fix (#2122)

2019-09-15 08:46:17 +08:00 · 2019-09-15 08:46:17 +08:00 · d0bf18d83b
parent 3ec743a3e4
commit d0bf18d83b
7 changed files with 514 additions and 338 deletions
--- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/application.yaml
+++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/application.yaml
@ -12,7 +12,7 @@ metadata:
 spec:
  descriptor:
    type: Kubeflow Pipelines
-    version: '0.1.29'
+    version: '0.2'
    description: |-
      Machine Learning Pipeline on Kubernetes
    maintainers:
--- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/argo.yaml
+++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/argo.yaml
@ -15,6 +15,76 @@ spec:
  version: v1alpha1
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argo
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: argo-role
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - create
      - delete
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
      - workflows/finalizers
    verbs:
      - get
      - list
      - watch
      - update
      - patch
      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: argo-binding
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-role
 subjects:
  - kind: ServiceAccount
    name: argo
    namespace: {{ .Release.Namespace }}
 ---
 apiVersion: v1
 data:
  config: |
    {
@ -105,5 +175,5 @@ spec:
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
-      serviceAccountName: {{ .Values.serviceAccount.argo}}
+      serviceAccountName: argo
      terminationGracePeriodSeconds: 30
--- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/metadata.yaml
+++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/metadata.yaml
@ -36,17 +36,25 @@ spec:
      containers:
      - name: container
        image: {{ .Values.images.metadataserver }}
        imagePullPolicy: 'Always'
        env:
        {{ if .Values.managedstorage.enabled }}
        - name: DBCONFIG_USER
-            valueFrom:
+          valueFrom:
-              secretKeyRef:
+            secretKeyRef:
-                name: mysql-credential
+              name: mysql-credential
-                key: username
+              key: username
        - name: DBCONFIG_PASSWORD
-            valueFrom:
+          valueFrom:
-              secretKeyRef:
+            secretKeyRef:
-                name: mysql-credential
+              name: mysql-credential
-                key: password
+              key: password
        {{ else }}
        - name: DBCONFIG_USER
          value: 'root'
        - name: DBCONFIG_PASSWORD
          value: ''
        {{ end }}
        command: ["/bin/metadata_store_server"]
        args: ["--grpc_port=8080",
                 "--mysql_config_host=mysql",
--- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml
+++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml
@ -41,6 +41,375 @@ spec:
      storage: true
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ml-pipeline-persistenceagent
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ml-pipeline-scheduledworkflow
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ml-pipeline-ui
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ml-pipeline-viewer-crd-service-account
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ml-pipeline
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: pipeline-runner
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: ml-pipeline-persistenceagent-role
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - kubeflow.org
    resources:
      - scheduledworkflows
    verbs:
      - get
      - list
      - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
    app: ml-pipeline-scheduledworkflow-role
  name: ml-pipeline-scheduledworkflow-role
 rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
  - apiGroups:
      - kubeflow.org
    resources:
      - scheduledworkflows
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
    app: ml-pipeline-ui
  name: ml-pipeline-ui
 rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - create
      - get
      - list
  - apiGroups:
      - kubeflow.org
    resources:
      - viewers
    verbs:
      - create
      - get
      - list
      - watch
      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: ml-pipeline-viewer-controller-role
