Synchronize kubeflow pipelines manifests 2.5.0 (#3121)

* Update kubeflow/pipelines manifests from 2.5.0

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

* update scripts

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

* update kfp sdk version

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

* consistency

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

* update sdk

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

* fix test

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

* fix test

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

---------

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

.github/workflows/full_kubeflow_integration_test.yaml

@@ -95,13 +95,13 @@ jobs:
         kustomize build apps/model-registry/upstream/options/ui/overlays/istio | kubectl apply -f -
 
     - name: Install Spark
-      run: chmod u+x tests/gh-actions/spark_*.sh && ./tests/gh-actions/spark_install.sh
+      run: chmod u+x tests/gh-actions/*.sh && ./tests/gh-actions/install_spark.sh
 
     - name: Wait for All Pods to be Ready
       run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 60s --field-selector=status.phase!=Succeeded
 
     - name: Install Dependencies
-      run: pip install pytest kubernetes kfp==2.11.0 kserve pytest-timeout pyyaml requests
+      run: pip install pytest kubernetes kfp==2.13.0 kserve pytest-timeout pyyaml requests
 
     - name: Port-forward the istio-ingress gateway
       run: ./tests/gh-actions/port_forward_gateway.sh
@@ -120,14 +120,14 @@ jobs:
     - name: Test Pipeline Access with Authorized Token
       run: |
         TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
-        python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
+        python3 tests/gh-actions/test_pipeline.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
 
     - name: Test Pipeline Access with Unauthorized Token
       run: |
         kubectl create namespace test-unauthorized
         kubectl create serviceaccount test-unauthorized -n test-unauthorized
         UNAUTHORIZED_TOKEN=$(kubectl -n test-unauthorized create token test-unauthorized)
-        python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "$UNAUTHORIZED_TOKEN" "${KF_PROFILE}"
+        python3 tests/gh-actions/test_pipeline.py test_unauthorized_access "$UNAUTHORIZED_TOKEN" "${KF_PROFILE}"
 
     - name: Test Volumes Web Application API
       run: ./tests/gh-actions/test_volumes_web_application.sh "${KF_PROFILE}"
@@ -173,7 +173,7 @@ jobs:
 # TODO the individual KServe tests is currently being restructured. Afterwards we can also test inferencing
 
     - name: Run Spark Test
-      run: chmod u+x tests/gh-actions/spark_*.sh && ./tests/gh-actions/spark_test.sh "${KF_PROFILE}"
+      run: chmod u+x tests/gh-actions/*.sh && ./tests/gh-actions/test_spark.sh "${KF_PROFILE}"
 
     - name: Test Model Registry Deployment
       run: |

.github/workflows/katib_test.yaml

@@ -54,7 +54,7 @@ jobs:
 
 
     - name: Install Dependencies
-      run: pip install pytest kubernetes kfp==2.11.0 requests
+      run: pip install pytest kubernetes kfp==2.13.0 requests
 
     - name: Port-forward the istio-ingress gateway
       run: ./tests/gh-actions/port_forward_gateway.sh

.github/workflows/pipeline_swfs_test.yaml

@@ -67,17 +67,17 @@ jobs:
 
     - name: List and deploy test pipeline with authorized ServiceAccount Token
       run: |
-        pip3 install kfp==2.12.1
+        pip3 install kfp==2.13.0
         KF_PROFILE=kubeflow-user-example-com
         TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
-        python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
+        python3 tests/gh-actions/test_pipeline.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
 
     - name: Fail to list pipelines with unauthorized ServiceAccount Token
       run: |
-        pip3 install kfp==2.12.1
+        pip3 install kfp==2.13.0
         KF_PROFILE=kubeflow-user-example-com
         TOKEN="$(kubectl -n default create token default)"
-        python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}"
+        python3 tests/gh-actions/test_pipeline.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}"
         echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace."
 
 

.github/workflows/pipeline_test.yaml

@@ -3,7 +3,7 @@ on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
-    - .github/workflows/pipeline_test.yaml
+    - .github/workflows/test_pipeline.yaml
     - apps/pipeline/upstream/**
     - tests/gh-actions/install_istio.sh
     - tests/gh-actions/install_cert_manager.sh
@@ -11,7 +11,7 @@ on:
     - common/cert-manager/**
     - common/oauth2-proxy/**
     - common/istio*/**
-    - tests/gh-actions/pipeline_test.py
+    - tests/gh-actions/test_pipeline.py
     - experimental/security/PSS/*
 
 jobs:
@@ -66,17 +66,17 @@ jobs:
 
     - name: List and deploy test pipeline with authorized ServiceAccount Token
       run: |
-        pip3 install kfp==2.12.1
+        pip3 install kfp==2.13.0
         KF_PROFILE=kubeflow-user-example-com
         TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
-        python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
+        python3 tests/gh-actions/test_pipeline.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
 
     - name: Fail to list pipelines with unauthorized ServiceAccount Token
       run: |
-        pip3 install kfp==2.12.1
+        pip3 install kfp==2.13.0
         KF_PROFILE=kubeflow-user-example-com
         TOKEN="$(kubectl -n default create token default)"
-        python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}"
+        python3 tests/gh-actions/test_pipeline.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}"
         echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace."
 
 

.github/workflows/spark_test.yaml

@@ -3,7 +3,7 @@ on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
-    - .github/workflows/spark_test.yaml
+    - .github/workflows/test_spark.yaml
     - apps/spark/**
     - tests/gh-actions/spark*.sh
     - tests/gh-actions/install_istio.sh
@@ -47,6 +47,6 @@ jobs:
         cd apps/spark
         # TODO remove the debugging lines
         ls -lah  ../../tests/gh-actions/
-        chmod u+x ../../tests/gh-actions/spark*
+        chmod u+x ../../tests/gh-actions/*.sh
-        ../../tests/gh-actions/spark_install.sh
+        ../../tests/gh-actions/install_spark.sh
-        ../../tests/gh-actions/spark_test.sh "kubeflow-user-example-com"
+        ../../tests/gh-actions/test_spark.sh "kubeflow-user-example-com"

.shellcheckrc

@@ -1,2 +1,2 @@
 # ~/.shellcheckrc
-disable=SC1017,SC2086,SC2070,SC2046,SC2155,SC2006
+disable=SC1017,SC2086,SC2070,SC2046,SC2155,SC2006,SC1091,SC2164

README.md

@@ -65,7 +65,7 @@ This repository periodically synchronizes all official Kubeflow components from
 | Katib | apps/katib/upstream | [v0.18.0](https://github.com/kubeflow/katib/tree/v0.18.0/manifests/v1beta1) |
 | KServe | apps/kserve/kserve | [v0.15.0](https://github.com/kserve/kserve/releases/tag/v0.15.0/install/v0.15.0) |
 | KServe Models Web Application | apps/kserve/models-web-app | [v0.14.0](https://github.com/kserve/models-web-app/tree/v0.14.0/config) |
-| Kubeflow Pipelines | apps/pipeline/upstream | [2.4.1](https://github.com/kubeflow/pipelines/tree/2.4.1/manifests/kustomize) |
+| Kubeflow Pipelines | apps/pipeline/upstream | [2.5.0](https://github.com/kubeflow/pipelines/tree/2.5.0/manifests/kustomize) |
 | Kubeflow Model Registry | apps/model-registry/upstream | [v0.2.16](https://github.com/kubeflow/model-registry/tree/v0.2.16/manifests/kustomize) |
 
 The following matrix shows the versions of common components used across different Kubeflow projects:

apps/pipeline/upstream/base/application/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - application.yaml
+- application.yaml

apps/pipeline/upstream/base/cache-deployer/cluster-scoped/kustomization.yaml

@@ -1,11 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+
 resources:
-  - cache-deployer-clusterrole.yaml
+- cache-deployer-clusterrole.yaml
-  - cache-deployer-clusterrolebinding.yaml
+- cache-deployer-clusterrolebinding.yaml
-  # HACK: although a service account(SA) is not a cluster-scoped resource.
+# HACK: although a service account(SA) is not a cluster-scoped resource.
-  # Presence of a SA referred by a clusterrolebinding allows kustomize to auto-add
+# Presence of a SA referred by a clusterrolebinding allows kustomize to auto-add
-  # namespace for the clusterrolebinding's SA ref.
+# namespace for the clusterrolebinding's SA ref.
-  - cache-deployer-sa.yaml
+- cache-deployer-sa.yaml
-  

apps/pipeline/upstream/base/cache-deployer/kustomization.yaml

@@ -4,8 +4,10 @@ resources:
   - cache-deployer-role.yaml
   - cache-deployer-rolebinding.yaml
   - cache-deployer-deployment.yaml
-commonLabels:
-  app: cache-deployer
 images:
   - name: ghcr.io/kubeflow/kfp-cache-deployer
-    newTag: 2.4.1
+    newTag: 2.5.0
+labels:
+  - includeSelectors: true
+    pairs:
+      app: cache-deployer

apps/pipeline/upstream/base/cache/cache-deployment.yaml

@@ -14,12 +14,13 @@ spec:
       labels:
         app: cache-server
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: server
         securityContext:
           allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
           runAsNonRoot: true
           runAsUser: 1000
           runAsGroup: 0

apps/pipeline/upstream/base/cache/cache-role.yaml

@@ -31,20 +31,3 @@ rules:
   - watch
   - update
   - patch
-- apiGroups:
-  - tekton.dev
-  resources:
-  - pipelineruns
-  - customruns
-  - taskruns
-  - conditions
-  - runs
-  - tasks
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete

apps/pipeline/upstream/base/cache/kustomization.yaml

@@ -6,8 +6,10 @@ resources:
   - cache-rolebinding.yaml
   - cache-sa.yaml
   - cache-service.yaml
-commonLabels:
-  app: cache-server
 images:
   - name: ghcr.io/kubeflow/kfp-cache-server
-    newTag: 2.4.1
+    newTag: 2.5.0
+labels:
+  - includeSelectors: true
+    pairs:
+      app: cache-server

