update kfctl_ibm KfDef to kustomize v3 (#1246)

* update kfctl_ibm kfdef to kustomize v3

* small update to README

* update to use katib, minio and mysql generic

* update after platform test

* fix test failure

application/v3/kustomization.yaml

@@ -7,6 +7,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kubeflow
 nameprefix: application-controller-
+commonLabels:
+  app.kubernetes.io/component: kubeflow
+  app.kubernetes.io/name: kubeflow
 resources:
 - ../application-crds/base
 - ../application/base/cluster-role.yaml

kfdef/kfctl_ibm.yaml

@@ -4,349 +4,96 @@ metadata:
   namespace: kubeflow
 spec:
   applications:
+  # Install istio in a different namespace: istio-system
+  # Remove this application if istio is already installed
   - kustomizeConfig:
-      parameters:
-      - name: namespace
-        value: istio-system
       repoRef:
         name: manifests
-        path: istio/istio-crds
-    name: istio-crds
+        path: stacks/ibm/application/istio-stack
+    name: istio-stack
   - kustomizeConfig:
-      parameters:
-      - name: namespace
-        value: istio-system
       repoRef:
         name: manifests
-        path: istio/istio-install
-    name: istio-install
-  - kustomizeConfig:
-      parameters:
-      - name: namespace
-        value: istio-system
-      repoRef:
-        name: manifests
-        path: istio/cluster-local-gateway
+        path: stacks/ibm/application/cluster-local-gateway
     name: cluster-local-gateway
   - kustomizeConfig:
-      parameters:
-      - name: clusterRbacConfig
-        value: 'OFF'
       repoRef:
         name: manifests
-        path: istio/istio
+        path: stacks/ibm/application/istio
     name: istio
   - kustomizeConfig:
-      parameters:
-      - name: namespace
-        value: istio-system
       repoRef:
         name: manifests
-        path: istio/add-anonymous-user-filter
+        path: stacks/ibm/application/add-anonymous-user-filter
     name: add-anonymous-user-filter
   - kustomizeConfig:
       repoRef:
         name: manifests
-        path: application/application-crds
-    name: application-crds
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: application/application
+        path: application/v3
     name: application
   - kustomizeConfig:
-      parameters:
-      - name: namespace
-        value: cert-manager
       repoRef:
         name: manifests
-        path: cert-manager/cert-manager-crds
-    name: cert-manager-crds
-  - kustomizeConfig:
-      parameters:
-      - name: namespace
-        value: kube-system
-      repoRef:
-        name: manifests
-        path: cert-manager/cert-manager-kube-system-resources
-    name: cert-manager-kube-system-resources
-  - kustomizeConfig:
-      overlays:
-      - self-signed
-      - application
-      parameters:
-      - name: namespace
-        value: cert-manager
-      repoRef:
-        name: manifests
-        path: cert-manager/cert-manager
-    name: cert-manager
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: metacontroller
-    name: metacontroller
-  - kustomizeConfig:
-      overlays:
-      - istio
-      - application
-      parameters:
-      - name: containerRuntimeExecutor
-        value: pns
-      repoRef:
-        name: manifests
-        path: argo
-    name: argo
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: kubeflow-roles
-    name: kubeflow-roles
-  - kustomizeConfig:
-      overlays:
-      - istio
-      - application
-      repoRef:
-        name: manifests
-        path: common/centraldashboard
-    name: centraldashboard
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: admission-webhook/bootstrap
+        path: stacks/ibm/application/bootstrap
     name: bootstrap
   - kustomizeConfig:
-      overlays:
-      - application
       repoRef:
         name: manifests
-        path: admission-webhook/webhook
-    name: webhook
+        path: stacks/ibm/application/cert-manager-crds
+    name: cert-manager-crds
   - kustomizeConfig:
-      overlays:
-      - istio
-      - application
-      parameters:
-      - name: userid-header
-        value: kubeflow-userid
       repoRef:
         name: manifests
-        path: jupyter/jupyter-web-app
-    name: jupyter-web-app
+        path: stacks/ibm/application/cert-manager-kube-system-resources
+    name: cert-manager-kube-system-resources
   - kustomizeConfig:
-      overlays:
-      - application
       repoRef:
         name: manifests
-        path: spark/spark-operator
-    name: spark-operator
+        path: stacks/ibm/application/cert-manager
+    name: cert-manager
+  # Install Kubeflow applications.
   - kustomizeConfig:
-      overlays:
-      - istio
-      - application
-      - ibm-storage-config
-      - db
       repoRef:
         name: manifests
-        path: metadata
+        path: stacks/ibm
+    name: kubeflow-apps
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: metacontroller/base
+    name: metacontroller
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/metadata
     name: metadata
   - kustomizeConfig:
-      overlays:
-      - istio
-      - application
       repoRef:
         name: manifests
-        path: jupyter/notebook-controller
-    name: notebook-controller
+        path: stacks/ibm/application/spark-operator
+    name: spark-operator
   - kustomizeConfig:
-      overlays:
-      - application
       repoRef:
         name: manifests
-        path: pytorch-job/pytorch-job-crds
-    name: pytorch-job-crds
+        path: knative/installs/generic
+    name: knative
   - kustomizeConfig:
-      overlays:
-      - application
       repoRef:
         name: manifests
-        path: pytorch-job/pytorch-operator
-    name: pytorch-operator
+        path: kfserving/installs/generic
+    name: kfserving
+  # Spartakus is a separate applications so that kfctl can remove it
+  # to disable usage reporting
   - kustomizeConfig:
-      overlays:
-      - application
-      parameters:
-      - name: namespace
-        value: knative-serving
       repoRef:
         name: manifests
-        path: knative/knative-serving-crds
-    name: knative-crds
-  - kustomizeConfig:
-      overlays:
-      - application
-      parameters:
-      - name: namespace
-        value: knative-serving
-      repoRef:
-        name: manifests
-        path: knative/knative-serving-install
-    name: knative-install
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: kfserving/kfserving-crds
-    name: kfserving-crds
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: kfserving/kfserving-install
-    name: kfserving-install
-  - kustomizeConfig:
-      overlays:
-      - application
-      parameters:
-      - name: usageId
-        value: <randomly-generated-id>
-      - name: reportUsage
-        value: 'true'
-      repoRef:
-        name: manifests
-        path: common/spartakus
+        path: stacks/ibm/application/spartakus
     name: spartakus
   - kustomizeConfig:
-      overlays:
-      - istio
       repoRef:
         name: manifests
-        path: tensorboard
+        path: stacks/ibm/application/tensorboard
     name: tensorboard
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: tf-training/tf-job-crds
-    name: tf-job-crds
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: tf-training/tf-job-operator
-    name: tf-job-operator
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: katib/katib-crds
-    name: katib-crds
-  - kustomizeConfig:
-      overlays:
-      - application
-      - istio
-      - ibm-storage-config
-      repoRef:
-        name: manifests
-        path: katib/katib-controller
-    name: katib-controller
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: pipeline/api-service
-    name: api-service
-  - kustomizeConfig:
-      overlays:
-      - application
-      parameters:
-      - name: minioPvcName
-        value: minio-pv-claim
-      repoRef:
-        name: manifests
-        path: pipeline/minio
-    name: minio
-  - kustomizeConfig:
-      overlays:
-      - application
-      parameters:
-      - name: mysqlPvcName
-        value: mysql-pv-claim
-      repoRef:
-        name: manifests
-        path: pipeline/mysql
-    name: mysql
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: pipeline/persistent-agent
-    name: persistent-agent
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: pipeline/pipelines-runner
-    name: pipelines-runner
-  - kustomizeConfig:
-      overlays:
-      - istio
-      - application
-      repoRef:
-        name: manifests
-        path: pipeline/pipelines-ui
-    name: pipelines-ui
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: pipeline/pipelines-viewer
-    name: pipelines-viewer
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: pipeline/scheduledworkflow
-    name: scheduledworkflow
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: pipeline/pipeline-visualization-service
-    name: pipeline-visualization-service
-  - kustomizeConfig:
-      overlays:
-      - application
-      - istio
-      parameters:
-      - name: admin
-        value: example@kubeflow.org
-      repoRef:
-        name: manifests
-        path: profiles
-    name: profiles
-  - kustomizeConfig:
-      overlays:
-      - application
-      repoRef:
-        name: manifests
-        path: seldon/seldon-core-operator
-    name: seldon-core-operator
   repos:
   - name: manifests
     uri: https://github.com/kubeflow/manifests/archive/master.tar.gz

