Automated cherry pick of #1621 #1627 [IBM] Add kfp-tekton deployment and update IBM stacks (#1628)

* add kfp-tekton deployment and update IBM stacks * update owner file * pin ibm v1.2 manifests * Apply suggestions from code review Co-authored-by: Animesh Singh <singhan@us.ibm.com> Co-authored-by: Animesh Singh <singhan@us.ibm.com>
2020-11-10 12:24:22 -08:00 · 2020-11-10 12:24:22 -08:00 · da3fb83f86
parent 92d68285b2
commit da3fb83f86
386 changed files with 8810 additions and 242 deletions
--- a/kfdef/kfctl_ibm.v1.2.0.yaml
+++ b/kfdef/kfctl_ibm.v1.2.0.yaml
@ -26,16 +26,19 @@ spec:
        name: manifests
        path: stacks/ibm/application/add-anonymous-user-filter
    name: add-anonymous-user-filter
+  # application
  - kustomizeConfig:
      repoRef:
        name: manifests
        path: application/v3
    name: application
+  # bootstrap
  - kustomizeConfig:
      repoRef:
        name: manifests
        path: stacks/ibm/application/bootstrap
    name: bootstrap
+  # cert-manager
  - kustomizeConfig:
      repoRef:
        name: manifests
@ -51,22 +54,76 @@ spec:
        name: manifests
        path: stacks/ibm/application/cert-manager
    name: cert-manager
-  # Install Kubeflow applications.
+  # Tekton
  - kustomizeConfig:
      repoRef:
        name: manifests
-        path: stacks/ibm
+        path: tektoncd/tektoncd-install/base
+    name: tektoncd-install
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: tektoncd/tektoncd-dashboard/base
+    name: tektoncd-dashboard
+  # Kubeflow components
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/admission-webhook
+    name: admission-webhook
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/profile-control-plane
    name: kubeflow-apps
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/metadata
+    name: metadata
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/katib
+    name: katib
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/kfp-tekton
+    name: kfp-tekton
+  # Default on IBM Cloud is Kubeflow Pipelines with Tekton. Switch the above kfp-tekton to
+  # the below applications if you want to
+  # run Kubeflow Pipelines with Argo
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/argo
+  #   name: argo
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/kfp-argo
+  #   name: kfp-argo
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/notebooks
+    name: notebooks
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/pytorch-job
+    name: pytorch-job
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/tf-job
+    name: tf-job
  - kustomizeConfig:
      repoRef:
        name: manifests
        path: metacontroller/base
    name: metacontroller
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/spark-operator
-    name: spark-operator
  - kustomizeConfig:
      repoRef:
        name: manifests
@ -84,11 +141,17 @@ spec:
        name: manifests
        path: stacks/ibm/application/spartakus
    name: spartakus
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/tensorboard
-    name: tensorboard
+  # Optional applications: Uncomment the following lines if you want to run Seldon or Spark on IBM Cloud.
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/seldon-core-operator
+  #   name: seldon-core-operator
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/spark-operator
+  #   name: spark-operator
  repos:
  - name: manifests
    uri: https://github.com/kubeflow/manifests/archive/v1.2-branch.tar.gz
--- a/kfdef/kfctl_ibm.yaml
+++ b/kfdef/kfctl_ibm.yaml
@ -26,16 +26,19 @@ spec:
        name: manifests
        path: stacks/ibm/application/add-anonymous-user-filter
    name: add-anonymous-user-filter
+  # application
  - kustomizeConfig:
      repoRef:
        name: manifests
        path: application/v3
    name: application
+  # bootstrap
  - kustomizeConfig:
      repoRef:
        name: manifests
        path: stacks/ibm/application/bootstrap
    name: bootstrap
+  # cert-manager
  - kustomizeConfig:
      repoRef:
        name: manifests
@ -51,22 +54,76 @@ spec:
        name: manifests
        path: stacks/ibm/application/cert-manager
    name: cert-manager
-  # Install Kubeflow applications.
+  # Tekton
  - kustomizeConfig:
      repoRef:
        name: manifests
-        path: stacks/ibm
+        path: tektoncd/tektoncd-install/base
+    name: tektoncd-install
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: tektoncd/tektoncd-dashboard/base
+    name: tektoncd-dashboard
+  # Kubeflow components
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/admission-webhook
+    name: admission-webhook
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/profile-control-plane
    name: kubeflow-apps
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/metadata
+    name: metadata
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/katib
+    name: katib
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/kfp-tekton
+    name: kfp-tekton
+  # Default on IBM Cloud is Kubeflow Pipelines with Tekton. Switch the above kfp-tekton to
+  # the below applications if you want to
+  # run Kubeflow Pipelines with Argo
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/argo
+  #   name: argo
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/kfp-argo
+  #   name: kfp-argo
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/notebooks
+    name: notebooks
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/pytorch-job
+    name: pytorch-job
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/tf-job
+    name: tf-job
  - kustomizeConfig:
      repoRef:
        name: manifests
        path: metacontroller/base
    name: metacontroller
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/spark-operator
-    name: spark-operator
  - kustomizeConfig:
      repoRef:
        name: manifests
@ -84,6 +141,17 @@ spec:
        name: manifests
        path: stacks/ibm/application/spartakus
    name: spartakus
+  # Optional applications: Uncomment the following lines if you want to run Seldon or Spark on IBM Cloud.
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/seldon-core-operator
+  #   name: seldon-core-operator
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/spark-operator
+  #   name: spark-operator
  repos:
  - name: manifests
    uri: https://github.com/kubeflow/manifests/archive/master.tar.gz
--- a/kfdef/kfctl_ibm_dex_multi_user.v1.2.0.yaml
+++ b/kfdef/kfctl_ibm_dex_multi_user.v1.2.0.yaml
@ -1,98 +0,0 @@
-apiVersion: kfdef.apps.kubeflow.org/v1
-kind: KfDef
-metadata:
-  namespace: kubeflow
-spec:
-  applications:
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: namespaces/base
-    name: namespaces
-  # Install istio in a different namespace: istio-system
-  # Remove this application if istio is already installed
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/istio-1-3-1-stack
-    name: istio-stack
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/cluster-local-gateway-1-3-1
-    name: cluster-local-gateway
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: istio/istio/base
-    name: istio
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: application/v3
-    name: application
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/bootstrap
-    name: bootstrap
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/cert-manager-crds
-    name: cert-manager-crds
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/cert-manager-kube-system-resources
-    name: cert-manager-kube-system-resources
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/cert-manager
-    name: cert-manager
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/oidc-authservice
-    name: oidc-authservice
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/dex-auth
-    name: dex-auth
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: metacontroller/base
-    name: metacontroller
-  # Install kubeflow applications.
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/multi-user
-    name: kubeflow-apps
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/spark-operator
-    name: spark-operator
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: knative/installs/generic
-    name: knative
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: kfserving/installs/generic
-    name: kfserving
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/spartakus
-    name: spartakus
-  repos:
-  - name: manifests
-    uri: https://github.com/kubeflow/manifests/archive/v1.2-branch.tar.gz
-  version: v1.2-branch
--- a/kfdef/kfctl_ibm_multi_user.v1.2.0.yaml
+++ b/kfdef/kfctl_ibm_multi_user.v1.2.0.yaml
@ -4,6 +4,11 @@ metadata:
  namespace: kubeflow
 spec:
  applications:
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: namespaces/base
+    name: namespaces
  # Install istio in a different namespace: istio-system
  # Remove this application if istio is already installed
  - kustomizeConfig:
@ -19,26 +24,18 @@ spec:
  - kustomizeConfig:
      repoRef:
        name: manifests
-        path: stacks/ibm/application/istio
+        path: istio/istio/base
    name: istio
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/add-anonymous-user-filter
-    name: add-anonymous-user-filter
-  # application
  - kustomizeConfig:
      repoRef:
        name: manifests
        path: application/v3
    name: application
-  # bootstrap
  - kustomizeConfig:
      repoRef:
        name: manifests
        path: stacks/ibm/application/bootstrap
    name: bootstrap
-  # cert-manager
  - kustomizeConfig:
      repoRef:
        name: manifests
@ -54,7 +51,26 @@ spec:
        name: manifests
        path: stacks/ibm/application/cert-manager
    name: cert-manager
-  # Kubeflow components
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/oidc-authservice-appid
+    name: oidc-authservice
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: metacontroller/base
+    name: metacontroller
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: tektoncd/tektoncd-install/base
+    name: tektoncd-install
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: tektoncd/tektoncd-dashboard/base
+    name: tektoncd-dashboard
  - kustomizeConfig:
      repoRef:
        name: manifests
@ -70,11 +86,6 @@ spec:
        name: manifests
        path: stacks/ibm/application/metadata
    name: metadata
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/argo
-    name: argo
  - kustomizeConfig:
      repoRef:
        name: manifests
@ -83,8 +94,21 @@ spec:
  - kustomizeConfig:
      repoRef:
        name: manifests
-        path: stacks/ibm/application/pipelines
-    name: pipelines
+        path: stacks/ibm/application/kfp-tekton-multi-user
+    name: kfp-tekton-multi-user
+  # Switch the above kfp-tekton to
+  # the below applications if you want to
+  # run KFP with Argo
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/argo
+  #   name: argo
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/kfp-argo-multi-user
+  #   name: kfp-argo-multi-user
  - kustomizeConfig:
      repoRef:
        name: manifests
@ -100,22 +124,6 @@ spec:
        name: manifests
        path: stacks/ibm/application/tf-job
    name: tf-job
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/seldon-core-operator
-    name: seldon-core-operator
-  # other applications
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: metacontroller/base
-    name: metacontroller
-  - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: stacks/ibm/application/spark-operator
-    name: spark-operator
  - kustomizeConfig:
      repoRef:
        name: manifests
@ -126,14 +134,23 @@ spec:
        name: manifests
        path: kfserving/installs/generic
    name: kfserving
-  # Spartakus is a separate applications so that kfctl can remove it
-  # to disable usage reporting
  - kustomizeConfig:
      repoRef:
        name: manifests
        path: stacks/ibm/application/spartakus
    name: spartakus
+  # Optional applications
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/seldon-core-operator
+  #   name: seldon-core-operator
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/spark-operator
+  #   name: spark-operator
  repos:
  - name: manifests
-    uri: https://github.com/kubeflow/manifests/archive/master.tar.gz
-  version: master
+    uri: https://github.com/kubeflow/manifests/archive/v1.2-branch.tar.gz
+  version: v1.2-branch
--- a/kfdef/kfctl_ibm_multi_user.yaml
+++ b/kfdef/kfctl_ibm_multi_user.yaml
@ -61,17 +61,69 @@ spec:
        name: manifests
        path: metacontroller/base
    name: metacontroller
-  # Install kubeflow applications.