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 rules:
  - apiGroups:
      - '*'
    resources:
      - deployments
      - services
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
  - apiGroups:
      - kubeflow.org
    resources:
      - viewers
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
    app: ml-pipeline
  name: ml-pipeline
 rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - delete
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
  - apiGroups:
      - kubeflow.org
    resources:
      - scheduledworkflows
    verbs:
      - create
      - get
      - list
      - update
      - patch
      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: pipeline-runner
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
      - persistentvolumeclaims
    verbs:
      - '*'
  - apiGroups:
      - snapshot.storage.k8s.io
    resources:
      - volumesnapshots
    verbs:
      - create
      - delete
      - get
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - pods/log
      - services
    verbs:
      - '*'
  - apiGroups:
      - ""
      - apps
      - extensions
    resources:
      - deployments
      - replicasets
    verbs:
      - '*'
  - apiGroups:
      - kubeflow.org
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: ml-pipeline-persistenceagent-binding
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ml-pipeline-persistenceagent-role
 subjects:
  - kind: ServiceAccount
    name: ml-pipeline-persistenceagent
    namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: ml-pipeline-scheduledworkflow-binding
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ml-pipeline-scheduledworkflow-role
 subjects:
  - kind: ServiceAccount
    name: ml-pipeline-scheduledworkflow
    namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
    app: ml-pipeline-ui
  name: ml-pipeline-ui
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ml-pipeline-ui
 subjects:
  - kind: ServiceAccount
    name: ml-pipeline-ui
    namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
    app: ml-pipeline
  name: ml-pipeline
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ml-pipeline
 subjects:
  - kind: ServiceAccount
    name: ml-pipeline
    namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: pipeline-runner-binding
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pipeline-runner
 subjects:
  - kind: ServiceAccount
    name: pipeline-runner
    namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: ml-pipeline-viewer-crd-binding
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ml-pipeline-viewer-controller-role
 subjects:
  - kind: ServiceAccount
    name: ml-pipeline-viewer-crd-service-account
    namespace: {{ .Release.Namespace }}
 ---
 apiVersion: v1
 kind: Service
 metadata:
  labels:
@ -114,7 +483,7 @@ spec:
          image: {{ .Values.images.persistenceagent }}
          imagePullPolicy: IfNotPresent
          name: ml-pipeline-persistenceagent
-      serviceAccountName: {{ .Values.serviceAccount.mlPipelinePersistenceAgent}}
+      serviceAccountName: ml-pipeline-persistenceagent
 ---
 apiVersion: apps/v1beta2
 kind: Deployment
@ -141,7 +510,7 @@ spec:
          image: {{ .Values.images.scheduledworkflow }}
          imagePullPolicy: IfNotPresent
          name: ml-pipeline-scheduledworkflow
-      serviceAccountName: {{ .Values.serviceAccount.mlPipelineScheduledWorkflow}}
+      serviceAccountName: ml-pipeline-scheduledworkflow
 ---
 apiVersion: apps/v1beta2
 kind: Deployment
@ -170,7 +539,7 @@ spec:
          name: ml-pipeline-ui
          ports:
            - containerPort: 3000
-      serviceAccountName: {{ .Values.serviceAccount.mlPipelineUI}}
+      serviceAccountName: ml-pipeline-ui
 ---
 apiVersion: apps/v1beta2
 kind: Deployment
@ -199,7 +568,7 @@ spec:
          image: {{ .Values.images.viewercrd }}
          imagePullPolicy: Always
          name: ml-pipeline-viewer-crd
-      serviceAccountName: {{ .Values.serviceAccount.mlPipelineViewerCrd}}
+      serviceAccountName: ml-pipeline-viewer-crd-service-account
 ---
 apiVersion: apps/v1beta2
 kind: Deployment
@ -251,7 +620,7 @@ spec:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: DEFAULTPIPELINERUNNERSERVICEACCOUNT
-              value: '{{ .Values.serviceAccount.pipelineRunner }}'
+              value: 'pipeline-runner'
