diff --git a/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml b/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml
index a16fdfb78..d64b5215f 100644
--- a/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml
+++ b/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml
@@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
 annotations:
- cert-manager.io/inject-ca-from: kubeflow/{{ include "katib.fullname" . }}-controller-certs
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "katib.fullname" . }}-controller-certs
 name: katib.kubeflow.org
 labels: {{- include "katib.labels" . | nindent 4 }}
 webhooks:
diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/clusterrole.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/clusterrole.yaml
deleted file mode 100644
index c47586ce4..000000000
--- a/kubeflow/helm/pipelines/templates/cache/deployer/clusterrole.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels: {{- include "pipelines.labels" . | nindent 4 }}
- name: {{ include "pipelines.fullname" . }}-cache-deployer-cluster-role
-rules:
- - apiGroups:
- - certificates.k8s.io
- resources:
- - certificatesigningrequests
- - certificatesigningrequests/approval
- verbs:
- - create
- - delete
- - get
- - update
- - apiGroups:
- - admissionregistration.k8s.io
- resources:
- - mutatingwebhookconfigurations
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - apiGroups:
- - certificates.k8s.io
- resourceNames:
- - kubernetes.io/*
- resources:
- - signers
- verbs:
- - approve
diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/clusterrolebinding.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/clusterrolebinding.yaml
deleted file mode 100644
index 3b337c022..000000000
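Review bot: The annotation now follows `.Release.Namespace`, but the MutatingWebhookConfiguration it belongs to is cluster-scoped and keeps the literal `name: katib.kubeflow.org` (a context line of this hunk), so two releases installed in different namespaces would contend for the same object and whichever was applied last decides which namespace's Certificate the CA bundle is injected from. If multi-namespace installs are meant to work, deriving the name from the release, e.g. `name: {{ include "katib.fullname" . }}.katib.kubeflow.org`, avoids the collision; if one install per cluster is the assumption, a comment stating that above `metadata:` would save the next reader the question. The Certificate `{{ include "katib.fullname" . }}-controller-certs` referenced here is not part of this diff, so whether it is itself rendered into `.Release.Namespace` cannot be confirmed from the hunk.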
--- a/kubeflow/helm/pipelines/templates/cache/deployer/clusterrolebinding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels: {{- include "pipelines.labels" . | nindent 4 }}
- name: {{ include "pipelines.fullname" . }}-cache-deployer-cluster-role-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ include "pipelines.fullname" . }}-cache-deployer-cluster-role
-subjects:
- - kind: ServiceAccount
- name: {{ include "pipelines.serviceAccountName" . }}-cache-deployer
- namespace: {{ .Release.Namespace }}
diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/deployment.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/deployment.yaml
deleted file mode 100644
index 5cb259f7a..000000000
--- a/kubeflow/helm/pipelines/templates/cache/deployer/deployment.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "pipelines.fullname" . }}-cache-deployer
- labels:
- {{- include "pipelines.labels" . | nindent 4 }}
-spec:
- {{- if not .Values.autoscaling.enabled }}
- replicas: {{ .Values.replicaCount }}
- {{- end }}
- selector:
- matchLabels:
- {{- include "pipelines.cacheDeployerSelectorLabels" . | nindent 6 }}
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "pipelines.cacheDeployerSelectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "pipelines.serviceAccountName" . }}-cache-deployer
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
- containers:
- - name: {{ .Chart.Name }}-cache-deployer
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.cache.deployer.image.repository }}:{{ .Values.cache.deployer.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.cache.deployer.image.pullPolicy }}
- env:
- - name: NAMESPACE_TO_WATCH
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/role.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/role.yaml
deleted file mode 100644
index 2cd93a8bc..000000000
--- a/kubeflow/helm/pipelines/templates/cache/deployer/role.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- labels: {{- include "pipelines.labels" . | nindent 4 }}
- name: {{ include "pipelines.fullname" . }}-cache-deployer-role
-rules:
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
- - delete
- - get
- - patch
- - list
diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/rolebinding.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/rolebinding.yaml
deleted file mode 100644
index e0addcb35..000000000
--- a/kubeflow/helm/pipelines/templates/cache/deployer/rolebinding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels: {{- include "pipelines.labels" . | nindent 4 }}
- name: {{ include "pipelines.fullname" . }}-cache-deployer-role-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "pipelines.fullname" . }}-cache-deployer-role
-subjects:
- - kind: ServiceAccount
- name: {{ include "pipelines.serviceAccountName" . }}-cache-deployer
- namespace: {{ .Release.Namespace }}
diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/serviceaccount.yaml
deleted file mode 100644
index 5b4d5236e..000000000
--- a/kubeflow/helm/pipelines/templates/cache/deployer/serviceaccount.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "pipelines.serviceAccountName" . }}-cache-deployer
- labels:
- {{- include "pipelines.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/kubeflow/helm/pipelines/templates/cache/server/certificate.yaml b/kubeflow/helm/pipelines/templates/cache/server/certificate.yaml
new file mode 100644
index 000000000..548897893
--- /dev/null
+++ b/kubeflow/helm/pipelines/templates/cache/server/certificate.yaml
@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "pipelines.fullname" . }}-cache-certs
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+spec:
+ commonName: kfp-cache-cert
+ dnsNames:
+ - {{ include "pipelines.fullname" . }}-cache-server
+ - {{ include "pipelines.fullname" . }}-cache-server.{{ .Release.Namespace }}
+ - {{ include "pipelines.fullname" . }}-cache-server.{{ .Release.Namespace }}.svc
+ isCA: true
+ issuerRef:
+ kind: ClusterIssuer
+ name: kubeflow-self-signing-issuer
+ secretName: {{ include "pipelines.fullname" . }}-cache-server-tls
diff --git a/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml b/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml
index 29aa6b065..38d2cda73 100644
--- a/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml
+++ b/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml
@@ -42,7 +42,9 @@ spec:
 - --db_user=$(DBCONFIG_USER)
 - --db_password=$(DBCONFIG_PASSWORD)
 - --namespace_to_watch=$(NAMESPACE_TO_WATCH)
- - --listen_ports=$(WEBHOOK_PORT)
+ - --listen_port=$(WEBHOOK_PORT)
+ - --tls_cert_filename=tls.crt
+ - --tls_key_filename=tls.key
 env:
 - name: NAMESPACE_TO_WATCH
 value: ""
@@ -67,7 +69,7 @@ spec:
 key: cacheNodeRestrictions
 name: pipeline-install-config
 - name: DBCONFIG_DRIVER
- value: mysql
+ value: mysql # TODO: make configurable
 - name: DBCONFIG_DB_NAME
 valueFrom:
 configMapKeyRef:
@@ -107,7 +109,7 @@ spec:
 readOnly: true
 volumes:
 - secret:
- secretName: webhook-server-tls
+ secretName: {{ include "pipelines.fullname" . }}-cache-server-tls
 name: webhook-tls-certs
 {{- with .Values.nodeSelector }}
 nodeSelector:
diff --git a/kubeflow/helm/pipelines/templates/cache/server/mutatingwebhookconfiguration.yaml b/kubeflow/helm/pipelines/templates/cache/server/mutatingwebhookconfiguration.yaml
new file mode 100644
index 000000000..3b571942b
--- /dev/null
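Review bot: `isCA: true` sets the CA basicConstraints bit on the same key pair the cache server presents as its serving certificate (the secret `{{ include "pipelines.fullname" . }}-cache-server-tls` is what the deployment hunk below mounts as `webhook-tls-certs`), so the `tls.key` inside the webhook pod is also a key that can sign further certificates rather than a single leaf. With a self-signing ClusterIssuer this is presumably how a `ca.crt` ends up in the secret for cainjector to copy, but the tighter layout is a separate CA Certificate issued from `kubeflow-self-signing-issuer`, a namespaced Issuer backed by that CA's secret, and this serving Certificate issued from it with `isCA` dropped, with the webhook's `inject-ca-from` pointing at the CA Certificate instead. `commonName: kfp-cache-cert` is a fixed literal while every `dnsNames` entry is release-derived; that is harmless for SAN-based verification but deserves a comment if it is deliberate. As the file is new, a header comment noting that the webhook's CA injection depends on this secret's `ca.crt` would help the next maintainer.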
+++ b/kubeflow/helm/pipelines/templates/cache/server/mutatingwebhookconfiguration.yaml
@@ -0,0 +1,32 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "pipelines.fullname" . }}-cache-cert
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+ name: cache-webhook.pipelines.kubeflow.org
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: {{ include "pipelines.fullname" . }}-cache-server
+ namespace: {{ .Release.Namespace }}
+ path: /mutate
+ failurePolicy: Ignore
+ name: {{ include "pipelines.fullname" . }}-cache-server.{{ .Release.Namespace }}.svc
+ objectSelector:
+ matchLabels:
+ pipelines.kubeflow.org/cache_enabled: "true"
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods
+ sideEffects: None
+ timeoutSeconds: 5
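Review bot: The `cert-manager.io/inject-ca-from` annotation names `{{ include "pipelines.fullname" . }}-cache-cert`, but the Certificate added in this same diff is `{{ include "pipelines.fullname" . }}-cache-certs`, so cainjector finds no such resource, `caBundle` stays empty, and because `failurePolicy: Ignore` is set the apiserver's TLS failure against the cache server is swallowed and caching silently never engages. The line should read `cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "pipelines.fullname" . }}-cache-certs`. Given that fail-open behaviour, a comment above `failurePolicy: Ignore` saying that a broken webhook degrades to "no caching" rather than blocking pod creation, so operators should watch admission-webhook metrics and the cache server's logs instead of expecting an error, is worth adding. As with the katib object above, the cluster-scoped `name: cache-webhook.pipelines.kubeflow.org` is a fixed literal while everything else is release-derived, so two releases in different namespaces would overwrite each other's configuration. `admissionReviewVersions` lists only `v1beta1`; if the cache server also accepts `v1` AdmissionReview, listing `v1` first keeps this forward-compatible, though the server side cannot be confirmed from this diff.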