  - kustomizeConfig:
      repoRef:
        name: manifests
-        path: stacks/ibm/multi-user
+        path: tektoncd/tektoncd-install/base
+    name: tektoncd-install
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: tektoncd/tektoncd-dashboard/base
+    name: tektoncd-dashboard
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/admission-webhook
+    name: admission-webhook
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/profile-control-plane
    name: kubeflow-apps
  - kustomizeConfig:
      repoRef:
        name: manifests
-        path: stacks/ibm/application/spark-operator
-    name: spark-operator
+        path: stacks/ibm/application/metadata
+    name: metadata
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/katib
+    name: katib
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/kfp-tekton-multi-user
+    name: kfp-tekton-multi-user
+  # Switch the above kfp-tekton to
+  # the below applications if you want to
+  # run KFP with Argo
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/argo
+  #   name: argo
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/kfp-argo-multi-user
+  #   name: kfp-argo-multi-user
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/notebooks
+    name: notebooks
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/pytorch-job
+    name: pytorch-job
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/ibm/application/tf-job
+    name: tf-job
  - kustomizeConfig:
      repoRef:
        name: manifests
@ -87,6 +139,17 @@ spec:
        name: manifests
        path: stacks/ibm/application/spartakus
    name: spartakus
+  # Optional applications
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/seldon-core-operator
+  #   name: seldon-core-operator
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/ibm/application/spark-operator
+  #   name: spark-operator
  repos:
  - name: manifests
    uri: https://github.com/kubeflow/manifests/archive/master.tar.gz
--- a/pipeline/installs/tekton-multi-user/kustomization.yaml
+++ b/pipeline/installs/tekton-multi-user/kustomization.yaml
@ -0,0 +1,42 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+commonLabels:
+  app.kubernetes.io/name: kubeflow-pipelines
+  app.kubernetes.io/component: ml-pipeline
+resources:
+- ../multi-user
+- ../tekton/kfp-tekton/kfp-pipeline-config.yaml
+patchesStrategicMerge:
+- metadata-writer-clusterrole.yaml
+- ml-pipeline-apiserver-clusterrole.yaml
+- ml-pipeline-persistenceagent-clusterrole.yaml
+- ml-pipeline-ui-clusterrole.yaml
+- scheduled-workflow-clusterrole.yaml
+- ../tekton/kfp-tekton/ml-pipeline-deployment-patch.yaml
+- ../tekton/kfp-tekton/metadata-writer-deployment-patch.yaml
+configMapGenerator:
+- name: kubeflow-pipelines-profile-controller-code
+  behavior: replace
+  files:
+  - sync.py
+images:
+  - name: mysql
+    newTag: "5.6"
+  - name: minio/minio
+    newTag: RELEASE.2018-02-09T22-40-05Z
+  - name: gcr.io/ml-pipeline/api-server
+    newName: docker.io/aipipeline/api-server
+    newTag: 0.4.0
+  - name: gcr.io/ml-pipeline/persistenceagent
+    newName: docker.io/aipipeline/persistenceagent
+    newTag: 0.4.0
+  - name: gcr.io/ml-pipeline/frontend
+    newName: docker.io/aipipeline/frontend
+    newTag: 0.4.0
+  - name: gcr.io/ml-pipeline/metadata-writer
+    newName: docker.io/aipipeline/metadata-writer
+    newTag: 0.4.0
+  - name: gcr.io/ml-pipeline/scheduledworkflow
+    newName: docker.io/aipipeline/scheduledworkflow
+    newTag: 0.4.0
--- a/pipeline/installs/tekton-multi-user/metadata-writer-clusterrole.yaml
+++ b/pipeline/installs/tekton-multi-user/metadata-writer-clusterrole.yaml
@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeflow-pipelines-metadata-writer-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - tekton.dev
+  resources:
+  - pipelineruns
+  - taskruns
+  - conditions
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
--- a/pipeline/installs/tekton-multi-user/ml-pipeline-apiserver-clusterrole.yaml
+++ b/pipeline/installs/tekton-multi-user/ml-pipeline-apiserver-clusterrole.yaml
@ -0,0 +1,50 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: ml-pipeline
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - create
+  - get
+  - list
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/log
+  verbs:
+  - get
+  - delete
+- apiGroups:
+  - tekton.dev
+  resources:
+  - pipelineruns
+  - taskruns
+  - conditions
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
--- a/pipeline/installs/tekton-multi-user/ml-pipeline-persistenceagent-clusterrole.yaml
+++ b/pipeline/installs/tekton-multi-user/ml-pipeline-persistenceagent-clusterrole.yaml
@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ml-pipeline-persistenceagent-role
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - tekton.dev
+  resources:
+  - pipelineruns
+  - taskruns
+  - conditions
+  verbs:
+  - get
+  - list
+  - watch
--- a/pipeline/installs/tekton-multi-user/ml-pipeline-ui-clusterrole.yaml
+++ b/pipeline/installs/tekton-multi-user/ml-pipeline-ui-clusterrole.yaml
@ -0,0 +1,51 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ml-pipeline-ui
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/log
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - "kubeflow.org"
+  resources:
+  - viewers
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - delete
+- apiGroups:
+  - "argoproj.io"
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - tekton.dev
+  resources:
+  - pipelineruns
+  - taskruns
+  - conditions
+  verbs:
+  - get
+  - list
--- a/pipeline/installs/tekton-multi-user/scheduled-workflow-clusterrole.yaml
+++ b/pipeline/installs/tekton-multi-user/scheduled-workflow-clusterrole.yaml
@ -0,0 +1,50 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ml-pipeline-scheduledworkflow-role
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - tekton.dev
+  resources:
+  - pipelineruns
+  - taskruns
+  - conditions
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
--- a/pipeline/installs/tekton-multi-user/sync.py
+++ b/pipeline/installs/tekton-multi-user/sync.py
@ -0,0 +1,313 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from http.server import BaseHTTPRequestHandler, HTTPServer
+import json
+import os
+import base64
+
+kfp_version = os.environ["KFP_VERSION"]
+disable_istio_sidecar = os.environ.get("DISABLE_ISTIO_SIDECAR") == "true"
+mlpipeline_minio_access_key = base64.b64encode(
+    bytes(os.environ.get("MINIO_ACCESS_KEY"), 'utf-8')).decode('utf-8')
+mlpipeline_minio_secret_key = base64.b64encode(
+    bytes(os.environ.get("MINIO_SECRET_KEY"), 'utf-8')).decode('utf-8')
+
+
+class Controller(BaseHTTPRequestHandler):
+    def sync(self, parent, children):
+        # HACK: Currently using serving.kubeflow.org/inferenceservice to identify
+        # kubeflow user namespaces.
+        # TODO: let Kubeflow profile controller add a pipeline specific label to
+        # user namespaces and use that label instead.
+        pipeline_enabled = parent.get("metadata", {}).get(
+            "labels", {}).get("serving.kubeflow.org/inferenceservice")
+
+        if not pipeline_enabled:
+            return {"status": {}, "children": []}
+
+        # Compute status based on observed state.
+        desired_status = {
+            "kubeflow-pipelines-ready": \
+                len(children["Secret.v1"]) == 1 and \
+                len(children["ConfigMap.v1"]) == 1 and \
+                len(children["Deployment.apps/v1"]) == 2 and \
+                len(children["Service.v1"]) == 2 and \
+                len(children["DestinationRule.networking.istio.io/v1alpha3"]) == 1 and \
+                len(children["ServiceRole.rbac.istio.io/v1alpha1"]) == 1 and \
+                len(children["ServiceRoleBinding.rbac.istio.io/v1alpha1"]) == 1 and \
+                "True" or "False"
+        }
+
+        # Generate the desired child object(s).
+        # parent is a namespace
+        namespace = parent.get("metadata", {}).get("name")
+        desired_resources = [
+            {
+                "apiVersion": "v1",
+                "kind": "ConfigMap",
+                "metadata": {
+                    "name": "metadata-grpc-configmap",
+                    "namespace": namespace,
+                },
+                "data": {
+                    "METADATA_GRPC_SERVICE_HOST":
+                    "metadata-grpc-service.kubeflow",
+                    "METADATA_GRPC_SERVICE_PORT": "8080",
+                },
+            },
+            # Visualization server related manifests below
+            {
+                "apiVersion": "apps/v1",
+                "kind": "Deployment",
+                "metadata": {
+                    "labels": {
+                        "app": "ml-pipeline-visualizationserver"
+                    },
+                    "name": "ml-pipeline-visualizationserver",
+                    "namespace": namespace,
+                },
+                "spec": {
+                    "selector": {
+                        "matchLabels": {
+                            "app": "ml-pipeline-visualizationserver"
+                        },
+                    },
+                    "template": {
+                        "metadata": {
+                            "labels": {
+                                "app": "ml-pipeline-visualizationserver"
+                            },
+                            "annotations": disable_istio_sidecar and {
+                                "sidecar.istio.io/inject": "false"
+                            } or {},
+                        },
+                        "spec": {
+                            "containers": [{
+                                "image":
+                                "gcr.io/ml-pipeline/visualization-server:" +
+                                kfp_version,
+                                "imagePullPolicy":
+                                "IfNotPresent",
+                                "name":
+                                "ml-pipeline-visualizationserver",
+                                "ports": [{
+                                    "containerPort": 8888
+                                }],
+                            }],
+                            "serviceAccountName":
+                            "default-editor",
+                        },
+                    },
+                },
+            },
+            {
+                "apiVersion": "networking.istio.io/v1alpha3",
+                "kind": "DestinationRule",
+                "metadata": {
+                    "name": "ml-pipeline-visualizationserver",
+                    "namespace": namespace,
+                },
+                "spec": {
+                    "host": "ml-pipeline-visualizationserver",
+                    "trafficPolicy": {
+                        "tls": {
+                            "mode": "ISTIO_MUTUAL"
+                        }
+                    }
+                }
+            },
+            {
+                "apiVersion": "rbac.istio.io/v1alpha1",
+                "kind": "ServiceRole",
+                "metadata": {
+                    "name": "ml-pipeline-visualizationserver",
+                    "namespace": namespace,
+                },
+                "spec": {
+                    "rules": [{
+                        "services": ["ml-pipeline-visualizationserver.*"]
+                    }]
+                }
+            },
+            {
+                "apiVersion": "rbac.istio.io/v1alpha1",
+                "kind": "ServiceRoleBinding",
+                "metadata": {
+                    "name": "ml-pipeline-visualizationserver",
+                    "namespace": namespace,
+                },
+                "spec": {
+                    "subjects": [{
+                        "properties": {
+                            "source.principal":
+                            "cluster.local/ns/kubeflow/sa/ml-pipeline"
+                        }
+                    }],
+                    "roleRef": {
+                        "kind": "ServiceRole",
+                        "name": "ml-pipeline-visualizationserver"
+                    }
+                }
+            },
+            {
+                "apiVersion": "v1",
+                "kind": "Service",
+                "metadata": {
+                    "name": "ml-pipeline-visualizationserver",
+                    "namespace": namespace,
+                },
+                "spec": {
+                    "ports": [{
+                        "name": "http",
+                        "port": 8888,
+                        "protocol": "TCP",
+                        "targetPort": 8888,
+                    }],
+                    "selector": {
+                        "app": "ml-pipeline-visualizationserver",
+                    },
+                },
+            },
+            # Artifact fetcher related resources below.