            # Following environment variables are only needed when using Cloud SQL and GCS.
            {{ if .Values.managedstorage.enabled }}
            - name: OBJECTSTORECONFIG_BUCKETNAME
@ -283,4 +652,4 @@ spec:
          ports:
            - containerPort: 8888
            - containerPort: 8887
-      serviceAccountName: {{ .Values.serviceAccount.mlPipeline}}
+      serviceAccountName: ml-pipeline
--- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/proxy.yaml
+++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/proxy.yaml
@ -1,3 +1,41 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: proxy-agent-runner
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app: proxy-agent-runner
    app.kubernetes.io/name: {{ .Release.Name }}
  name: proxy-agent-runner
 rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
    app: proxy-agent-runner
  name: proxy-agent-runner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: proxy-agent-runner
 subjects:
  - kind: ServiceAccount
    name: proxy-agent-runner
    namespace: {{ .Release.Namespace }}
 ---
 apiVersion: apps/v1beta2
 kind: Deployment
 metadata:
@ -20,4 +58,4 @@ spec:
        - image: {{ .Values.images.proxyagent }}
          imagePullPolicy: IfNotPresent
          name: proxy-agent
-      serviceAccountName: {{ .Values.serviceAccount.proxyAgentRunner}}
+      serviceAccountName: proxy-agent-runner 
--- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/values.yaml
+++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/values.yaml
@ -17,16 +17,6 @@ images:
 gcpSecretName: "user-gcp-sa"
 serviceAccountCredential: null
 serviceAccount:
  argo: null
  mlPipeline: null
  mlPipelinePersistenceAgent: null
  mlPipelineScheduledWorkflow: null
  mlPipelineUI: null
  mlPipelineViewerCrd: null
  pipelineRunner: null
  proxyAgentRunner: null
 managedstorage:
  enabled: false
  cloudsqlInstanceConnectionName: null
--- a/manifests/gcp_marketplace/schema.yaml
+++ b/manifests/gcp_marketplace/schema.yaml
@ -1,7 +1,7 @@
 x-google-marketplace:
  schemaVersion: v2
  applicationApiVersion: v1beta1
-  publishedVersion: '0.1.29'
+  publishedVersion: '0.2'
  publishedVersionMetadata:
    releaseNote: >-
      Initial release.
@ -81,6 +81,15 @@ x-google-marketplace:
          - apiGroups: ['apiextensions.k8s.io']
            resources: ['customresourcedefinitions']
            verbs: ['*']
  clusterConstraints:
    resources:
    - replicas: 3
      requests:
        cpu: 2
        memory: 4Gi
      affinity:
        simpleNodeAffinity:
          type: REQUIRE_ONE_NODE_PER_REPLICA
 properties:
  name:
@ -92,7 +101,7 @@ properties:
    x-google-marketplace:
      type: NAMESPACE
  serviceAccountCredential:
-    title: Service Account credentials used to call other GCP services, such as CloudSQL.
+    title: Service Account credentials used to call other GCP services.
    description: |-
      To be able to call other GCP services, we need to be
      authenticated. This field is used to store the content of the service account
@ -103,7 +112,7 @@ properties:
      type: STRING
  managedstorage.enabled:
    type: boolean
-    title: Enable managed storage
+    title: Use managed storage
    description: Use Cloud SQL and GCS for storing the data
    default: false
  managedstorage.cloudsqlInstanceConnectionName:
@ -119,314 +128,6 @@ properties:
    type: string
    title: database name prefix
  serviceAccount.proxyAgentRunner:
    type: string
    title: ProxyAgentRunnerServiceAccount
    x-google-marketplace:
      type: SERVICE_ACCOUNT
      serviceAccount:
        roles:
          - type: Role
            rulesType: CUSTOM
            rules:
              - apiGroups: ['']
                resources: ['configmaps']
                verbs: ['*']
  serviceAccount.mlPipelinePersistenceAgent:
    type: string
    title: mlPipelinePersistenceAgent
    x-google-marketplace:
      type: SERVICE_ACCOUNT
      serviceAccount:
        roles:
          - type: Role
            rulesType: CUSTOM
            rules:
              - apiGroups:
                  - argoproj.io
                resources:
                  - workflows
                verbs:
                  - get
                  - list
                  - watch
              - apiGroups:
                  - kubeflow.org
                resources:
                  - scheduledworkflows
                verbs:
                  - get
                  - list
                  - watch
  serviceAccount.mlPipelineScheduledWorkflow:
    type: string
    title: mlPipelineScheduledWorkflow
    x-google-marketplace:
      type: SERVICE_ACCOUNT
      serviceAccount:
        roles:
          - type: Role
            rulesType: CUSTOM
            rules:
              - apiGroups:
                  - argoproj.io
                resources:
                  - workflows
                verbs:
                  - create
                  - get
                  - list
                  - watch
                  - update
                  - patch
                  - delete
              - apiGroups:
                  - kubeflow.org
                resources:
                  - scheduledworkflows
                verbs:
                  - create
                  - get
                  - list
                  - watch
                  - update
                  - patch
                  - delete
  serviceAccount.mlPipelineUI:
    type: string
    title: mlPipelineUI
    x-google-marketplace:
      type: SERVICE_ACCOUNT
      serviceAccount:
        roles:
          - type: Role
            rulesType: CUSTOM
            rules:
              - apiGroups:
                  - ""
                resources:
                  - pods
                  - pods/log
