upgrade notebooks + don't hardcode namespace in istio

Signed-off-by: David van der Spek <[email protected]>

kubeflow/helm/central-dashboard/templates/virtualservice.yaml

@@ -26,6 +26,6 @@ spec:
         uri: /
       route:
         - destination:
-            host: {{ include "central-dashboard.fullname" . }}.kubeflow.svc.{{ .Values.global.clusterDomain }}
+            host: {{ include "central-dashboard.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}
             port:
               number: {{ .Values.service.port }}

kubeflow/helm/katib/templates/controller/certificate.yaml

@@ -4,10 +4,10 @@ metadata:
   labels: {{- include "katib.labels" . | nindent 4 }}
   name: {{ include "katib.fullname" . }}-controller-certs
 spec:
-  commonName: {{ include "katib.fullname" . }}-controller.kubeflow.svc
+  commonName: {{ include "katib.fullname" . }}-controller.{{ .Release.Namespace }}.svc
   dnsNames:
-    - {{ include "katib.fullname" . }}-controller.kubeflow.svc
-    - {{ include "katib.fullname" . }}-controller.kubeflow.svc.cluster.local
+    - {{ include "katib.fullname" . }}-controller.{{ .Release.Namespace }}.svc
+    - {{ include "katib.fullname" . }}-controller.{{ .Release.Namespace }}.svc.cluster.local
   isCA: true
   issuerRef:
     kind: ClusterIssuer

kubeflow/helm/katib/templates/web-app/virtualservice.yaml

@@ -29,6 +29,6 @@ spec:
         uri: {{ .Values.webApp.virtualService.prefix }}/
       route:
         - destination:
-            host: {{ include "katib.fullname" . }}-web-app.kubeflow.svc.{{ .Values.global.clusterDomain }}
+            host: {{ include "katib.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}
             port:
               number: {{ .Values.webApp.service.port }}

kubeflow/helm/notebooks/templates/controller/cluster-role.yaml

@@ -0,0 +1,50 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels: {{- include "notebooks.labels" . | nindent 4 }}
+  name: {{ include "notebooks.fullname" . }}-controller-cluster-role
+rules:
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - '*'
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - get
+      - list
+      - patch
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - '*'
+  - apiGroups:
+      - kubeflow.org
+    resources:
+      - notebooks
+      - notebooks/finalizers
+      - notebooks/status
+    verbs:
+      - '*'
+  - apiGroups:
+      - networking.istio.io
+    resources:
+      - virtualservices
+    verbs:
+      - '*'

kubeflow/helm/notebooks/templates/controller/configmap.yaml

@@ -1,11 +1,12 @@
 apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels: {{- include "notebooks.labels" . | nindent 4 }}
+  name: {{ include "notebooks.fullname" . }}-controller-config
 data:
   ISTIO_GATEWAY: {{ .Values.controller.istio.gateway | quote }}
   USE_ISTIO: {{ .Values.controller.istio.enabled | quote }}
+  CLUSTER_DOMAIN: {{ .Values.global.clusterDomain | quote }}
   ENABLE_CULLING: {{ .Values.controller.culling.enabled | quote }}
   IDLENESS_CHECK_PERIOD: {{ .Values.controller.culling.checkPeriod | quote }}
   CULL_IDLE_TIME: {{ .Values.controller.culling.idleTime | quote }}
-kind: ConfigMap
-metadata:
-  labels: {{- include "notebooks.labels" . | nindent 4 }}
-  name: {{ include "notebooks.fullname" . }}-controller-config

kubeflow/helm/notebooks/templates/controller/clusterrole.yaml → kubeflow/helm/notebooks/templates/controller/kubeflow-cluster-roles.yaml

@@ -48,53 +48,3 @@ rules:
       - get
       - list
       - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels: {{- include "notebooks.labels" . | nindent 4 }}
-  name: {{ include "notebooks.fullname" . }}-controller-cluster-role
-rules:
-  - apiGroups:
-      - apps
-    resources:
-      - statefulsets
-    verbs:
-      - '*'
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - services
-    verbs:
-      - '*'
-  - apiGroups:
-      - kubeflow.org
-    resources:
-      - notebooks
-      - notebooks/finalizers
-      - notebooks/status
-    verbs:
-      - '*'
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - virtualservices
-    verbs:
-      - '*'