+            {
+                "apiVersion": "apps/v1",
+                "kind": "Deployment",
+                "metadata": {
+                    "labels": {
+                        "app": "ml-pipeline-ui-artifact"
+                    },
+                    "name": "ml-pipeline-ui-artifact",
+                    "namespace": namespace,
+                },
+                "spec": {
+                    "selector": {
+                        "matchLabels": {
+                            "app": "ml-pipeline-ui-artifact"
+                        }
+                    },
+                    "template": {
+                        "metadata": {
+                            "labels": {
+                                "app": "ml-pipeline-ui-artifact"
+                            },
+                            "annotations": disable_istio_sidecar and {
+                                "sidecar.istio.io/inject": "false"
+                            } or {},
+                        },
+                        "spec": {
+                            "containers": [{
+                                "name":
+                                "ml-pipeline-ui-artifact",
+                                "image":
+                                "gcr.io/ml-pipeline/frontend:" + kfp_version,
+                                "imagePullPolicy":
+                                "IfNotPresent",
+                                "ports": [{
+                                    "containerPort": 3000
+                                }]
+                            }],
+                            "serviceAccountName":
+                            "default-editor"
+                        }
+                    }
+                }
+            },
+            {
+                "apiVersion": "v1",
+                "kind": "Service",
+                "metadata": {
+                    "name": "ml-pipeline-ui-artifact",
+                    "namespace": namespace,
+                    "labels": {
+                        "app": "ml-pipeline-ui-artifact"
+                    }
+                },
+                "spec": {
+                    "ports": [{
+                        "name":
+                        "http",  # name is required to let istio understand request protocol
+                        "port": 80,
+                        "protocol": "TCP",
+                        "targetPort": 3000
+                    }],
+                    "selector": {
+                        "app": "ml-pipeline-ui-artifact"
+                    }
+                }
+            },
+            {
+                "apiVersion": "tekton.dev/v1alpha1",
+                "kind": "Condition",
+                "metadata": {
+                    "name": "super-condition",
+                    "namespace": namespace,
+                },
+                "spec": {
+                    "check": {
+                        "image": "python:alpine3.6",
+                        "script": ("python -c 'import sys\ninput1=str.rstrip(sys.argv[1])\n"
+                                   "input2=str.rstrip(sys.argv[2])\ntry:\n  input1=int(input1)\n"
+                                   "  input2=int(input2)\nexcept:\n  input1=str(input1)\nsys.exit(0)"
+                                   " if (input1 $(params.operator) input2) else sys.exit(1)' "
+                                   "'$(params.operand1)' '$(params.operand2)'")
+                    },
+                    "params": [
+                        {
+                            "name": "operand1",
+                            "type": "string"
+                        },
+                        {
+                            "name": "operand2",
+                            "type": "string"
+                        },
+                        {
+                            "name": "operator",
+                            "type": "string"
+                        }
+                    ]
+                }
+            },
+        ]
+        print('Received request:', parent)
+        print('Desired resources except secrets:', desired_resources)
+        # Moved after the print argument because this is sensitive data.
+        desired_resources.append({
+            "apiVersion": "v1",
+            "kind": "Secret",
+            "metadata": {
+                "name": "mlpipeline-minio-artifact",
+                "namespace": namespace,
+            },
+            "data": {
+                "accesskey": mlpipeline_minio_access_key,
+                "secretkey": mlpipeline_minio_secret_key,
+            },
+        })
+
+        return {"status": desired_status, "children": desired_resources}
+
+    def do_POST(self):
+        # Serve the sync() function as a JSON webhook.
+        observed = json.loads(
+            self.rfile.read(int(self.headers.get("content-length"))))
+        desired = self.sync(observed["parent"], observed["children"])
+
+        self.send_response(200)
+        self.send_header("Content-type", "application/json")
+        self.end_headers()
+        self.wfile.write(bytes(json.dumps(desired), 'utf-8'))
+
+
+HTTPServer(("", 80), Controller).serve_forever()
--- a/pipeline/installs/tekton/OWNERS
+++ b/pipeline/installs/tekton/OWNERS
@ -0,0 +1,4 @@
+approvers:
+- animeshsingh
+- pvaneck
+- tomcli
--- a/pipeline/installs/tekton/kfp-tekton/catalog-condition.yaml
+++ b/pipeline/installs/tekton/kfp-tekton/catalog-condition.yaml
@ -0,0 +1,15 @@
+apiVersion: tekton.dev/v1alpha1
+kind: Condition
+metadata:
+  name: super-condition
+spec:
+  check:
+    image: python:alpine3.6
+    script: "python -c 'import sys\ninput1=str.rstrip(sys.argv[1])\ninput2=str.rstrip(sys.argv[2])\n\
+      try:\n  input1=int(input1)\n  input2=int(input2)\nexcept:\n  input1=str(input1)\n\
+      sys.exit(0) if (input1 $(params.operator) input2) else sys.exit(1)' '$(params.operand1)'\
+      \ '$(params.operand2)'"
+  params:
+  - name: operand1
+  - name: operand2
+  - name: operator
--- a/pipeline/installs/tekton/kfp-tekton/kfp-pipeline-config.yaml
+++ b/pipeline/installs/tekton/kfp-tekton/kfp-pipeline-config.yaml
@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kfp-tekton-config
+data:
+  artifact_bucket: "mlpipeline"
+  artifact_endpoint: "minio-service.kubeflow:9000"
+  artifact_endpoint_scheme: "http://"
+  artifact_image: "minio/mc"
+  archive_logs: "false"
+  track_artifacts: "true"
+  strip_eof: "false"
+  inject_default_script: "true"
+  artifact_script: |-
+    #!/usr/bin/env sh
+    push_artifact() {
+        tar -cvzf $1.tgz $2
+        mc cp $1.tgz storage/$ARTIFACT_BUCKET/artifacts/$PIPELINERUN/$PIPELINETASK/$1.tgz
+    }
+    push_log() {
+        cat /var/log/containers/$PODNAME*$NAMESPACE*step-main*.log > step-main.log
+        push_artifact main-log step-main.log
+    }
+    strip_eof() {
+        awk 'NF' $2 | head -c -1 > $1_temp_save && cp $1_temp_save $2
+    }
+    mc config host add storage ${ARTIFACT_ENDPOINT_SCHEME}${ARTIFACT_ENDPOINT} $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY
--- a/pipeline/installs/tekton/kfp-tekton/kustomization.yaml
+++ b/pipeline/installs/tekton/kfp-tekton/kustomization.yaml
@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../generic
+- catalog-condition.yaml
+- kfp-pipeline-config.yaml
+
+patchesStrategicMerge:
+- metadata-writer-role.yaml
+- ml-pipeline-apiserver-role.yaml
+- ml-pipeline-persistenceagent-role.yaml
+- ml-pipeline-ui-role.yaml
+- pipeline-runner-role.yaml
+- scheduledworkflow-role.yaml
+- ml-pipeline-deployment-patch.yaml
+- metadata-writer-deployment-patch.yaml
--- a/pipeline/installs/tekton/kfp-tekton/metadata-writer-deployment-patch.yaml
+++ b/pipeline/installs/tekton/kfp-tekton/metadata-writer-deployment-patch.yaml
@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: metadata-writer
+spec:
+  template:
+    spec:
+      containers:
+      - name: main
+        env:
+        - name: ARCHIVE_LOGS
+          valueFrom:
+            configMapKeyRef:
+              name: kfp-tekton-config
+              key: archive_logs
--- a/pipeline/installs/tekton/kfp-tekton/metadata-writer-role.yaml
+++ b/pipeline/installs/tekton/kfp-tekton/metadata-writer-role.yaml
@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: kubeflow-pipelines-metadata-writer-role
+rules:
+- apiGroups:
+  - tekton.dev
+  resources:
+  - pipelineruns
+  - taskruns
+  - conditions
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
--- a/pipeline/installs/tekton/kfp-tekton/ml-pipeline-apiserver-role.yaml
+++ b/pipeline/installs/tekton/kfp-tekton/ml-pipeline-apiserver-role.yaml
@ -0,0 +1,51 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ml-pipeline
+rules:
+- apiGroups:
+  - tekton.dev
+  resources:
+  - pipelineruns
+  - taskruns
+  - conditions
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/log
+  verbs:
+  - get
+  - list
+  - delete
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - create
+  - get
+  - list
+  - update
+  - patch
+  - delete
--- a/pipeline/installs/tekton/kfp-tekton/ml-pipeline-deployment-patch.yaml
+++ b/pipeline/installs/tekton/kfp-tekton/ml-pipeline-deployment-patch.yaml
@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ml-pipeline
+spec:
+  template:
+    spec:
+      containers:
+      - name: ml-pipeline-api-server
+        env:
+        - name: ARTIFACT_BUCKET
+          valueFrom:
+            configMapKeyRef:
+              name: kfp-tekton-config
+              key: artifact_bucket
+        - name: ARTIFACT_ENDPOINT
+          valueFrom:
+            configMapKeyRef:
+              name: kfp-tekton-config
+              key: artifact_endpoint
+        - name: ARTIFACT_ENDPOINT_SCHEME
+          valueFrom:
+            configMapKeyRef:
+              name: kfp-tekton-config
+              key: artifact_endpoint_scheme
+        - name: ARCHIVE_LOGS
+          valueFrom:
+            configMapKeyRef:
+              name: kfp-tekton-config
+              key: archive_logs
+        - name: TRACK_ARTIFACTS
+          valueFrom:
+            configMapKeyRef:
+              name: kfp-tekton-config
+              key: track_artifacts
+        - name: STRIP_EOF
+          valueFrom:
+            configMapKeyRef:
+              name: kfp-tekton-config
+              key: strip_eof
+        - name: ARTIFACT_SCRIPT
+          valueFrom:
+            configMapKeyRef:
+              name: kfp-tekton-config
+              key: artifact_script
+        - name: ARTIFACT_IMAGE
+          valueFrom:
+            configMapKeyRef:
+              name: kfp-tekton-config
+              key: artifact_image
+        - name: INJECT_DEFAULT_SCRIPT
+          valueFrom:
+            configMapKeyRef:
+              name: kfp-tekton-config
+              key: inject_default_script
--- a/pipeline/installs/tekton/kfp-tekton/ml-pipeline-persistenceagent-role.yaml
+++ b/pipeline/installs/tekton/kfp-tekton/ml-pipeline-persistenceagent-role.yaml
@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ml-pipeline-persistenceagent-role
+rules:
+- apiGroups:
+  - tekton.dev
+  resources:
+  - pipelineruns
+  - taskruns
+  - conditions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - get
+  - list
+  - watch
--- a/pipeline/installs/tekton/kfp-tekton/ml-pipeline-ui-role.yaml
+++ b/pipeline/installs/tekton/kfp-tekton/ml-pipeline-ui-role.yaml
@ -0,0 +1,51 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ml-pipeline-ui
+rules:
+- apiGroups:
+  - tekton.dev
+  resources:
+  - pipelineruns
+  - taskruns
+  - conditions
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/log
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - "kubeflow.org"
+  resources:
+  - viewers
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - delete
+- apiGroups:
+  - "argoproj.io"
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
--- a/pipeline/installs/tekton/kfp-tekton/pipeline-runner-role.yaml
+++ b/pipeline/installs/tekton/kfp-tekton/pipeline-runner-role.yaml
@ -0,0 +1,92 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pipeline-runner
+rules:
+- apiGroups:
+  - tekton.dev
+  resources:
+  - pipelineruns
+  - taskruns
+  - conditions
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  - persistentvolumeclaims
+  verbs:
+  - '*'
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - create
+  - delete
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/exec
+  - pods/log
+  - services
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  - apps
+  - extensions
+  resources:
+  - deployments
+  - replicasets
+  verbs:
+  - '*'
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - '*'
+- apiGroups:
+  - machinelearning.seldon.io
+  resources:
+  - seldondeployments
+  verbs:
+  - '*'
--- a/pipeline/installs/tekton/kfp-tekton/scheduledworkflow-role.yaml
+++ b/pipeline/installs/tekton/kfp-tekton/scheduledworkflow-role.yaml
@ -0,0 +1,51 @@
+  
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ml-pipeline-scheduledworkflow-role
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - tekton.dev
+  resources:
+  - pipelineruns
+  - taskruns
+  - conditions
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
--- a/pipeline/installs/tekton/kustomization.yaml
+++ b/pipeline/installs/tekton/kustomization.yaml
@ -0,0 +1,39 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+  - ../../upstream/env/platform-agnostic/minio
+  - ../../upstream/env/platform-agnostic/mysql
+  - kfp-tekton
+
+# Identifier for application manager to apply ownerReference.