apps/pipeline/upstream/base/crds/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- pipelines.kubeflow.org_pipelines.yaml
+- pipelines.kubeflow.org_pipelineversions.yaml

apps/pipeline/upstream/base/crds/pipelines.kubeflow.org_pipelines.yaml

@@ -0,0 +1,49 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: pipelines.pipelines.kubeflow.org
+spec:
+  group: pipelines.kubeflow.org
+  names:
+    kind: Pipeline
+    listKind: PipelineList
+    plural: pipelines
+    singular: pipeline
+  scope: Namespaced
+  versions:
+  - name: v2beta1
+    schema:
+      openAPIV3Schema:
+        description: Pipeline is the Schema for the pipelines API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PipelineSpec defines the desired state of Pipeline.
+            properties:
+              description:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

apps/pipeline/upstream/base/crds/pipelines.kubeflow.org_pipelineversions.yaml

@@ -0,0 +1,89 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: pipelineversions.pipelines.kubeflow.org
+spec:
+  group: pipelines.kubeflow.org
+  names:
+    kind: PipelineVersion
+    listKind: PipelineVersionList
+    plural: pipelineversions
+    singular: pipelineversion
+  scope: Namespaced
+  versions:
+  - name: v2beta1
+    schema:
+      openAPIV3Schema:
+        description: PipelineVersion is the Schema for the pipelineversions API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PipelineVersionSpec defines the desired state of PipelineVersion.
+            properties:
+              codeSourceURL:
+                type: string
+              description:
+                type: string
+              pipelineName:
+                type: string
+              pipelineSpec:
+                x-kubernetes-preserve-unknown-fields: true
+            required:
+            - pipelineSpec
+            type: object
+          status:
+            description: PipelineVersionStatus defines the observed state of PipelineVersion.
+            properties:
+              conditions:
+                items:
+                  description: |-
+                    SimplifiedCondition is a metav1.Condition without lastTransitionTime since the database model doesn't have such
+                    a concept and it allows a default status in the CRD without a controller setting it.
+                  properties:
+                    message:
+                      maxLength: 32768
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

apps/pipeline/upstream/base/installs/generic/kustomization.yaml

@@ -2,46 +2,46 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kubeflow
 resources:
-  - ../../pipeline
+- ../../pipeline
-  - ../../cache
+- ../../cache
-  - ../../cache-deployer
+- ../../cache-deployer
-  - pipeline-install-config.yaml
+- pipeline-install-config.yaml
-  - mysql-secret.yaml
+- mysql-secret.yaml
 vars:
-  - name: kfp-namespace
+- fieldref:
-    objref:
+    fieldPath: metadata.namespace
-      kind: Deployment
+  name: kfp-namespace
-      apiVersion: apps/v1
+  objref:
-      name: ml-pipeline
+    apiVersion: apps/v1
-    fieldref:
+    kind: Deployment
-      fieldpath: metadata.namespace
+    name: ml-pipeline
-  - name: kfp-app-name
+- fieldref:
-    objref:
+    fieldPath: data.appName
-      kind: ConfigMap
+  name: kfp-app-name
-      name: pipeline-install-config
+  objref:
-      apiVersion: v1
+    apiVersion: v1
-    fieldref:
+    kind: ConfigMap
-      fieldpath: data.appName
+    name: pipeline-install-config
-  - name: kfp-app-version
+- fieldref:
-    objref:
+    fieldPath: data.appVersion
-      kind: ConfigMap
+  name: kfp-app-version
-      name: pipeline-install-config
+  objref:
-      apiVersion: v1
+    apiVersion: v1
-    fieldref:
+    kind: ConfigMap
-      fieldpath: data.appVersion
+    name: pipeline-install-config
-  - name: kfp-artifact-bucket-name
+- fieldref:
-    objref:
+    fieldPath: data.bucketName
-      kind: ConfigMap
+  name: kfp-artifact-bucket-name
-      name: pipeline-install-config
+  objref:
-      apiVersion: v1
+    apiVersion: v1
-    fieldref:
+    kind: ConfigMap
-      fieldpath: data.bucketName
+    name: pipeline-install-config
-  - name: kfp-default-pipeline-root
+- fieldref:
-    objref:
+    fieldPath: data.defaultPipelineRoot
-      kind: ConfigMap
+  name: kfp-default-pipeline-root
-      name: pipeline-install-config
+  objref:
-      apiVersion: v1
+    apiVersion: v1
-    fieldref:
+    kind: ConfigMap
-      fieldpath: data.defaultPipelineRoot
+    name: pipeline-install-config
 configurations:
-  - params.yaml
+- params.yaml

apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml

@@ -11,7 +11,7 @@ data:
     until the changes take effect. A quick way to restart all deployments in a
     namespace: `kubectl rollout restart deployment -n <your-namespace>`.
   appName: pipeline
-  appVersion: 2.4.1
+  appVersion: 2.5.0
   dbHost: mysql # relic to be removed after release
   dbPort: "3306" # relic to be removed after release
   dbType: mysql

apps/pipeline/upstream/base/installs/generic/postgres/kustomization.yaml

@@ -8,40 +8,40 @@ resources:
 - pipeline-install-config.yaml
 - postgres-secret-extended.yaml
 vars:
-- name: kfp-namespace
+- fieldref:
+    fieldPath: metadata.namespace
+  name: kfp-namespace
   objref:
-    kind: Deployment
     apiVersion: apps/v1
+    kind: Deployment
     name: ml-pipeline
-  fieldref:
+- fieldref:
-    fieldpath: metadata.namespace
+    fieldPath: data.appName
-- name: kfp-app-name
+  name: kfp-app-name
   objref:
+    apiVersion: v1
     kind: ConfigMap
     name: pipeline-install-config
-    apiVersion: v1
+- fieldref:
-  fieldref:
+    fieldPath: data.appVersion
-    fieldpath: data.appName
+  name: kfp-app-version
-- name: kfp-app-version
   objref:
+    apiVersion: v1
     kind: ConfigMap
     name: pipeline-install-config
-    apiVersion: v1
+- fieldref:
-  fieldref:
+    fieldPath: data.bucketName
-    fieldpath: data.appVersion
+  name: kfp-artifact-bucket-name
-- name: kfp-artifact-bucket-name
   objref:
+    apiVersion: v1
     kind: ConfigMap
     name: pipeline-install-config
-    apiVersion: v1
+- fieldref:
-  fieldref:
+    fieldPath: data.defaultPipelineRoot
-    fieldpath: data.bucketName
+  name: kfp-default-pipeline-root
-- name: kfp-default-pipeline-root
   objref:
+    apiVersion: v1
     kind: ConfigMap
     name: pipeline-install-config
-    apiVersion: v1
-  fieldref:
-    fieldpath: data.defaultPipelineRoot
 configurations:
- - params.yaml
+- params.yaml

apps/pipeline/upstream/base/installs/multi-user/api-service/cluster-role.yaml

@@ -35,6 +35,20 @@ rules:
   - update
   - patch
   - delete
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - pipelines.kubeflow.org
+  resources:
+  - pipelines
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - authorization.k8s.io
   resources:

apps/pipeline/upstream/base/installs/multi-user/api-service/kustomization.yaml

@@ -4,6 +4,6 @@ resources:
 - cluster-role-binding.yaml
 - cluster-role.yaml
 configMapGenerator:
-- name: pipeline-api-server-config
+- envs:
-  envs: 
   - params.env
+  name: pipeline-api-server-config

apps/pipeline/upstream/base/installs/multi-user/cache/kustomization.yaml

@@ -1,7 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-commonLabels:
-  app: cache-server
 resources:
 - cluster-role.yaml
 - cluster-role-binding.yaml
+labels:
+- includeSelectors: true
+  pairs:
+    app: cache-server

apps/pipeline/upstream/base/installs/multi-user/kustomization.yaml

@@ -1,9 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kubeflow
-commonLabels:
-  app.kubernetes.io/name: kubeflow-pipelines
-  app.kubernetes.io/component: ml-pipeline
 resources:
 - ../../pipeline/cluster-scoped
 - ../../cache-deployer/cluster-scoped
@@ -31,3 +28,8 @@ patches:
 
 configurations:
 - params.yaml
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines

apps/pipeline/upstream/base/installs/multi-user/pipelines-profile-controller/deployment.yaml

@@ -6,7 +6,7 @@ spec:
   replicas: 1
   template:
     metadata:
-      annotations:
+      labels:
         sidecar.istio.io/inject: "false"
     spec:
       containers:
@@ -57,4 +57,3 @@ spec:
       - name: hooks
         configMap:
           name: kubeflow-pipelines-profile-controller-code
-

apps/pipeline/upstream/base/installs/multi-user/pipelines-profile-controller/kustomization.yaml

@@ -1,16 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kubeflow
-commonLabels:
-  app: kubeflow-pipelines-profile-controller
 resources:
 - service.yaml
 - deployment.yaml
 - decorator-controller.yaml
 configMapGenerator:
-- name: kubeflow-pipelines-profile-controller-code
+- files:
-  files:
   - sync.py
-- name: kubeflow-pipelines-profile-controller-env
+  name: kubeflow-pipelines-profile-controller-code
-  envs:
+- envs:
   - params.env
+  name: kubeflow-pipelines-profile-controller-env
+labels:
+- includeSelectors: true
+  pairs:
+    app: kubeflow-pipelines-profile-controller

apps/pipeline/upstream/base/installs/multi-user/pipelines-ui/kustomization.yaml

@@ -1,8 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kubeflow
-commonLabels:
-  app: ml-pipeline-ui
 resources:
 - cluster-role.yaml
 - cluster-role-binding.yaml
+labels:
+- includeSelectors: true
+  pairs:
+    app: ml-pipeline-ui

apps/pipeline/upstream/base/installs/multi-user/scheduled-workflow/cluster-role.yaml