kubeflow/helm/notebooks/templates/pod-defaults/certificate.yaml

@@ -4,10 +4,10 @@ metadata:
   labels: {{- include "notebooks.labels" . | nindent 4 }}
   name: {{ include "notebooks.fullname" . }}-pod-defaults-certs
 spec:
-  commonName: {{ include "notebooks.fullname" . }}-pod-defaults.kubeflow.svc
+  commonName: {{ include "notebooks.fullname" . }}-pod-defaults.{{ .Release.Namespace }}.svc
   dnsNames:
-    - {{ include "notebooks.fullname" . }}-pod-defaults.kubeflow.svc
-    - {{ include "notebooks.fullname" . }}-pod-defaults.kubeflow.svc.cluster.local
+    - {{ include "notebooks.fullname" . }}-pod-defaults.{{ .Release.Namespace }}.svc
+    - {{ include "notebooks.fullname" . }}-pod-defaults.{{ .Release.Namespace }}.svc.cluster.local
   isCA: true
   issuerRef:
     kind: ClusterIssuer

kubeflow/helm/notebooks/templates/pod-defaults/cluster-role.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels: {{- include "notebooks.labels" . | nindent 4 }}
+  name: {{ include "notebooks.fullname" . }}-pod-defaults-cluster-role
+rules:
+  - apiGroups:
+      - kubeflow.org
+    resources:
+      - poddefaults
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - create
+      - patch
+      - delete

kubeflow/helm/notebooks/templates/pod-defaults/clusterrole.yaml → kubeflow/helm/notebooks/templates/pod-defaults/kubeflow-cluster-roles.yaml

@@ -1,22 +1,3 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels: {{- include "notebooks.labels" . | nindent 4 }}
-  name: {{ include "notebooks.fullname" . }}-pod-defaults-cluster-role
-rules:
-  - apiGroups:
-      - kubeflow.org
-    resources:
-      - poddefaults
-    verbs:
-      - get
-      - watch
-      - list
-      - update
-      - create
-      - patch
-      - delete
----
 aggregationRule:
   clusterRoleSelectors:
     - matchLabels:

kubeflow/helm/notebooks/templates/web-app/cluster-role.yaml

@@ -0,0 +1,57 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels: {{- include "notebooks.labels" . | nindent 4 }}
+  name: {{ include "notebooks.fullname" . }}-web-app-cluster-role
+rules:
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create
+  - apiGroups:
+      - kubeflow.org
+    resources:
+      - notebooks
+      - notebooks/finalizers
+      - poddefaults
+    verbs:
+      - get
+      - list
+      - create
+      - delete
+      - patch
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - events
+      - nodes
+    verbs:
+      - list
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - storageclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+    verbs:
+      - list
+      - get

kubeflow/helm/notebooks/templates/web-app/configmap.yaml

@@ -429,6 +429,7 @@ data:
   UI: default
   USERID_HEADER: {{ .Values.global.userIDHeader }}
   USERID_PREFIX: {{ .Values.global.userIDPrefix | quote }}
+  APP_SECURE_COOKIES: "true"
 kind: ConfigMap
 metadata:
   labels: {{- include "notebooks.labels" . | nindent 4 }}

kubeflow/helm/notebooks/templates/web-app/destination-rule.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: {{ include "notebooks.fullname" . }}-web-app
+  labels: {{- include "notebooks.labels" . | nindent 4 }}
+  {{- with .Values.webApp.virtualService.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  host: {{ include "notebooks.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL

kubeflow/helm/notebooks/templates/web-app/clusterrole.yaml → kubeflow/helm/notebooks/templates/web-app/kubeflow-cluster-roles.yaml

@@ -1,64 +1,5 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
-metadata:
-  labels: {{- include "notebooks.labels" . | nindent 4 }}
-  name: {{ include "notebooks.fullname" . }}-web-app-cluster-role
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - namespaces
-    verbs:
-      - get
-      - list
-      - create
-      - delete
-  - apiGroups:
-      - authorization.k8s.io
-    resources:
-      - subjectaccessreviews
-    verbs:
-      - create
-  - apiGroups:
-      - kubeflow.org
-    resources:
-      - notebooks
-      - notebooks/finalizers
-      - poddefaults
-    verbs:
-      - get
-      - list
-      - create
-      - delete
-      - patch
-      - update
-  - apiGroups:
-      - ""
-    resources:
-      - persistentvolumeclaims
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-  - apiGroups:
-      - ""
-    resources:
-      - events
-      - nodes
-    verbs:
-      - list
-  - apiGroups:
-      - storage.k8s.io
-    resources:
-      - storageclasses
-    verbs:
-      - get
-      - list
-      - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
 metadata:
   labels: {{- include "notebooks.labels" . | nindent 4 }}
     rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"