kfserving/installs/generic/kustomization.yaml

@@ -2,17 +2,17 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kubeflow
 resources:
-- ../kfserving-crds/base
-- ../kfserving-crds/overlays/application
-- ../kfserving-install/base/cert.yaml
-- ../kfserving-install/base/config-map.yaml
-- ../kfserving-install/base/cluster-role-binding.yaml
-- ../kfserving-install/base/cluster-role.yaml
-- ../kfserving-install/base/secret.yaml
-- ../kfserving-install/base/statefulset.yaml
-- ../kfserving-install/base/service.yaml
-- ../kfserving-install/base/webhook.yaml
-- ../kfserving-install/overlays/application
+- ../../kfserving-crds/base
+- ../../kfserving-crds/overlays/application
+- ../../kfserving-install/base/cert.yaml
+- ../../kfserving-install/base/config-map.yaml
+- ../../kfserving-install/base/cluster-role-binding.yaml
+- ../../kfserving-install/base/cluster-role.yaml
+- ../../kfserving-install/base/secret.yaml
+- ../../kfserving-install/base/statefulset.yaml
+- ../../kfserving-install/base/service.yaml
+- ../../kfserving-install/base/webhook.yaml
+- ../../kfserving-install/overlays/application
 commonLabels:
   app: kfserving
   kustomize.component: kfserving
@@ -21,9 +21,11 @@ commonLabels:
   app.kuberenets.io/name: kfserving-install
   app.kuberenets.io/managed-by: kfctl
   app.kuberenets.io/part-of: kubeflow
+generatorOptions:
+ disableNameSuffixHash: true
 configMapGenerator:
 - envs:
-  - ../kfserving-install/base/params.env
+  - ../../kfserving-install/base/params.env
   name: kfserving-config
 vars:
 - name: registry
@@ -34,7 +36,7 @@ vars:
   fieldref:
     fieldpath: data.registry
 configurations:
-- ../kfserving-install/base/params.yaml
+- ../../kfserving-install/base/params.yaml
 images:
 - name: gcr.io/kubebuilder/kube-rbac-proxy
   newName: gcr.io/kubebuilder/kube-rbac-proxy

knative/installs/generic/kustomization.yaml

@@ -2,25 +2,24 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: knative-serving
 resources:
-- ../knative-serving-crds/base
-- ../knative-serving-crds/overlays/application
-- ../knative-serving-install/base/gateway.yaml
-- ../knative-serving-install/base/cluster-role.yaml
-- ../knative-serving-install/base/cluster-role-binding.yaml
-- ../knative-serving-install/base/service-role.yaml
-- ../knative-serving-install/base/service-role-binding.yaml
-- ../knative-serving-install/base/role-binding.yaml
-- ../knative-serving-install/base/config-map.yaml
-- ../knative-serving-install/base/deployment.yaml
-- ../knative-serving-install/base/service-account.yaml
-- ../knative-serving-install/base/service.yaml
-- ../knative-serving-install/base/apiservice.yaml
-- ../knative-serving-install/base/image.yaml
-- ../knative-serving-install/base/hpa.yaml
-- ../knative-serving-install/base/webhook-configuration.yaml
-- ../knative-serving-install/overlays/application
+- ../../knative-serving-crds/base
+- ../../knative-serving-crds/overlays/application
+- ../../knative-serving-install/base/gateway.yaml
+- ../../knative-serving-install/base/cluster-role.yaml
+- ../../knative-serving-install/base/cluster-role-binding.yaml
+- ../../knative-serving-install/base/service-role.yaml
+- ../../knative-serving-install/base/service-role-binding.yaml
+- ../../knative-serving-install/base/role-binding.yaml
+- ../../knative-serving-install/base/config-map.yaml
+- ../../knative-serving-install/base/deployment.yaml
+- ../../knative-serving-install/base/service-account.yaml
+- ../../knative-serving-install/base/service.yaml
+- ../../knative-serving-install/base/apiservice.yaml
+- ../../knative-serving-install/base/image.yaml
+- ../../knative-serving-install/base/hpa.yaml
+- ../../knative-serving-install/base/webhook-configuration.yaml
+- ../../knative-serving-install/overlays/application
 commonLabels:
-  app: knative
   kustomize.component: knative
   app.kubernetes.io/component: knative-serving-install
   app.kuberenets.io/instance: knative-serving-install

pipeline/minio/installs/ibm/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+- adrian555
+- animeshsingh
+- tomcli

pipeline/minio/installs/ibm/deployment-patch.yaml

@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: minio
+spec:
+  template:
+    spec:
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: $(minioPvcName)

pipeline/minio/installs/ibm/kustomization.yaml

@@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  app.kubernetes.io/component: minio
+  app.kubernetes.io/name: minio
+resources:
+- ../../../upstream/env/platform-agnostic/minio/
+- ../../../upstream/base/argo/minio-artifact-secret.yaml # TODO: move it to minio/ folder
+- ../../overlays/application/application.yaml
+- persistent-volume-claim.yaml
+patchesStrategicMerge:
+- deployment-patch.yaml
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: pipeline-minio-parameters
+  envs:
+  - params.env
+vars:
+- name: minioPvcName
+  objref:
+    kind: ConfigMap
+    name: pipeline-minio-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.minioPvcName
+images:
+- name: minio/minio
+  newTag: RELEASE.2018-02-09T22-40-05Z
+  newName: minio/minio
+configurations:
+- params.yaml

pipeline/minio/installs/ibm/params.env

@@ -0,0 +1 @@
+minioPvcName=

pipeline/minio/installs/ibm/params.yaml

@@ -0,0 +1,5 @@
+varReference:
+- path: spec/template/spec/volumes/persistentVolumeClaim/claimName
+  kind: Deployment
+- path: metadata/name
+  kind: PersistentVolumeClaim

pipeline/minio/installs/ibm/persistent-volume-claim.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: $(minioPvcName)
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi

pipeline/mysql/installs/ibm/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+- adrian555
+- animeshsingh
+- tomcli

pipeline/mysql/installs/ibm/deployment-patch.yaml

@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mysql
+spec:
+  template:
+    spec:
+      volumes:
+      - name: mysql-persistent-storage
+        persistentVolumeClaim:
+          claimName: $(mysqlPvcName)

pipeline/mysql/installs/ibm/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  app: mysql
+  app.kubernetes.io/component: mysql
+  app.kubernetes.io/name: mysql
+resources:
+- ../generic
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: pipeline-mysql-parameters
+  envs:
+  - params.env
+vars:
+- name: mysqlPvcName
+  objref:
+    kind: ConfigMap
+    name: pipeline-mysql-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.mysqlPvcName
+images:
+- name: mysql
+  newTag: '5.6'
+  newName: mysql
+configurations:
+- params.yaml
+patchesStrategicMerge:
+- deployment-patch.yaml

pipeline/mysql/installs/ibm/params.env

@@ -0,0 +1 @@
+mysqlPvcName=

pipeline/mysql/installs/ibm/params.yaml

@@ -0,0 +1,5 @@
+varReference:
+- path: spec/template/spec/volumes/persistentVolumeClaim/claimName
+  kind: Deployment
+- path: metadata/name
+  kind: PersistentVolumeClaim

stacks/ibm/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+- adrian555
+- animeshsingh
+- tomcli

stacks/ibm/application/add-anonymous-user-filter/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+- ../../../../istio/add-anonymous-user-filter/base

stacks/ibm/application/bootstrap/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- ../../../../admission-webhook/bootstrap/overlays/application

stacks/ibm/application/cert-manager-crds/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+- ../../../../cert-manager/cert-manager-crds/base

stacks/ibm/application/cert-manager-kube-system-resources/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+- ../../../../cert-manager/cert-manager-kube-system-resources/base

stacks/ibm/application/cert-manager/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+commonLabels:
+  app.kubernetes.io/component: cert-manager
+  app.kubernetes.io/name: cert-manager
+  kustomize.component: cert-manager
+kind: Kustomization
+namespace: cert-manager
+resources:
+- ../../../../cert-manager/cert-manager/base
+- ../../../../cert-manager/cert-manager/overlays/application/application.yaml
+- ../../../../cert-manager/cert-manager/overlays/self-signed/cluster-issuer.yaml
+configurations:
+- ../../../../cert-manager/cert-manager/overlays/application/params.yaml

stacks/ibm/application/cluster-local-gateway/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+- ../../../../istio/cluster-local-gateway/base

stacks/ibm/application/istio-stack/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+- ../../../../istio/istio-crds/base
+- ../../../../istio/istio-install/base

stacks/ibm/application/istio/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- ../../../../istio/istio/base
+configMapGenerator:
+- name: istio-parameters
+  behavior: merge
+  envs:
+  - params.env
+configurations:
+- params.yaml

stacks/ibm/application/istio/params.env

@@ -0,0 +1 @@
+clusterRbacConfig=OFF

stacks/ibm/application/istio/params.yaml

@@ -0,0 +1,3 @@
+varReference:
+- path: spec/mode
+  kind: ClusterRbacConfig

stacks/ibm/application/jupyter-web-app/README.md

@@ -0,0 +1 @@
+Note: the approach to have the `base` in a sub-directory is to avoid the problem of current `namePrefix` incapability to skip adding to certain resources. In this case, they are `VirtualService` and `Application`. For these, we want the name to be `jupyter-web-app` instead of `jupyter-web-app-jupyter-web-app`.

