Migrate istio and dex to V3 (#1426)

* Migrate Istio and Dex to V3

* Roll back AWS change

dex-auth/dex-authenticator/base_v3/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: auth
+resources:
+- ../base/namespace.yaml
+- ../base/config-map.yaml
+- ../base/deployment.yaml
+- ../base/service.yaml
+configMapGenerator:
+- name: dex-authn-config
+  envs:
+  - ../base/params.env
+vars:
+- name: issuer
+  objref:
+    kind: ConfigMap
+    name: dex-authn-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.issuer
+- name: client_id
+  objref:
+    kind: ConfigMap
+    name: dex-authn-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.client_id
+- name: application_secret
+  objref:
+    kind: ConfigMap
+    name: dex-authn-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.application_secret
+- name: cluster_name
+  objref:
+    kind: ConfigMap
+    name: dex-authn-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.cluster_name
+- name: k8s_master_uri
+  objref:
+    kind: ConfigMap
+    name: dex-authn-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.k8s_master_uri
+- name: client_redirect_uri
+  objref:
+    kind: ConfigMap
+    name: dex-authn-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.client_redirect_uri
+- name: client_listen_addr
+  objref:
+    kind: ConfigMap
+    name: dex-authn-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.client_listen_addr
+configurations:
+- ../base/params.yaml
+images:
+- name: mintel/dex-k8s-authenticator
+  newName: mintel/dex-k8s-authenticator
+  newTag: 1.2.0

dex-auth/dex-crds/base_v3/kustomization.yaml

@@ -0,0 +1,85 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: auth
+resources:
+- ../base/namespace.yaml
+- ../base/config-map.yaml
+- ../base/crds.yaml
+- ../base/deployment.yaml
+- ../base/service.yaml
+configMapGenerator:
+- name: dex-config
+  envs:
+  - ../base/params.env
+generatorOptions:
+  disableNameSuffixHash: true
+vars:
+- name: dex_domain
+  objref:
+    kind: ConfigMap
+    name: dex-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.dex_domain
+- name: issuer
+  objref:
+    kind: ConfigMap
+    name: dex-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.issuer
+- name: static_email
+  objref:
+    kind: ConfigMap
+    name: dex-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.static_email
+- name: static_password_hash
+  objref:
+    kind: ConfigMap
+    name: dex-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.static_password_hash
+- name: static_username
+  objref:
+    kind: ConfigMap
+    name: dex-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.static_username
+- name: static_user_id
+  objref:
+    kind: ConfigMap
+    name: dex-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.static_user_id
+- name: client_id
+  objref:
+    kind: ConfigMap
+    name: dex-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.client_id
+- name: oidc_redirect_uris
+  objref:
+    kind: ConfigMap
+    name: dex-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.oidc_redirect_uris
+- name: application_secret
+  objref:
+    kind: ConfigMap
+    name: dex-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.application_secret
+configurations:
+- ../base/params.yaml
+images:
+- name: quay.io/dexidp/dex
+  newName: quay.io/dexidp/dex
+  newTag: v2.22.0

dex-auth/keycloak-gatekeeper/base_v3/kustomization.yaml

@@ -0,0 +1,71 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: auth
+resources:
+- ../base/config-map.yaml
+- ../base/namespace.yaml
+- ../base/deployment.yaml
+- ../base/service.yaml
+- ../base/virtualservice.yaml
+configMapGenerator:
+- name: keycloak-gatekeeper-config
+  envs:
+  - ../base/params.env
+generatorOptions:
+  disableNameSuffixHash: true
+vars:
+- name: client_id
+  objref:
+    kind: ConfigMap
+    name: keycloak-gatekeeper-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.client_id
+- name: client_secret
+  objref:
+    kind: ConfigMap
+    name: keycloak-gatekeeper-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.client_secret
+- name: secure_cookie
+  objref:
+    kind: ConfigMap
+    name: keycloak-gatekeeper-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.secure_cookie
+- name: discovery_url
+  objref:
+    kind: ConfigMap
+    name: keycloak-gatekeeper-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.discovery_url
+- name: upstream_url
+  objref:
+    kind: ConfigMap
+    name: keycloak-gatekeeper-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.upstream_url
+- name: redirection_url
+  objref:
+    kind: ConfigMap
+    name: keycloak-gatekeeper-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.redirection_url
+- name: encryption_key
+  objref:
+    kind: ConfigMap
+    name: keycloak-gatekeeper-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.encryption_key
+configurations:
+- ../base/params.yaml
+images:
+- name: keycloak/keycloak-gatekeeper
+  newName: keycloak/keycloak-gatekeeper
+  newTag: 5.0.0

istio-1-3-1/cluster-local-gateway-1-3-1/base_v3/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: cluster-local-gateway-config
+  envs:
+  - ../base/params.env
+resources:
+- ../base/namespace.yaml
+- ../base/cluster-role-binding.yaml
+- ../base/cluster-role.yaml
+- ../base/deployment.yaml
+- ../base/horizontal-pod-autoscaler.yaml
+- ../base/pod-disruption-budget.yaml
+- ../base/service-account.yaml
+- ../base/service.yaml
+vars:
+- name: namespace
+  objref:
+    kind: ConfigMap
+    name: cluster-local-gateway-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.namespace
+commonLabels:
+  kustomize.component: cluster-local-gateway
+configurations:
+- ../base/params.yaml