@@ -15,6 +15,12 @@ rules:
   - update
   - patch
   - delete
+- apiGroups:
+  - pipelines.kubeflow.org
+  resources:
+  - runs
+  verbs:
+  - create
 - apiGroups:
   - kubeflow.org
   resources:

apps/pipeline/upstream/base/metadata/base/kustomization.yaml

@@ -10,4 +10,4 @@ resources:
   - metadata-grpc-sa.yaml
 images:
   - name: ghcr.io/kubeflow/kfp-metadata-envoy
-    newTag: 2.4.1
+    newTag: 2.5.0

apps/pipeline/upstream/base/metadata/base/metadata-envoy-deployment.yaml

@@ -13,7 +13,6 @@ spec:
     metadata:
       labels:
         component: metadata-envoy
-      annotations:
         sidecar.istio.io/inject: "false"
     spec:
       containers:

apps/pipeline/upstream/base/metadata/base/metadata-grpc-deployment.yaml

@@ -14,6 +14,9 @@ spec:
       labels:
         component: metadata-grpc-server
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: container
         # ! Sync to the same MLMD version:

apps/pipeline/upstream/base/metadata/overlays/db/kustomization.yaml

@@ -12,13 +12,13 @@ patches:
 - path: patches/metadata-grpc-deployment.yaml
 
 configMapGenerator:
-- name: metadata-db-parameters
+- envs:
-  envs:
   - params.env
+  name: metadata-db-parameters
 secretGenerator:
-- name: metadata-db-secrets
+- envs:
-  envs:
   - secrets.env
+  name: metadata-db-secrets
 generatorOptions:
   disableNameSuffixHash: true
 
@@ -29,10 +29,10 @@ images:
   newTag: 8.0.3
 
 vars:
-- name: MLMD_DB_HOST
+- fieldref:
+    fieldPath: metadata.name
+  name: MLMD_DB_HOST
   objref:
+    apiVersion: v1
     kind: Service
     name: metadata-db
-    apiVersion: v1
-  fieldref:
-    fieldpath: metadata.name

apps/pipeline/upstream/base/metadata/overlays/db/metadata-db-deployment.yaml

@@ -16,7 +16,6 @@ spec:
       name: db
       labels:
         component: db
-      annotations:
         sidecar.istio.io/inject: "false"
     spec:
       containers:
@@ -49,4 +48,3 @@ spec:
       - name: metadata-mysql
         persistentVolumeClaim:
           claimName: metadata-mysql
-

apps/pipeline/upstream/base/metadata/overlays/postgres/kustomization.yaml

@@ -12,13 +12,13 @@ patches:
 - path: patches/metadata-grpc-deployment.yaml
 
 configMapGenerator:
-- name: metadata-postgres-db-parameters
+- envs:
-  envs:
   - params.env
+  name: metadata-postgres-db-parameters
 secretGenerator:
-- name: metadata-postgres-db-secrets
+- envs:
-  envs:
   - secrets.env
+  name: metadata-postgres-db-secrets
 generatorOptions:
   disableNameSuffixHash: true
 
@@ -28,10 +28,10 @@ images:
   newTag: 14.7-alpine3.17
 
 vars:
-- name: MLMD_DB_HOST
+- fieldref:
+    fieldPath: metadata.name
+  name: MLMD_DB_HOST
   objref:
+    apiVersion: v1
     kind: Service
     name: metadata-postgres-db
-    apiVersion: v1
-  fieldref:
-    fieldpath: metadata.name

apps/pipeline/upstream/base/metadata/overlays/postgres/metadata-db-deployment.yaml

@@ -16,15 +16,14 @@ spec:
       name: db
       labels:
         component: db
-      annotations:
         sidecar.istio.io/inject: "false"
     spec:
       containers:
       - name: db-container
         image: postgres
         env:
-          - name: PGDATA
+        - name: PGDATA
-            value: /var/lib/postgresql/data/pgdata
+          value: /var/lib/postgresql/data/pgdata
         envFrom:
         - configMapRef:
             name: metadata-postgres-db-parameters
@@ -40,4 +39,3 @@ spec:
       - name: metadata-postgres
         persistentVolumeClaim:
           claimName: metadata-postgres
-

apps/pipeline/upstream/base/pipeline/kustomization.yaml

@@ -36,14 +36,14 @@ resources:
   - kfp-launcher-configmap.yaml
 images:
   - name: ghcr.io/kubeflow/kfp-api-server
-    newTag: 2.4.1
+    newTag: 2.5.0
   - name: ghcr.io/kubeflow/kfp-persistence-agent
-    newTag: 2.4.1
+    newTag: 2.5.0
   - name: ghcr.io/kubeflow/kfp-scheduled-workflow-controller
-    newTag: 2.4.1
+    newTag: 2.5.0
   - name: ghcr.io/kubeflow/kfp-frontend
-    newTag: 2.4.1
+    newTag: 2.5.0
   - name: ghcr.io/kubeflow/kfp-viewer-crd-controller
-    newTag: 2.4.1
+    newTag: 2.5.0
   - name: ghcr.io/kubeflow/kfp-visualization-server
-    newTag: 2.4.1
+    newTag: 2.5.0

apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml

@@ -7,4 +7,4 @@ resources:
   - metadata-writer-sa.yaml
 images:
   - name: ghcr.io/kubeflow/kfp-metadata-writer
-    newTag: 2.4.1
+    newTag: 2.5.0

apps/pipeline/upstream/base/pipeline/metadata-writer/metadata-writer-deployment.yaml

@@ -14,6 +14,10 @@ spec:
       labels:
         app: metadata-writer
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+    
       containers:
       - name: main
         image: ghcr.io/kubeflow/kfp-metadata-writer:dummy
@@ -24,8 +28,6 @@ spec:
               fieldPath: metadata.namespace
         securityContext:
           allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
           runAsNonRoot: true
           runAsUser: 1000
           runAsGroup: 0