stacks/ibm/application/jupyter-web-app/base/deployment_patch.yaml

@@ -0,0 +1,33 @@
+# TODO(https://github.com/kubeflow/manifests/issues/774): This is a patch
+# that pulls out from core the parts that should be in pulled into stacks.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment
+spec:
+  template:
+    spec:
+      containers:
+      - name: jupyter-web-app
+        imagePullPolicy: $(policy)
+        env:
+        - name: ROK_SECRET_NAME
+          valueFrom:
+            configMapKeyRef:
+              name: jupyter-web-app-parameters
+              key: ROK_SECRET_NAME
+        - name: UI
+          valueFrom:
+            configMapKeyRef:
+              name: jupyter-web-app-parameters
+              key: UI
+        - name: USERID_HEADER
+          valueFrom:
+            configMapKeyRef:
+              name: kubeflow-config
+              key: userid-header
+        - name: USERID_PREFIX
+          valueFrom:
+            configMapKeyRef:
+              name: kubeflow-config
+              key: userid-prefix

stacks/ibm/application/jupyter-web-app/base/kustomization.yaml

@@ -0,0 +1,49 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  app.kubernetes.io/component: jupyter-web-app
+  app.kubernetes.io/name: jupyter-web-app
+  app: jupyter-web-app
+  kustomize.component: jupyter-web-app
+namePrefix: jupyter-web-app-
+namespace: kubeflow
+images:
+- name: gcr.io/kubeflow-images-public/jupyter-web-app
+  newName: gcr.io/kubeflow-images-public/jupyter-web-app
+  newTag: vmaster-gd9be4b9e
+resources:
+- ../../../../../jupyter/jupyter-web-app/base/cluster-role-binding.yaml
+- ../../../../../jupyter/jupyter-web-app/base/cluster-role.yaml
+- ../../../../../jupyter/jupyter-web-app/base/deployment.yaml
+- ../../../../../jupyter/jupyter-web-app/base/role-binding.yaml
+- ../../../../../jupyter/jupyter-web-app/base/role.yaml
+- ../../../../../jupyter/jupyter-web-app/base/service-account.yaml
+- ../../../../../jupyter/jupyter-web-app/base/service.yaml
+patchesStrategicMerge:
+- deployment_patch.yaml
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: jupyter-web-app-config
+  files:
+  - ../../../../../jupyter/jupyter-web-app/base/configs/spawner_ui_config.yaml
+- name: parameters
+  envs:
+  - params.env
+vars:
+- fieldref:
+    fieldPath: data.policy
+  name: policy
+  objref:
+    apiVersion: v1
+    kind: ConfigMap
+    name: parameters
+- fieldref:
+    fieldPath: data.prefix
+  name: prefix
+  objref:
+    apiVersion: v1
+    kind: ConfigMap
+    name: parameters
+configurations:
+- params.yaml

stacks/ibm/application/jupyter-web-app/base/params.env

@@ -0,0 +1,4 @@
+UI=default
+ROK_SECRET_NAME=secret-rok-{username}
+policy=Always
+prefix=jupyter

stacks/ibm/application/jupyter-web-app/base/params.yaml

@@ -0,0 +1,7 @@
+varReference:
+- path: spec/template/spec/containers/imagePullPolicy
+  kind: Deployment
+- path: metadata/annotations/getambassador.io\/config
+  kind: Service
+- path: spec/http/route/destination/host
+  kind: VirtualService

stacks/ibm/application/jupyter-web-app/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- base
+- ../../../../jupyter/jupyter-web-app/overlays/istio
+- ../../../../jupyter/jupyter-web-app/overlays/application

stacks/ibm/application/metadata/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+commonLabels:
+  app.kubernetes.io/component: metadata
+  app.kubernetes.io/name: metadata
+  kustomize.component: metadata
+resources:
+- ../../../../metadata/overlays/db
+- ../../../../metadata/overlays/application/application.yaml
+- ../../../../metadata/overlays/istio/virtual-service.yaml
+- ../../../../metadata/overlays/istio/virtual-service-metadata-grpc.yaml
+configurations:
+- ../../../../metadata/overlays/istio/params.yaml
+images:
+  - name: mysql
+    newTag: "5.6"
+    newName: mysql

stacks/ibm/application/notebook-controller/README.md

@@ -0,0 +1 @@
+Note: the approach to have the `base` in a sub-directory is to avoid the problem of current `namePrefix` incapability to skip adding to certain resources. In this case, they are `VirtualService` and `Application`. For these, we want the name to be `notebook-controller` instead of `notebook-controller-notebook-controller`.

stacks/ibm/application/notebook-controller/base/deployment_patch.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        env:
+          - name: USE_ISTIO
+            valueFrom:
+              configMapKeyRef:
+                name: notebook-controller-config
+                key: USE_ISTIO
+          - name: ISTIO_GATEWAY
+            valueFrom:
+              configMapKeyRef:
+                name: notebook-controller-config
+                key: ISTIO_GATEWAY
+        

stacks/ibm/application/notebook-controller/base/kustomization.yaml

@@ -0,0 +1,29 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namePrefix: notebook-controller-
+namespace: kubeflow
+commonLabels:
+  app: notebook-controller
+  app.kubernetes.io/component: notebook-controller
+  app.kubernetes.io/name: notebook-controller
+  kustomize.component: notebook-controller
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- literals:
+  - USE_ISTIO=true
+  - ISTIO_GATEWAY=kubeflow/kubeflow-gateway
+  name: config
+images:
+- name: gcr.io/kubeflow-images-public/notebook-controller
+  newName: gcr.io/kubeflow-images-public/notebook-controller
+  newTag: vmaster-gf39279c0
+patchesStrategicMerge:
+- deployment_patch.yaml
+resources:
+- ../../../../../jupyter/notebook-controller/base/cluster-role-binding.yaml
+- ../../../../../jupyter/notebook-controller/base/cluster-role.yaml
+- ../../../../../jupyter/notebook-controller/base/crd.yaml
+- ../../../../../jupyter/notebook-controller/base/deployment.yaml
+- ../../../../../jupyter/notebook-controller/base/service-account.yaml
+- ../../../../../jupyter/notebook-controller/base/service.yaml

stacks/ibm/application/notebook-controller/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  app.kubernetes.io/component: notebook-controller
+  app.kubernetes.io/name: notebook-controller
+resources:
+- base
+- ../../../../jupyter/notebook-controller/overlays/application/application.yaml

stacks/ibm/application/pipelines-ui/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+commonLabels:
+    app.kubernetes.io/component: pipelines-ui
+    app.kubernetes.io/name: pipelines-ui
+resources:
+  - ../../../../pipeline/pipelines-ui/overlays/istio
+  - ../../../../pipeline/pipelines-ui/overlays/application/application.yaml

stacks/ibm/application/profiles/base/deployment_patch.yaml

@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment
+spec:
+  template:
+    spec:
+      containers:
+      - command:
+        - /manager 
+        - -userid-header 
+        - $(USERID_HEADER) 
+        - -userid-prefix 
+        - $(USERID_PREFIX) 
+        - -workload-identity 
+        - $(WORKLOAD_IDENTITY)
+        args: []
+        name: manager
+        env:
+        - name: USERID_HEADER
+          valueFrom:
+            configMapKeyRef:
+              name: kubeflow-config
+              key: userid-header
+        - name: USERID_PREFIX
+          valueFrom:
+            configMapKeyRef:
+              name: kubeflow-config
+              key: userid-prefix
+        - name: WORKLOAD_IDENTITY
+          valueFrom:
+            configMapKeyRef:
+              name: profiles-config
+              key: gcp-sa
+      - command:
+        - /access-management 
+        - -cluster-admin 
+        - $(CLUSTER_ADMIN) 
+        - -userid-prefix 
+        - $(USERID_PREFIX)
+        args: []
+        name: kfam
+        env:
+        - name: USERID_HEADER
+          valueFrom:
+            configMapKeyRef:
+              name: kubeflow-config
+              key: userid-header
+        - name: USERID_PREFIX
+          valueFrom:
+            configMapKeyRef:
+              name: kubeflow-config
+              key: userid-prefix
+        - name: CLUSTER_ADMIN
+          valueFrom:
+            configMapKeyRef:
+              name: profiles-config
+              key: admin