+# The ownerReference ensures the resources get garbage collected
+# when application is deleted.
+commonLabels:
+  app.kubernetes.io/name: kubeflow-pipelines
+  app.kubernetes.io/component: ml-pipeline
+
+# !!! If you want to customize the namespace,
+# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
+namespace: kubeflow
+
+images:
+  - name: mysql
+    newTag: "5.6"
+  - name: minio/minio
+    newTag: RELEASE.2018-02-09T22-40-05Z
+  - name: gcr.io/ml-pipeline/api-server
+    newName: docker.io/aipipeline/api-server
+    newTag: 0.4.0
+  - name: gcr.io/ml-pipeline/persistenceagent
+    newName: docker.io/aipipeline/persistenceagent
+    newTag: 0.4.0
+  - name: gcr.io/ml-pipeline/frontend
+    newName: docker.io/aipipeline/frontend
+    newTag: 0.4.0
+  - name: gcr.io/ml-pipeline/metadata-writer
+    newName: docker.io/aipipeline/metadata-writer
+    newTag: 0.4.0
+  - name: gcr.io/ml-pipeline/scheduledworkflow
+    newName: docker.io/aipipeline/scheduledworkflow
+    newTag: 0.4.0
--- a/pipeline/minio/installs/ibm/deployment-patch.yaml
+++ b/pipeline/minio/installs/ibm/deployment-patch.yaml
@ -2,6 +2,8 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: minio
+  annotations:
+    sidecar.istio.io/inject: "false"
 spec:
  template:
    spec:
--- a/stacks/ibm/application/kfp-argo-multi-user/kustomization.yaml
+++ b/stacks/ibm/application/kfp-argo-multi-user/kustomization.yaml
@ -0,0 +1,36 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+  - ../../../../pipeline/minio/installs/ibm
+  - ../../../../pipeline/mysql/installs/ibm
+  - ../../../../pipeline/installs/multi-user
+configMapGenerator:
+- name: pipeline-mysql-parameters
+  behavior: merge
+  literals:
+  - mysqlPvcName=mysql-pv-claim
+- name: pipeline-minio-parameters
+  behavior: merge
+  literals:
+  - minioPvcName=minio-pv-claim
+- name: kubeflow-config
+  envs:
+  - ../../config/params.env
+vars:
+# We need to define vars at the top level otherwise we will get
+# conflicts.
+- fieldref:
+    fieldPath: data.clusterDomain
+  name: clusterDomain
+  objref:
+    apiVersion: v1
+    kind: ConfigMap
+    name: kubeflow-config
+- fieldref:
+    fieldPath: metadata.namespace
+  name: namespace
+  objref:
+    apiVersion: v1
+    kind: ConfigMap
+    name: kubeflow-config
--- a/stacks/ibm/application/pipelines/kustomization.yaml
+++ b/stacks/ibm/application/pipelines/kustomization.yaml
@ -19,7 +19,7 @@ configMapGenerator:
  - ../../config/params.env
 vars:
 # We need to define vars at the top level otherwise we will get
-# conflicts. 
+# conflicts.
 - fieldref:
    fieldPath: data.clusterDomain
  name: clusterDomain
@ -34,4 +34,3 @@ vars:
    apiVersion: v1
    kind: ConfigMap
    name: kubeflow-config
-    
--- a/stacks/ibm/application/kfp-tekton-multi-user/kustomization.yaml
+++ b/stacks/ibm/application/kfp-tekton-multi-user/kustomization.yaml
@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+  - ../../../../pipeline/minio/installs/ibm
+  - ../../../../pipeline/mysql/installs/ibm
+  - ../../../../pipeline/installs/tekton-multi-user
+configMapGenerator:
+- name: pipeline-mysql-parameters
+  behavior: merge
+  literals:
+  - mysqlPvcName=mysql-pv-claim
+- name: pipeline-minio-parameters
+  behavior: merge
+  literals:
+  - minioPvcName=minio-pv-claim
+- name: kubeflow-config
+  envs:
+  - ../../config/params.env
+vars:
+- fieldref:
+    fieldPath: data.clusterDomain
+  name: clusterDomain
+  objref:
+    apiVersion: v1
+    kind: ConfigMap
+    name: kubeflow-config
+- fieldref:
+    fieldPath: metadata.namespace
+  name: namespace
+  objref:
+    apiVersion: v1
+    kind: ConfigMap
+    name: kubeflow-config
--- a/stacks/ibm/application/kfp-tekton/kustomization.yaml
+++ b/stacks/ibm/application/kfp-tekton/kustomization.yaml
@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+  - ../../../../pipeline/installs/tekton
+configMapGenerator:
+- name: kubeflow-config
+  envs:
+  - ../../config/params.env
+vars:
+- fieldref:
+    fieldPath: data.clusterDomain
+  name: clusterDomain
+  objref:
+    apiVersion: v1
+    kind: ConfigMap
+    name: kubeflow-config
+- fieldref:
+    fieldPath: metadata.namespace
+  name: namespace
+  objref:
+    apiVersion: v1
+    kind: ConfigMap
+    name: kubeflow-config
--- a/stacks/ibm/config/params.env
+++ b/stacks/ibm/config/params.env
@ -1,3 +1,5 @@
 clusterDomain=cluster.local
 userid-header=kubeflow-userid
 userid-prefix=
+cluster-name=
+istio-namespace=istio-system
--- a/tests/stacks/ibm/application/admission-webhook/test_data/expected/~g_v1_configmap_kubeflow-config-bk4bc7m928.yaml
+++ b/tests/stacks/ibm/application/admission-webhook/test_data/expected/~g_v1_configmap_kubeflow-config-bk4bc7m928.yaml
@ -1,9 +1,11 @@
 apiVersion: v1
 data:
+  cluster-name: ""
  clusterDomain: cluster.local
+  istio-namespace: istio-system
  userid-header: kubeflow-userid
  userid-prefix: ""
 kind: ConfigMap
 metadata:
-  name: kubeflow-config-d7dttg89h2
+  name: kubeflow-config-bk4bc7m928
  namespace: kubeflow
--- a/tests/stacks/ibm/application/katib/test_data/expected/~g_v1_configmap_kubeflow-config-d7dttg89h2.yaml
+++ b/tests/stacks/ibm/application/katib/test_data/expected/~g_v1_configmap_kubeflow-config-d7dttg89h2.yaml
@ -1,9 +1,11 @@
 apiVersion: v1
 data:
+  cluster-name: ""
  clusterDomain: cluster.local
+  istio-namespace: istio-system
  userid-header: kubeflow-userid
  userid-prefix: ""
 kind: ConfigMap
 metadata:
-  name: kubeflow-config-d7dttg89h2
+  name: kubeflow-config-bk4bc7m928
  namespace: kubeflow
--- a/tests/stacks/ibm/application/notebooks/test_data/expected/~g_v1_configmap_kubeflow-config-d7dttg89h2.yaml
+++ b/tests/stacks/ibm/application/notebooks/test_data/expected/~g_v1_configmap_kubeflow-config-d7dttg89h2.yaml
@ -1,9 +1,11 @@
 apiVersion: v1
 data:
+  cluster-name: ""
  clusterDomain: cluster.local
+  istio-namespace: istio-system
  userid-header: kubeflow-userid
  userid-prefix: ""
 kind: ConfigMap
 metadata:
-  name: kubeflow-config-d7dttg89h2
+  name: kubeflow-config-bk4bc7m928
  namespace: kubeflow
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/kustomize_test.go
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/kustomize_test.go
@ -0,0 +1,15 @@
+package kfp_argo_multi_user
+
+import (
+	"github.com/kubeflow/manifests/tests"
+	"testing"
+)
+
+func TestKustomize(t *testing.T) {
+	testCase := &tests.KustomizeTestCase{
+		Package:  "../../../../../stacks/ibm/application/kfp-argo-multi-user",
+		Expected: "test_data/expected",
+	}
+
+	tests.RunTestCase(t, testCase)
+}
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apiextensions.k8s.io_v1beta1_customresourcedefinition_scheduledworkflows.kubeflow.org.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apiextensions.k8s.io_v1beta1_customresourcedefinition_scheduledworkflows.kubeflow.org.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apiextensions.k8s.io_v1beta1_customresourcedefinition_viewers.kubeflow.org.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apiextensions.k8s.io_v1beta1_customresourcedefinition_viewers.kubeflow.org.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/app.k8s.io_v1beta1_application_kubeflow-pipelines.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/app.k8s.io_v1beta1_application_kubeflow-pipelines.yaml
@ -0,0 +1,52 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+  annotations:
+    kubernetes-engine.cloud.google.com/icon: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADMAAAAyCAYAAADx/eOPAAALuUlEQVRogd2afWxd9XnHP99bK4pS3yhiGUIRiiJUVVVqbq8ppdR20ibqpuIMtDRkUYERp29J57gMZVuxsrZiK7oZXVv5re1AiOuoG+N1DMkuytprsGPEVMouxqQZJVHEWIdQlGVxZlmZdb/747zcc869jpMO+seOdPz7nd/L83tev89zzjX8Bq795Rq9o17zXp+Tey+Ijkyboela29DRWkhffyT733pH/Z3este9F2cC6N0kNjxtjD+FdRD8UF9X7u97y7UbQFPAivC0BdllS381slun3s3z3xVhhqeds90tqR/oMB7u68z19ZZra0E/l1if3WOziPx3skrDPTr+bvDxfxImEIJbgX6gGBJ7EfHJX/ySReDHwO9KYAenyWCMFKw21GSeslwa2Z17+TcuzPBRr7B8m6Df5oOJqdPAR/u6cm/2lmv3At+IT3GiXZqbcaxSLsfRoTsvn7XL2jE87ZXGnwf+VGiDY86ETM1wU1+XjvSW/RlgTJADQ2QaCZKWcX1/aDIcjE8i3SdzZLjn0lm8pJXD02417BM+gLmq2Rqjr/d16Vu95dp6wc8Ra5O8NrPIcoZCvIR1H+KZkd2qLcfnRYUZOuorJO+3uQt0RerolGYZR7r5+C9ZATwPviGyQprd6Liszy3bnwVKwGMjPbnFyxJmeNpX2T4gaR/QmmSpyYZTho/2depMb9k/kNh3KawuJ1bWauHzUcyXRpZAv5Zmg7aHBLcmNN9ECAFeAO3s69KZ3nLtDuF9dnBs0IT9JO24rbPb0JfP2syCZpFfE5q1mRWcvlgMNcwMTRq9z/+OWXdx4AGjvX1deqC37DbwPwOrMgsufol5mWMWs1ivEbjTrOCtLNNb+udygqsNbUBtopR/NkuuwTJ6Hxsw67KSuvH5MPDA/nJttfGTdUFCMUlp/ALwOtIs9muBxpnFnBzuSQf21oP/BbXclVvumWuTaDN8WNBm2GizJkxPM0CDMA2WGZ72bbb/Njue2TRj9Il/PcG87SeBz4ZTNaSTsmctHcO8SqDp14d7dCFLZ2v/3OpQ023Ah4n65kohvETUCdcsfmuilD+bpNdgGZvOODuHqYGIVGCec9g7+7o031v2jaBTiD0ysxbHRnZrPktzyz1zK7f0z10nh5pWwLRhvZro1KqznVJhNB8UyDeSsU4zAOiIXV1OuEqQ2AR79nflXgcY6dGLwIvR8q39cy1b+uc2Emo6dI824BpMSxz8iVhy4m/2WiYHdV5UmOHp2mpwm52ESCdwRn+9v0tPAWzpn9sAFAQbMdc60PaHsFZEWd9uxk4z8G3seykECfObTEd2KmuZG4CWyLXkYLMwtiYt+hMsTUdAEZQzjs9apv66SHJRk73ZjBQ+iRu29s+1VEr5OImmXs4MHUahVoLWgK23wbv6OrU4OulcuHYehWsVHhpXwpE2FNRayTszX2cwDpQEzTB+QvrJHCXUaigk+c++aXZiE98YmUVgV19X7u3ypH/fgfUA5h2usY2jNjmWoGVn50nvC9T2NviA5OPBGPW91OlG+0Xa1WJhhqadk3WjpKCilQIQFP19XZocnfIHgIeFWyNh6goXyX6gdNWfU8aJ5tNjEheAHZVS/ruGj0s8k6VPhh6ms6kwgoLl1aGuCEuSpwXfHZ2qrTJ+HHkNCpOjmbdFcEcGUIhUSj/H65rPO6j+766U8i/QXV0z8cqJc4btwF8AtWgtMb1wj+j41Df/s1EYQwdEDiqM3hDes9quGY3IKoYOvCrU7HlCoZtEWapPkzEpsU8uq8b36a6uBqaBv5l45URLpZT/pmGH8LnkvlAdAOt1oeXqRsuYTjlEMJiXvWN/Z+5szfqioKcOKo7qr/nAEesKiOyv2A/q88rOx8+8bPhK5dUTAA8jbUT6MuKnbKteNVHKP23xCeD1LC0F2TWOmzoAKEiWxmC+sr8rN1OerF2HGaqXFcZhDWaYj11S4ZxcXxVqyKqPZOeNTwM7Jkr5BeDPQJ8NFQaoC/gZ26rXT5TyxxAfRx6P94d0gU0pYYama+tsbwix/AHM4fKUrwAeB68kRJ5AZsWWieGTjLipsVCgrKCwKHF7pZQ/RXf104j76i4ZMmquxkzRXb2zUsqfxdxsfCiA70hRjZbpCDHmJcRdeZPDHkVck0Ul5PeHZ81DgHxKtglXaHCxVN9fr5TyR9hW3QA8Amqp5526SyKtBEbZVv1eZeZkbqKU7xfsFJwPqRW29s+11oUxnUhnkHf2dWoB+R5Jv5dNaGHh1wog8d/ZAI+0GgVpFPTp4AfJT2Hup7u6EvMk0tpkboutEz0HMPzHyD+mu3pFpZR/Aug0Pgm0RLkvFzLWYfjDvs7cqfKUt2LuXTLhue5mdWhVDJdEzxDDcRKawceN9lRePVkDfgBcR/LKVqNpz/s08DO6q4VKKT8j8zHgJ1HyzA1P11YZjfV1arw85auBR4RalDB5lEjDKi0CgPPphKZ0QiNRwUQeg88B2ydKreew9yH1NCxe/r4GaZpt1Vsrh/JnDDcBLwPkbLVgf6s86RXYj4KvtJKJM8KsGLkSlsmUL6mSg1RJY1xD7KmU8sfprnYgBqJsGVsiEfupsca7FfMo26p/OfHKiVqllB8HyPV16VxfV66G/G1QBwY5xvCgTT7X3/MTaBbFVr0fJvqw2ASZ+yul/FN0V68CHsesiDl3UopM3CwhDZDD/Dnwj3S/sjoYAMqTtc1YX02jVqYOiuuqsAKIkqZCfFIz/IrfFY8gDrKt2gI8irSuwQezyTeNaOl+6qYb+fpYGKEXJE9GSTObK5ItrheaLHE5/XRKcHul+kYN8x2kzWlLNNuVtUqibzKW5CBjxUoszO7NWrS1E/xWvMeJjck2WQHEKJeMD+qH4gWCSvg00m3AVxv5TMRKsp9Cs0Q/Ka/1BOZQNBSXMz2b9Q5oO9JCKgkqg2aKofl8uvTPeE1w3t5KKf8y26pFxINhLRa5R9JV6huT/aZuFu7Ds+A9jBdj+VIvZz2b9BL2Xi5yJQEgUFqinI9SZBDx358o5Q/HiRGtquOEmxJu6DcbC/afQWxnvHg+Odrwm2bP5txh5OEYjOM3vaiu8qqHJw1mPmK/Xs7HJf0LRncDMF5cAL6NWUxDrX/duwbczljxjSzvTX+gtXU3MBlrRCltrsxBTgorACKrRGf5bczOiVLrhUL74B2F9oHVjBd/iLwTWEhr+CIWaLYumDjIWLHha+aSwvRs1iJmJ9Kb9ZJRETS3ACsMC8i1ZNwgXZDYWTmU/1WhfeAW8Cjo+UL7wDrGik8jfid0kYz/Z2ODepv+GPIY+FAznpcUJhAo9w5mh81CFtEsWieCTzwXkogmfKBSyh8ttA98EDPqoPouYqYLxYEPMVY8itmEeTM+KEaqZhVAkiPPIL6QDPhLFiYQSC9J7M3mGlF/24zWSvwIM1xoH2gF/sFiTcSPxQakqUJxsIPx4jGCr0AzCUYTbROJ7DPAdsbSAX9ZwgDs3qTDiMGUOxF/1DgfekLVsPf0sw8DPARsDNwy8iYBXov4p0L7wC2MF99CfBJ4rqmbJbO/qYE+x1jx5HK8Xtp/aFgHDM/FX+RM9FFjHjjj4NV3HvlPsP4g+SqQgm6zCuvJQnHgi4wVz2JuAj8RnLGEVaCf8Y8cuRQ2L0mYEBB2Gb8ZHKD4NQBx+0Qpf7LQPrAVVGqiiWTpCcEn4QcLxcF7C7+aXMDahT1YX5IS5DHE/ZfC4yULEwr0DtIOWwuuvwZ8rVLKP1soDqzHPGJoyRao9b4SXiQQ30A8eO1/PJ8D7gK+BtQSJcQM8AXGlg747LUkmi91lad8J3CuZ5OeBii0D64ET2FdH1N0omWJvgLPkvwM8LmZf7lrnm3VO4CHsM4DH2P8I8vGSfK67P9q8v9wWPAcQLH4PbBHbK6Pq+3M9+Ml+6FL2dyC+WmhOLiWseKPMDeDd12uIPBrWCZ5Xds++AHsAwGlBKnoB5747c2J+aSJEuvRL8CDv/2Zz+cqh/LL/gPD//vrfwFjcI5oX6jDBwAAAABJRU5ErkJggg==