apps/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-deployment.yaml

@@ -15,159 +15,170 @@ spec:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
-      - env:
+        - env:
-        - name: LOG_LEVEL
+            # Whether or not to publish component logs to the object store.
-          value: "info"
+            - name: PUBLISH_LOGS
-        - name: AUTO_UPDATE_PIPELINE_DEFAULT_VERSION
+              value: "true"
-          valueFrom:
+            - name: LOG_LEVEL
-            configMapKeyRef:
+              value: "info"
-              name: pipeline-install-config
+            # Driver / launcher log level during pipeline execution
-              key: autoUpdatePipelineDefaultVersion
+            - name: PIPELINE_LOG_LEVEL
-        - name: POD_NAMESPACE
+              value: "1"
-          valueFrom:
+            - name: AUTO_UPDATE_PIPELINE_DEFAULT_VERSION
-            fieldRef:
+              valueFrom:
-              fieldPath: metadata.namespace
+                configMapKeyRef:
-        - name: OBJECTSTORECONFIG_SECURE
+                  name: pipeline-install-config
-          value: "false"
+                  key: autoUpdatePipelineDefaultVersion
-        - name: OBJECTSTORECONFIG_BUCKETNAME
+            - name: POD_NAMESPACE
-          valueFrom:
+              valueFrom:
-            configMapKeyRef:
+                fieldRef:
-              name: pipeline-install-config
+                  fieldPath: metadata.namespace
-              key: bucketName
+            - name: OBJECTSTORECONFIG_SECURE
-        # relic variables
+              value: "false"
-        - name: DBCONFIG_USER
+            - name: OBJECTSTORECONFIG_BUCKETNAME
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                configMapKeyRef:
-              name: mysql-secret
+                  name: pipeline-install-config
-              key: username
+                  key: bucketName
-        - name: DBCONFIG_PASSWORD
+            # relic variables
-          valueFrom:
+            - name: DBCONFIG_USER
-            secretKeyRef:
+              valueFrom:
-              name: mysql-secret
+                secretKeyRef:
-              key: password
+                  name: mysql-secret
-        - name: DBCONFIG_DBNAME
+                  key: username
-          valueFrom:
+            - name: DBCONFIG_PASSWORD
-            configMapKeyRef:
+              valueFrom:
-              name: pipeline-install-config
+                secretKeyRef:
-              key: pipelineDb
+                  name: mysql-secret
-        - name: DBCONFIG_HOST
+                  key: password
-          valueFrom:
+            - name: DBCONFIG_DBNAME
-            configMapKeyRef:
+              valueFrom:
-              name: pipeline-install-config
+                configMapKeyRef:
-              key: dbHost
+                  name: pipeline-install-config
-        - name: DBCONFIG_PORT
+                  key: pipelineDb
-          valueFrom:
+            - name: DBCONFIG_HOST
-            configMapKeyRef:
+              valueFrom:
-              name: pipeline-install-config
+                configMapKeyRef:
-              key: dbPort
+                  name: pipeline-install-config
-        # end of relic variables
+                  key: dbHost
-        - name: DBCONFIG_CONMAXLIFETIME
+            - name: DBCONFIG_PORT
-          valueFrom:
+              valueFrom:
-            configMapKeyRef:
+                configMapKeyRef:
-              name: pipeline-install-config
+                  name: pipeline-install-config
-              key: ConMaxLifeTime
+                  key: dbPort
-        - name: DB_DRIVER_NAME
+            # end of relic variables
-          valueFrom:
+            - name: DBCONFIG_CONMAXLIFETIME
-            configMapKeyRef:
+              valueFrom:
-              name: pipeline-install-config
+                configMapKeyRef:
-              key: dbType
+                  name: pipeline-install-config
-        # MySQL Config
+                  key: ConMaxLifeTime
-        - name: DBCONFIG_MYSQLCONFIG_USER
+            - name: DB_DRIVER_NAME
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                configMapKeyRef:
-              name: mysql-secret
+                  name: pipeline-install-config
-              key: username
+                  key: dbType
-        - name: DBCONFIG_MYSQLCONFIG_PASSWORD
+            # MySQL Config
-          valueFrom:
+            - name: DBCONFIG_MYSQLCONFIG_USER
-            secretKeyRef:
+              valueFrom:
-              name: mysql-secret
+                secretKeyRef:
-              key: password
+                  name: mysql-secret
-        - name: DBCONFIG_MYSQLCONFIG_DBNAME
+                  key: username
-          valueFrom:
+            - name: DBCONFIG_MYSQLCONFIG_PASSWORD
-            configMapKeyRef:
+              valueFrom:
-              name: pipeline-install-config
+                secretKeyRef:
-              key: pipelineDb
+                  name: mysql-secret
-        - name: DBCONFIG_MYSQLCONFIG_HOST
+                  key: password
-          valueFrom:
+            - name: DBCONFIG_MYSQLCONFIG_DBNAME
-            configMapKeyRef:
+              valueFrom:
-              name: pipeline-install-config
+                configMapKeyRef:
-              key: mysqlHost
+                  name: pipeline-install-config
-        - name: DBCONFIG_MYSQLCONFIG_PORT
+                  key: pipelineDb
-          valueFrom:
+            - name: DBCONFIG_MYSQLCONFIG_HOST
-            configMapKeyRef:
+              valueFrom:
-              name: pipeline-install-config
+                configMapKeyRef:
-              key: mysqlPort
+                  name: pipeline-install-config
-        # end of MySQL Config
+                  key: mysqlHost
-        - name: OBJECTSTORECONFIG_ACCESSKEY
+            - name: DBCONFIG_MYSQLCONFIG_PORT
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                configMapKeyRef:
-              name: mlpipeline-minio-artifact
+                  name: pipeline-install-config
-              key: accesskey
+                  key: mysqlPort
-        - name: OBJECTSTORECONFIG_SECRETACCESSKEY
+            # end of MySQL Config
-          valueFrom:
+            - name: OBJECTSTORECONFIG_ACCESSKEY
-            secretKeyRef:
+              valueFrom:
-              name: mlpipeline-minio-artifact
+                secretKeyRef:
-              key: secretkey
+                  name: mlpipeline-minio-artifact
-        image: ghcr.io/kubeflow/kfp-api-server:dummy
+                  key: accesskey
-        imagePullPolicy: IfNotPresent
+            - name: OBJECTSTORECONFIG_SECRETACCESSKEY
-        name: ml-pipeline-api-server
+              valueFrom:
-        ports:
+                secretKeyRef:
-        - name: http
+                  name: mlpipeline-minio-artifact
-          containerPort: 8888
+                  key: secretkey
-        - name: grpc
+            - name: V2_DRIVER_IMAGE
-          containerPort: 8887
+              value: ghcr.io/kubeflow/kfp-driver:2.5.0
-        readinessProbe:
+            - name: V2_LAUNCHER_IMAGE
-          exec:
+              value: ghcr.io/kubeflow/kfp-launcher:2.5.0
-            command:
+          image: ghcr.io/kubeflow/kfp-api-server:dummy
-              - wget
+          imagePullPolicy: IfNotPresent
-              - -q # quiet
+          name: ml-pipeline-api-server
-              - -S # show server response
+          ports:
-              - -O
+            - name: http
-              - "-" # Redirect output to stdout
+              containerPort: 8888
-              - http://localhost:8888/apis/v1beta1/healthz
+            - name: grpc
-          initialDelaySeconds: 3
+              containerPort: 8887
-          periodSeconds: 5
+          readinessProbe:
-          timeoutSeconds: 2
+            exec:
-        livenessProbe:
+              command:
-          exec:
+                - wget
-            command:
+                - -q # quiet
-              - wget
+                - -S # show server response
-              - -q # quiet
+                - -O
-              - -S # show server response
+                - "-" # Redirect output to stdout
-              - -O
+                - http://localhost:8888/apis/v1beta1/healthz
-              - "-" # Redirect output to stdout
+            initialDelaySeconds: 3
-              - http://localhost:8888/apis/v1beta1/healthz
+            periodSeconds: 5
-          initialDelaySeconds: 3
+            timeoutSeconds: 2
-          periodSeconds: 5
+          livenessProbe:
-          timeoutSeconds: 2
+            exec:
-        # This startup probe provides up to a 60 second grace window before the
+              command:
-        # liveness probe takes over to accomodate the occasional database
+                - wget
-        # migration.
+                - -q # quiet
-        startupProbe:
+                - -S # show server response
-          exec:
+                - -O
-            command:
+                - "-" # Redirect output to stdout
-              - wget
+                - http://localhost:8888/apis/v1beta1/healthz
-              - -q # quiet
+            initialDelaySeconds: 3
-              - -S # show server response
+            periodSeconds: 5
-              - -O
+            timeoutSeconds: 2
-              - "-" # Redirect output to stdout
+          # This startup probe provides up to a 60 second grace window before the
-              - http://localhost:8888/apis/v1beta1/healthz
+          # liveness probe takes over to accomodate the occasional database
-          failureThreshold: 12
+          # migration.
-          periodSeconds: 5
+          startupProbe:
-          timeoutSeconds: 2
+            exec:
-        securityContext:
+              command:
-          allowPrivilegeEscalation: false
+                - wget
-          seccompProfile:
+                - -q # quiet
-            type: RuntimeDefault
+                - -S # show server response
-          runAsNonRoot: true
+                - -O
-          runAsUser: 1000
+                - "-" # Redirect output to stdout
-          runAsGroup: 0
+                - http://localhost:8888/apis/v1beta1/healthz
-          capabilities:
+            failureThreshold: 12
-            drop:
+            periodSeconds: 5
-            - ALL
+            timeoutSeconds: 2
-        resources:
+          securityContext:
-          requests:
+            allowPrivilegeEscalation: false
-            cpu: 250m
+            runAsNonRoot: true
-            memory: 500Mi
+            runAsUser: 1000
+            runAsGroup: 0
+            capabilities:
+              drop:
+                - ALL
+          resources:
+            requests:
+              cpu: 250m
+              memory: 500Mi
       serviceAccountName: ml-pipeline

apps/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-role.yaml

@@ -37,6 +37,20 @@ rules:
   - update
   - patch
   - delete
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - pipelines.kubeflow.org
+  resources:
+  - pipelines
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - authorization.k8s.io
   resources:
@@ -49,33 +63,3 @@ rules:
   - tokenreviews
   verbs:
   - create
-- apiGroups:
-  - tekton.dev
-  resources:
-  - pipelineruns
-  - taskruns
-  - conditions
-  - runs
-  - tasks
-  - customruns
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - custom.tekton.dev
-  resources:
-  - pipelineloops
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-  

apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml

@@ -15,6 +15,9 @@ spec:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - env:
           - name: NAMESPACE
@@ -39,8 +42,6 @@ spec:
             name: persistenceagent-sa-token
         securityContext:
           allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
           runAsNonRoot: true
           runAsUser: 1000
           runAsGroup: 0

apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml

@@ -33,32 +33,3 @@ rules:
   verbs:
     - reportMetrics
     - readArtifact
-- apiGroups:
-  - tekton.dev
-  resources:
-  - pipelineruns
-  - taskruns
-  - conditions
-  - runs
-  - tasks
-  - customruns
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - custom.tekton.dev
-  resources:
-  - pipelineloops
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete

apps/pipeline/upstream/base/pipeline/ml-pipeline-scheduledworkflow-deployment.yaml

@@ -15,6 +15,9 @@ spec:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - image: ghcr.io/kubeflow/kfp-scheduled-workflow-controller:dummy
         imagePullPolicy: IfNotPresent
@@ -33,12 +36,21 @@ spec:
                 key: cronScheduleTimezone
         securityContext:
           allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
           runAsNonRoot: true
           runAsUser: 1000
           runAsGroup: 0
           capabilities:
             drop:
             - ALL
+        volumeMounts:
+          - mountPath: /var/run/secrets/kubeflow/tokens
+            name: scheduledworkflow-sa-token
       serviceAccountName: ml-pipeline-scheduledworkflow
+      volumes:
+        - name: scheduledworkflow-sa-token
+          projected:
+            sources:
+              - serviceAccountToken:
+                  path: scheduledworkflow-sa-token
+                  expirationSeconds: 3600
+                  audience: pipelines.kubeflow.org

apps/pipeline/upstream/base/pipeline/ml-pipeline-scheduledworkflow-role.yaml

@@ -30,6 +30,12 @@ rules:
   - update
   - patch
   - delete
+- apiGroups:
+  - pipelines.kubeflow.org
+  resources:
+  - runs
+  verbs:
+  - create
 - apiGroups:
   - ''
   resources:

apps/pipeline/upstream/base/pipeline/ml-pipeline-ui-deployment.yaml

@@ -15,6 +15,9 @@ spec:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
       - name: config-volume
         configMap:
@@ -31,8 +34,6 @@ spec:
           readOnly: true
         securityContext:
           allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
           runAsNonRoot: true
           runAsUser: 1000
           runAsGroup: 0
@@ -62,6 +63,10 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          - name: ARGO_ARCHIVE_LOGS
+            value: "true"
+          - name: DISABLE_GKE_METADATA
+            value: "true"
         readinessProbe:
           exec:
             command:

apps/pipeline/upstream/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml

@@ -15,6 +15,9 @@ spec:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
     spec:
+      securityContext:
+          seccompProfile:
+            type: RuntimeDefault
       containers:
       - image: ghcr.io/kubeflow/kfp-viewer-crd-controller:dummy
         imagePullPolicy: Always
@@ -28,8 +31,6 @@ spec:
               fieldPath: metadata.namespace
         securityContext:
           allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
           runAsNonRoot: true
           runAsUser: 1000
           runAsGroup: 0