stacks/ibm/application/profiles/base/kustomization.yaml

@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namePrefix: profiles-
+commonLabels:
+  kustomize.component: profiles
+images:
+- name: gcr.io/kubeflow-images-public/kfam
+  newName: gcr.io/kubeflow-images-public/kfam
+  newTag: vmaster-gf3e09203
+- name: gcr.io/kubeflow-images-public/profile-controller
+  newName: gcr.io/kubeflow-images-public/profile-controller
+  newTag: vmaster-g34aa47c2
+resources:
+- ../../../../../profiles/base/cluster-role-binding.yaml
+- ../../../../../profiles/base/crd.yaml
+- ../../../../../profiles/base/deployment.yaml
+- ../../../../../profiles/base/service.yaml
+- ../../../../../profiles/base/service-account.yaml
+patchesStrategicMerge:
+- deployment_patch.yaml
+configMapGenerator:
+# We need the name to be unique without the suffix because the original name is what
+# gets used with patches
+- name: profiles-config
+  literals:
+  - admin=
+  - gcp-sa=

stacks/ibm/application/profiles/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  app.kubernetes.io/component: profiles
+  app.kubernetes.io/name: profiles
+resources:
+- base
+- ../../../../profiles/overlays/istio/virtual-service.yaml
+- ../../../../profiles/overlays/application/application.yaml

stacks/ibm/application/spark-operator/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- ../../../../spark/spark-operator/overlays/application

stacks/ibm/application/spartakus/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- ../../../../common/spartakus/overlays/application
+configMapGenerator:
+- name: spartakus-config
+  behavior: merge
+  literals:
+  - usageId=<randomly-generated-id>

stacks/ibm/application/tensorboard/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- ../../../../tensorboard/overlays/istio
+configMapGenerator:
+- name: parameters
+  behavior: merge
+  literals:
+  - namespace=kubeflow

stacks/ibm/config/params.env

@@ -0,0 +1,3 @@
+clusterDomain=cluster.local
+userid-header=kubeflow-userid
+userid-prefix=

stacks/ibm/kustomization.yaml

@@ -0,0 +1,70 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+  - ../../admission-webhook/webhook/v3
+  - ../../common/centraldashboard/overlays/stacks
+  - ../../kubeflow-roles/base
+  - application/jupyter-web-app
+  - application/notebook-controller
+  - application/profiles
+  - ../../argo/base_v3
+  - ../../pipeline/api-service/overlays/application
+  - ../../pipeline/minio/installs/ibm
+  - ../../pipeline/mysql/installs/ibm
+  - ../../pipeline/persistent-agent/overlays/application
+  - ../../pipeline/pipelines-runner/overlays/application
+  - application/pipelines-ui
+  - ../../pipeline/pipelines-viewer/overlays/application
+  - ../../pipeline/scheduledworkflow/overlays/application
+  - ../../pipeline/pipeline-visualization-service/overlays/application
+  - ../../pytorch-job/pytorch-job-crds/overlays/application
+  - ../../pytorch-job/pytorch-operator/overlays/application
+  - ../../tf-training/tf-job-crds/overlays/application
+  - ../../tf-training/tf-job-operator/overlays/application
+  - ../../katib/installs/katib-standalone-ibm
+  - ../../seldon/seldon-core-operator/overlays/application
+configMapGenerator:
+- name: pipeline-mysql-parameters
+  behavior: merge
+  literals:
+  - mysqlPvcName=mysql-pv-claim
+- name: pipeline-minio-parameters
+  behavior: merge
+  literals:
+  - minioPvcName=minio-pv-claim
+- name: workflow-controller-parameters
+  behavior: merge
+  literals:
+  - containerRuntimeExecutor=pns
+- name: profiles-config
+  behavior: merge
+  literals:
+  - admin=example@kubeflow.org
+- name: kubeflow-config
+  envs:
+  - ./config/params.env
+vars:
+# We need to define vars at the top level otherwise we will get
+# conflicts. 
+- fieldref:
+    fieldPath: data.clusterDomain
+  name: clusterDomain
+  objref:
+    apiVersion: v1
+    kind: ConfigMap
+    name: kubeflow-config
+- fieldref:
+    fieldPath: metadata.namespace
+  name: namespace
+  objref:
+    apiVersion: v1
+    kind: ConfigMap
+    name: kubeflow-config
+- fieldref:
+    fieldpath: metadata.namespace
+  name: katib-ui-namespace
+  objref:
+    kind: Service
+    name: katib-ui
+    apiVersion: v1

tests/stacks/ibm/application/add-anonymous-user-filter/kustomize_test.go

@@ -0,0 +1,15 @@
+package add_anonymous_user_filter
+
+import (
+	"github.com/kubeflow/manifests/tests"
+	"testing"
+)
+
+func TestKustomize(t *testing.T) {
+	testCase := &tests.KustomizeTestCase{
+		Package:  "../../../../../stacks/ibm/application/add-anonymous-user-filter",
+		Expected: "test_data/expected",
+	}
+
+	tests.RunTestCase(t, testCase)
+}

tests/stacks/ibm/application/add-anonymous-user-filter/test_data/expected/networking.istio.io_v1alpha3_envoyfilter_add-user-filter.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: add-user-filter
+  namespace: istio-system
+spec:
+  filters:
+  - filterConfig:
+      inlineCode: |
+        function envoy_on_request(request_handle)
+            request_handle:headers():add("kubeflow-userid","anonymous@kubeflow.org")
+        end
+    filterName: envoy.lua
+    filterType: HTTP
+    insertPosition:
+      index: FIRST
+    listenerMatch:
+      listenerType: GATEWAY
+  workloadLabels:
+    app: istio-ingressgateway

tests/stacks/ibm/application/bootstrap/kustomize_test.go

@@ -0,0 +1,15 @@
+package bootstrap
+
+import (
+	"github.com/kubeflow/manifests/tests"
+	"testing"
+)
+
+func TestKustomize(t *testing.T) {
+	testCase := &tests.KustomizeTestCase{
+		Package:  "../../../../../stacks/ibm/application/bootstrap",
+		Expected: "test_data/expected",
+	}
+
+	tests.RunTestCase(t, testCase)
+}

tests/stacks/ibm/application/bootstrap/test_data/expected/app.k8s.io_v1beta1_application_bootstrap.yaml

@@ -0,0 +1,37 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+  labels:
+    app.kubernetes.io/component: bootstrap
+    app.kubernetes.io/name: bootstrap
+  name: bootstrap
+  namespace: kubeflow
+spec:
+  addOwnerRef: true
+  componentKinds:
+  - group: core
+    kind: ConfigMap
+  - group: apps
+    kind: StatefulSet
+  - group: core
+    kind: ServiceAccount
+  descriptor:
+    description: Bootstraps the admission-webhook controller
+    keywords:
+    - admission-webhook
+    - kubeflow
+    links:
+    - description: About
+      url: https://github.com/kubeflow/kubeflow/tree/master/components/admission-webhook
+    maintainers: []
+    owners: []
+    type: bootstrap
+    version: v1beta1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: bootstrap
+      app.kubernetes.io/instance: bootstrap-v0.7.0
+      app.kubernetes.io/managed-by: kfctl
+      app.kubernetes.io/name: bootstrap
+      app.kubernetes.io/part-of: kubeflow
+      app.kubernetes.io/version: v0.7.0

tests/stacks/ibm/application/bootstrap/test_data/expected/apps_v1_statefulset_admission-webhook-bootstrap-stateful-set.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app.kubernetes.io/component: bootstrap
+    app.kubernetes.io/name: bootstrap
+    kustomize.component: admission-webhook-bootstrap
+  name: admission-webhook-bootstrap-stateful-set
+  namespace: kubeflow
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: bootstrap
+      app.kubernetes.io/name: bootstrap
+      kustomize.component: admission-webhook-bootstrap
+  serviceName: service
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+      labels:
+        app.kubernetes.io/component: bootstrap
+        app.kubernetes.io/name: bootstrap
+        kustomize.component: admission-webhook-bootstrap
+    spec:
+      containers:
+      - command:
+        - sh
+        - /var/webhook-config/create_ca.sh
+        image: gcr.io/kubeflow-images-public/ingress-setup:latest
+        name: bootstrap
+        volumeMounts:
+        - mountPath: /var/webhook-config/
+          name: admission-webhook-config
+      restartPolicy: Always
+      serviceAccountName: admission-webhook-bootstrap-service-account
+      volumes:
+      - configMap:
+          name: admission-webhook-bootstrap-config-map
+        name: admission-webhook-config
+  volumeClaimTemplates: []