                verbs:
                  - create
                  - get
                  - list
              - apiGroups:
                  - kubeflow.org
                resources:
                  - viewers
                verbs:
                  - create
                  - get
                  - list
                  - watch
                  - delete
  serviceAccount.mlPipelineViewerCrd:
    type: string
    title: mlPipelineViewerCrd
    x-google-marketplace:
      type: SERVICE_ACCOUNT
      serviceAccount:
        roles:
          - type: Role
            rulesType: CUSTOM
            rules:
              - apiGroups:
                  - '*'
                resources:
                  - deployments
                  - services
                verbs:
                  - create
                  - get
                  - list
                  - watch
                  - update
                  - patch
                  - delete
              - apiGroups:
                  - kubeflow.org
                resources:
                  - viewers
                verbs:
                  - create
                  - get
                  - list
                  - watch
                  - update
                  - patch
                  - delete
  serviceAccount.mlPipeline:
    type: string
    title: mlPipeline
    x-google-marketplace:
      type: SERVICE_ACCOUNT
      serviceAccount:
        roles:
          - type: Role
            rulesType: CUSTOM
            rules:
              - apiGroups:
                  - ""
                resources:
                  - pods
                verbs:
                  - get
                  - list
                  - delete
              - apiGroups:
                  - argoproj.io
                resources:
                  - workflows
                verbs:
                  - create
                  - get
                  - list
                  - watch
                  - update
                  - patch
                  - delete
              - apiGroups:
                  - kubeflow.org
                resources:
                  - scheduledworkflows
                verbs:
                  - create
                  - get
                  - list
                  - update
                  - patch
                  - delete
  serviceAccount.pipelineRunner:
    type: string
    title: pipelineRunner
    x-google-marketplace:
      type: SERVICE_ACCOUNT
      serviceAccount:
        roles:
          - type: Role
            rulesType: CUSTOM
            rules:
              - apiGroups:
                  - ""
                resources:
                  - secrets
                verbs:
                  - get
              - apiGroups:
                  - ""
                resources:
                  - configmaps
                verbs:
                  - get
                  - watch
                  - list
              - apiGroups:
                  - ""
                resources:
                  - persistentvolumes
                  - persistentvolumeclaims
                verbs:
                  - '*'
              - apiGroups:
                  - snapshot.storage.k8s.io
                resources:
                  - volumesnapshots
                verbs:
                  - create
                  - delete
                  - get
              - apiGroups:
                  - argoproj.io
                resources:
                  - workflows
                verbs:
                  - get
                  - list
                  - watch
                  - update
                  - patch
              - apiGroups:
                  - ""
                resources:
                  - pods
                  - pods/exec
                  - pods/log
                  - services
                verbs:
                  - '*'
              - apiGroups:
                  - ""
                  - apps
                  - extensions
                resources:
                  - deployments
                  - replicasets
                verbs:
                  - '*'
              - apiGroups:
                  - kubeflow.org
                resources:
                  - '*'
                verbs:
                  - '*'
              - apiGroups:
                  - batch
                resources:
                  - jobs
                verbs:
                  - '*'
  serviceAccount.argo:
    type: string
    title: argo
    x-google-marketplace:
      type: SERVICE_ACCOUNT
      serviceAccount:
        roles:
          - type: Role
            rulesType: CUSTOM
            rules:
              - apiGroups:
                  - ""
                resources:
                  - pods
                  - pods/exec
                verbs:
                  - create
                  - get
                  - list
                  - watch
                  - update
                  - patch
                  - delete
              - apiGroups:
                  - ""
                resources:
                  - configmaps
                verbs:
                  - get
                  - watch
                  - list
              - apiGroups:
                  - ""
                resources:
                  - persistentvolumeclaims
                verbs:
                  - create
                  - delete
              - apiGroups:
                  - argoproj.io
                resources:
                  - workflows
                  - workflows/finalizers
                verbs:
                  - get
                  - list
                  - watch
                  - update
                  - patch
                  - delete
 required:
  - name
  - namespace