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: kubeflow-pipelines
+  namespace: kubeflow
+spec:
+  addOwnerRef: true
+  componentKinds:
+  - group: networking.istio.io/v1alpha3
+    kind: DestinationRule
+  - group: rbac.istio.io/v1alpha1
+    kind: ServiceRoleBinding
+  - group: rbac.istio.io/v1alpha1
+    kind: ServiceRole
+  - group: metacontroller.k8s.io/v1alpha1
+    kind: CompositeController
+  - group: v1
+    kind: ServiceAccount
+  - group: rbac.authorization.k8s.io/v1
+    kind: Role
+  - group: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+  - group: v1
+    kind: Service
+  - group: v1
+    kind: PersistentVolumeClaim
+  - group: v1
+    kind: ConfigMap
+  - group: v1
+    kind: Secret
+  - group: apps/v1
+    kind: Deployment
+  - group: networking.istio.io/v1alpha3
+    kind: VirtualService
+  descriptor:
+    description: Reusable end-to-end ML workflow
+    links:
+    - description: Kubeflow Pipelines Documentation
+      url: https://www.kubeflow.org/docs/pipelines/
+    maintainers:
+    - name: Kubeflow Pipelines
+      url: https://github.com/kubeflow/pipelines
+    type: Kubeflow Pipelines
+    version: 1.0.4
+  selector:
+    matchLabels:
+      app.kubernetes.io/application: kubeflow-pipelines
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/app.k8s.io_v1beta1_application_minio.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/app.k8s.io_v1beta1_application_minio.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/app.k8s.io_v1beta1_application_mysql.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/app.k8s.io_v1beta1_application_mysql.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_cache-deployer-deployment.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_cache-deployer-deployment.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_cache-server.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_cache-server.yaml
@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: cache-server
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: cache-server
+  namespace: kubeflow
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cache-server
+      app.kubernetes.io/component: ml-pipeline
+      app.kubernetes.io/name: kubeflow-pipelines
+  template:
+    metadata:
+      labels:
+        app: cache-server
+        app.kubernetes.io/component: ml-pipeline
+        app.kubernetes.io/name: kubeflow-pipelines
+    spec:
+      containers:
+      - args:
+        - --db_driver=$(DBCONFIG_DRIVER)
+        - --db_host=$(DBCONFIG_HOST_NAME)
+        - --db_port=$(DBCONFIG_PORT)
+        - --db_name=$(DBCONFIG_DB_NAME)
+        - --db_user=$(DBCONFIG_USER)
+        - --db_password=$(DBCONFIG_PASSWORD)
+        - --namespace_to_watch=$(NAMESPACE_TO_WATCH)
+        env:
+        - name: DBCONFIG_DRIVER
+          value: mysql
+        - name: DBCONFIG_DB_NAME
+          valueFrom:
+            configMapKeyRef:
+              key: cacheDb
+              name: pipeline-install-config-2829cc67f8
+        - name: DBCONFIG_HOST_NAME
+          valueFrom:
+            configMapKeyRef:
+              key: dbHost
+              name: pipeline-install-config-2829cc67f8
+        - name: DBCONFIG_PORT
+          valueFrom:
+            configMapKeyRef:
+              key: dbPort
+              name: pipeline-install-config-2829cc67f8
+        - name: DBCONFIG_USER
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: mysql-secret-fd5gktm75t
+        - name: DBCONFIG_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: mysql-secret-fd5gktm75t
+        - name: NAMESPACE_TO_WATCH
+          value: ""
+        image: gcr.io/ml-pipeline/cache-server:1.0.4
+        imagePullPolicy: Always
+        name: server
+        ports:
+        - containerPort: 8443
+          name: webhook-api
+        volumeMounts:
+        - mountPath: /etc/webhook/certs
+          name: webhook-tls-certs
+          readOnly: true
+      serviceAccountName: kubeflow-pipelines-cache
+      volumes:
+      - name: webhook-tls-certs
+        secret:
+          secretName: webhook-server-tls
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_kubeflow-pipelines-profile-controller.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_kubeflow-pipelines-profile-controller.yaml
@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: kubeflow-pipelines-profile-controller
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: kubeflow-pipelines-profile-controller
+  namespace: kubeflow
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kubeflow-pipelines-profile-controller
+      app.kubernetes.io/component: ml-pipeline
+      app.kubernetes.io/name: kubeflow-pipelines
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+      labels:
+        app: kubeflow-pipelines-profile-controller
+        app.kubernetes.io/component: ml-pipeline
+        app.kubernetes.io/name: kubeflow-pipelines
+    spec:
+      containers:
+      - command:
+        - python
+        - /hooks/sync.py
+        env:
+        - name: KFP_VERSION
+          valueFrom:
+            configMapKeyRef:
+              key: appVersion
+              name: pipeline-upstream-install-config-d7hkh24mdg
+        - name: MINIO_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              key: accesskey
+              name: mlpipeline-minio-artifact
+        - name: MINIO_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              key: secretkey
+              name: mlpipeline-minio-artifact
+        envFrom:
+        - configMapRef:
+            name: kubeflow-pipelines-profile-controller-env-mgh6th2gff
+        image: python:3.7
+        name: profile-controller
+        ports:
+        - containerPort: 80
+        volumeMounts:
+        - mountPath: /hooks
+          name: hooks
+      volumes:
+      - configMap:
+          name: kubeflow-pipelines-profile-controller-code-gd97t2m5f5
+        name: hooks
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_metadata-writer.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_metadata-writer.yaml
@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: metadata-writer
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: metadata-writer
+  namespace: kubeflow
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: metadata-writer
+      app.kubernetes.io/component: ml-pipeline
+      app.kubernetes.io/name: kubeflow-pipelines
+  template:
+    metadata:
+      labels:
+        app: metadata-writer
+        app.kubernetes.io/component: ml-pipeline
+        app.kubernetes.io/name: kubeflow-pipelines
+    spec:
+      containers:
+      - env:
+        - name: NAMESPACE_TO_WATCH
+          value: ""
+        image: gcr.io/ml-pipeline/metadata-writer:1.0.4
+        name: main
+      serviceAccountName: kubeflow-pipelines-metadata-writer
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_minio.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_minio.yaml
@ -1,6 +1,8 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
  labels:
    app: minio
    app.kubernetes.io/component: minio
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_ml-pipeline-persistenceagent.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_ml-pipeline-persistenceagent.yaml
@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ml-pipeline-persistenceagent
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-persistenceagent
+  namespace: kubeflow
+spec:
+  selector:
+    matchLabels:
+      app: ml-pipeline-persistenceagent
+      app.kubernetes.io/component: ml-pipeline
+      app.kubernetes.io/name: kubeflow-pipelines
+  template:
+    metadata:
+      labels:
+        app: ml-pipeline-persistenceagent
+        app.kubernetes.io/component: ml-pipeline
+        app.kubernetes.io/name: kubeflow-pipelines
+    spec:
+      containers:
+      - env:
+        - name: NAMESPACE
+          value: ""
+        - name: TTL_SECONDS_AFTER_WORKFLOW_FINISH
+          value: "86400"
+        image: gcr.io/ml-pipeline/persistenceagent:1.0.4
+        imagePullPolicy: IfNotPresent
+        name: ml-pipeline-persistenceagent
+      serviceAccountName: ml-pipeline-persistenceagent
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_ml-pipeline-scheduledworkflow.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_ml-pipeline-scheduledworkflow.yaml
@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ml-pipeline-scheduledworkflow
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-scheduledworkflow
+  namespace: kubeflow
+spec:
+  selector:
+    matchLabels:
+      app: ml-pipeline-scheduledworkflow
+      app.kubernetes.io/component: ml-pipeline
+      app.kubernetes.io/name: kubeflow-pipelines
+  template:
+    metadata:
+      labels:
+        app: ml-pipeline-scheduledworkflow
+        app.kubernetes.io/component: ml-pipeline
+        app.kubernetes.io/name: kubeflow-pipelines
+    spec:
+      containers:
+      - env:
+        - name: NAMESPACE
+          value: ""
+        image: gcr.io/ml-pipeline/scheduledworkflow:1.0.4
+        imagePullPolicy: IfNotPresent
+        name: ml-pipeline-scheduledworkflow
+      serviceAccountName: ml-pipeline-scheduledworkflow
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_ml-pipeline-ui.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_ml-pipeline-ui.yaml
@ -0,0 +1,100 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ml-pipeline-ui
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-ui
+  namespace: kubeflow
+spec:
+  selector:
+    matchLabels:
+      app: ml-pipeline-ui
+      app.kubernetes.io/component: ml-pipeline
+      app.kubernetes.io/name: kubeflow-pipelines
+  template:
+    metadata:
+      labels:
+        app: ml-pipeline-ui
+        app.kubernetes.io/component: ml-pipeline
+        app.kubernetes.io/name: kubeflow-pipelines
+    spec:
+      containers:
+      - env:
+        - name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH
+          value: /etc/config/viewer-pod-template.json
+        - name: DEPLOYMENT
+          value: KUBEFLOW
+        - name: ARTIFACTS_SERVICE_PROXY_NAME
+          value: ml-pipeline-ui-artifact
+        - name: ARTIFACTS_SERVICE_PROXY_PORT
+          value: "80"
+        - name: ARTIFACTS_SERVICE_PROXY_ENABLED
+          value: "true"
+        - name: ENABLE_AUTHZ