tests/stacks/ibm/application/bootstrap/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_admission-webhook-bootstrap-cluster-role.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: bootstrap
+    app.kubernetes.io/name: bootstrap
+    kustomize.component: admission-webhook-bootstrap
+  name: admission-webhook-bootstrap-cluster-role
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+  - delete

tests/stacks/ibm/application/bootstrap/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_admission-webhook-bootstrap-cluster-role-binding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: bootstrap
+    app.kubernetes.io/name: bootstrap
+    kustomize.component: admission-webhook-bootstrap
+  name: admission-webhook-bootstrap-cluster-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admission-webhook-bootstrap-cluster-role
+subjects:
+- kind: ServiceAccount
+  name: admission-webhook-bootstrap-service-account
+  namespace: kubeflow

tests/stacks/ibm/application/bootstrap/test_data/expected/~g_v1_configmap_admission-webhook-bootstrap-config-map.yaml

@@ -0,0 +1,139 @@
+apiVersion: v1
+data:
+  create_ca.sh: |
+    #!/bin/bash
+
+    set -e
+
+    usage() {
+        cat <<EOF
+    Generate certificate suitable for use with an sidecar-injector webhook service.
+    This script uses k8s' CertificateSigningRequest API to a generate a
+    certificate signed by k8s CA suitable for use with sidecar-injector webhook
+    services. This requires permissions to create and approve CSR. See
+    https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster for
+    detailed explantion and additional instructions.
+    The server key/cert k8s CA cert are stored in a k8s secret.
+    usage: ${0} [OPTIONS]
+    The following flags are required.
+           --service          Service name of webhook.
+           --namespace        Namespace where webhook service and secret reside.
+           --secret           Secret name for CA certificate and server certificate/key pair.
+    EOF
+        exit 1
+    }
+
+    while [[ $# -gt 0 ]]; do
+        case ${1} in
+            --service)
+                service="$2"
+                shift
+                ;;
+            --secret)
+                secret="$2"
+                shift
+                ;;
+            --namespace)
+                namespace="$2"
+                shift
+                ;;
+            *)
+                usage
+                ;;
+        esac
+        shift
+    done
+
+    [ -z ${service} ] && service=admission-webhook-service
+    [ -z ${secret} ] && secret=webhook-certs
+    [ -z ${namespace} ] && namespace=kubeflow
+    [ -z ${namespace} ] && namespace=default
+
+    webhookDeploymentName=admission-webhook-deployment
+    mutatingWebhookConfigName=admission-webhook-mutating-webhook-configuration
+    echo ${service}
+    echo ${namespace}
+    echo ${secret}
+    echo ${webhookDeploymentName}
+    echo ${mutatingWebhookconfigName}
+    if [ ! -x "$(command -v openssl)" ]; then
+        echo "openssl not found"
+        exit 1
+    fi
+    csrName=${service}.${namespace}
+    tmpdir=$(mktemp -d)
+    echo "creating certs in tmpdir ${tmpdir} "
+
+    # x509 outputs a self signed certificate instead of certificate request, later used as self signed root CA
+    openssl req -x509 -newkey rsa:2048 -keyout ${tmpdir}/self_ca.key -out ${tmpdir}/self_ca.crt -days 365 -nodes -subj /C=/ST=/L=/O=/OU=/CN=test-certificate-authority
+
+    cat <<EOF >> ${tmpdir}/csr.conf
+    [req]
+    req_extensions = v3_req
+    distinguished_name = req_distinguished_name
+    [req_distinguished_name]
+    [ v3_req ]
+    basicConstraints = CA:FALSE
+    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+    extendedKeyUsage = serverAuth
+    subjectAltName = @alt_names
+    [alt_names]
+    DNS.1 = ${service}
+    DNS.2 = ${service}.${namespace}
+    DNS.3 = ${service}.${namespace}.svc
+    EOF
+
+    openssl genrsa -out ${tmpdir}/server-key.pem 2048
+    openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf
+
+    # Self sign
+    openssl x509 -req -days 365 -in ${tmpdir}/server.csr -CA ${tmpdir}/self_ca.crt -CAkey ${tmpdir}/self_ca.key -CAcreateserial -out ${tmpdir}/server-cert.pem
+
+    # create the secret with CA cert and server cert/key
+    kubectl create secret generic ${secret} \
+            --from-file=key.pem=${tmpdir}/server-key.pem \
+            --from-file=cert.pem=${tmpdir}/server-cert.pem \
+            --dry-run -o yaml |
+        kubectl -n ${namespace} apply -f -
+
+    # Webhook pod needs to be restarted so that the service reload the secret
+    # http://github.com/kueflow/kubeflow/issues/3227
+    webhookPod=$(kubectl get pods -n ${namespace} |grep ${webhookDeploymentName} |awk '{print $1;}')
+    # ignore error if webhook pod does not exist
+    kubectl delete pod ${webhookPod} 2>/dev/null || true
+    echo "webhook ${webhookPod} is restarted to utilize the new secret"
+
+    cat ${tmpdir}/self_ca.crt
+
+    # -a means base64 encode
+    caBundle=$(cat ${tmpdir}/self_ca.crt | openssl enc -a -A)
+    echo ${caBundle}
+
+    patchString='[{"op": "replace", "path": "/webhooks/0/clientConfig/caBundle", "value":"{{CA_BUNDLE}}"}]'
+    patchString=$(echo ${patchString} | sed "s|{{CA_BUNDLE}}|${caBundle}|g")
+    echo ${patchString}
+
+    checkWebhookConfig() {
+      currentBundle=$(kubectl get mutatingwebhookconfigurations -n ${namespace} ${mutatingWebhookConfigName} -o jsonpath='{.webhooks[0].clientConfig.caBundle}')
+      [[ "$currentBundle" == "$caBundle" ]]
+    }
+
+    while true; do
+      if ! checkWebhookConfig; then
+        echo "patching ca bundle for webhook configuration..."
+        kubectl patch mutatingwebhookconfiguration ${mutatingWebhookConfigName} \
+            --type='json' -p="${patchString}"
+      fi
+      sleep 10
+    done
+  namespace: kubeflow
+  webhookNamePrefix: admission-webhook-
+kind: ConfigMap
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/component: bootstrap
+    app.kubernetes.io/name: bootstrap
+    kustomize.component: admission-webhook-bootstrap
+  name: admission-webhook-bootstrap-config-map
+  namespace: kubeflow

tests/stacks/ibm/application/bootstrap/test_data/expected/~g_v1_serviceaccount_admission-webhook-bootstrap-service-account.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: bootstrap
+    app.kubernetes.io/name: bootstrap
+    kustomize.component: admission-webhook-bootstrap
+  name: admission-webhook-bootstrap-service-account
+  namespace: kubeflow

tests/stacks/ibm/application/cert-manager-crds/kustomize_test.go

@@ -0,0 +1,15 @@
+package cert_manager_crds
+
+import (
+	"github.com/kubeflow/manifests/tests"
+	"testing"
+)
+
+func TestKustomize(t *testing.T) {
+	testCase := &tests.KustomizeTestCase{
+		Package:  "../../../../../stacks/ibm/application/cert-manager-crds",
+		Expected: "test_data/expected",
+	}
+
+	tests.RunTestCase(t, testCase)
+}

tests/stacks/ibm/application/cert-manager-crds/test_data/expected/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificaterequests.cert-manager.io.yaml

