfp-app-version
objref:
apiVersion: v1
kind: ConfigMap
name: pipeline-install-config
apiVersion: v1
fieldref:
fieldpath: data.appVersion
- name: kfp-artifact-bucket-name
- fieldref:
fieldPath: data.bucketName
name: kfp-artifact-bucket-name
objref:
apiVersion: v1
kind: ConfigMap
name: pipeline-install-config
apiVersion: v1
fieldref:
fieldpath: data.bucketName
- name: kfp-default-pipeline-root
- fieldref:
fieldPath: data.defaultPipelineRoot
name: kfp-default-pipeline-root
objref:
apiVersion: v1
kind: ConfigMap
name: pipeline-install-config
apiVersion: v1
fieldref:
fieldpath: data.defaultPipelineRoot
configurations:
- params.yaml
- params.yaml


@ -35,6 +35,20 @@ rules:
- update
- patch
- delete
- apiGroups:
- kubeflow.org
resources:
- scheduledworkflows/finalizers
verbs:
- update
- apiGroups:
- pipelines.kubeflow.org
resources:
- pipelines
verbs:
- get
- list
- watch
- apiGroups:
- authorization.k8s.io
resources:


@ -4,6 +4,6 @@ resources:
- cluster-role-binding.yaml
- cluster-role.yaml
configMapGenerator:
- name: pipeline-api-server-config
envs:
- envs:
- params.env
name: pipeline-api-server-config


@ -1,7 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app: cache-server
resources:
- cluster-role.yaml
- cluster-role-binding.yaml
labels:
- includeSelectors: true
pairs:
app: cache-server


@ -1,9 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubeflow
commonLabels:
app.kubernetes.io/name: kubeflow-pipelines
app.kubernetes.io/component: ml-pipeline
resources:
- ../../pipeline/cluster-scoped
- ../../cache-deployer/cluster-scoped
@ -31,3 +28,8 @@ patches:
configurations:
- params.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/component: ml-pipeline
app.kubernetes.io/name: kubeflow-pipelines


@ -6,7 +6,7 @@ spec:
replicas: 1
template:
metadata:
annotations:
labels:
sidecar.istio.io/inject: "false"
spec:
containers:
@ -57,4 +57,3 @@ spec:
- name: hooks
configMap:
name: kubeflow-pipelines-profile-controller-code


@ -1,16 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubeflow
commonLabels:
app: kubeflow-pipelines-profile-controller
resources:
- service.yaml
- deployment.yaml
- decorator-controller.yaml
configMapGenerator:
- name: kubeflow-pipelines-profile-controller-code
files:
- files:
- sync.py
- name: kubeflow-pipelines-profile-controller-env
envs:
name: kubeflow-pipelines-profile-controller-code
- envs:
- params.env
name: kubeflow-pipelines-profile-controller-env
labels:
- includeSelectors: true
pairs:
app: kubeflow-pipelines-profile-controller


@ -1,8 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubeflow
commonLabels:
app: ml-pipeline-ui
resources:
- cluster-role.yaml
- cluster-role-binding.yaml
labels:
- includeSelectors: true
pairs:
app: ml-pipeline-ui


@ -15,6 +15,12 @@ rules:
- update
- patch
- delete
- apiGroups:
- pipelines.kubeflow.org
resources:
- runs
verbs:
- create
- apiGroups:
- kubeflow.org
resources:
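Review bot: The added rule grants `create` on `runs` in `pipelines.kubeflow.org`, but the CRD kustomization added in this commit registers only `pipelines` and `pipelineversions` in that group, so it is not clear from the page what object this rule governs. If `runs` is an authorization-only resource that the API server checks through SubjectAccessReview, a comment above the rule saying so would help whoever audits these roles; if a real resource is planned, the role would start granting direct Kubernetes API access once its CRD lands. The identical rule is added in a later role hunk of this commit (`@ -30,6 +30,12 @`), and the role body continues outside the hunk.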


@ -10,4 +10,4 @@ resources:
- metadata-grpc-sa.yaml
images:
- name: ghcr.io/kubeflow/kfp-metadata-envoy
newTag: 2.4.1
newTag: 2.5.0


@ -13,7 +13,6 @@ spec:
metadata:
labels:
component: metadata-envoy
annotations:
sidecar.istio.io/inject: "false"
spec:
containers:


@ -14,6 +14,9 @@ spec:
labels:
component: metadata-grpc-server
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container
# ! Sync to the same MLMD version:


@ -12,13 +12,13 @@ patches:
- path: patches/metadata-grpc-deployment.yaml
configMapGenerator:
- name: metadata-db-parameters
envs:
- envs:
- params.env
name: metadata-db-parameters
secretGenerator:
- name: metadata-db-secrets
envs:
- envs:
- secrets.env
name: metadata-db-secrets
generatorOptions:
disableNameSuffixHash: true
@ -29,10 +29,10 @@ images:
newTag: 8.0.3
vars:
- name: MLMD_DB_HOST
- fieldref:
fieldPath: metadata.name
name: MLMD_DB_HOST
objref:
apiVersion: v1
kind: Service
name: metadata-db
apiVersion: v1
fieldref:
fieldpath: metadata.name

View File

@ -16,7 +16,6 @@ spec:
name: db
labels:
component: db
annotations:
sidecar.istio.io/inject: "false"
spec:
containers:
@ -49,4 +48,3 @@ spec:
- name: metadata-mysql
persistentVolumeClaim:
claimName: metadata-mysql


@ -12,13 +12,13 @@ patches:
- path: patches/metadata-grpc-deployment.yaml
configMapGenerator:
- name: metadata-postgres-db-parameters
envs:
- envs:
- params.env
name: metadata-postgres-db-parameters
secretGenerator:
- name: metadata-postgres-db-secrets
envs:
- envs:
- secrets.env
name: metadata-postgres-db-secrets
generatorOptions:
disableNameSuffixHash: true
@ -28,10 +28,10 @@ images:
newTag: 14.7-alpine3.17
vars:
- name: MLMD_DB_HOST
- fieldref:
fieldPath: metadata.name
name: MLMD_DB_HOST
objref:
apiVersion: v1
kind: Service
name: metadata-postgres-db
apiVersion: v1
fieldref:
fieldpath: metadata.name


@ -16,15 +16,14 @@ spec:
name: db
labels:
component: db
annotations:
sidecar.istio.io/inject: "false"
spec:
containers:
- name: db-container
image: postgres
env:
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
envFrom:
- configMapRef:
name: metadata-postgres-db-parameters
@ -40,4 +39,3 @@ spec:
- name: metadata-postgres
persistentVolumeClaim:
claimName: metadata-postgres


@ -36,14 +36,14 @@ resources:
- kfp-launcher-configmap.yaml
images:
- name: ghcr.io/kubeflow/kfp-api-server
newTag: 2.4.1
newTag: 2.5.0
- name: ghcr.io/kubeflow/kfp-persistence-agent
newTag: 2.4.1
newTag: 2.5.0
- name: ghcr.io/kubeflow/kfp-scheduled-workflow-controller
newTag: 2.4.1
newTag: 2.5.0
- name: ghcr.io/kubeflow/kfp-frontend
newTag: 2.4.1
newTag: 2.5.0
- name: ghcr.io/kubeflow/kfp-viewer-crd-controller
newTag: 2.4.1
newTag: 2.5.0
- name: ghcr.io/kubeflow/kfp-visualization-server
newTag: 2.4.1
newTag: 2.5.0


@ -7,4 +7,4 @@ resources:
- metadata-writer-sa.yaml
images:
- name: ghcr.io/kubeflow/kfp-metadata-writer
newTag: 2.4.1
newTag: 2.5.0


@ -14,6 +14,10 @@ spec:
labels:
app: metadata-writer
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: main
image: ghcr.io/kubeflow/kfp-metadata-writer:dummy
@ -24,8 +28,6 @@ spec:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0


@ -15,159 +15,170 @@ spec:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- env:
- name: LOG_LEVEL
value: "info"
- name: AUTO_UPDATE_PIPELINE_DEFAULT_VERSION
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: autoUpdatePipelineDefaultVersion
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: OBJECTSTORECONFIG_SECURE
value: "false"
- name: OBJECTSTORECONFIG_BUCKETNAME
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: bucketName
# relic variables
- name: DBCONFIG_USER
valueFrom:
secretKeyRef:
name: mysql-secret
key: username
- name: DBCONFIG_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-secret
key: password
- name: DBCONFIG_DBNAME
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: pipelineDb
- name: DBCONFIG_HOST
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: dbHost
- name: DBCONFIG_PORT
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: dbPort
# end of relic variables
- name: DBCONFIG_CONMAXLIFETIME
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: ConMaxLifeTime
- name: DB_DRIVER_NAME
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: dbType
# MySQL Config
- name: DBCONFIG_MYSQLCONFIG_USER
valueFrom:
secretKeyRef:
name: mysql-secret
key: username
- name: DBCONFIG_MYSQLCONFIG_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-secret
key: password
- name: DBCONFIG_MYSQLCONFIG_DBNAME
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: pipelineDb
- name: DBCONFIG_MYSQLCONFIG_HOST
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: mysqlHost
- name: DBCONFIG_MYSQLCONFIG_PORT
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: mysqlPort
# end of MySQL Config
- name: OBJECTSTORECONFIG_ACCESSKEY
valueFrom:
secretKeyRef:
name: mlpipeline-minio-artifact
key: accesskey
- name: OBJECTSTORECONFIG_SECRETACCESSKEY
valueFrom:
secretKeyRef:
name: mlpipeline-minio-artifact
key: secretkey
image: ghcr.io/kubeflow/kfp-api-server:dummy
imagePullPolicy: IfNotPresent
name: ml-pipeline-api-server
ports:
- name: http
containerPort: 8888
- name: grpc
containerPort: 8887
readinessProbe:
exec:
command:
- wget
- -q # quiet
- -S # show server response
- -O
- "-" # Redirect output to stdout
- http://localhost:8888/apis/v1beta1/healthz
initialDelaySeconds: 3
periodSeconds: 5
timeoutSeconds: 2
livenessProbe:
exec:
command:
- wget
- -q # quiet
- -S # show server response
- -O
- "-" # Redirect output to stdout
- http://localhost:8888/apis/v1beta1/healthz
initialDelaySeconds: 3
periodSeconds: 5
timeoutSeconds: 2
# This startup probe provides up to a 60 second grace window before the
# liveness probe takes over to accomodate the occasional database
# migration.
startupProbe:
exec:
command:
- wget
- -q # quiet
- -S # show server response
- -O
- "-" # Redirect output to stdout
- http://localhost:8888/apis/v1beta1/healthz
failureThreshold: 12
periodSeconds: 5
timeoutSeconds: 2
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
resources:
requests:
cpu: 250m
memory: 500Mi
- env:
# Whether or not to publish component logs to the object store.
- name: PUBLISH_LOGS
value: "true"
- name: LOG_LEVEL
value: "info"
# Driver / launcher log level during pipeline execution
- name: PIPELINE_LOG_LEVEL
value: "1"
- name: AUTO_UPDATE_PIPELINE_DEFAULT_VERSION
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: autoUpdatePipelineDefaultVersion
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: OBJECTSTORECONFIG_SECURE
value: "false"
- name: OBJECTSTORECONFIG_BUCKETNAME
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: bucketName
# relic variables
- name: DBCONFIG_USER
valueFrom:
secretKeyRef:
name: mysql-secret
key: username
- name: DBCONFIG_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-secret
key: password
- name: DBCONFIG_DBNAME
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: pipelineDb
- name: DBCONFIG_HOST
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: dbHost
- name: DBCONFIG_PORT
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: dbPort
# end of relic variables
- name: DBCONFIG_CONMAXLIFETIME
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: ConMaxLifeTime
- name: DB_DRIVER_NAME
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: dbType
# MySQL Config
- name: DBCONFIG_MYSQLCONFIG_USER
valueFrom:
secretKeyRef:
name: mysql-secret
key: username
- name: DBCONFIG_MYSQLCONFIG_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-secret
key: password
- name: DBCONFIG_MYSQLCONFIG_DBNAME
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: pipelineDb
- name: DBCONFIG_MYSQLCONFIG_HOST
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: mysqlHost
- name: DBCONFIG_MYSQLCONFIG_PORT
valueFrom:
configMapKeyRef:
name: pipeline-install-config
key: mysqlPort
# end of MySQL Config
- name: OBJECTSTORECONFIG_ACCESSKEY
valueFrom:
secretKeyRef:
name: mlpipeline-minio-artifact
key: accesskey
- name: OBJECTSTORECONFIG_SECRETACCESSKEY
valueFrom:
secretKeyRef:
name: mlpipeline-minio-artifact
key: secretkey
- name: V2_DRIVER_IMAGE
value: ghcr.io/kubeflow/kfp-driver:2.5.0
- name: V2_LAUNCHER_IMAGE
value: ghcr.io/kubeflow/kfp-launcher:2.5.0
image: ghcr.io/kubeflow/kfp-api-server:dummy
imagePullPolicy: IfNotPresent
name: ml-pipeline-api-server
ports:
- name: http
containerPort: 8888
- name: grpc
containerPort: 8887
readinessProbe:
exec:
command:
- wget
- -q # quiet
- -S # show server response
- -O
- "-" # Redirect output to stdout
- http://localhost:8888/apis/v1beta1/healthz
initialDelaySeconds: 3
periodSeconds: 5
timeoutSeconds: 2
livenessProbe:
exec:
command:
- wget
- -q # quiet
- -S # show server response
- -O
- "-" # Redirect output to stdout
- http://localhost:8888/apis/v1beta1/healthz
initialDelaySeconds: 3
periodSeconds: 5
timeoutSeconds: 2
# This startup probe provides up to a 60 second grace window before the
# liveness probe takes over to accomodate the occasional database
# migration.
startupProbe:
exec:
command:
- wget
- -q # quiet
- -S # show server response
- -O
- "-" # Redirect output to stdout
- http://localhost:8888/apis/v1beta1/healthz
failureThreshold: 12
periodSeconds: 5
timeoutSeconds: 2
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
resources:
requests:
cpu: 250m
memory: 500Mi
serviceAccountName: ml-pipeline
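Review bot: `V2_DRIVER_IMAGE` and `V2_LAUNCHER_IMAGE` are hard-coded as `ghcr.io/kubeflow/kfp-driver:2.5.0` and `ghcr.io/kubeflow/kfp-launcher:2.5.0` in env values, while the container image itself keeps the `:dummy` placeholder and, judging by the `images:` / `newTag` entries elsewhere in this commit, gets its tag from kustomize. The image transformer does not rewrite env values, so these two tags have to be bumped by hand on every sync, and registry-mirror or digest overrides applied through `images:` will not reach them. The names suggest these images run inside pipeline pods, so pinning them by digest (`ghcr.io/kubeflow/kfp-driver@sha256:<digest>`) or setting them from the same overlay that sets the other tags would keep them consistent and verifiable. The re-indentation of the whole `env` list also makes the four added variables hard to spot in review; since the manifest is synced from upstream per the commit title, any change here likely belongs in an overlay.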


@ -37,6 +37,20 @@ rules:
- update
- patch
- delete
- apiGroups:
- kubeflow.org
resources:
- scheduledworkflows/finalizers
verbs:
- update
- apiGroups:
- pipelines.kubeflow.org
resources:
- pipelines
verbs:
- get
- list
- watch
- apiGroups:
- authorization.k8s.io
resources:
@ -49,33 +63,3 @@ rules:
- tokenreviews
verbs:
- create
- apiGroups:
- tekton.dev
resources:
- pipelineruns
- taskruns
- conditions
- runs
- tasks
- customruns
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- custom.tekton.dev
resources:
- pipelineloops
verbs:
- create
- get
- list
- watch
- update
- patch
- delete


@ -15,6 +15,9 @@ spec:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- env:
- name: NAMESPACE
@ -39,8 +42,6 @@ spec:
name: persistenceagent-sa-token
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0


@ -33,32 +33,3 @@ rules:
verbs:
- reportMetrics
- readArtifact
- apiGroups:
- tekton.dev
resources:
- pipelineruns
- taskruns
- conditions
- runs
- tasks
- customruns
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- custom.tekton.dev
resources:
- pipelineloops
verbs:
- create
- get
- list
- watch
- update
- patch
- delete


@ -15,6 +15,9 @@ spec:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- image: ghcr.io/kubeflow/kfp-scheduled-workflow-controller:dummy
imagePullPolicy: IfNotPresent
@ -33,12 +36,21 @@ spec:
key: cronScheduleTimezone
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /var/run/secrets/kubeflow/tokens
name: scheduledworkflow-sa-token
serviceAccountName: ml-pipeline-scheduledworkflow
volumes:
- name: scheduledworkflow-sa-token
projected:
sources:
- serviceAccountToken:
path: scheduledworkflow-sa-token
expirationSeconds: 3600
audience: pipelines.kubeflow.org


@ -30,6 +30,12 @@ rules:
- update
- patch
- delete
- apiGroups:
- pipelines.kubeflow.org
resources:
- runs
verbs:
- create
- apiGroups:
- ''
resources:


@ -15,6 +15,9 @@ spec:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
volumes:
- name: config-volume
configMap:
@ -31,8 +34,6 @@ spec:
readOnly: true
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
@ -62,6 +63,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ARGO_ARCHIVE_LOGS
value: "true"
- name: DISABLE_GKE_METADATA
value: "true"
readinessProbe:
exec:
command:


@ -15,6 +15,9 @@ spec:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- image: ghcr.io/kubeflow/kfp-viewer-crd-controller:dummy
imagePullPolicy: Always
@ -28,8 +31,6 @@ spec:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0


@ -15,6 +15,9 @@ spec:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- image: ghcr.io/kubeflow/kfp-visualization-server:dummy
imagePullPolicy: IfNotPresent
@ -48,8 +51,6 @@ spec:
timeoutSeconds: 2
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0


@ -78,32 +78,3 @@ rules:
- seldondeployments
verbs:
- '*'
- apiGroups:
- tekton.dev
resources:
- pipelineruns
- taskruns
- conditions
- runs
- tasks
- customruns
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- custom.tekton.dev
resources:
- pipelineloops
verbs:
- create
- get
- list
- watch
- update
- patch
- delete


@ -1,6 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../pipeline
- ../../pipeline
patches:
- path: ml-pipeline-apiserver-deployment-patch.yaml
- path: ml-pipeline-apiserver-deployment-patch.yaml


@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubeflow
resources:
- pipelineversion-validating-webhook-config.yaml
- pipelineversion-mutating-webhook-config.yaml
configurations:
- params.yaml


@ -0,0 +1,13 @@
varReference:
- path: metadata/annotations
kind: ValidatingWebhookConfiguration
- path: webhooks/clientConfig/service/namespace
kind: ValidatingWebhookConfiguration
- path: webhooks/name
kind: ValidatingWebhookConfiguration
- path: metadata/annotations
kind: MutatingWebhookConfiguration
- path: webhooks/clientConfig/service/namespace
kind: MutatingWebhookConfiguration
- path: webhooks/name
kind: MutatingWebhookConfiguration


@ -0,0 +1,27 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: pipelineversions.pipelines.kubeflow.org
webhooks:
- name: pipelineversions.pipelines.kubeflow.org
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- pipelines.kubeflow.org
apiVersions:
- v2beta1
resources:
- pipelineversions
scope: Namespaced
admissionReviewVersions:
- v1
sideEffects: None
failurePolicy: Fail
clientConfig:
service:
name: ml-pipeline
namespace: $(kfp-namespace)
path: /webhooks/mutate-pipelineversion
port: 8443
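Review bot: Both webhook configurations added here (this one and the ValidatingWebhookConfiguration that follows) set `failurePolicy: Fail` but carry neither a `caBundle` nor the `cert-manager.io/inject-ca-from` annotation; that annotation only arrives through the overlay patches elsewhere in this commit. Anyone who includes this base without such an overlay gets a webhook the API server cannot verify, so every CREATE and UPDATE of `pipelineversions` is rejected. A comment at the top of each file such as `# Requires a CA to be injected (see the cert-manager overlays); not usable on its own` would make that dependency explicit. Consider also setting `timeoutSeconds` explicitly (for example `timeoutSeconds: 5`) so an unresponsive `ml-pipeline` pod fails these requests quickly instead of holding them for the default timeout.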


@ -0,0 +1,27 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: pipelineversions.pipelines.kubeflow.org
webhooks:
- name: pipelineversions.pipelines.kubeflow.org
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- pipelines.kubeflow.org
apiVersions:
- v2beta1
resources:
- pipelineversions
scope: Namespaced
admissionReviewVersions:
- v1
sideEffects: None
failurePolicy: Fail
clientConfig:
service:
name: ml-pipeline
namespace: $(kfp-namespace)
path: /webhooks/validate-pipelineversion
port: 8443


@ -1,26 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubeflow
resources:
- namespace.yaml
bases:
- ../third-party/application/cluster-scoped
- ../base/pipeline/cluster-scoped
- ../base/cache-deployer/cluster-scoped
vars:
# NOTE: var name must be unique globally to allow composition of multiple kustomize
# packages. Therefore, we added prefix `kfp-cluster-scoped-` to distinguish it from
# others.
- name: kfp-cluster-scoped-namespace
objref:
# cache deployer sa's metadata.namespace will be first transformed by namespace field in kustomization.yaml
# so that we only need to change kustomization.yaml's namespace field for namespace customization.
kind: ServiceAccount
name: kubeflow-pipelines-cache-deployer-sa
apiVersion: v1
fieldref:
fieldpath: metadata.namespace
configurations:
- params.yaml


@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: '$(kfp-cluster-scoped-namespace)'


@ -1,4 +0,0 @@
# Allow Kustomize var to replace following fields.
varReference:
- path: metadata/name
kind: Namespace


@ -13,14 +13,14 @@ vars:
# NOTE: var name must be unique globally to allow composition of multiple kustomize
# packages. Therefore, we added prefix `kfp-cluster-scoped-` to distinguish it from
# others.
- name: kfp-cluster-scoped-namespace
- fieldref:
fieldPath: metadata.namespace
name: kfp-cluster-scoped-namespace
objref:
# cache deployer sa's metadata.namespace will be first transformed by namespace field in kustomization.yaml
# so that we only need to change kustomization.yaml's namespace field for namespace customization.
apiVersion: v1
kind: ServiceAccount
name: kubeflow-pipelines-cache-deployer-sa
apiVersion: v1
fieldref:
fieldpath: metadata.namespace
configurations:
- params.yaml


@ -2,33 +2,38 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubeflow
resources:
- ../../env/platform-agnostic
- ../../env/platform-agnostic
configMapGenerator:
- name: pipeline-install-config
env: params.env
behavior: merge
- name: workflow-controller-configmap
behavior: replace
files:
- config
- name: ml-pipeline-ui-configmap
behavior: replace
files:
- viewer-pod-template.json
- behavior: merge
envs:
- params.env
name: pipeline-install-config
- behavior: replace
files:
- config
name: workflow-controller-configmap
- behavior: replace
files:
- viewer-pod-template.json
name: ml-pipeline-ui-configmap
secretGenerator:
- name: mysql-secret
env: secret.env
behavior: merge
- name: mlpipeline-minio-artifact
env: minio-artifact-secret-patch.env
behavior: merge
- behavior: merge
envs:
- secret.env
name: mysql-secret
- behavior: merge
envs:
- minio-artifact-secret-patch.env
name: mlpipeline-minio-artifact
generatorOptions:
disableNameSuffixHash: true
patches:
- path: aws-configuration-pipeline-patch.yaml
- path: aws-configuration-pipeline-ui-patch.yaml
- path: aws-configuration-pipeline-patch.yaml
- path: aws-configuration-pipeline-ui-patch.yaml
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
commonLabels:
application-crd-id: kubeflow-pipelines
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines


@ -9,17 +9,21 @@ resources:
- minio-azure-gateway
configMapGenerator:
- name: pipeline-install-config
env: params.env
behavior: merge
- behavior: merge
envs:
- params.env
name: pipeline-install-config
secretGenerator:
- name: mysql-secret
env: mysql-secret.env
behavior: merge
- behavior: merge
envs:
- mysql-secret.env
name: mysql-secret
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
commonLabels:
application-crd-id: kubeflow-pipelines
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines


@ -6,8 +6,9 @@ resources:
- minio-azure-gateway-service.yaml
secretGenerator:
- name: mlpipeline-minio-artifact
env: minio-artifact-secret.env
- envs:
- minio-artifact-secret.env
name: mlpipeline-minio-artifact
generatorOptions:
# mlpipeline-minio-artifact needs to be referred by exact name
disableNameSuffixHash: true
disableNameSuffixHash: true


@ -0,0 +1,6 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: kfp-api-webhook-selfsigned-issuer
spec:
selfSigned: {}


@ -0,0 +1,15 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kfp-api-webhook-cert
spec:
commonName: kfp-api-webhook-cert
isCA: true
dnsNames:
- ml-pipeline
- ml-pipeline.$(kfp-namespace)
- ml-pipeline.$(kfp-namespace).svc
issuerRef:
kind: Issuer
name: kfp-api-webhook-selfsigned-issuer
secretName: kfp-api-webhook-cert
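Review bot: `isCA: true` marks this certificate as a CA, yet the same secret `kfp-api-webhook-cert` is mounted into the `ml-pipeline` container as its serving key pair by the deployment patches in this commit, so the private key held by the API server pod could sign further certificates that chain to the injected CA. Unless something needs to issue from it, `isCA: false` plus an explicit `usages:` list containing `server auth` keeps the key limited to serving TLS; verify that the webhook handshake still succeeds with the self-signed leaf before merging that change. The spec also leaves `duration`, `renewBefore` and `privateKey` at cert-manager defaults, which is worth stating in a comment if intentional.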


@ -0,0 +1,13 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./kfp-api-cert-issuer.yaml
- ./kfp-api-cert.yaml
configurations:
- params.yaml
# !!! If you want to customize the namespace,
# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
namespace: kubeflow


@ -0,0 +1,7 @@
varReference:
- path: spec/commonName
kind: Certificate
- path: spec/dnsNames
kind: Certificate
- path: spec/issuerRef/name
kind: Certificate


@ -1,13 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubeflow
namespace: kubeflow
resources:
- cache-cert-issuer.yaml
- cache-cert.yaml
- cache-webhook-config.yaml
commonLabels:
app: cache-server-cert-manager
- cache-cert-issuer.yaml
- cache-cert.yaml
- cache-webhook-config.yaml
configurations:
- params.yaml
labels:
- includeSelectors: true
pairs:
app: cache-server-cert-manager


@ -0,0 +1,30 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/crds
- ../../platform-agnostic
- ../../../base/webhook
- ../base-webhook-certs/
# !!! If you want to customize the namespace,
# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
namespace: kubeflow
patches:
- path: patches/deployment.yaml
target:
kind: Deployment
name: ml-pipeline
- path: patches/service.yaml
target:
kind: Service
name: ml-pipeline
- path: patches/validating-webhook.yaml
target:
kind: ValidatingWebhookConfiguration
name: pipelineversions.pipelines.kubeflow.org
- path: patches/mutating-webhook.yaml
target:
kind: MutatingWebhookConfiguration
name: pipelineversions.pipelines.kubeflow.org


@ -0,0 +1,29 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: ml-pipeline
spec:
template:
spec:
containers:
- name: ml-pipeline-api-server
ports:
- containerPort: 8443
name: webhook
command:
- "/bin/apiserver"
args:
- "--config=/config"
- "--sampleconfig=/config/sample_config.json"
- "-logtostderr=true"
- "--webhookTLSCertPath=/etc/webhook/certs/tls.crt"
- "--webhookTLSKeyPath=/etc/webhook/certs/tls.key"
- "--pipelinesStoreKubernetes=true"
volumeMounts:
- name: webhook-certs
mountPath: /etc/webhook/certs
readOnly: true
volumes:
- name: webhook-certs
secret:
secretName: kfp-api-webhook-cert


@ -0,0 +1,6 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: pipelineversions.pipelines.kubeflow.org
annotations:
cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-api-webhook-cert


@ -0,0 +1,10 @@
apiVersion: v1
kind: Service
metadata:
name: ml-pipeline
spec:
ports:
- name: webhook
port: 8443
protocol: TCP
targetPort: 8443


@ -0,0 +1,6 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: pipelineversions.pipelines.kubeflow.org
annotations:
cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-api-webhook-cert


@ -0,0 +1,30 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/crds
- ../platform-agnostic-multi-user
- ../../../base/webhook
- ../base-webhook-certs/
# !!! If you want to customize the namespace,
# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
namespace: kubeflow
patches:
- path: patches/deployment.yaml
target:
kind: Deployment
name: ml-pipeline
- path: patches/service.yaml
target:
kind: Service
name: ml-pipeline
- path: patches/validating-webhook.yaml
target:
kind: ValidatingWebhookConfiguration
name: pipelineversions.pipelines.kubeflow.org
- path: patches/mutating-webhook.yaml
target:
kind: MutatingWebhookConfiguration
name: pipelineversions.pipelines.kubeflow.org


@ -0,0 +1,30 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: ml-pipeline
spec:
template:
spec:
containers:
- name: ml-pipeline-api-server
ports:
- containerPort: 8443
name: webhook
image: domain.local/apiserver:local
command:
- "/bin/apiserver"
args:
- "--config=/config"
- "--sampleconfig=/config/sample_config.json"
- "-logtostderr=true"
- "--webhookTLSCertPath=/etc/webhook/certs/tls.crt"
- "--webhookTLSKeyPath=/etc/webhook/certs/tls.key"
- "--pipelinesStoreKubernetes=true"
volumeMounts:
- name: webhook-certs
mountPath: /etc/webhook/certs
readOnly: true
volumes:
- name: webhook-certs
secret:
secretName: kfp-api-webhook-cert
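Review bot: `image: domain.local/apiserver:local` in this patch replaces the released API server image with what looks like a local development reference; the otherwise identical deployment patch earlier in this commit sets no image. A cluster applying this overlay would either fail to pull or, if `domain.local` resolves to a registry in that environment, run whatever is published under that name. Drop the `image:` line so the image and tag set by the base manifests apply.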


@ -0,0 +1,6 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: pipelineversions.pipelines.kubeflow.org
annotations:
cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-api-webhook-cert


@ -0,0 +1,10 @@
apiVersion: v1
kind: Service
metadata:
name: ml-pipeline
spec:
ports:
- name: webhook
port: 8443
protocol: TCP
targetPort: 8443


@ -0,0 +1,6 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: pipelineversions.pipelines.kubeflow.org
annotations:
cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-api-webhook-cert


@ -2,30 +2,30 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../platform-agnostic-multi-user
- ../base
- ../../platform-agnostic-multi-user
- ../base
namespace: kubeflow
# Pass proper arguments to cache-server to use cert-manager certificate
patches:
# Delete the cache deployer as we use the cert-manager instead
- path: patches/delete.clusterrole.cache-deployer.yaml
- path: patches/delete.crb.cache-deployer.yaml
- path: patches/delete.deployment.cache-deployer.yaml
- path: patches/delete.role.cache-deployer.yaml
- path: patches/delete.rolebinding.cache-deployer.yaml
- path: patches/delete.sa.cache-deployer.yaml
- patch: |-
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--tls_cert_filename=tls.crt"
target:
kind: Deployment
name: cache-server
- patch: |-
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--tls_key_filename=tls.key"
target:
kind: Deployment
name: cache-server
# Delete the cache deployer as we use the cert-manager instead
- path: patches/delete.clusterrole.cache-deployer.yaml
- path: patches/delete.crb.cache-deployer.yaml
- path: patches/delete.deployment.cache-deployer.yaml
- path: patches/delete.role.cache-deployer.yaml
- path: patches/delete.rolebinding.cache-deployer.yaml
- path: patches/delete.sa.cache-deployer.yaml
- patch: |-
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--tls_cert_filename=tls.crt"
target:
kind: Deployment
name: cache-server
- patch: |-
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--tls_key_filename=tls.key"
target:
kind: Deployment
name: cache-server


@ -15,3 +15,7 @@ subsets:
appProtocol: http
port: 8888
protocol: TCP
- name: webhook
appProtocol: http
port: 8443
protocol: TCP
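Review bot: The new `webhook` port is declared with `appProtocol: http`, but port 8443 is where this commit's deployment patches serve the webhook over TLS (`--webhookTLSCertPath`, `--webhookTLSKeyPath`). Components that act on `appProtocol`, such as a service mesh, may treat the traffic as plaintext HTTP; `appProtocol: https` matches what the port carries. The enclosing object starts outside the hunk, so that the value was copied from the port 8888 entry is only an inference.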


@ -2,9 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base/application
- ./forward-local-api-endpoint.yaml
- ../platform-agnostic
- ../cert-manager/platform-agnostic-k8s-native
- ./forward-local-api-endpoint.yaml
# !!! If you want to customize the namespace,
# please refer sample/cluster-scoped-resources to update the namespace for cluster-scoped-resources
@ -126,5 +125,42 @@ patches:
port: 8887
protocol: TCP
targetPort: 8887
- name: webhook
port: 8443
protocol: TCP
targetPort: 8443
selector:
$patch: delete
- patch: |-
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: pipelineversions.pipelines.kubeflow.org
webhooks:
- name: pipelineversions.pipelines.kubeflow.org
clientConfig:
service:
name: ml-pipeline-reverse-proxy
- patch: |-
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: pipelineversions.pipelines.kubeflow.org
webhooks:
- name: pipelineversions.pipelines.kubeflow.org
clientConfig:
service:
name: ml-pipeline-reverse-proxy
- patch: |-
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kfp-api-webhook-cert
spec:
dnsNames:
- ml-pipeline
- ml-pipeline.$(kfp-namespace)
- ml-pipeline.$(kfp-namespace).svc
- ml-pipeline-reverse-proxy
- ml-pipeline-reverse-proxy.$(kfp-namespace)
- ml-pipeline-reverse-proxy.$(kfp-namespace).svc


@ -2,18 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# Application controller is used to provide Google Cloud Console integration.
- ../../third-party/application
- ../../base/application
- ../platform-agnostic
- ../gcp/inverse-proxy
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
commonLabels:
application-crd-id: kubeflow-pipelines
# Application controller is used to provide Google Cloud Console integration.
- ../../third-party/application
- ../../base/application
- ../platform-agnostic
- ../gcp/inverse-proxy
# !!! If you want to customize the namespace,
# please refer sample/cluster-scoped-resources to update the namespace for cluster-scoped-resources
namespace: kubeflow
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines


@ -2,18 +2,20 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# Application controller is used to provide Google Cloud Console integration.
- ../../../third-party/application
- ../../../base/application
- ../../platform-agnostic-postgresql
- ../../gcp/inverse-proxy
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
commonLabels:
application-crd-id: kubeflow-pipelines
# Application controller is used to provide Google Cloud Console integration.
- ../../../third-party/application
- ../../../base/application
- ../../platform-agnostic-postgresql
- ../../gcp/inverse-proxy
# !!! If you want to customize the namespace,
# please refer sample/cluster-scoped-resources to update the namespace for cluster-scoped-resources
namespace: kubeflow
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines


@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: ghcr.io/kubeflow/kfp-inverse-proxy-agent
newTag: 2.4.1
newTag: 2.5.0
resources:
- proxy-configmap.yaml
- proxy-deployment.yaml


@ -2,31 +2,35 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# Application controller is used to provide Google Cloud Console integration.
- ../../third-party/application
- ../../base/application
- ../../base/installs/generic
- ../../base/metadata/base
- ../../third-party/argo/installs/namespace
- inverse-proxy
- minio-gcs-gateway
- cloudsql-proxy
# Application controller is used to provide Google Cloud Console integration.
- ../../third-party/application
- ../../base/application
- ../../base/installs/generic
- ../../base/metadata/base
- ../../third-party/argo/installs/namespace
- inverse-proxy
- minio-gcs-gateway
- cloudsql-proxy
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
commonLabels:
application-crd-id: kubeflow-pipelines
# !!! If you want to customize the namespace,
# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
namespace: kubeflow
patches:
- path: gcp-configurations-patch.yaml
- path: gcp-configurations-patch.yaml
# Used by Kustomize
configMapGenerator:
- name: pipeline-install-config
env: params.env
behavior: merge
- behavior: merge
envs:
- params.env
name: pipeline-install-config
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines


@ -7,8 +7,9 @@ resources:
- minio-gcs-gateway-service.yaml
secretGenerator:
- name: mlpipeline-minio-artifact
env: minio-artifact-secret.env
- envs:
- minio-artifact-secret.env
name: mlpipeline-minio-artifact
generatorOptions:
# mlpipeline-minio-artifact needs to be referred by exact name
disableNameSuffixHash: true


@ -2,21 +2,24 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base/installs/multi-user
- ../../base/metadata/base
- ../../base/metadata/options/istio
- ../../third-party/mysql/base
- ../../third-party/mysql/options/istio
- ../../third-party/minio/base
- ../../third-party/minio/options/istio
- ../../third-party/metacontroller/base
- ../../base/installs/multi-user
- ../../base/metadata/base
- ../../base/metadata/options/istio
- ../../third-party/mysql/base
- ../../third-party/mysql/options/istio
- ../../third-party/minio/base
- ../../third-party/minio/options/istio
- ../../third-party/metacontroller/base
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
commonLabels:
application-crd-id: kubeflow-pipelines
# !!! If you want to customize the namespace,
# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
namespace: kubeflow
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines


@ -2,19 +2,18 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../cluster-scoped-resources-tekton
- ../../base/installs/generic
- ../../base/metadata/base
- ../../third-party/minio/base
- ../../third-party/mysql/base
- ../../base/installs/generic
- ../../base/metadata/base
- ../../third-party/minio/base
- ../../third-party/mysql/base
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines
# !!! If you want to customize the namespace,
# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml


@ -1,4 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../platform-agnostic
- ../platform-agnostic


@ -1,4 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../platform-agnostic-multi-user
- ../platform-agnostic-multi-user


@ -2,22 +2,25 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../third-party/metacontroller/base
- ../../base/installs/multi-user
- ../../base/metadata/overlays/db
- ../../base/metadata/options/istio
- ../../third-party/argo/installs/cluster
- ../../third-party/mysql/base
- ../../third-party/mysql/options/istio
- ../../third-party/minio/base
- ../../third-party/minio/options/istio
- ../../third-party/metacontroller/base
- ../../base/installs/multi-user
- ../../base/metadata/overlays/db
- ../../base/metadata/options/istio
- ../../third-party/argo/installs/cluster
- ../../third-party/mysql/base
- ../../third-party/mysql/options/istio
- ../../third-party/minio/base
- ../../third-party/minio/options/istio
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
commonLabels:
application-crd-id: kubeflow-pipelines
# !!! If you want to customize the namespace,
# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
namespace: kubeflow
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines


@ -2,22 +2,25 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../third-party/metacontroller/base
- ../../base/installs/multi-user
- ../../base/metadata/base
- ../../base/metadata/options/istio
- ../../third-party/argo/installs/cluster
- ../../third-party/mysql/base
- ../../third-party/mysql/options/istio
- ../../third-party/minio/base
- ../../third-party/minio/options/istio
- ../../third-party/metacontroller/base
- ../../base/installs/multi-user
- ../../base/metadata/base
- ../../base/metadata/options/istio
- ../../third-party/argo/installs/cluster
- ../../third-party/mysql/base
- ../../third-party/mysql/options/istio
- ../../third-party/minio/base
- ../../third-party/minio/options/istio
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
commonLabels:
application-crd-id: kubeflow-pipelines
# !!! If you want to customize the namespace,
# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
namespace: kubeflow
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines


@ -2,18 +2,21 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base/installs/generic/postgres
- ../../base/metadata/overlays/postgres
- ../../third-party/argo/installs/namespace
- ../../third-party/minio/base
- ../../third-party/postgresql/base
- ../../base/installs/generic/postgres
- ../../base/metadata/overlays/postgres
- ../../third-party/argo/installs/namespace
- ../../third-party/minio/base
- ../../third-party/postgresql/base
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
commonLabels:
application-crd-id: kubeflow-pipelines
# !!! If you want to customize the namespace,
# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
namespace: kubeflow
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines


@ -1,68 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../third-party/tekton/installs/cluster
- ../../third-party/tekton-custom-task
- ../plain-multi-user
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
commonLabels:
application-crd-id: kubeflow-pipelines
patches:
- path: tekton-config.yaml
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: ml-pipeline
spec:
template:
spec:
containers:
- name: ml-pipeline-api-server
env:
- name: EXECUTIONTYPE
value: PipelineRun
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: ml-pipeline-persistenceagent
spec:
template:
spec:
containers:
- name: ml-pipeline-persistenceagent
env:
- name: EXECUTIONTYPE
value: PipelineRun
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: ml-pipeline-scheduledworkflow
spec:
template:
spec:
containers:
- name: ml-pipeline-scheduledworkflow
env:
- name: EXECUTIONTYPE
value: PipelineRun
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: ml-pipeline-ui
spec:
template:
spec:
containers:
- name: ml-pipeline-ui
env:
- name: POD_LOG_CONTAINER_NAME
value: step-user-main


@ -1,10 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: feature-flags
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
running-in-environment-with-injected-sidecars: "true"


@ -1,70 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../third-party/tekton/installs/cluster
- ../../third-party/tekton-custom-task
- ../plain
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines
patches:
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: ml-pipeline
spec:
template:
spec:
containers:
- name: ml-pipeline-api-server
env:
- name: EXECUTIONTYPE
value: PipelineRun
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: ml-pipeline-persistenceagent
spec:
template:
spec:
containers:
- name: ml-pipeline-persistenceagent
env:
- name: EXECUTIONTYPE
value: PipelineRun
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: ml-pipeline-scheduledworkflow
spec:
template:
spec:
containers:
- name: ml-pipeline-scheduledworkflow
env:
- name: EXECUTIONTYPE
value: PipelineRun
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: ml-pipeline-ui
spec:
template:
spec:
containers:
- name: ml-pipeline-ui
env:
- name: POD_LOG_CONTAINER_NAME
value: step-user-main


@ -2,11 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base/installs/generic
- ../../base/metadata/base
- ../../third-party/argo/installs/namespace
- ../../third-party/minio/base
- ../../third-party/mysql/base
- ../../base/installs/generic
- ../../base/metadata/base
- ../../third-party/argo/installs/namespace
- ../../third-party/minio/base
- ../../third-party/mysql/base
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
@ -16,6 +16,6 @@ resources:
# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
namespace: kubeflow
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines


@ -40,3 +40,14 @@ do
done
yq w -i "${MANIFEST_DIR}/base/installs/generic/pipeline-install-config.yaml" data.appVersion "$TAG_NAME"
## Driver & Launcher images are added as environment variables
API_SERVER_MANIFEST="${MANIFEST_DIR}/base/pipeline/ml-pipeline-apiserver-deployment.yaml"
yq w -i ${API_SERVER_MANIFEST} \
"spec.template.spec.containers.(name==ml-pipeline-api-server).env.(name==V2_LAUNCHER_IMAGE).value" \
"ghcr.io/kubeflow/kfp-launcher:${TAG_NAME}"
yq w -i ${API_SERVER_MANIFEST} \
"spec.template.spec.containers.(name==ml-pipeline-api-server).env.(name==V2_DRIVER_IMAGE).value" \
"ghcr.io/kubeflow/kfp-driver:${TAG_NAME}"
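Review bot: `${API_SERVER_MANIFEST}` is passed to `yq w -i` unquoted in both new commands, while the `yq` call just above quotes its path argument; if `MANIFEST_DIR` contains spaces or glob characters the path is word-split. Use `yq w -i "${API_SERVER_MANIFEST}" \` in both places. The script continues outside the hunk, so whether `TAG_NAME` is validated before being written into the two image references cannot be seen here.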


@ -6,5 +6,5 @@ kind: Kustomization
namespace: kubeflow
resources:
# Or github.com/kubeflow/pipelines/manifests/kustomize/cluster-scoped-resources?ref=1.0.0
- ../../cluster-scoped-resources
# Or github.com/kubeflow/pipelines/manifests/kustomize/cluster-scoped-resources?ref=1.0.0
- ../../cluster-scoped-resources


@ -3,7 +3,7 @@ kind: Kustomization
resources:
# Or github.com/kubeflow/pipelines/manifests/kustomize/env/gcp?ref=1.0.0
- ../env/gcp
- ../env/gcp
# Kubeflow Pipelines servers are capable of collecting Prometheus metrics.
# If you want to monitor your Kubeflow Pipelines servers with those metrics, you'll need a Prometheus server in your Kubeflow Pipelines cluster.
# If you don't already have a Prometheus server up, you can uncomment the following configuration files for Prometheus.
@ -11,28 +11,28 @@ resources:
# - ../third_party/prometheus
# - ../third_party/grafana
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
commonLabels:
application-crd-id: kubeflow-pipelines
# Used by Kustomize
configMapGenerator:
- name: pipeline-install-config
env: params.env
behavior: merge
- behavior: merge
envs:
- params.env
name: pipeline-install-config
secretGenerator:
- name: mysql-secret
env: params-db-secret.env
behavior: merge
- behavior: merge
envs:
- params-db-secret.env
name: mysql-secret
# !!! If you want to customize the namespace,
# please also update sample/cluster-scoped-resources/kustomization.yaml's namespace field to the same value
namespace: kubeflow
#### Customization ###
# 1. Change values in params.env file
# 2. Change values in params-db-secret.env file for CloudSQL username and password
# 3. kustomize build ./ | kubectl apply -f -
####
# Identifier for application manager to apply ownerReference.
# The ownerReference ensures the resources get garbage collected
# when application is deleted.
labels:
- includeSelectors: true
pairs:
application-crd-id: kubeflow-pipelines
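Review bot: The `secretGenerator` entry still builds `mysql-secret` from the plain-text `params-db-secret.env`, and the customization comment tells users to put the CloudSQL username and password into that file, with nothing warning against committing the edited copy. I would add a comment above the generator: `# params-db-secret.env holds live credentials once edited; keep the edited copy out of version control.` Whether the file is git-ignored is not visible on this page. The `env:` to `envs:` and `commonLabels` to `labels` with `includeSelectors: true` migration otherwise appears to preserve behaviour.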


@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- application-controller-deployment.yaml
- application-controller-role.yaml
- application-controller-rolebinding.yaml
- application-controller-sa.yaml
- application-controller-service.yaml
- application-controller-deployment.yaml
- application-controller-role.yaml
- application-controller-rolebinding.yaml
- application-controller-sa.yaml
- application-controller-service.yaml


@ -2,13 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../upstream/manifests/base/workflow-controller
- ../upstream/manifests/base/workflow-controller
patches:
- path: workflow-controller-deployment-patch.yaml
- path: workflow-controller-configmap-patch.yaml
- path: workflow-controller-deployment-patch.yaml
- path: workflow-controller-configmap-patch.yaml
# Allow Kustomize vars to replace fields defined in params.yaml.
# The vars can be defined anywhere.
configurations:
- params.yaml
- params.yaml


@ -4,9 +4,9 @@ metadata:
name: workflow-controller-configmap
data:
# References:
# * https://github.com/argoproj/argo-workflows/blob/v3.4.17/config/config.go
# * https://github.com/argoproj/argo-workflows/blob/v3.4.17/docs/workflow-controller-configmap.md
# * https://github.com/argoproj/argo-workflows/blob/v3.4.17/docs/workflow-controller-configmap.yaml
# * https://github.com/argoproj/argo-workflows/blob/v3.5.14/config/config.go
# * https://github.com/argoproj/argo-workflows/blob/v3.5.14/docs/workflow-controller-configmap.md
# * https://github.com/argoproj/argo-workflows/blob/v3.5.14/docs/workflow-controller-configmap.yaml
# In artifactRepository.s3.endpoint, $(kfp-namespace) is needed, because in multi-user mode, pipelines may run in other namespaces.
artifactRepository: |


@ -7,12 +7,12 @@ spec:
spec:
containers:
- name: workflow-controller
image: gcr.io/ml-pipeline/workflow-controller:v3.4.17-license-compliance
image: quay.io/argoproj/workflow-controller:v3.5.14
args:
- --configmap
- workflow-controller-configmap
- --executor-image
- gcr.io/ml-pipeline/argoexec:v3.4.17-license-compliance
- quay.io/argoproj/argoexec:v3.5.14
securityContext:
seccompProfile:
type: RuntimeDefault
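Review bot: The new `image:` and `--executor-image` values are pinned by tag only (`v3.5.14`), and the commit also moves them from `gcr.io/ml-pipeline` to `quay.io/argoproj`, so what gets pulled depends on whatever that tag resolves to in the new registry at deploy time. Appending the digest, e.g. `image: quay.io/argoproj/workflow-controller:v3.5.14@sha256:<DIGEST_PLACEHOLDER>` and likewise for `argoexec`, would make the manifest reproducible and let an admission policy verify it. The release-script hunk earlier on this page writes the `kfp-launcher` and `kfp-driver` references the same tag-only way. The Deployment patch starts outside this hunk and only `seccompProfile` is visible under `securityContext`, so the rest of the container hardening cannot be assessed from here.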