+          value: "true"
+        - name: KUBEFLOW_USERID_HEADER
+          valueFrom:
+            configMapKeyRef:
+              key: userid-header
+              name: kubeflow-config-bk4bc7m928
+        - name: KUBEFLOW_USERID_PREFIX
+          valueFrom:
+            configMapKeyRef:
+              key: userid-prefix
+              name: kubeflow-config-bk4bc7m928
+        - name: MINIO_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MINIO_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              key: accesskey
+              name: mlpipeline-minio-artifact
+        - name: MINIO_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              key: secretkey
+              name: mlpipeline-minio-artifact
+        - name: ALLOW_CUSTOM_VISUALIZATIONS
+          value: "true"
+        image: gcr.io/ml-pipeline/frontend:1.0.4
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          exec:
+            command:
+            - wget
+            - -q
+            - -S
+            - -O
+            - '-'
+            - http://localhost:3000/apis/v1beta1/healthz
+          initialDelaySeconds: 3
+          periodSeconds: 5
+          timeoutSeconds: 2
+        name: ml-pipeline-ui
+        ports:
+        - containerPort: 3000
+        readinessProbe:
+          exec:
+            command:
+            - wget
+            - -q
+            - -S
+            - -O
+            - '-'
+            - http://localhost:3000/apis/v1beta1/healthz
+          initialDelaySeconds: 3
+          periodSeconds: 5
+          timeoutSeconds: 2
+        volumeMounts:
+        - mountPath: /etc/config
+          name: config-volume
+          readOnly: true
+      serviceAccountName: ml-pipeline-ui
+      volumes:
+      - configMap:
+          name: ml-pipeline-ui-configmap
+        name: config-volume
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_ml-pipeline-viewer-crd.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_ml-pipeline-viewer-crd.yaml
@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ml-pipeline-viewer-crd
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-viewer-crd
+  namespace: kubeflow
+spec:
+  selector:
+    matchLabels:
+      app: ml-pipeline-viewer-crd
+      app.kubernetes.io/component: ml-pipeline
+      app.kubernetes.io/name: kubeflow-pipelines
+  template:
+    metadata:
+      labels:
+        app: ml-pipeline-viewer-crd
+        app.kubernetes.io/component: ml-pipeline
+        app.kubernetes.io/name: kubeflow-pipelines
+    spec:
+      containers:
+      - env:
+        - name: NAMESPACE
+          value: ""
+          valueFrom: null
+        - name: MAX_NUM_VIEWERS
+          value: "50"
+        - name: MINIO_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: gcr.io/ml-pipeline/viewer-crd-controller:1.0.4
+        imagePullPolicy: Always
+        name: ml-pipeline-viewer-crd
+      serviceAccountName: ml-pipeline-viewer-crd-service-account
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_ml-pipeline-visualizationserver.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_ml-pipeline-visualizationserver.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_ml-pipeline.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_ml-pipeline.yaml
@ -0,0 +1,116 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ml-pipeline
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline
+  namespace: kubeflow
+spec:
+  selector:
+    matchLabels:
+      app: ml-pipeline
+      app.kubernetes.io/component: ml-pipeline
+      app.kubernetes.io/name: kubeflow-pipelines
+  template:
+    metadata:
+      labels:
+        app: ml-pipeline
+        app.kubernetes.io/component: ml-pipeline
+        app.kubernetes.io/name: kubeflow-pipelines
+    spec:
+      containers:
+      - env:
+        - name: KUBEFLOW_USERID_HEADER
+          valueFrom:
+            configMapKeyRef:
+              key: userid-header
+              name: kubeflow-config-bk4bc7m928
+        - name: KUBEFLOW_USERID_PREFIX
+          valueFrom:
+            configMapKeyRef:
+              key: userid-prefix
+              name: kubeflow-config-bk4bc7m928
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: OBJECTSTORECONFIG_SECURE
+          value: "false"
+        - name: OBJECTSTORECONFIG_BUCKETNAME
+          valueFrom:
+            configMapKeyRef:
+              key: bucketName
+              name: pipeline-install-config-2829cc67f8
+        - name: DBCONFIG_USER
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: mysql-secret-fd5gktm75t
+        - name: DBCONFIG_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: mysql-secret-fd5gktm75t
+        - name: DBCONFIG_DBNAME
+          valueFrom:
+            configMapKeyRef:
+              key: pipelineDb
+              name: pipeline-install-config-2829cc67f8
+        - name: DBCONFIG_HOST
+          valueFrom:
+            configMapKeyRef:
+              key: dbHost
+              name: pipeline-install-config-2829cc67f8
+        - name: DBCONFIG_PORT
+          valueFrom:
+            configMapKeyRef:
+              key: dbPort
+              name: pipeline-install-config-2829cc67f8
+        - name: OBJECTSTORECONFIG_ACCESSKEY
+          valueFrom:
+            secretKeyRef:
+              key: accesskey
+              name: mlpipeline-minio-artifact
+        - name: OBJECTSTORECONFIG_SECRETACCESSKEY
+          valueFrom:
+            secretKeyRef:
+              key: secretkey
+              name: mlpipeline-minio-artifact
+        envFrom:
+        - configMapRef:
+            name: pipeline-api-server-config-f4t72426kt
+        image: gcr.io/ml-pipeline/api-server:1.0.4
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          exec:
+            command:
+            - wget
+            - -q
+            - -S
+            - -O
+            - '-'
+            - http://localhost:8888/apis/v1beta1/healthz
+          initialDelaySeconds: 3
+          periodSeconds: 5
+          timeoutSeconds: 2
+        name: ml-pipeline-api-server
+        ports:
+        - containerPort: 8888
+          name: http
+        - containerPort: 8887
+          name: grpc
+        readinessProbe:
+          exec:
+            command:
+            - wget
+            - -q
+            - -S
+            - -O
+            - '-'
+            - http://localhost:8888/apis/v1beta1/healthz
+          initialDelaySeconds: 3
+          periodSeconds: 5
+          timeoutSeconds: 2
+      serviceAccountName: ml-pipeline
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_mysql.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/apps_v1_deployment_mysql.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/metacontroller.k8s.io_v1alpha1_compositecontroller_kubeflow-pipelines-profile-controller.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/metacontroller.k8s.io_v1alpha1_compositecontroller_kubeflow-pipelines-profile-controller.yaml
@ -0,0 +1,48 @@
+apiVersion: metacontroller.k8s.io/v1alpha1
+kind: CompositeController
+metadata:
+  labels:
+    app: kubeflow-pipelines-profile-controller
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: kubeflow-pipelines-profile-controller
+  namespace: kubeflow
+spec:
+  childResources:
+  - apiVersion: v1
+    resource: secrets
+    updateStrategy:
+      method: OnDelete
+  - apiVersion: v1
+    resource: configmaps
+    updateStrategy:
+      method: OnDelete
+  - apiVersion: apps/v1
+    resource: deployments
+    updateStrategy:
+      method: InPlace
+  - apiVersion: v1
+    resource: services
+    updateStrategy:
+      method: InPlace
+  - apiVersion: networking.istio.io/v1alpha3
+    resource: destinationrules
+    updateStrategy:
+      method: InPlace
+  - apiVersion: rbac.istio.io/v1alpha1
+    resource: serviceroles
+    updateStrategy:
+      method: InPlace
+  - apiVersion: rbac.istio.io/v1alpha1
+    resource: servicerolebindings
+    updateStrategy:
+      method: InPlace
+  generateSelector: true
+  hooks:
+    sync:
+      webhook:
+        url: http://kubeflow-pipelines-profile-controller/sync
+  parentResource:
+    apiVersion: v1
+    resource: namespaces
+  resyncPeriodSeconds: 10
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-mysql.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-mysql.yaml
@ -0,0 +1,13 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-mysql
+  namespace: kubeflow
+spec:
+  host: mysql.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-ui.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-ui.yaml
@ -0,0 +1,13 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-ui
+  namespace: kubeflow
+spec:
+  host: ml-pipeline-ui.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-visualizationserver.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline-visualizationserver.yaml
@ -0,0 +1,13 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-visualizationserver
+  namespace: kubeflow
+spec:
+  host: ml-pipeline-visualizationserver.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/networking.istio.io_v1alpha3_destinationrule_ml-pipeline.yaml
@ -0,0 +1,13 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline
+  namespace: kubeflow
+spec:
+  host: ml-pipeline.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/networking.istio.io_v1alpha3_virtualservice_ml-pipeline-ui.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/networking.istio.io_v1alpha3_virtualservice_ml-pipeline-ui.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-deployer-clusterrole.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-deployer-clusterrole.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-role.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-cache-role.yaml
@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: kubeflow-pipelines-cache-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-metadata-writer-role.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pipelines-metadata-writer-role.yaml
@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: kubeflow-pipelines-metadata-writer-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-persistenceagent-role.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-persistenceagent-role.yaml
@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-persistenceagent-role
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - get
+  - list
+  - watch
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-scheduledworkflow-role.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-scheduledworkflow-role.yaml
@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-scheduledworkflow-role
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-ui.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-ui.yaml
@ -0,0 +1,46 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: ml-pipeline-ui
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-ui
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/log