@@ -0,0 +1,181 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: certificaterequests.cert-manager.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.conditions[?(@.type=="Ready")].status
+    name: Ready
+    type: string
+  - JSONPath: .spec.issuerRef.name
+    name: Issuer
+    priority: 1
+    type: string
+  - JSONPath: .status.conditions[?(@.type=="Ready")].message
+    name: Status
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: cert-manager.io
+  names:
+    kind: CertificateRequest
+    listKind: CertificateRequestList
+    plural: certificaterequests
+    shortNames:
+    - cr
+    - crs
+    singular: certificaterequest
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: CertificateRequest is a type to represent a Certificate Signing
+        Request
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: CertificateRequestSpec defines the desired state of CertificateRequest
+          properties:
+            csr:
+              description: Byte slice containing the PEM encoded CertificateSigningRequest
+              format: byte
+              type: string
+            duration:
+              description: Requested certificate default Duration
+              type: string
+            isCA:
+              description: IsCA will mark the resulting certificate as valid for signing.
+                This implies that the 'cert sign' usage is set
+              type: boolean
+            issuerRef:
+              description: IssuerRef is a reference to the issuer for this CertificateRequest.  If
+                the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+                with the given name in the same namespace as the CertificateRequest
+                will be used.  If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+                with the provided name will be used. The 'name' field in this stanza
+                is required at all times. The group field refers to the API group
+                of the issuer which defaults to 'cert-manager.io' if empty.
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+              required:
+              - name
+              type: object
+            usages:
+              description: Usages is the set of x509 actions that are enabled for
+                a given key. Defaults are ('digital signature', 'key encipherment')
+                if empty
+              items:
+                description: 'KeyUsage specifies valid usage contexts for keys. See:
+                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12'
+                enum:
+                - signing
+                - digital signature
+                - content commitment
+                - key encipherment
+                - key agreement
+                - data encipherment
+                - cert sign
+                - crl sign
+                - encipher only
+                - decipher only
+                - any
+                - server auth
+                - client auth
+                - code signing
+                - email protection
+                - s/mime
+                - ipsec end system
+                - ipsec tunnel
+                - ipsec user
+                - timestamping
+                - ocsp signing
+                - microsoft sgc
+                - netscape sgc
+                type: string
+              type: array
+          required:
+          - issuerRef
+          type: object
+        status:
+          description: CertificateStatus defines the observed state of CertificateRequest
+            and resulting signed certificate.
+          properties:
+            ca:
+              description: Byte slice containing the PEM encoded certificate authority
+                of the signed certificate.
+              format: byte
+              type: string
+            certificate:
+              description: Byte slice containing a PEM encoded signed certificate
+                resulting from the given certificate signing request.
+              format: byte
+              type: string
+            conditions:
+              items:
+                description: CertificateRequestCondition contains condition information
+                  for a CertificateRequest.
+                properties:
+                  lastTransitionTime:
+                    description: LastTransitionTime is the timestamp corresponding
+                      to the last status change of this condition.
+                    format: date-time
+                    type: string
+                  message:
+                    description: Message is a human readable description of the details
+                      of the last transition, complementing reason.
+                    type: string
+                  reason:
+                    description: Reason is a brief machine readable explanation for
+                      the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of ('True', 'False',
+                      'Unknown').
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                    type: string
+                  type:
+                    description: Type of the condition, currently ('Ready').
+                    type: string
+                required:
+                - status
+                - type
+                type: object
+              type: array
+            failureTime:
+              description: FailureTime stores the time that this CertificateRequest
+                failed. This is used to influence garbage collection and back-off.
+              format: date-time
+              type: string
+          type: object
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true

tests/stacks/ibm/application/cert-manager-crds/test_data/expected/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificates.cert-manager.io.yaml

@@ -0,0 +1,235 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: certificates.cert-manager.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.conditions[?(@.type=="Ready")].status
+    name: Ready
+    type: string
+  - JSONPath: .spec.secretName
+    name: Secret
+    type: string
+  - JSONPath: .spec.issuerRef.name
+    name: Issuer
+    priority: 1
+    type: string
+  - JSONPath: .status.conditions[?(@.type=="Ready")].message
+    name: Status
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: cert-manager.io
+  names:
+    kind: Certificate
+    listKind: CertificateList
+    plural: certificates
+    shortNames:
+    - cert
+    - certs
+    singular: certificate
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: Certificate is a type to represent a Certificate from ACME
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: CertificateSpec defines the desired state of Certificate. A
+            valid Certificate requires at least one of a CommonName, DNSName, or URISAN
+            to be valid.
+          properties:
+            commonName:
+              description: CommonName is a common name to be used on the Certificate.
+                The CommonName should have a length of 64 characters or fewer to avoid
+                generating invalid CSRs.
+              type: string
+            dnsNames:
+              description: DNSNames is a list of subject alt names to be used on the
+                Certificate.
+              items:
+                type: string
+              type: array
+            duration:
+              description: Certificate default Duration
+              type: string
+            ipAddresses:
+              description: IPAddresses is a list of IP addresses to be used on the
+                Certificate
+              items:
+                type: string
+              type: array
+            isCA:
+              description: IsCA will mark this Certificate as valid for signing. This
+                implies that the 'cert sign' usage is set
+              type: boolean
+            issuerRef:
+              description: IssuerRef is a reference to the issuer for this certificate.
+                If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+                with the given name in the same namespace as the Certificate will
+                be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+                with the provided name will be used. The 'name' field in this stanza
+                is required at all times.
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+              required:
+              - name
+              type: object
+            keyAlgorithm:
+              description: KeyAlgorithm is the private key algorithm of the corresponding
+                private key for this certificate. If provided, allowed values are
+                either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is
+                not provided, key size of 256 will be used for "ecdsa" key algorithm
+                and key size of 2048 will be used for "rsa" key algorithm.
+              enum:
+              - rsa
+              - ecdsa
+              type: string
+            keyEncoding:
+              description: KeyEncoding is the private key cryptography standards (PKCS)
+                for this certificate's private key to be encoded in. If provided,
+                allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
+                respectively. If KeyEncoding is not specified, then PKCS#1 will be
+                used by default.
+              enum:
+              - pkcs1
+              - pkcs8
+              type: string
+            keySize:
+              description: KeySize is the key bit size of the corresponding private
+                key for this certificate. If provided, value must be between 2048
+                and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
+                and value must be one of (256, 384, 521) when KeyAlgorithm is set
+                to "ecdsa".
+              type: integer
+            organization:
+              description: Organization is the organization to be used on the Certificate
+              items:
+                type: string
+              type: array
+            renewBefore:
+              description: Certificate renew before expiration duration
+              type: string
+            secretName:
+              description: SecretName is the name of the secret resource to store
+                this secret in
+              type: string
+            uriSANs:
+              description: URISANs is a list of URI Subject Alternative Names to be
+                set on this Certificate.
+              items:
+                type: string
+              type: array
+            usages:
+              description: Usages is the set of x509 actions that are enabled for
+                a given key. Defaults are ('digital signature', 'key encipherment')
+                if empty
+              items:
+                description: 'KeyUsage specifies valid usage contexts for keys. See:
+                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12'
+                enum:
+                - signing
+                - digital signature
+                - content commitment
+                - key encipherment
+                - key agreement
+                - data encipherment
+                - cert sign
+                - crl sign
+                - encipher only
+                - decipher only
+                - any
+                - server auth
+                - client auth
+                - code signing
+                - email protection
+                - s/mime
+                - ipsec end system
+                - ipsec tunnel
+                - ipsec user
+                - timestamping
+                - ocsp signing
+                - microsoft sgc
+                - netscape sgc
+                type: string
+              type: array
+          required:
+          - issuerRef
+          - secretName
+          type: object
+        status:
+          description: CertificateStatus defines the observed state of Certificate
+          properties:
+            conditions:
+              items:
+                description: CertificateCondition contains condition information for
+                  an Certificate.
+                properties:
+                  lastTransitionTime:
+                    description: LastTransitionTime is the timestamp corresponding
+                      to the last status change of this condition.
+                    format: date-time
+                    type: string
+                  message:
+                    description: Message is a human readable description of the details
+                      of the last transition, complementing reason.
+                    type: string
+                  reason:
+                    description: Reason is a brief machine readable explanation for
+                      the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of ('True', 'False',
+                      'Unknown').
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                    type: string
+                  type:
+                    description: Type of the condition, currently ('Ready').
+                    type: string
+                required:
+                - status
+                - type
+                type: object
+              type: array
+            lastFailureTime:
+              format: date-time
+              type: string
+            notAfter:
+              description: The expiration time of the certificate stored in the secret
+                named by this resource in spec.secretName.
+              format: date-time
+              type: string
+          type: object
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true

tests/stacks/ibm/application/cert-manager-crds/test_data/expected/apiextensions.k8s.io_v1beta1_customresourcedefinition_orders.acme.cert-manager.io.yaml