apps/pipeline/upstream/base/pipeline/ml-pipeline-visualization-deployment.yaml

@@ -15,6 +15,9 @@ spec:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - image: ghcr.io/kubeflow/kfp-visualization-server:dummy
         imagePullPolicy: IfNotPresent
@@ -48,8 +51,6 @@ spec:
           timeoutSeconds: 2
         securityContext:
           allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
           runAsNonRoot: true
           runAsUser: 1000
           runAsGroup: 0

apps/pipeline/upstream/base/pipeline/pipeline-runner-role.yaml

@@ -78,32 +78,3 @@ rules:
   - seldondeployments
   verbs:
   - '*'
-- apiGroups:
-  - tekton.dev
-  resources:
-  - pipelineruns
-  - taskruns
-  - conditions
-  - runs
-  - tasks
-  - customruns
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - custom.tekton.dev
-  resources:
-  - pipelineloops
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete

apps/pipeline/upstream/base/postgresql/pipeline/kustomization.yaml

@@ -1,6 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../pipeline
+- ../../pipeline
 patches:
-  - path: ml-pipeline-apiserver-deployment-patch.yaml
+- path: ml-pipeline-apiserver-deployment-patch.yaml

apps/pipeline/upstream/base/webhook/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+
+resources:
+- pipelineversion-validating-webhook-config.yaml
+- pipelineversion-mutating-webhook-config.yaml
+
+configurations:
+- params.yaml

apps/pipeline/upstream/base/webhook/params.yaml

@@ -0,0 +1,13 @@
+varReference:
+  - path: metadata/annotations
+    kind: ValidatingWebhookConfiguration
+  - path: webhooks/clientConfig/service/namespace
+    kind: ValidatingWebhookConfiguration
+  - path: webhooks/name
+    kind: ValidatingWebhookConfiguration
+  - path: metadata/annotations
+    kind: MutatingWebhookConfiguration
+  - path: webhooks/clientConfig/service/namespace
+    kind: MutatingWebhookConfiguration
+  - path: webhooks/name
+    kind: MutatingWebhookConfiguration

apps/pipeline/upstream/base/webhook/pipelineversion-mutating-webhook-config.yaml

@@ -0,0 +1,27 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: pipelineversions.pipelines.kubeflow.org
+webhooks:
+  - name: pipelineversions.pipelines.kubeflow.org
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - pipelines.kubeflow.org
+        apiVersions:
+          - v2beta1
+        resources:
+          - pipelineversions
+        scope: Namespaced
+    admissionReviewVersions:
+      - v1
+    sideEffects: None
+    failurePolicy: Fail
+    clientConfig:
+      service:
+        name: ml-pipeline
+        namespace: $(kfp-namespace)
+        path: /webhooks/mutate-pipelineversion
+        port: 8443

apps/pipeline/upstream/base/webhook/pipelineversion-validating-webhook-config.yaml

@@ -0,0 +1,27 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: pipelineversions.pipelines.kubeflow.org
+webhooks:
+  - name: pipelineversions.pipelines.kubeflow.org
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - pipelines.kubeflow.org
+        apiVersions:
+          - v2beta1
+        resources:
+          - pipelineversions
+        scope: Namespaced
+    admissionReviewVersions:
+      - v1
+    sideEffects: None
+    failurePolicy: Fail
+    clientConfig:
+      service:
+        name: ml-pipeline
+        namespace: $(kfp-namespace)
+        path: /webhooks/validate-pipelineversion
+        port: 8443

apps/pipeline/upstream/cluster-scoped-resources-tekton/kustomization.yaml

@@ -1,26 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: kubeflow
-
-resources:
-- namespace.yaml
-bases:
-- ../third-party/application/cluster-scoped
-- ../base/pipeline/cluster-scoped
-- ../base/cache-deployer/cluster-scoped
-vars:
-# NOTE: var name must be unique globally to allow composition of multiple kustomize
-# packages. Therefore, we added prefix `kfp-cluster-scoped-` to distinguish it from
-# others.
-- name: kfp-cluster-scoped-namespace
-  objref:
-    # cache deployer sa's metadata.namespace will be first transformed by namespace field in kustomization.yaml
-    # so that we only need to change kustomization.yaml's namespace field for namespace customization.
-    kind: ServiceAccount
-    name: kubeflow-pipelines-cache-deployer-sa
-    apiVersion: v1
-  fieldref:
-    fieldpath: metadata.namespace
-configurations:
-- params.yaml

apps/pipeline/upstream/cluster-scoped-resources-tekton/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: '$(kfp-cluster-scoped-namespace)'

apps/pipeline/upstream/cluster-scoped-resources-tekton/params.yaml

@@ -1,4 +0,0 @@
-# Allow Kustomize var to replace following fields.
-varReference:
-- path: metadata/name
-  kind: Namespace

apps/pipeline/upstream/cluster-scoped-resources/kustomization.yaml

@@ -13,14 +13,14 @@ vars:
 # NOTE: var name must be unique globally to allow composition of multiple kustomize
 # packages. Therefore, we added prefix `kfp-cluster-scoped-` to distinguish it from
 # others.
-- name: kfp-cluster-scoped-namespace
+- fieldref:
+    fieldPath: metadata.namespace
+  name: kfp-cluster-scoped-namespace
   objref:
     # cache deployer sa's metadata.namespace will be first transformed by namespace field in kustomization.yaml
     # so that we only need to change kustomization.yaml's namespace field for namespace customization.
+    apiVersion: v1
     kind: ServiceAccount
     name: kubeflow-pipelines-cache-deployer-sa
-    apiVersion: v1
-  fieldref:
-    fieldpath: metadata.namespace
 configurations:
 - params.yaml

apps/pipeline/upstream/env/aws/kustomization.yaml

@@ -2,33 +2,38 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kubeflow
 resources:
-  - ../../env/platform-agnostic
+- ../../env/platform-agnostic
 configMapGenerator:
-  - name: pipeline-install-config
+- behavior: merge
-    env: params.env
+  envs:
-    behavior: merge
+  - params.env
-  - name: workflow-controller-configmap
+  name: pipeline-install-config
-    behavior: replace
+- behavior: replace
-    files:
+  files:
-      - config
+  - config
-  - name: ml-pipeline-ui-configmap
+  name: workflow-controller-configmap
-    behavior: replace
+- behavior: replace
-    files:
+  files:
-      - viewer-pod-template.json
+  - viewer-pod-template.json
+  name: ml-pipeline-ui-configmap
 secretGenerator:
-  - name: mysql-secret
+- behavior: merge
-    env: secret.env
+  envs:
-    behavior: merge
+  - secret.env
-  - name: mlpipeline-minio-artifact
+  name: mysql-secret
-    env: minio-artifact-secret-patch.env
+- behavior: merge
-    behavior: merge
+  envs:
+  - minio-artifact-secret-patch.env
+  name: mlpipeline-minio-artifact
 generatorOptions:
   disableNameSuffixHash: true
 patches:
-  - path: aws-configuration-pipeline-patch.yaml
+- path: aws-configuration-pipeline-patch.yaml
-  - path: aws-configuration-pipeline-ui-patch.yaml
+- path: aws-configuration-pipeline-ui-patch.yaml
 # Identifier for application manager to apply ownerReference.
 # The ownerReference ensures the resources get garbage collected
 # when application is deleted.
-commonLabels:
+labels:
-  application-crd-id: kubeflow-pipelines
+- includeSelectors: true
+  pairs:
+    application-crd-id: kubeflow-pipelines

apps/pipeline/upstream/env/azure/kustomization.yaml

@@ -9,17 +9,21 @@ resources:
 - minio-azure-gateway
 
 configMapGenerator:
-- name: pipeline-install-config
+- behavior: merge
-  env: params.env
+  envs:
-  behavior: merge
+  - params.env
+  name: pipeline-install-config
 
 secretGenerator:
-- name: mysql-secret
+- behavior: merge
-  env: mysql-secret.env
+  envs:
-  behavior: merge
+  - mysql-secret.env
+  name: mysql-secret
 
 # Identifier for application manager to apply ownerReference.
 # The ownerReference ensures the resources get garbage collected
 # when application is deleted.
-commonLabels:
+labels:
-  application-crd-id: kubeflow-pipelines
+- includeSelectors: true
+  pairs:
+    application-crd-id: kubeflow-pipelines

apps/pipeline/upstream/env/azure/minio-azure-gateway/kustomization.yaml

@@ -6,8 +6,9 @@ resources:
 - minio-azure-gateway-service.yaml
 
 secretGenerator:
-- name: mlpipeline-minio-artifact
+- envs:
-  env: minio-artifact-secret.env
+  - minio-artifact-secret.env
+  name: mlpipeline-minio-artifact
 generatorOptions:
   # mlpipeline-minio-artifact needs to be referred by exact name
-  disableNameSuffixHash: true
+  disableNameSuffixHash: true

apps/pipeline/upstream/env/cert-manager/base-webhook-certs/kfp-api-cert-issuer.yaml