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - viewers
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - delete
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-viewer-controller-role.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrole_ml-pipeline-viewer-controller-role.yaml
@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-viewer-controller-role
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - deployments
+  - services
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - viewers
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-cache-binding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-cache-binding.yaml
@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: kubeflow-pipelines-cache-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubeflow-pipelines-cache-role
+subjects:
+- kind: ServiceAccount
+  name: kubeflow-pipelines-cache
+  namespace: kubeflow
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-cache-deployer-clusterrolebinding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-cache-deployer-clusterrolebinding.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-metadata-writer-binding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_kubeflow-pipelines-metadata-writer-binding.yaml
@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: kubeflow-pipelines-metadata-writer-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubeflow-pipelines-metadata-writer-role
+subjects:
+- kind: ServiceAccount
+  name: kubeflow-pipelines-metadata-writer
+  namespace: kubeflow
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-persistenceagent-binding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-persistenceagent-binding.yaml
@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-persistenceagent-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ml-pipeline-persistenceagent-role
+subjects:
+- kind: ServiceAccount
+  name: ml-pipeline-persistenceagent
+  namespace: kubeflow
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-scheduledworkflow-binding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-scheduledworkflow-binding.yaml
@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-scheduledworkflow-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ml-pipeline-scheduledworkflow-role
+subjects:
+- kind: ServiceAccount
+  name: ml-pipeline-scheduledworkflow
+  namespace: kubeflow
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-ui.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-ui.yaml
@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: ml-pipeline-ui
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-ui
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ml-pipeline-ui
+subjects:
+- kind: ServiceAccount
+  name: ml-pipeline-ui
+  namespace: kubeflow
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-viewer-crd-binding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_clusterrolebinding_ml-pipeline-viewer-crd-binding.yaml
@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-viewer-crd-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ml-pipeline-viewer-controller-role
+subjects:
+- kind: ServiceAccount
+  name: ml-pipeline-viewer-crd-service-account
+  namespace: kubeflow
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_kubeflow-pipelines-cache-deployer-role.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_kubeflow-pipelines-cache-deployer-role.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_kubeflow-pipelines-cache-role.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_kubeflow-pipelines-cache-role.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_kubeflow-pipelines-metadata-writer-role.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_kubeflow-pipelines-metadata-writer-role.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_ml-pipeline-persistenceagent-role.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_ml-pipeline-persistenceagent-role.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_ml-pipeline-scheduledworkflow-role.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_ml-pipeline-scheduledworkflow-role.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_ml-pipeline-ui.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_ml-pipeline-ui.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_ml-pipeline-viewer-controller-role.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_ml-pipeline-viewer-controller-role.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_ml-pipeline.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_ml-pipeline.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_pipeline-runner.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_role_pipeline-runner.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_kubeflow-pipelines-cache-binding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_kubeflow-pipelines-cache-binding.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_kubeflow-pipelines-cache-deployer-rolebinding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_kubeflow-pipelines-cache-deployer-rolebinding.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_kubeflow-pipelines-metadata-writer-binding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_kubeflow-pipelines-metadata-writer-binding.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_ml-pipeline-persistenceagent-binding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_ml-pipeline-persistenceagent-binding.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_ml-pipeline-scheduledworkflow-binding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_ml-pipeline-scheduledworkflow-binding.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_ml-pipeline-ui.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_ml-pipeline-ui.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_ml-pipeline-viewer-crd-binding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_ml-pipeline-viewer-crd-binding.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_ml-pipeline.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_ml-pipeline.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_pipeline-runner-binding.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1_rolebinding_pipeline-runner-binding.yaml
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_ml-pipeline.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrole_ml-pipeline.yaml
@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - create
+  - get
+  - list
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - delete
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_ml-pipeline.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_ml-pipeline.yaml
@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ml-pipeline
+subjects:
+- kind: ServiceAccount
+  name: ml-pipeline
+  namespace: kubeflow
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.istio.io_v1alpha1_servicerole_cache-server.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.istio.io_v1alpha1_servicerole_cache-server.yaml
@ -0,0 +1,12 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRole
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: cache-server
+  namespace: kubeflow
+spec:
+  rules:
+  - services:
+    - cache-server.kubeflow.svc.cluster.local
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-services.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-services.yaml
@ -0,0 +1,15 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRole
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-services
+  namespace: kubeflow
+spec:
+  rules:
+  - services:
+    - ml-pipeline.kubeflow.svc.cluster.local
+    - ml-pipeline-ui.kubeflow.svc.cluster.local
+    - ml-pipeline-visualizationserver.kubeflow.svc.cluster.local
+    - mysql.kubeflow.svc.cluster.local
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-ui.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.istio.io_v1alpha1_servicerole_ml-pipeline-ui.yaml
@ -0,0 +1,12 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRole
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: ml-pipeline-ui
+  namespace: kubeflow
+spec:
+  rules:
+  - services:
+    - ml-pipeline-ui.kubeflow.svc.cluster.local
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-cache-server-admission-webhook.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-cache-server-admission-webhook.yaml
@ -0,0 +1,14 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: bind-cache-server-admission-webhook
+  namespace: kubeflow
+spec:
+  roleRef:
+    kind: ServiceRole
+    name: cache-server
+  subjects:
+  - user: '*'
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-gateway-ml-pipeline-ui.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-gateway-ml-pipeline-ui.yaml
@ -0,0 +1,15 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: bind-gateway-ml-pipeline-ui
+  namespace: kubeflow
+spec:
+  roleRef:
+    kind: ServiceRole
+    name: ml-pipeline-ui
+  subjects:
+  - properties:
+      source.namespace: istio-system
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-ml-pipeline-internal.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/rbac.istio.io_v1alpha1_servicerolebinding_bind-ml-pipeline-internal.yaml
@ -0,0 +1,25 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: bind-ml-pipeline-internal
+  namespace: kubeflow
+spec:
+  roleRef:
+    kind: ServiceRole
+    name: ml-pipeline-services
+  subjects:
+  - properties:
+      source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline
+  - properties:
+      source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-ui
+  - properties:
+      source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent
+  - properties:
+      source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
+  - properties:
+      source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
+  - properties:
+      source.principal: cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/~g_v1_configmap_kubeflow-config-bk4bc7m928.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/~g_v1_configmap_kubeflow-config-bk4bc7m928.yaml
@ -1,9 +1,11 @@
 apiVersion: v1
 data:
+  cluster-name: ""
  clusterDomain: cluster.local
+  istio-namespace: istio-system
  userid-header: kubeflow-userid
  userid-prefix: ""
 kind: ConfigMap
 metadata:
-  name: kubeflow-config-d7dttg89h2
+  name: kubeflow-config-bk4bc7m928
  namespace: kubeflow
--- a/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-code-gd97t2m5f5.yaml
+++ b/tests/stacks/ibm/application/kfp-argo-multi-user/test_data/expected/~g_v1_configmap_kubeflow-pipelines-profile-controller-code-gd97t2m5f5.yaml
@ -0,0 +1,292 @@
+apiVersion: v1
+data:
+  sync.py: |
+    # Copyright 2020 Google LLC
+    #
+    # Licensed under the Apache License, Version 2.0 (the "License");
+    # you may not use this file except in compliance with the License.