@@ -0,0 +1,200 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: orders.acme.cert-manager.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.state
+    name: State
+    type: string
+  - JSONPath: .spec.issuerRef.name
+    name: Issuer
+    priority: 1
+    type: string
+  - JSONPath: .status.reason
+    name: Reason
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: acme.cert-manager.io
+  names:
+    kind: Order
+    listKind: OrderList
+    plural: orders
+    singular: order
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: Order is a type to represent an Order with an ACME server
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            commonName:
+              description: CommonName is the common name as specified on the DER encoded
+                CSR. If CommonName is not specified, the first DNSName specified will
+                be used as the CommonName. At least one of CommonName or a DNSNames
+                must be set. This field must match the corresponding field on the
+                DER encoded CSR.
+              type: string
+            csr:
+              description: Certificate signing request bytes in DER encoding. This
+                will be used when finalizing the order. This field must be set on
+                the order.
+              format: byte
+              type: string
+            dnsNames:
+              description: DNSNames is a list of DNS names that should be included
+                as part of the Order validation process. If CommonName is not specified,
+                the first DNSName specified will be used as the CommonName. At least
+                one of CommonName or a DNSNames must be set. This field must match
+                the corresponding field on the DER encoded CSR.
+              items:
+                type: string
+              type: array
+            issuerRef:
+              description: IssuerRef references a properly configured ACME-type Issuer
+                which should be used to create this Order. If the Issuer does not
+                exist, processing will be retried. If the Issuer is not an 'ACME'
+                Issuer, an error will be returned and the Order will be marked as
+                failed.
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+              required:
+              - name
+              type: object
+          required:
+          - csr
+          - issuerRef
+          type: object
+        status:
+          properties:
+            authorizations:
+              description: Authorizations contains data returned from the ACME server
+                on what authoriations must be completed in order to validate the DNS
+                names specified on the Order.
+              items:
+                description: ACMEAuthorization contains data returned from the ACME
+                  server on an authorization that must be completed in order validate
+                  a DNS name on an ACME Order resource.
+                properties:
+                  challenges:
+                    description: Challenges specifies the challenge types offered
+                      by the ACME server. One of these challenge types will be selected
+                      when validating the DNS name and an appropriate Challenge resource
+                      will be created to perform the ACME challenge process.
+                    items:
+                      description: Challenge specifies a challenge offered by the
+                        ACME server for an Order. An appropriate Challenge resource
+                        can be created to perform the ACME challenge process.
+                      properties:
+                        token:
+                          description: Token is the token that must be presented for
+                            this challenge. This is used to compute the 'key' that
+                            must also be presented.
+                          type: string
+                        type:
+                          description: Type is the type of challenge being offered,
+                            e.g. http-01, dns-01
+                          type: string
+                        url:
+                          description: URL is the URL of this challenge. It can be
+                            used to retrieve additional metadata about the Challenge
+                            from the ACME server.
+                          type: string
+                      required:
+                      - token
+                      - type
+                      - url
+                      type: object
+                    type: array
+                  identifier:
+                    description: Identifier is the DNS name to be validated as part
+                      of this authorization
+                    type: string
+                  url:
+                    description: URL is the URL of the Authorization that must be
+                      completed
+                    type: string
+                  wildcard:
+                    description: Wildcard will be true if this authorization is for
+                      a wildcard DNS name. If this is true, the identifier will be
+                      the *non-wildcard* version of the DNS name. For example, if
+                      '*.example.com' is the DNS name being validated, this field
+                      will be 'true' and the 'identifier' field will be 'example.com'.
+                    type: boolean
+                required:
+                - url
+                type: object
+              type: array
+            certificate:
+              description: Certificate is a copy of the PEM encoded certificate for
+                this Order. This field will be populated after the order has been
+                successfully finalized with the ACME server, and the order has transitioned
+                to the 'valid' state.
+              format: byte
+              type: string
+            failureTime:
+              description: FailureTime stores the time that this order failed. This
+                is used to influence garbage collection and back-off.
+              format: date-time
+              type: string
+            finalizeURL:
+              description: FinalizeURL of the Order. This is used to obtain certificates
+                for this order once it has been completed.
+              type: string
+            reason:
+              description: Reason optionally provides more information about a why
+                the order is in the current state.
+              type: string
+            state:
+              description: State contains the current state of this Order resource.
+                States 'success' and 'expired' are 'final'
+              enum:
+              - valid
+              - ready
+              - pending
+              - processing
+              - invalid
+              - expired
+              - errored
+              type: string
+            url:
+              description: URL of the Order. This will initially be empty when the
+                resource is first created. The Order controller will populate this
+                field when the Order is first processed. This field will be immutable
+                after it is initially set.
+              type: string
+          type: object
+      required:
+      - metadata
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true

tests/stacks/ibm/application/cert-manager-kube-system-resources/kustomize_test.go

@@ -0,0 +1,15 @@
+package cert_manager_kube_system_resources
+
+import (
+	"github.com/kubeflow/manifests/tests"
+	"testing"
+)
+
+func TestKustomize(t *testing.T) {
+	testCase := &tests.KustomizeTestCase{
+		Package:  "../../../../../stacks/ibm/application/cert-manager-kube-system-resources",
+		Expected: "test_data/expected",
+	}
+
+	tests.RunTestCase(t, testCase)
+}

tests/stacks/ibm/application/cert-manager-kube-system-resources/test_data/expected/rbac.authorization.k8s.io_v1beta1_role_cert-manager-cainjector:leaderelection.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  labels:
+    app: cainjector
+    kustomize.component: cert-manager
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - create
+  - update
+  - patch

tests/stacks/ibm/application/cert-manager-kube-system-resources/test_data/expected/rbac.authorization.k8s.io_v1beta1_role_cert-manager:leaderelection.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  labels:
+    app: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager:leaderelection
+  namespace: kube-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - create
+  - update
+  - patch

tests/stacks/ibm/application/cert-manager-kube-system-resources/test_data/expected/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-cainjector:leaderelection.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  labels:
+    app: cainjector
+    kustomize.component: cert-manager
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-cainjector:leaderelection
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-cainjector
+  namespace: cert-manager

tests/stacks/ibm/application/cert-manager-kube-system-resources/test_data/expected/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-webhook:webhook-authentication-reader.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  labels:
+    app: webhook
+    kustomize.component: cert-manager
+  name: cert-manager-webhook:webhook-authentication-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook
+  namespace: cert-manager

tests/stacks/ibm/application/cert-manager-kube-system-resources/test_data/expected/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager:leaderelection.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager:leaderelection
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager:leaderelection
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager

tests/stacks/ibm/application/cert-manager-kube-system-resources/test_data/expected/~g_v1_configmap_cert-manager-kube-params-parameters.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+  certManagerNamespace: cert-manager
+kind: ConfigMap
+metadata:
+  labels:
+    kustomize.component: cert-manager
+  name: cert-manager-kube-params-parameters
+  namespace: kube-system

tests/stacks/ibm/application/cert-manager/kustomize_test.go

@@ -0,0 +1,15 @@
+package cert_manager
+
+import (
+	"github.com/kubeflow/manifests/tests"
+	"testing"
+)
+
+func TestKustomize(t *testing.T) {
+	testCase := &tests.KustomizeTestCase{
+		Package:  "../../../../../stacks/ibm/application/cert-manager",
+		Expected: "test_data/expected",
+	}
+
+	tests.RunTestCase(t, testCase)
+}

tests/stacks/ibm/application/cert-manager/test_data/expected/admissionregistration.k8s.io_v1beta1_mutatingwebhookconfiguration_cert-manager-webhook.yaml

@@ -0,0 +1,35 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-apiserver-ca: "true"
+  labels:
+    app: webhook
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-webhook
+webhooks:
+- clientConfig:
+    caBundle: ""
+    service:
+      name: kubernetes
+      namespace: default
+      path: /apis/webhook.cert-manager.io/v1beta1/mutations
+  failurePolicy: Fail
+  name: webhook.cert-manager.io
+  rules:
+  - apiGroups:
+    - cert-manager.io
+    apiVersions:
+    - v1alpha2
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - certificates
+    - issuers
+    - clusterissuers
+    - orders
+    - challenges
+    - certificaterequests

tests/stacks/ibm/application/cert-manager/test_data/expected/admissionregistration.k8s.io_v1beta1_validatingwebhookconfiguration_cert-manager-webhook.yaml

@@ -0,0 +1,34 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-apiserver-ca: "true"
+  labels:
+    app: webhook
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-webhook
+webhooks:
+- clientConfig:
+    caBundle: ""
+    service:
+      name: kubernetes
+      namespace: default
+      path: /apis/webhook.cert-manager.io/v1beta1/validations
+  failurePolicy: Fail
+  name: webhook.certmanager.k8s.io
+  rules:
+  - apiGroups:
+    - cert-manager.io
+    apiVersions:
+    - v1alpha2
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - certificates
+    - issuers
+    - clusterissuers
+    - certificaterequests
+  sideEffects: None

tests/stacks/ibm/application/cert-manager/test_data/expected/apiregistration.k8s.io_v1beta1_apiservice_v1beta1.webhook.cert-manager.io.yaml