@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: kfp-api-webhook-selfsigned-issuer
+spec:
+  selfSigned: {}

apps/pipeline/upstream/env/cert-manager/base-webhook-certs/kfp-api-cert.yaml

@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kfp-api-webhook-cert
+spec:
+  commonName: kfp-api-webhook-cert
+  isCA: true
+  dnsNames:
+  - ml-pipeline
+  - ml-pipeline.$(kfp-namespace)
+  - ml-pipeline.$(kfp-namespace).svc
+  issuerRef:
+    kind: Issuer
+    name: kfp-api-webhook-selfsigned-issuer
+  secretName: kfp-api-webhook-cert

apps/pipeline/upstream/env/cert-manager/base-webhook-certs/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ./kfp-api-cert-issuer.yaml
+- ./kfp-api-cert.yaml
+
+configurations:
+- params.yaml
+
+# !!! If you want to customize the namespace,
+# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
+namespace: kubeflow

apps/pipeline/upstream/env/cert-manager/base-webhook-certs/params.yaml

@@ -0,0 +1,7 @@
+varReference:
+  - path: spec/commonName
+    kind: Certificate
+  - path: spec/dnsNames
+    kind: Certificate
+  - path: spec/issuerRef/name
+    kind: Certificate

apps/pipeline/upstream/env/cert-manager/base/kustomization.yaml

@@ -1,13 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kubeflow 
+namespace: kubeflow
 
 resources:
-  - cache-cert-issuer.yaml
+- cache-cert-issuer.yaml
-  - cache-cert.yaml
+- cache-cert.yaml
-  - cache-webhook-config.yaml
+- cache-webhook-config.yaml
-commonLabels:
-  app: cache-server-cert-manager
 
 configurations:
 - params.yaml
+labels:
+- includeSelectors: true
+  pairs:
+    app: cache-server-cert-manager

apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../../base/crds
+- ../../platform-agnostic
+- ../../../base/webhook
+- ../base-webhook-certs/
+
+# !!! If you want to customize the namespace,
+# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
+namespace: kubeflow
+
+patches:
+- path: patches/deployment.yaml
+  target:
+    kind: Deployment
+    name: ml-pipeline
+- path: patches/service.yaml
+  target:
+    kind: Service
+    name: ml-pipeline
+- path: patches/validating-webhook.yaml
+  target:
+    kind: ValidatingWebhookConfiguration
+    name: pipelineversions.pipelines.kubeflow.org
+- path: patches/mutating-webhook.yaml
+  target:
+    kind: MutatingWebhookConfiguration
+    name: pipelineversions.pipelines.kubeflow.org

apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/deployment.yaml

@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ml-pipeline
+spec:
+  template:
+    spec:
+      containers:
+        - name: ml-pipeline-api-server
+          ports:
+          - containerPort: 8443
+            name: webhook
+          command:
+            - "/bin/apiserver"
+          args:
+            - "--config=/config"
+            - "--sampleconfig=/config/sample_config.json"
+            - "-logtostderr=true"
+            - "--webhookTLSCertPath=/etc/webhook/certs/tls.crt"
+            - "--webhookTLSKeyPath=/etc/webhook/certs/tls.key"
+            - "--pipelinesStoreKubernetes=true"
+          volumeMounts:
+            - name: webhook-certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+      volumes:
+        - name: webhook-certs
+          secret:
+            secretName: kfp-api-webhook-cert

apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/mutating-webhook.yaml

@@ -0,0 +1,6 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: pipelineversions.pipelines.kubeflow.org
+  annotations:
+    cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-api-webhook-cert

apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ml-pipeline
+spec:
+  ports:
+    - name: webhook
+      port: 8443
+      protocol: TCP
+      targetPort: 8443

apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/validating-webhook.yaml

@@ -0,0 +1,6 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: pipelineversions.pipelines.kubeflow.org
+  annotations:
+    cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-api-webhook-cert

apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../../base/crds
+- ../platform-agnostic-multi-user
+- ../../../base/webhook
+- ../base-webhook-certs/
+
+# !!! If you want to customize the namespace,
+# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
+namespace: kubeflow
+
+patches:
+- path: patches/deployment.yaml
+  target:
+    kind: Deployment
+    name: ml-pipeline
+- path: patches/service.yaml
+  target:
+    kind: Service
+    name: ml-pipeline
+- path: patches/validating-webhook.yaml
+  target:
+    kind: ValidatingWebhookConfiguration
+    name: pipelineversions.pipelines.kubeflow.org
+- path: patches/mutating-webhook.yaml
+  target:
+    kind: MutatingWebhookConfiguration
+    name: pipelineversions.pipelines.kubeflow.org

apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/deployment.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ml-pipeline
+spec:
+  template:
+    spec:
+      containers:
+        - name: ml-pipeline-api-server
+          ports:
+          - containerPort: 8443
+            name: webhook
+          image: domain.local/apiserver:local
+          command:
+            - "/bin/apiserver"
+          args:
+            - "--config=/config"
+            - "--sampleconfig=/config/sample_config.json"
+            - "-logtostderr=true"
+            - "--webhookTLSCertPath=/etc/webhook/certs/tls.crt"
+            - "--webhookTLSKeyPath=/etc/webhook/certs/tls.key"
+            - "--pipelinesStoreKubernetes=true"
+          volumeMounts:
+            - name: webhook-certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+      volumes:
+        - name: webhook-certs
+          secret:
+            secretName: kfp-api-webhook-cert

apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/mutating-webhook.yaml

@@ -0,0 +1,6 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: pipelineversions.pipelines.kubeflow.org
+  annotations:
+    cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-api-webhook-cert

apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ml-pipeline
+spec:
+  ports:
+    - name: webhook
+      port: 8443
+      protocol: TCP
+      targetPort: 8443

apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/validating-webhook.yaml

@@ -0,0 +1,6 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: pipelineversions.pipelines.kubeflow.org
+  annotations:
+    cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-api-webhook-cert

apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml

@@ -2,30 +2,30 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../platform-agnostic-multi-user
+- ../../platform-agnostic-multi-user
-  - ../base
+- ../base
 namespace: kubeflow
 
 # Pass proper arguments to cache-server to use cert-manager certificate
 patches:
-  # Delete the cache deployer as we use the cert-manager instead
+# Delete the cache deployer as we use the cert-manager instead
-  - path: patches/delete.clusterrole.cache-deployer.yaml
+- path: patches/delete.clusterrole.cache-deployer.yaml
-  - path: patches/delete.crb.cache-deployer.yaml
+- path: patches/delete.crb.cache-deployer.yaml
-  - path: patches/delete.deployment.cache-deployer.yaml
+- path: patches/delete.deployment.cache-deployer.yaml
-  - path: patches/delete.role.cache-deployer.yaml
+- path: patches/delete.role.cache-deployer.yaml
-  - path: patches/delete.rolebinding.cache-deployer.yaml
+- path: patches/delete.rolebinding.cache-deployer.yaml
-  - path: patches/delete.sa.cache-deployer.yaml
+- path: patches/delete.sa.cache-deployer.yaml
-  - patch: |-
+- patch: |-
-      - op: add
+    - op: add
-        path: /spec/template/spec/containers/0/args/-
+      path: /spec/template/spec/containers/0/args/-
-        value: "--tls_cert_filename=tls.crt"
+      value: "--tls_cert_filename=tls.crt"
-    target:
+  target:
-      kind: Deployment
+    kind: Deployment
-      name: cache-server
+    name: cache-server
-  - patch: |-
+- patch: |-
-      - op: add
+    - op: add
-        path: /spec/template/spec/containers/0/args/-
+      path: /spec/template/spec/containers/0/args/-
-        value: "--tls_key_filename=tls.key"
+      value: "--tls_key_filename=tls.key"
-    target:
+  target:
-      kind: Deployment
+    kind: Deployment
-      name: cache-server
+    name: cache-server

apps/pipeline/upstream/env/dev-kind/forward-local-api-endpoint.yaml

@@ -15,3 +15,7 @@ subsets:
         appProtocol: http
         port: 8888
         protocol: TCP
+      - name: webhook
+        appProtocol: http
+        port: 8443
+        protocol: TCP

apps/pipeline/upstream/env/dev-kind/kustomization.yaml

@@ -2,9 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../base/application
+- ../cert-manager/platform-agnostic-k8s-native
-  - ./forward-local-api-endpoint.yaml
+- ./forward-local-api-endpoint.yaml
-  - ../platform-agnostic
 
 # !!! If you want to customize the namespace,
 # please refer sample/cluster-scoped-resources to update the namespace for cluster-scoped-resources
@@ -126,5 +125,42 @@ patches:
         port: 8887
         protocol: TCP
         targetPort: 8887
+      - name: webhook
+        port: 8443
+        protocol: TCP
+        targetPort: 8443
       selector:
         $patch: delete
+- patch: |-
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+      name: pipelineversions.pipelines.kubeflow.org
+    webhooks:
+      - name: pipelineversions.pipelines.kubeflow.org
+        clientConfig:
+          service:
+            name: ml-pipeline-reverse-proxy
+- patch: |-
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: MutatingWebhookConfiguration
+    metadata:
+      name: pipelineversions.pipelines.kubeflow.org
+    webhooks:
+      - name: pipelineversions.pipelines.kubeflow.org
+        clientConfig:
+          service:
+            name: ml-pipeline-reverse-proxy
+- patch: |-
+    apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: kfp-api-webhook-cert
+    spec:
+      dnsNames:
+      - ml-pipeline
+      - ml-pipeline.$(kfp-namespace)
+      - ml-pipeline.$(kfp-namespace).svc
+      - ml-pipeline-reverse-proxy
+      - ml-pipeline-reverse-proxy.$(kfp-namespace)
+      - ml-pipeline-reverse-proxy.$(kfp-namespace).svc

apps/pipeline/upstream/env/dev/kustomization.yaml

@@ -2,18 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  # Application controller is used to provide Google Cloud Console integration.
+# Application controller is used to provide Google Cloud Console integration.
-  - ../../third-party/application
+- ../../third-party/application
-  - ../../base/application
+- ../../base/application
-  - ../platform-agnostic
+- ../platform-agnostic
-  - ../gcp/inverse-proxy
+- ../gcp/inverse-proxy
-
-# Identifier for application manager to apply ownerReference.
-# The ownerReference ensures the resources get garbage collected
-# when application is deleted.
-commonLabels:
-  application-crd-id: kubeflow-pipelines
 