istio-1-3-1/istio-install-1-3-1/base_v3/kustomization.yaml

@@ -0,0 +1,59 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: istio-install-config
+  envs:
+  - ../base/params.env
+images:
+- name: docker.io/prom/prometheus
+  newTag: v2.8.0
+- name: gcr.io/istio-release/citadel
+  newTag: release-1.3-latest-daily
+- name: gcr.io/istio-release/galley
+  newTag: release-1.3-latest-daily
+- name: gcr.io/istio-release/kubectl
+  newTag: release-1.3-latest-daily
+- name: gcr.io/istio-release/mixer
+  newTag: release-1.3-latest-daily
+- name: gcr.io/istio-release/node-agent-k8s
+  newTag: release-1.3-latest-daily
+- name: gcr.io/istio-release/pilot
+  newTag: release-1.3-latest-daily
+- name: gcr.io/istio-release/proxyv2
+  newTag: release-1.3-latest-daily
+- name: gcr.io/istio-release/sidecar_injector
+  newTag: release-1.3-latest-daily
+resources:
+- ../base/namespace.yaml
+- ../base/attribute-manifest.yaml
+- ../base/config-map.yaml
+- ../base/cluster-role.yaml
+- ../base/cluster-role-binding.yaml
+- ../base/daemon-set.yaml
+- ../base/deployment.yaml
+- ../base/handler.yaml
+- ../base/horizontal-pod-autoscaler.yaml
+- ../base/instance.yaml
+- ../base/job.yaml
+- ../base/mutating-webhook-configuration.yaml
+- ../base/pod-disruption-budget.yaml
+- ../base/role.yaml
+- ../base/role-binding.yaml
+- ../base/rule.yaml
+- ../base/service.yaml
+- ../base/service-account.yaml
+- ../base/service-role.yaml
+- ../base/service-role-binding.yaml
+vars:
+- name: namespace
+  objref:
+    kind: ConfigMap
+    name: istio-install-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.namespace
+configurations:
+- ../base/params.yaml

istio/cluster-local-gateway/base_v3/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: cluster-local-gateway-config
+  envs:
+  - ../base/params.env
+resources:
+- ../base/namespace.yaml
+- ../base/cluster-role-binding.yaml
+- ../base/cluster-role.yaml
+- ../base/deployment.yaml
+- ../base/horizontal-pod-autoscaler.yaml
+- ../base/pod-disruption-budget.yaml
+- ../base/service-account.yaml
+- ../base/service.yaml
+vars:
+- name: namespace
+  objref:
+    kind: ConfigMap
+    name: cluster-local-gateway-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.namespace
+commonLabels:
+  kustomize.component: cluster-local-gateway
+configurations:
+- ../base/params.yaml

istio/ingressgateway-self-signed-cert/base_v3/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+- ../base/certificate.yaml
+configMapGenerator:
+- name: ingressgateway-self-signed-cert-config
+  envs:
+  - ../base/params.env
+generatorOptions:
+  disableNameSuffixHash: true
+vars:
+- name: domain
+  objref:
+    kind: ConfigMap
+    name: ingressgateway-self-signed-cert-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.domain
+configurations:
+- ../base/params.yaml

istio/istio/base_v3/kustomization.yaml

@@ -0,0 +1,29 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../base/kf-istio-resources.yaml
+- ../base/cluster-roles.yaml
+namespace: kubeflow
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: istio-config
+  envs:
+  - ../base/params.env
+vars:
+- name: clusterRbacConfig
+  objref:
+    kind: ConfigMap
+    name: istio-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.clusterRbacConfig
+- name: gatewaySelector
+  objref:
+    kind: ConfigMap
+    name: istio-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.gatewaySelector
+configurations:
+- ../base/params.yaml

istio/oidc-authservice/base_v3/kustomization.yaml

@@ -0,0 +1,85 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../base/service.yaml
+- ../base/statefulset.yaml
+- ../base/envoy-filter.yaml
+- ../base/pvc.yaml
+- ../overlays/application/application.yaml
+namespace: istio-system
+configMapGenerator:
+- name: oidc-authservice-config
+  envs:
+  - ../base/params.env
+generatorOptions:
+  disableNameSuffixHash: true
+vars:
+- name: client_id
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.client_id
+- name: oidc_provider
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.oidc_provider
+- name: oidc_redirect_uri
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.oidc_redirect_uri
+- name: oidc_auth_url
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.oidc_auth_url
+- name: application_secret
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.application_secret
+- name: skip_auth_uri
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.skip_auth_uri
+- name: userid-header
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.userid-header
+- name: userid-prefix
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.userid-prefix
+- name: namespace
+  objref:
+    kind: ConfigMap
+    name: oidc-authservice-config
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.namespace
+configurations:
+- ../base/params.yaml
+images:
+- name: gcr.io/arrikto/kubeflow/oidc-authservice
+  newName: gcr.io/arrikto/kubeflow/oidc-authservice
+  newTag: 28c59ef