@@ -0,0 +1,19 @@
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
+  labels:
+    app: webhook
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: v1beta1.webhook.cert-manager.io
+spec:
+  group: webhook.cert-manager.io
+  groupPriorityMinimum: 1000
+  service:
+    name: cert-manager-webhook
+    namespace: cert-manager
+  version: v1beta1
+  versionPriority: 15

tests/stacks/ibm/application/cert-manager/test_data/expected/app.k8s.io_v1beta1_application_cert-manager.yaml

@@ -0,0 +1,40 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+  labels:
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  componentKinds:
+  - group: rbac
+    kind: ClusterRole
+  - group: rbac
+    kind: ClusterRoleBinding
+  - group: core
+    kind: Namespace
+  - group: core
+    kind: Service
+  - group: apps
+    kind: Deployment
+  - group: core
+    kind: ServiceAccount
+  descriptor:
+    description: Automatically provision and manage TLS certificates in Kubernetes
+      https://jetstack.io.
+    keywords:
+    - cert-manager
+    links:
+    - description: About
+      url: https://github.com/jetstack/cert-manager
+    type: ""
+    version: v0.10.0
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: cert-manager
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/managed-by: kfctl
+      app.kubernetes.io/name: cert-manager
+      app.kubernetes.io/part-of: kubeflow

tests/stacks/ibm/application/cert-manager/test_data/expected/apps_v1_deployment_cert-manager-cainjector.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: cainjector
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-cainjector
+  namespace: cert-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cainjector
+      app.kubernetes.io/component: cert-manager
+      app.kubernetes.io/name: cert-manager
+      kustomize.component: cert-manager
+  template:
+    metadata:
+      annotations: null
+      labels:
+        app: cainjector
+        app.kubernetes.io/component: cert-manager
+        app.kubernetes.io/name: cert-manager
+        kustomize.component: cert-manager
+    spec:
+      containers:
+      - args:
+        - --v=2
+        - --leader-election-namespace=kube-system
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: quay.io/jetstack/cert-manager-cainjector:v0.11.0
+        imagePullPolicy: IfNotPresent
+        name: cainjector
+        resources: {}
+      serviceAccountName: cert-manager-cainjector

tests/stacks/ibm/application/cert-manager/test_data/expected/apps_v1_deployment_cert-manager-webhook.yaml

@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: webhook
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-webhook
+  namespace: cert-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: webhook
+      app.kubernetes.io/component: cert-manager
+      app.kubernetes.io/name: cert-manager
+      kustomize.component: cert-manager
+  template:
+    metadata:
+      annotations: null
+      labels:
+        app: webhook
+        app.kubernetes.io/component: cert-manager
+        app.kubernetes.io/name: cert-manager
+        kustomize.component: cert-manager
+    spec:
+      containers:
+      - args:
+        - --v=2
+        - --secure-port=6443
+        - --tls-cert-file=/certs/tls.crt
+        - --tls-private-key-file=/certs/tls.key
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: quay.io/jetstack/cert-manager-webhook:v0.11.0
+        imagePullPolicy: IfNotPresent
+        name: cert-manager
+        resources: {}
+        volumeMounts:
+        - mountPath: /certs
+          name: certs
+      serviceAccountName: cert-manager-webhook
+      volumes:
+      - name: certs
+        secret:
+          secretName: cert-manager-webhook-tls

tests/stacks/ibm/application/cert-manager/test_data/expected/apps_v1_deployment_cert-manager.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cert-manager
+      app.kubernetes.io/component: cert-manager
+      app.kubernetes.io/name: cert-manager
+      kustomize.component: cert-manager
+  template:
+    metadata:
+      annotations:
+        prometheus.io/path: /metrics
+        prometheus.io/port: "9402"
+        prometheus.io/scrape: "true"
+      labels:
+        app: cert-manager
+        app.kubernetes.io/component: cert-manager
+        app.kubernetes.io/name: cert-manager
+        kustomize.component: cert-manager
+    spec:
+      containers:
+      - args:
+        - --v=2
+        - --cluster-resource-namespace=$(POD_NAMESPACE)
+        - --leader-election-namespace=kube-system
+        - --webhook-namespace=$(POD_NAMESPACE)
+        - --webhook-ca-secret=cert-manager-webhook-ca
+        - --webhook-serving-secret=cert-manager-webhook-tls
+        - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: quay.io/jetstack/cert-manager-controller:v0.11.0
+        imagePullPolicy: IfNotPresent
+        name: cert-manager
+        ports:
+        - containerPort: 9402
+        resources:
+          requests:
+            cpu: 10m
+            memory: 32Mi
+      serviceAccountName: cert-manager

tests/stacks/ibm/application/cert-manager/test_data/expected/cert-manager.io_v1alpha2_clusterissuer_kubeflow-self-signing-issuer.yaml

@@ -0,0 +1,11 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  labels:
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: kubeflow-self-signing-issuer
+  namespace: cert-manager
+spec:
+  selfSigned: {}

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_cert-manager-edit.yaml

@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: cert-manager-edit
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_cert-manager-view.yaml

@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: cert-manager-view
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_cert-manager-webhook:webhook-requester.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: webhook
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-webhook:webhook-requester
+rules:
+- apiGroups:
+  - admission.cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - issuers
+  - clusterissuers
+  verbs:
+  - create

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_cert-manager-cainjector.yaml

@@ -0,0 +1,63 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cainjector
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-cainjector
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - get
+  - create
+  - update
+  - patch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - apiregistration.k8s.io
+  resources:
+  - apiservices
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+  - update

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_cert-manager-controller-certificates.yaml

@@ -0,0 +1,64 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-controller-certificates
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificates/status
+  - certificaterequests
+  - certificaterequests/status
+  verbs:
+  - update
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - clusterissuers
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_cert-manager-controller-challenges.yaml

@@ -0,0 +1,86 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-controller-challenges
+rules:
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges
+  - challenges/status
+  verbs:
+  - update
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - issuers
+  - clusterissuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+- apiGroups:
+  - extensions
+  - networking.k8s.io/v1
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+  - update
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_cert-manager-controller-clusterissuers.yaml

@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-controller-clusterissuers
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  - clusterissuers/status
+  verbs:
+  - update
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_cert-manager-controller-ingress-shim.yaml

@@ -0,0 +1,51 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-controller-ingress-shim
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  verbs:
+  - create
+  - update
+  - delete
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - issuers
+  - clusterissuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io/v1
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io/v1
+  resources:
+  - ingresses/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_cert-manager-controller-issuers.yaml

@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-controller-issuers
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - issuers
+  - issuers/status
+  verbs:
+  - update
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_cert-manager-controller-orders.yaml

@@ -0,0 +1,63 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-controller-orders
+rules:
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders
+  - orders/status
+  verbs:
+  - update
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders
+  - challenges
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges
+  verbs:
+  - create
+  - delete
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cert-manager-cainjector.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cainjector
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-cainjector
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-cainjector
+subjects:
+- kind: ServiceAccount
+  name: cert-manager-cainjector
+  namespace: cert-manager

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cert-manager-controller-certificates.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-controller-certificates
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-certificates
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cert-manager-controller-challenges.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-controller-challenges
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-challenges
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cert-manager-controller-clusterissuers.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-controller-clusterissuers
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-clusterissuers
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cert-manager-controller-ingress-shim.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-controller-ingress-shim
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-ingress-shim
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cert-manager-controller-issuers.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-controller-issuers
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-issuers
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cert-manager-controller-orders.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-controller-orders
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-orders
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager

tests/stacks/ibm/application/cert-manager/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cert-manager-webhook:auth-delegator.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: webhook
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-webhook:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook
+  namespace: cert-manager

tests/stacks/ibm/application/cert-manager/test_data/expected/~g_v1_configmap_cert-manager-parameters.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  namespace: cert-manager
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-parameters
+  namespace: cert-manager

tests/stacks/ibm/application/cert-manager/test_data/expected/~g_v1_namespace_cert-manager.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager

tests/stacks/ibm/application/cert-manager/test_data/expected/~g_v1_service_cert-manager-webhook.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: webhook
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager-webhook
+  namespace: cert-manager
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: 6443
+  selector:
+    app: webhook
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  type: ClusterIP

tests/stacks/ibm/application/cert-manager/test_data/expected/~g_v1_service_cert-manager.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  ports:
+  - port: 9402
+    protocol: TCP
+    targetPort: 9402
+  selector:
+    app: cert-manager
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+  type: ClusterIP