 # !!! If you want to customize the namespace,
 # please refer sample/cluster-scoped-resources to update the namespace for cluster-scoped-resources
 namespace: kubeflow
+# Identifier for application manager to apply ownerReference.
+# The ownerReference ensures the resources get garbage collected
+# when application is deleted.
+labels:
+- includeSelectors: true
+  pairs:
+    application-crd-id: kubeflow-pipelines

apps/pipeline/upstream/env/dev/postgresql/kustomization.yaml

@@ -2,18 +2,20 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  # Application controller is used to provide Google Cloud Console integration.
+# Application controller is used to provide Google Cloud Console integration.
-  - ../../../third-party/application
+- ../../../third-party/application
-  - ../../../base/application
+- ../../../base/application
-  - ../../platform-agnostic-postgresql
+- ../../platform-agnostic-postgresql
-  - ../../gcp/inverse-proxy
+- ../../gcp/inverse-proxy
-
-# Identifier for application manager to apply ownerReference.
-# The ownerReference ensures the resources get garbage collected
-# when application is deleted.
-commonLabels:
-  application-crd-id: kubeflow-pipelines
 
 # !!! If you want to customize the namespace,
 # please refer sample/cluster-scoped-resources to update the namespace for cluster-scoped-resources
 namespace: kubeflow
+
+# Identifier for application manager to apply ownerReference.
+# The ownerReference ensures the resources get garbage collected
+# when application is deleted.
+labels:
+- includeSelectors: true
+  pairs:
+    application-crd-id: kubeflow-pipelines

apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml

@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
   - name: ghcr.io/kubeflow/kfp-inverse-proxy-agent
-    newTag: 2.4.1
+    newTag: 2.5.0
 resources:
   - proxy-configmap.yaml
   - proxy-deployment.yaml

apps/pipeline/upstream/env/gcp/kustomization.yaml

@@ -2,31 +2,35 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  # Application controller is used to provide Google Cloud Console integration.
+# Application controller is used to provide Google Cloud Console integration.
-  - ../../third-party/application
+- ../../third-party/application
-  - ../../base/application
+- ../../base/application
-  - ../../base/installs/generic
+- ../../base/installs/generic
-  - ../../base/metadata/base
+- ../../base/metadata/base
-  - ../../third-party/argo/installs/namespace
+- ../../third-party/argo/installs/namespace
-  - inverse-proxy
+- inverse-proxy
-  - minio-gcs-gateway
+- minio-gcs-gateway
-  - cloudsql-proxy
+- cloudsql-proxy
 
-# Identifier for application manager to apply ownerReference.
-# The ownerReference ensures the resources get garbage collected
-# when application is deleted.
-commonLabels:
-  application-crd-id: kubeflow-pipelines
 
 # !!! If you want to customize the namespace,
 # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
 namespace: kubeflow
 
 patches:
-  - path: gcp-configurations-patch.yaml
+- path: gcp-configurations-patch.yaml
 
 # Used by Kustomize
 configMapGenerator:
-  - name: pipeline-install-config
+- behavior: merge
-    env: params.env
+  envs:
-    behavior: merge
+  - params.env
+  name: pipeline-install-config
+
+# Identifier for application manager to apply ownerReference.
+# The ownerReference ensures the resources get garbage collected
+# when application is deleted.
+labels:
+- includeSelectors: true
+  pairs:
+    application-crd-id: kubeflow-pipelines

apps/pipeline/upstream/env/gcp/minio-gcs-gateway/kustomization.yaml

@@ -7,8 +7,9 @@ resources:
 - minio-gcs-gateway-service.yaml
 
 secretGenerator:
-- name: mlpipeline-minio-artifact
+- envs:
-  env: minio-artifact-secret.env
+  - minio-artifact-secret.env
+  name: mlpipeline-minio-artifact
 generatorOptions:
   # mlpipeline-minio-artifact needs to be referred by exact name
   disableNameSuffixHash: true

apps/pipeline/upstream/env/plain-multi-user/kustomization.yaml

@@ -2,21 +2,24 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../base/installs/multi-user
+- ../../base/installs/multi-user
-  - ../../base/metadata/base
+- ../../base/metadata/base
-  - ../../base/metadata/options/istio
+- ../../base/metadata/options/istio
-  - ../../third-party/mysql/base
+- ../../third-party/mysql/base
-  - ../../third-party/mysql/options/istio
+- ../../third-party/mysql/options/istio
-  - ../../third-party/minio/base
+- ../../third-party/minio/base
-  - ../../third-party/minio/options/istio
+- ../../third-party/minio/options/istio
-  - ../../third-party/metacontroller/base
+- ../../third-party/metacontroller/base
 
-# Identifier for application manager to apply ownerReference.
-# The ownerReference ensures the resources get garbage collected
-# when application is deleted.
-commonLabels:
-  application-crd-id: kubeflow-pipelines
 
 # !!! If you want to customize the namespace,
 # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
 namespace: kubeflow
+
+# Identifier for application manager to apply ownerReference.
+# The ownerReference ensures the resources get garbage collected
+# when application is deleted.
+labels:
+- includeSelectors: true
+  pairs:
+    application-crd-id: kubeflow-pipelines

apps/pipeline/upstream/env/plain/kustomization.yaml

@@ -2,19 +2,18 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../cluster-scoped-resources-tekton
+- ../../base/installs/generic
-  - ../../base/installs/generic
+- ../../base/metadata/base
-  - ../../base/metadata/base
+- ../../third-party/minio/base
-  - ../../third-party/minio/base
+- ../../third-party/mysql/base
-  - ../../third-party/mysql/base
 
 # Identifier for application manager to apply ownerReference.
 # The ownerReference ensures the resources get garbage collected
 # when application is deleted.
 labels:
-  - includeSelectors: true
+- includeSelectors: true
-    pairs:
+  pairs:
-      application-crd-id: kubeflow-pipelines
+    application-crd-id: kubeflow-pipelines
 
 # !!! If you want to customize the namespace,
 # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml

apps/pipeline/upstream/env/platform-agnostic-emissary/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../platform-agnostic
+- ../platform-agnostic

apps/pipeline/upstream/env/platform-agnostic-multi-user-emissary/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../platform-agnostic-multi-user
+- ../platform-agnostic-multi-user

apps/pipeline/upstream/env/platform-agnostic-multi-user-legacy/kustomization.yaml

@@ -2,22 +2,25 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../third-party/metacontroller/base
+- ../../third-party/metacontroller/base
-  - ../../base/installs/multi-user
+- ../../base/installs/multi-user
-  - ../../base/metadata/overlays/db
+- ../../base/metadata/overlays/db
-  - ../../base/metadata/options/istio
+- ../../base/metadata/options/istio
-  - ../../third-party/argo/installs/cluster
+- ../../third-party/argo/installs/cluster
-  - ../../third-party/mysql/base
+- ../../third-party/mysql/base
-  - ../../third-party/mysql/options/istio
+- ../../third-party/mysql/options/istio
-  - ../../third-party/minio/base
+- ../../third-party/minio/base
-  - ../../third-party/minio/options/istio
+- ../../third-party/minio/options/istio
 
-# Identifier for application manager to apply ownerReference.
-# The ownerReference ensures the resources get garbage collected
-# when application is deleted.
-commonLabels:
-  application-crd-id: kubeflow-pipelines
 
 # !!! If you want to customize the namespace,
 # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
 namespace: kubeflow
+
+# Identifier for application manager to apply ownerReference.
+# The ownerReference ensures the resources get garbage collected
+# when application is deleted.
+labels:
+- includeSelectors: true
+  pairs:
+    application-crd-id: kubeflow-pipelines

apps/pipeline/upstream/env/platform-agnostic-multi-user/kustomization.yaml

@@ -2,22 +2,25 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../third-party/metacontroller/base
+- ../../third-party/metacontroller/base
-  - ../../base/installs/multi-user
+- ../../base/installs/multi-user
-  - ../../base/metadata/base
+- ../../base/metadata/base
-  - ../../base/metadata/options/istio
+- ../../base/metadata/options/istio
-  - ../../third-party/argo/installs/cluster
+- ../../third-party/argo/installs/cluster
-  - ../../third-party/mysql/base
+- ../../third-party/mysql/base
-  - ../../third-party/mysql/options/istio
+- ../../third-party/mysql/options/istio
-  - ../../third-party/minio/base
+- ../../third-party/minio/base
-  - ../../third-party/minio/options/istio
+- ../../third-party/minio/options/istio
 
-# Identifier for application manager to apply ownerReference.
-# The ownerReference ensures the resources get garbage collected
-# when application is deleted.
-commonLabels:
-  application-crd-id: kubeflow-pipelines
 
 # !!! If you want to customize the namespace,
 # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
 namespace: kubeflow
+
+# Identifier for application manager to apply ownerReference.
+# The ownerReference ensures the resources get garbage collected
+# when application is deleted.
+labels:
+- includeSelectors: true
+  pairs:
+    application-crd-id: kubeflow-pipelines

apps/pipeline/upstream/env/platform-agnostic-postgresql/kustomization.yaml

@@ -2,18 +2,21 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../base/installs/generic/postgres
+- ../../base/installs/generic/postgres
-  - ../../base/metadata/overlays/postgres
+- ../../base/metadata/overlays/postgres
-  - ../../third-party/argo/installs/namespace
+- ../../third-party/argo/installs/namespace
-  - ../../third-party/minio/base
+- ../../third-party/minio/base
-  - ../../third-party/postgresql/base
+- ../../third-party/postgresql/base
 
-# Identifier for application manager to apply ownerReference.
-# The ownerReference ensures the resources get garbage collected
-# when application is deleted.
-commonLabels:
-  application-crd-id: kubeflow-pipelines
 
 # !!! If you want to customize the namespace,
 # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
 namespace: kubeflow
+
+# Identifier for application manager to apply ownerReference.
+# The ownerReference ensures the resources get garbage collected
+# when application is deleted.
+labels:
+- includeSelectors: true
+  pairs:
+    application-crd-id: kubeflow-pipelines

apps/pipeline/upstream/env/platform-agnostic-tekton-multi-user/kustomization.yaml

