diff --git a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/application.yaml b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/application.yaml index 2486429c7f..c1978b441b 100644 --- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/application.yaml +++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/application.yaml @@ -12,7 +12,7 @@ metadata: spec: descriptor: type: Kubeflow Pipelines - version: '0.1.29' + version: '0.2' description: |- Machine Learning Pipeline on Kubernetes maintainers: diff --git a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/argo.yaml b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/argo.yaml index 54deca5200..fa7a294a4c 100644 --- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/argo.yaml +++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/argo.yaml 
@@ -15,6 +15,76 @@ spec: version: v1alpha1 --- apiVersion: v1 +kind: ServiceAccount +metadata: + name: argo + labels: + app.kubernetes.io/name: {{ .Release.Name }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argo-role + labels: + app.kubernetes.io/name: {{ .Release.Name }} +rules: + - apiGroups: + - "" + resources: + - pods + - pods/exec + verbs: + - create + - get + - list + - watch + - update + - patch + - delete + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + verbs: + - get + - list + - watch + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argo-binding + labels: + app.kubernetes.io/name: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argo-role +subjects: + - kind: ServiceAccount + name: argo + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 data: config: | { @@ -105,5 +175,5 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: {{ .Values.serviceAccount.argo}} + serviceAccountName: argo terminationGracePeriodSeconds: 30 diff --git a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/metadata.yaml b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/metadata.yaml index 6b8671ddf9..c735c01e6e 100644 --- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/metadata.yaml +++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/metadata.yaml 
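Review bot: The ServiceAccount, Role and RoleBinding added in the first argo.yaml hunk use fixed names (`argo`, `argo-role`, `argo-binding`), and only the label carries `{{ .Release.Name }}`. If the deployer ever renders two releases into one namespace, they would share a single identity and its permissions. Scoping the names, e.g. `name: {{ .Release.Name }}-argo`, with the same expression in `roleRef`, `subjects` and the `serviceAccountName` line of the second hunk, keeps each release's RBAC separate. The accounts added in pipeline.yaml and proxy.yaml follow the same fixed-name pattern. A short comment above the `pods/exec` rule saying which Argo component needs it would also help, since that grant covers every pod in the namespace.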
@@ -36,17 +36,25 @@ spec: containers: - name: container image: {{ .Values.images.metadataserver }} + imagePullPolicy: 'Always' env: + {{ if .Values.managedstorage.enabled }} - name: DBCONFIG_USER - valueFrom: - secretKeyRef: - name: mysql-credential - key: username + valueFrom: + secretKeyRef: + name: mysql-credential + key: username - name: DBCONFIG_PASSWORD - valueFrom: - secretKeyRef: - name: mysql-credential - key: password + valueFrom: + secretKeyRef: + name: mysql-credential + key: password + {{ else }} + - name: DBCONFIG_USER + value: 'root' + - name: DBCONFIG_PASSWORD + value: '' + {{ end }} command: ["/bin/metadata_store_server"] args: ["--grpc_port=8080", "--mysql_config_host=mysql", diff --git a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml index cdba0ba851..7e1ac1977b 100644 --- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml +++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml 
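Review bot: The new `{{ else }}` branch hard-codes `DBCONFIG_USER` as `'root'` with an empty `DBCONFIG_PASSWORD`. With `managedstorage.enabled: false`, which is the default shown in values.yaml, the metadata server therefore connects to MySQL as a superuser with no password. Presumably the in-cluster MySQL accepts the same login from any pod that can reach the `mysql` service. Keeping the `secretKeyRef` form in both branches, with the chart creating `mysql-credential` from a generated password for the in-cluster case, would remove the plaintext default. At minimum, add a comment such as `# in-cluster MySQL only: root with an empty password; restrict access to the mysql service`. The Deployment spec begins and continues outside this hunk, so the MySQL side of the setting is not visible here.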
@@ -41,6 +41,375 @@ spec: storage: true --- apiVersion: v1 +kind: ServiceAccount +metadata: + name: ml-pipeline-persistenceagent + labels: + app.kubernetes.io/name: {{ .Release.Name }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ml-pipeline-scheduledworkflow + labels: + app.kubernetes.io/name: {{ .Release.Name }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ml-pipeline-ui + labels: + app.kubernetes.io/name: {{ .Release.Name }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ml-pipeline-viewer-crd-service-account + labels: + app.kubernetes.io/name: {{ .Release.Name }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ml-pipeline + labels: + app.kubernetes.io/name: {{ .Release.Name }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pipeline-runner + labels: + app.kubernetes.io/name: {{ .Release.Name }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ml-pipeline-persistenceagent-role + labels: + app.kubernetes.io/name: {{ .Release.Name }} +rules: + - apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - get + - list + - watch + - apiGroups: + - kubeflow.org + resources: + - scheduledworkflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: {{ .Release.Name }} + app: ml-pipeline-scheduledworkflow-role + name: ml-pipeline-scheduledworkflow-role +rules: + - apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get + - list + - watch + - update + - patch + - delete + - apiGroups: + - kubeflow.org + resources: + - scheduledworkflows + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: {{ .Release.Name }} + app: ml-pipeline-ui + name: ml-pipeline-ui +rules: + - apiGroups: + - "" + resources: + - pods + - pods/log 
+ verbs:
+ - create
+ - get
+ - list
+ - apiGroups:
+ - kubeflow.org
+ resources:
+ - viewers
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: ml-pipeline-viewer-controller-role
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+rules:
+ - apiGroups:
+ - '*'
+ resources:
+ - deployments
+ - services
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - kubeflow.org
+ resources:
+ - viewers
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app: ml-pipeline
+ name: ml-pipeline
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - delete
+ - apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - kubeflow.org
+ resources:
+ - scheduledworkflows
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - patch
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: pipeline-runner
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ - persistentvolumeclaims
+ verbs:
+ - '*'
+ - apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - create
+ - delete
+ - get
+ - apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/exec
+ - pods/log
+ - services
+ verbs:
+ - '*'
+ - apiGroups:
+ - ""
+ - apps
+ - extensions
+ resources:
+ - deployments
+ - replicasets
+ verbs:
+ - '*'
+ - apiGroups:
+ - kubeflow.org
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ml-pipeline-persistenceagent-binding
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: ml-pipeline-persistenceagent-role
+subjects:
+ - kind: ServiceAccount
+ name: ml-pipeline-persistenceagent
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ml-pipeline-scheduledworkflow-binding
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: ml-pipeline-scheduledworkflow-role
+subjects:
+ - kind: ServiceAccount
+ name: ml-pipeline-scheduledworkflow
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app: ml-pipeline-ui
+ name: ml-pipeline-ui
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: ml-pipeline-ui
+subjects:
+ - kind: ServiceAccount
+ name: ml-pipeline-ui
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app: ml-pipeline
+ name: ml-pipeline
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: ml-pipeline
+subjects:
+ - kind: ServiceAccount
+ name: ml-pipeline
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: pipeline-runner-binding
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: pipeline-runner
+subjects:
+ - kind: ServiceAccount
+ name: pipeline-runner
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: 
rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ml-pipeline-viewer-crd-binding + labels: + app.kubernetes.io/name: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ml-pipeline-viewer-controller-role +subjects: + - kind: ServiceAccount + name: ml-pipeline-viewer-crd-service-account + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 kind: Service metadata: labels: @@ -114,7 +483,7 @@ spec: image: {{ .Values.images.persistenceagent }} imagePullPolicy: IfNotPresent name: ml-pipeline-persistenceagent - serviceAccountName: {{ .Values.serviceAccount.mlPipelinePersistenceAgent}} + serviceAccountName: ml-pipeline-persistenceagent --- apiVersion: apps/v1beta2 kind: Deployment @@ -141,7 +510,7 @@ spec: image: {{ .Values.images.scheduledworkflow }} imagePullPolicy: IfNotPresent name: ml-pipeline-scheduledworkflow - serviceAccountName: {{ .Values.serviceAccount.mlPipelineScheduledWorkflow}} + serviceAccountName: ml-pipeline-scheduledworkflow --- apiVersion: apps/v1beta2 kind: Deployment @@ -170,7 +539,7 @@ spec: name: ml-pipeline-ui ports: - containerPort: 3000 - serviceAccountName: {{ .Values.serviceAccount.mlPipelineUI}} + serviceAccountName: ml-pipeline-ui --- apiVersion: apps/v1beta2 kind: Deployment @@ -199,7 +568,7 @@ spec: image: {{ .Values.images.viewercrd }} imagePullPolicy: Always name: ml-pipeline-viewer-crd - serviceAccountName: {{ .Values.serviceAccount.mlPipelineViewerCrd}} + serviceAccountName: ml-pipeline-viewer-crd-service-account --- apiVersion: apps/v1beta2 kind: Deployment @@ -251,7 +620,7 @@ spec: fieldRef: fieldPath: metadata.namespace - name: DEFAULTPIPELINERUNNERSERVICEACCOUNT - value: '{{ .Values.serviceAccount.pipelineRunner }}' + value: 'pipeline-runner' # Following environment variables are only needed when using Cloud SQL and GCS. {{ if .Values.managedstorage.enabled }} - name: OBJECTSTORECONFIG_BUCKETNAME 
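Review bot: The `pipeline-runner` Role is the widest grant in the large pipeline.yaml hunk. It can `get` every Secret in the namespace and has `'*'` verbs on pods, `pods/exec`, `pods/log`, services, deployments, replicasets, jobs and all of `kubeflow.org`. It also appears to be the account pipeline runs receive by default (`DEFAULTPIPELINERUNNERSERVICEACCOUNT` in a later hunk). The rules are carried over unchanged from the removed schema.yaml entries, but now that they live in the chart they can be tightened. The secrets rule could add `resourceNames: [<secret-name>]` (placeholder for the secret that pipeline steps actually read), and the `'*'` verbs could become explicit lists. In `ml-pipeline-viewer-controller-role`, `apiGroups: ['*']` for `deployments` and `services` could likewise be narrowed to the API groups the controller really uses.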
@@ -283,4 +652,4 @@ spec: ports: - containerPort: 8888 - containerPort: 8887 - serviceAccountName: {{ .Values.serviceAccount.mlPipeline}} + serviceAccountName: ml-pipeline diff --git a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/proxy.yaml b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/proxy.yaml index b5f6f79b9e..7e3cf17970 100644 --- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/proxy.yaml +++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/proxy.yaml @@ -1,3 +1,41 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: proxy-agent-runner + labels: + app.kubernetes.io/name: {{ .Release.Name }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: proxy-agent-runner + app.kubernetes.io/name: {{ .Release.Name }} + name: proxy-agent-runner +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: {{ .Release.Name }} + app: proxy-agent-runner + name: proxy-agent-runner +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: proxy-agent-runner +subjects: + - kind: ServiceAccount + name: proxy-agent-runner + namespace: {{ .Release.Namespace }} +--- apiVersion: apps/v1beta2 kind: Deployment metadata: @@ -20,4 +58,4 @@ spec: - image: {{ .Values.images.proxyagent }} imagePullPolicy: IfNotPresent name: proxy-agent - serviceAccountName: {{ .Values.serviceAccount.proxyAgentRunner}} + serviceAccountName: proxy-agent-runner diff --git a/manifests/gcp_marketplace/chart/kubeflow-pipelines/values.yaml b/manifests/gcp_marketplace/chart/kubeflow-pipelines/values.yaml index 69864ad829..5f0224aa79 100644 --- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/values.yaml +++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/values.yaml 
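Review bot: The `proxy-agent-runner` Role in the first proxy.yaml hunk grants `'*'` on every ConfigMap in the namespace. That includes ConfigMaps other components read their configuration from; argo.yaml in this commit carries what looks like one with a `config` key. If the proxy agent only maintains its own ConfigMap, list the verbs it uses and pin the read and write verbs with `resourceNames: [<proxy-configmap-name>]` (placeholder; the name is not shown on this page). Keep `create` in a separate rule without `resourceNames`, because RBAC cannot restrict create by name. A one-line comment above the rule stating what the agent writes would make the grant reviewable.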
@@ -17,16 +17,6 @@ images: gcpSecretName: "user-gcp-sa" serviceAccountCredential: null -serviceAccount: - argo: null - mlPipeline: null - mlPipelinePersistenceAgent: null - mlPipelineScheduledWorkflow: null - mlPipelineUI: null - mlPipelineViewerCrd: null - pipelineRunner: null - proxyAgentRunner: null - managedstorage: enabled: false cloudsqlInstanceConnectionName: null diff --git a/manifests/gcp_marketplace/schema.yaml b/manifests/gcp_marketplace/schema.yaml index e717ddc270..14036fe9a2 100644 --- a/manifests/gcp_marketplace/schema.yaml +++ b/manifests/gcp_marketplace/schema.yaml @@ -1,7 +1,7 @@ x-google-marketplace: schemaVersion: v2 applicationApiVersion: v1beta1 - publishedVersion: '0.1.29' + publishedVersion: '0.2' publishedVersionMetadata: releaseNote: >- Initial release. @@ -81,6 +81,15 @@ x-google-marketplace: - apiGroups: ['apiextensions.k8s.io'] resources: ['customresourcedefinitions'] verbs: ['*'] + clusterConstraints: + resources: + - replicas: 3 + requests: + cpu: 2 + memory: 4Gi + affinity: + simpleNodeAffinity: + type: REQUIRE_ONE_NODE_PER_REPLICA properties: name: @@ -92,7 +101,7 @@ properties: x-google-marketplace: type: NAMESPACE serviceAccountCredential: - title: Service Account credentials used to call other GCP services, such as CloudSQL. + title: Service Account credentials used to call other GCP services. description: |- To be able to call other GCP services, we need to be authenticated. This field is used to store the content of the service account @@ -103,7 +112,7 @@ properties: type: STRING managedstorage.enabled: type: boolean - title: Enable managed storage + title: Use managed storage description: Use Cloud SQL and GCS for storing the data default: false managedstorage.cloudsqlInstanceConnectionName: 
@@ -119,314 +128,6 @@ properties: type: string title: database name prefix - serviceAccount.proxyAgentRunner: - type: string - title: ProxyAgentRunnerServiceAccount - x-google-marketplace: - type: SERVICE_ACCOUNT - serviceAccount: - roles: - - type: Role - rulesType: CUSTOM - rules: - - apiGroups: [''] - resources: ['configmaps'] - verbs: ['*'] - serviceAccount.mlPipelinePersistenceAgent: - type: string - title: mlPipelinePersistenceAgent - x-google-marketplace: - type: SERVICE_ACCOUNT - serviceAccount: - roles: - - type: Role - rulesType: CUSTOM - rules: - - apiGroups: - - argoproj.io - resources: - - workflows - verbs: - - get - - list - - watch - - apiGroups: - - kubeflow.org - resources: - - scheduledworkflows - verbs: - - get - - list - - watch - serviceAccount.mlPipelineScheduledWorkflow: - type: string - title: mlPipelineScheduledWorkflow - x-google-marketplace: - type: SERVICE_ACCOUNT - serviceAccount: - roles: - - type: Role - rulesType: CUSTOM - rules: - - apiGroups: - - argoproj.io - resources: - - workflows - verbs: - - create - - get - - list - - watch - - update - - patch - - delete - - apiGroups: - - kubeflow.org - resources: - - scheduledworkflows - verbs: - - create - - get - - list - - watch - - update - - patch - - delete - serviceAccount.mlPipelineUI: - type: string - title: mlPipelineUI - x-google-marketplace: - type: SERVICE_ACCOUNT - serviceAccount: - roles: - - type: Role - rulesType: CUSTOM - rules: - - apiGroups: - - "" - resources: - - pods - - pods/log - verbs: - - create - - get - - list - - apiGroups: - - kubeflow.org - resources: - - viewers - verbs: - - create - - get - - list - - watch - - delete - serviceAccount.mlPipelineViewerCrd: - type: string - title: mlPipelineViewerCrd - x-google-marketplace: - type: SERVICE_ACCOUNT - serviceAccount: - roles: - - type: Role - rulesType: CUSTOM - rules: - - apiGroups: - - '*' - resources: - - deployments - - services - verbs: - - create - - get - - list - - watch - - update - - patch - - 
delete - - apiGroups: - - kubeflow.org - resources: - - viewers - verbs: - - create - - get - - list - - watch - - update - - patch - - delete - serviceAccount.mlPipeline: - type: string - title: mlPipeline - x-google-marketplace: - type: SERVICE_ACCOUNT - serviceAccount: - roles: - - type: Role - rulesType: CUSTOM - rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - delete - - apiGroups: - - argoproj.io - resources: - - workflows - verbs: - - create - - get - - list - - watch - - update - - patch - - delete - - apiGroups: - - kubeflow.org - resources: - - scheduledworkflows - verbs: - - create - - get - - list - - update - - patch - - delete - serviceAccount.pipelineRunner: - type: string - title: pipelineRunner - x-google-marketplace: - type: SERVICE_ACCOUNT - serviceAccount: - roles: - - type: Role - rulesType: CUSTOM - rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - watch - - list - - apiGroups: - - "" - resources: - - persistentvolumes - - persistentvolumeclaims - verbs: - - '*' - - apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - create - - delete - - get - - apiGroups: - - argoproj.io - resources: - - workflows - verbs: - - get - - list - - watch - - update - - patch - - apiGroups: - - "" - resources: - - pods - - pods/exec - - pods/log - - services - verbs: - - '*' - - apiGroups: - - "" - - apps - - extensions - resources: - - deployments - - replicasets - verbs: - - '*' - - apiGroups: - - kubeflow.org - resources: - - '*' - verbs: - - '*' - - apiGroups: - - batch - resources: - - jobs - verbs: - - '*' - serviceAccount.argo: - type: string - title: argo - x-google-marketplace: - type: SERVICE_ACCOUNT - serviceAccount: - roles: - - type: Role - rulesType: CUSTOM - rules: - - apiGroups: - - "" - resources: - - pods - - pods/exec - verbs: - - create - - get - - list - - watch - - update - - patch - - 
delete - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - watch - - list - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - delete - - apiGroups: - - argoproj.io - resources: - - workflows - - workflows/finalizers - verbs: - - get - - list - - watch - - update - - patch - - delete - required: - name - namespace