+    # You may obtain a copy of the License at
+    #
+    #      http://www.apache.org/licenses/LICENSE-2.0
+    #
+    # Unless required by applicable law or agreed to in writing, software
+    # distributed under the License is distributed on an "AS IS" BASIS,
+    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    # See the License for the specific language governing permissions and
+    # limitations under the License.
+
+    from http.server import BaseHTTPRequestHandler, HTTPServer
+    import json
+    import os
+    import base64
+
+    kfp_version = os.environ["KFP_VERSION"]
+    disable_istio_sidecar = os.environ.get("DISABLE_ISTIO_SIDECAR") == "true"
+    mlpipeline_minio_access_key = base64.b64encode(
+        bytes(os.environ.get("MINIO_ACCESS_KEY"), 'utf-8')).decode('utf-8')
+    mlpipeline_minio_secret_key = base64.b64encode(
+        bytes(os.environ.get("MINIO_SECRET_KEY"), 'utf-8')).decode('utf-8')
+
+
+    class Controller(BaseHTTPRequestHandler):
+        def sync(self, parent, children):
+            # HACK: Currently using serving.kubeflow.org/inferenceservice to identify
+            # kubeflow user namespaces.
+            # TODO: let Kubeflow profile controller add a pipeline specific label to
+            # user namespaces and use that label instead.
+            pipeline_enabled = parent.get("metadata", {}).get(
+                "labels", {}).get("serving.kubeflow.org/inferenceservice")
+
+            if not pipeline_enabled:
+                return {"status": {}, "children": []}
+
+            # Compute status based on observed state.
+            desired_status = {
+                "kubeflow-pipelines-ready": \
+                    len(children["Secret.v1"]) == 1 and \
+                    len(children["ConfigMap.v1"]) == 1 and \
+                    len(children["Deployment.apps/v1"]) == 2 and \
+                    len(children["Service.v1"]) == 2 and \
+                    len(children["DestinationRule.networking.istio.io/v1alpha3"]) == 1 and \
+                    len(children["ServiceRole.rbac.istio.io/v1alpha1"]) == 1 and \
+                    len(children["ServiceRoleBinding.rbac.istio.io/v1alpha1"]) == 1 and \
+                    "True" or "False"
+            }
+
+            # Generate the desired child object(s).
+            # parent is a namespace
+            namespace = parent.get("metadata", {}).get("name")
+            desired_resources = [
+                {
+                    "apiVersion": "v1",
+                    "kind": "ConfigMap",
+                    "metadata": {
+                        "name": "metadata-grpc-configmap",
+                        "namespace": namespace,
+                    },
+                    "data": {
+                        "METADATA_GRPC_SERVICE_HOST":
+                        "metadata-grpc-service.kubeflow",
+                        "METADATA_GRPC_SERVICE_PORT": "8080",
+                    },
+                },
+                # Visualization server related manifests below
+                {
+                    "apiVersion": "apps/v1",
+                    "kind": "Deployment",
+                    "metadata": {
+                        "labels": {
+                            "app": "ml-pipeline-visualizationserver"
+                        },
+                        "name": "ml-pipeline-visualizationserver",
+                        "namespace": namespace,
+                    },
+                    "spec": {
+                        "selector": {
+                            "matchLabels": {
+                                "app": "ml-pipeline-visualizationserver"
+                            },
+                        },
+                        "template": {
+                            "metadata": {
+                                "labels": {
+                                    "app": "ml-pipeline-visualizationserver"
+                                },
+                                "annotations": disable_istio_sidecar and {
+                                    "sidecar.istio.io/inject": "false"
+                                } or {},
+                            },
+                            "spec": {
+                                "containers": [{
+                                    "image":
+                                    "gcr.io/ml-pipeline/visualization-server:" +
+                                    kfp_version,
+                                    "imagePullPolicy":
+                                    "IfNotPresent",
+                                    "name":
+                                    "ml-pipeline-visualizationserver",
+                                    "ports": [{
+                                        "containerPort": 8888
+                                    }],
+                                }],
+                                "serviceAccountName":
+                                "default-editor",
+                            },
+                        },
+                    },
+                },
+                {
+                    "apiVersion": "networking.istio.io/v1alpha3",
+                    "kind": "DestinationRule",
+                    "metadata": {
+                        "name": "ml-pipeline-visualizationserver",
+                        "namespace": namespace,
+                    },
+                    "spec": {
+                        "host": "ml-pipeline-visualizationserver",
+                        "trafficPolicy": {
+                            "tls": {
+                                "mode": "ISTIO_MUTUAL"
+                            }
+                        }
+                    }
+                },
+                {
+                    "apiVersion": "rbac.istio.io/v1alpha1",
+                    "kind": "ServiceRole",
+                    "metadata": {
+                        "name": "ml-pipeline-visualizationserver",
+                        "namespace": namespace,
+                    },
+                    "spec": {
+                        "rules": [{
+                            "services": ["ml-pipeline-visualizationserver.*"]
+                        }]
+                    }
+                },
+                {
+                    "apiVersion": "rbac.istio.io/v1alpha1",
+                    "kind": "ServiceRoleBinding",
+                    "metadata": {
+                        "name": "ml-pipeline-visualizationserver",
+                        "namespace": namespace,
+                    },
+                    "spec": {
+                        "subjects": [{
+                            "properties": {
+                                "source.principal":
+                                "cluster.local/ns/kubeflow/sa/ml-pipeline"
+                            }
+                        }],
+                        "roleRef": {
+                            "kind": "ServiceRole",
+                            "name": "ml-pipeline-visualizationserver"
+                        }
+                    }
+                },
+                {
+                    "apiVersion": "v1",
+                    "kind": "Service",
+                    "metadata": {
+                        "name": "ml-pipeline-visualizationserver",
+                        "namespace": namespace,
+                    },
+                    "spec": {
+                        "ports": [{
+                            "name": "http",
+                            "port": 8888,
+                            "protocol": "TCP",
+                            "targetPort": 8888,
+                        }],
+                        "selector": {
+                            "app": "ml-pipeline-visualizationserver",
+                        },
+                    },
+                },
+                # Artifact fetcher related resources below.
+                {
+                    "apiVersion": "apps/v1",
+                    "kind": "Deployment",
+                    "metadata": {
+                        "labels": {
+                            "app": "ml-pipeline-ui-artifact"
+                        },
+                        "name": "ml-pipeline-ui-artifact",
+                        "namespace": namespace,
+                    },
+                    "spec": {
+                        "selector": {
+                            "matchLabels": {
+                                "app": "ml-pipeline-ui-artifact"
+                            }
+                        },
+                        "template": {
+                            "metadata": {
+                                "labels": {
+                                    "app": "ml-pipeline-ui-artifact"
+                                },
+                                "annotations": disable_istio_sidecar and {
+                                    "sidecar.istio.io/inject": "false"
+                                } or {},
+                            },
+                            "spec": {
+                                "containers": [{
+                                    "name":
+                                    "ml-pipeline-ui-artifact",
+                                    "image":
+                                    "gcr.io/ml-pipeline/frontend:" + kfp_version,
+                                    "imagePullPolicy":
+                                    "IfNotPresent",
+                                    "ports": [{
+                                        "containerPort": 3000
+                                    }]
+                                }],
+                                "serviceAccountName":
+                                "default-editor"
+                            }
+                        }
+                    }
+                },
+                {
+                    "apiVersion": "v1",
+                    "kind": "Service",
+                    "metadata": {
+                        "name": "ml-pipeline-ui-artifact",
+                        "namespace": namespace,
+                        "labels": {
+                            "app": "ml-pipeline-ui-artifact"
+                        }
+                    },
+                    "spec": {
+                        "ports": [{
+                            "name":
+                            "http",  # name is required to let istio understand request protocol
+                            "port": 80,
+                            "protocol": "TCP",
+                            "targetPort": 3000
+                        }],
+                        "selector": {
+                            "app": "ml-pipeline-ui-artifact"
+                        }
+                    }
+                },
+            ]
+            print('Received request:', parent)
+            print('Desired resources except secrets:', desired_resources)
+            # Moved after the print argument because this is sensitive data.
+            desired_resources.append({
+                "apiVersion": "v1",
+                "kind": "Secret",
+                "metadata": {
+                    "name": "mlpipeline-minio-artifact",
+                    "namespace": namespace,
+                },
+                "data": {
+                    "accesskey": mlpipeline_minio_access_key,
+                    "secretkey": mlpipeline_minio_secret_key,
+                },
+            })
+
+            return {"status": desired_status, "children": desired_resources}
+
+        def do_POST(self):
+            # Serve the sync() function as a JSON webhook.
+            observed = json.loads(
+                self.rfile.read(int(self.headers.get("content-length"))))
+            desired = self.sync(observed["parent"], observed["children"])
+
+            self.send_response(200)
+            self.send_header("Content-type", "application/json")
+            self.end_headers()
+            self.wfile.write(bytes(json.dumps(desired), 'utf-8'))
+
+
+    HTTPServer(("", 80), Controller).serve_forever()
+kind: ConfigMap
+metadata:
+  labels:
+    app: kubeflow-pipelines-profile-controller
+    app.kubernetes.io/component: ml-pipeline
+    app.kubernetes.io/name: kubeflow-pipelines
+  name: kubeflow-pipelines-profile-controller-code-gd97t2m5f5
+  namespace: kubeflow
--- a/Show More
+++ b/Show More