@@ -1,68 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - ../../third-party/tekton/installs/cluster
-  - ../../third-party/tekton-custom-task
-  - ../plain-multi-user
-
-# Identifier for application manager to apply ownerReference.
-# The ownerReference ensures the resources get garbage collected
-# when application is deleted.
-commonLabels:
-  application-crd-id: kubeflow-pipelines
-
-patches:
-- path: tekton-config.yaml
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: ml-pipeline
-    spec:
-      template:
-        spec:
-          containers:
-            - name: ml-pipeline-api-server
-              env:
-              - name: EXECUTIONTYPE
-                value: PipelineRun
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: ml-pipeline-persistenceagent
-    spec:
-      template:
-        spec:
-          containers:
-            - name: ml-pipeline-persistenceagent
-              env:
-              - name: EXECUTIONTYPE
-                value: PipelineRun
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: ml-pipeline-scheduledworkflow
-    spec:
-      template:
-        spec:
-          containers:
-            - name: ml-pipeline-scheduledworkflow
-              env:
-              - name: EXECUTIONTYPE
-                value: PipelineRun
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: ml-pipeline-ui
-    spec:
-      template:
-        spec:
-          containers:
-            - name: ml-pipeline-ui
-              env:
-              - name: POD_LOG_CONTAINER_NAME
-                value: step-user-main

apps/pipeline/upstream/env/platform-agnostic-tekton-multi-user/tekton-config.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: feature-flags
-  namespace: tekton-pipelines
-  labels:
-    app.kubernetes.io/instance: default
-    app.kubernetes.io/part-of: tekton-pipelines
-data:
-  running-in-environment-with-injected-sidecars: "true"

apps/pipeline/upstream/env/platform-agnostic-tekton/kustomization.yaml

@@ -1,70 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- ../../third-party/tekton/installs/cluster
-- ../../third-party/tekton-custom-task
-- ../plain
-
-# Identifier for application manager to apply ownerReference.
-# The ownerReference ensures the resources get garbage collected
-# when application is deleted.
-
-labels:
-- includeSelectors: true
-  pairs:
-    application-crd-id: kubeflow-pipelines
-
-patches:
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: ml-pipeline
-    spec:
-      template:
-        spec:
-          containers:
-            - name: ml-pipeline-api-server
-              env:
-              - name: EXECUTIONTYPE
-                value: PipelineRun
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: ml-pipeline-persistenceagent
-    spec:
-      template:
-        spec:
-          containers:
-            - name: ml-pipeline-persistenceagent
-              env:
-              - name: EXECUTIONTYPE
-                value: PipelineRun
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: ml-pipeline-scheduledworkflow
-    spec:
-      template:
-        spec:
-          containers:
-            - name: ml-pipeline-scheduledworkflow
-              env:
-              - name: EXECUTIONTYPE
-                value: PipelineRun
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: ml-pipeline-ui
-    spec:
-      template:
-        spec:
-          containers:
-            - name: ml-pipeline-ui
-              env:
-              - name: POD_LOG_CONTAINER_NAME
-                value: step-user-main

apps/pipeline/upstream/env/platform-agnostic/kustomization.yaml

@@ -2,11 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../base/installs/generic
+- ../../base/installs/generic
-  - ../../base/metadata/base
+- ../../base/metadata/base
-  - ../../third-party/argo/installs/namespace
+- ../../third-party/argo/installs/namespace
-  - ../../third-party/minio/base
+- ../../third-party/minio/base
-  - ../../third-party/mysql/base
+- ../../third-party/mysql/base
 
 # Identifier for application manager to apply ownerReference.
 # The ownerReference ensures the resources get garbage collected
@@ -16,6 +16,6 @@ resources:
 # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
 namespace: kubeflow
 labels:
-  - includeSelectors: true
+- includeSelectors: true
-    pairs:
+  pairs:
-      application-crd-id: kubeflow-pipelines
+    application-crd-id: kubeflow-pipelines

apps/pipeline/upstream/hack/release.sh

@@ -40,3 +40,14 @@ do
 done
 
 yq w -i "${MANIFEST_DIR}/base/installs/generic/pipeline-install-config.yaml" data.appVersion "$TAG_NAME"
+
+## Driver & Launcher images are added as environment variables
+API_SERVER_MANIFEST="${MANIFEST_DIR}/base/pipeline/ml-pipeline-apiserver-deployment.yaml"
+
+yq w -i ${API_SERVER_MANIFEST} \
+  "spec.template.spec.containers.(name==ml-pipeline-api-server).env.(name==V2_LAUNCHER_IMAGE).value" \
+  "ghcr.io/kubeflow/kfp-launcher:${TAG_NAME}"
+
+yq w -i ${API_SERVER_MANIFEST} \
+  "spec.template.spec.containers.(name==ml-pipeline-api-server).env.(name==V2_DRIVER_IMAGE).value" \
+  "ghcr.io/kubeflow/kfp-driver:${TAG_NAME}"

apps/pipeline/upstream/sample/cluster-scoped-resources/kustomization.yaml

@@ -6,5 +6,5 @@ kind: Kustomization
 namespace: kubeflow
 
 resources:
-  # Or github.com/kubeflow/pipelines/manifests/kustomize/cluster-scoped-resources?ref=1.0.0
+# Or github.com/kubeflow/pipelines/manifests/kustomize/cluster-scoped-resources?ref=1.0.0
-  - ../../cluster-scoped-resources
+- ../../cluster-scoped-resources

apps/pipeline/upstream/sample/kustomization.yaml

@@ -3,7 +3,7 @@ kind: Kustomization
 
 resources:
   # Or github.com/kubeflow/pipelines/manifests/kustomize/env/gcp?ref=1.0.0
-  - ../env/gcp
+- ../env/gcp
   # Kubeflow Pipelines servers are capable of collecting Prometheus metrics.
   # If you want to monitor your Kubeflow Pipelines servers with those metrics, you'll need a Prometheus server in your Kubeflow Pipelines cluster.
   # If you don't already have a Prometheus server up, you can uncomment the following configuration files for Prometheus.
@@ -11,28 +11,28 @@ resources:
   # - ../third_party/prometheus
   # - ../third_party/grafana
 
-# Identifier for application manager to apply ownerReference.
-# The ownerReference ensures the resources get garbage collected
-# when application is deleted.
-commonLabels:
-  application-crd-id: kubeflow-pipelines
 
 # Used by Kustomize
 configMapGenerator:
-  - name: pipeline-install-config
+- behavior: merge
-    env: params.env
+  envs:
-    behavior: merge
+  - params.env
+  name: pipeline-install-config
 
 secretGenerator:
-  - name: mysql-secret
+- behavior: merge
-    env: params-db-secret.env
+  envs:
-    behavior: merge
+  - params-db-secret.env
+  name: mysql-secret
 
 # !!! If you want to customize the namespace,
 # please also update sample/cluster-scoped-resources/kustomization.yaml's namespace field to the same value
 namespace: kubeflow
-#### Customization ###
+
-# 1. Change values in params.env file
+# Identifier for application manager to apply ownerReference.
-# 2. Change values in params-db-secret.env file for CloudSQL username and password
+# The ownerReference ensures the resources get garbage collected
-# 3. kustomize build ./ | kubectl apply -f -
+# when application is deleted.
-####
+labels:
+- includeSelectors: true
+  pairs:
+    application-crd-id: kubeflow-pipelines

apps/pipeline/upstream/third-party/application/kustomization.yaml

@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - application-controller-deployment.yaml
+- application-controller-deployment.yaml
-  - application-controller-role.yaml
+- application-controller-role.yaml
-  - application-controller-rolebinding.yaml
+- application-controller-rolebinding.yaml
-  - application-controller-sa.yaml
+- application-controller-sa.yaml
-  - application-controller-service.yaml
+- application-controller-service.yaml

apps/pipeline/upstream/third-party/argo/base/kustomization.yaml

@@ -2,13 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../upstream/manifests/base/workflow-controller
+- ../upstream/manifests/base/workflow-controller
 
 patches:
-  - path: workflow-controller-deployment-patch.yaml
+- path: workflow-controller-deployment-patch.yaml
-  - path: workflow-controller-configmap-patch.yaml
+- path: workflow-controller-configmap-patch.yaml
 
 # Allow Kustomize vars to replace fields defined in params.yaml.
 # The vars can be defined anywhere.
 configurations:
-  - params.yaml
+- params.yaml

apps/pipeline/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml

@@ -4,9 +4,9 @@ metadata:
   name: workflow-controller-configmap
 data:
   # References:
-  # * https://github.com/argoproj/argo-workflows/blob/v3.4.17/config/config.go
+  # * https://github.com/argoproj/argo-workflows/blob/v3.5.14/config/config.go
-  # * https://github.com/argoproj/argo-workflows/blob/v3.4.17/docs/workflow-controller-configmap.md
+  # * https://github.com/argoproj/argo-workflows/blob/v3.5.14/docs/workflow-controller-configmap.md
-  # * https://github.com/argoproj/argo-workflows/blob/v3.4.17/docs/workflow-controller-configmap.yaml
+  # * https://github.com/argoproj/argo-workflows/blob/v3.5.14/docs/workflow-controller-configmap.yaml
 
   # In artifactRepository.s3.endpoint, $(kfp-namespace) is needed, because in multi-user mode, pipelines may run in other namespaces.
   artifactRepository: |

apps/pipeline/upstream/third-party/argo/base/workflow-controller-deployment-patch.yaml

@@ -7,12 +7,12 @@ spec:
     spec:
       containers:
         - name: workflow-controller
-          image: gcr.io/ml-pipeline/workflow-controller:v3.4.17-license-compliance
+          image: quay.io/argoproj/workflow-controller:v3.5.14
           args:
             - --configmap
             - workflow-controller-configmap
             - --executor-image
-            - gcr.io/ml-pipeline/argoexec:v3.4.17-license-compliance
+            - quay.io/argoproj/argoexec:v3.5.14
           securityContext:
             seccompProfile:
               type: RuntimeDefault