diff --git a/manifests/v1beta1/installs/katib-cert-manager/certificate.yaml b/manifests/v1beta1/installs/katib-cert-manager/certificate.yaml
index cdd7b41b520..8132867e3a6 100644
--- a/manifests/v1beta1/installs/katib-cert-manager/certificate.yaml
+++ b/manifests/v1beta1/installs/katib-cert-manager/certificate.yaml
@@ -5,10 +5,10 @@ metadata:
 name: katib-webhook-cert
 spec:
 isCA: true
- commonName: $(KATIB_SERVICE_NAME).$(KATIB_NAMESPACE).svc
+ commonName: KATIB_SERVICE_NAME_PLACEHOLDER.KATIB_NAMESPACE_PLACEHOLDER.svc
 dnsNames:
- - $(KATIB_SERVICE_NAME).$(KATIB_NAMESPACE).svc
- - $(KATIB_SERVICE_NAME).$(KATIB_NAMESPACE).svc.cluster.local
+ - KATIB_SERVICE_NAME_PLACEHOLDER.KATIB_NAMESPACE_PLACEHOLDER.svc
+ - KATIB_SERVICE_NAME_PLACEHOLDER.KATIB_NAMESPACE_PLACEHOLDER.svc.cluster.local
 issuerRef:
 kind: Issuer
 name: katib-selfsigned-issuer
diff --git a/manifests/v1beta1/installs/katib-cert-manager/kustomization.yaml b/manifests/v1beta1/installs/katib-cert-manager/kustomization.yaml
index 42a9b78fa03..d9afb07ca3a 100644
--- a/manifests/v1beta1/installs/katib-cert-manager/kustomization.yaml
+++ b/manifests/v1beta1/installs/katib-cert-manager/kustomization.yaml
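Review bot: In certificate.yaml the literal `KATIB_SERVICE_NAME_PLACEHOLDER.KATIB_NAMESPACE_PLACEHOLDER.svc` values in `commonName` and `dnsNames` are only correct once the `replacements` in kustomization.yaml have rewritten them, and nothing in the visible part of the file says so (its top is outside the hunk). Because this Certificate is `isCA: true`, a render that misses a target would request a certificate for the placeholder names instead of failing. A header comment such as `# *_PLACEHOLDER tokens are rewritten by replacements in kustomization.yaml; do not apply this file directly.` would make the dependency explicit. The same applies to the placeholder hunks in patches/katib-cert-injection.yaml and katib-with-kubeflow/ui-virtual-service.yaml. A CI step that fails when `_PLACEHOLDER` survives in `kustomize build` output would catch a missed target.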
@@ -1,69 +1,158 @@ ---- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kubeflow resources: - # Namespace. - - ../../components/namespace - # Katib controller. - - ../../components/controller/ - # Katib CRDs. - - ../../components/crd/ - # Katib DB manager. - - ../../components/db-manager/ - # Katib DB mysql. - - ../../components/mysql/ - # Katib UI. - - ../../components/ui/ - # Katib webhooks. - - ../../components/webhook/ - # Cert-manager certificate for webhooks - - certificate.yaml +# Namespace. +- ../../components/namespace +# Katib controller. +- ../../components/controller/ +# Katib CRDs. +- ../../components/crd/ +# Katib DB manager. +- ../../components/db-manager/ +# Katib DB mysql. +- ../../components/mysql/ +# Katib UI. +- ../../components/ui/ + # Katib webhooks. +- ../../components/webhook/ +# Cert-manager certificate for webhooks +- certificate.yaml images: - - name: ghcr.io/kubeflow/katib/katib-controller - newName: ghcr.io/kubeflow/katib/katib-controller - newTag: latest - - name: ghcr.io/kubeflow/katib/katib-db-manager - newName: ghcr.io/kubeflow/katib/katib-db-manager - newTag: latest - - name: ghcr.io/kubeflow/katib/katib-ui - newName: ghcr.io/kubeflow/katib/katib-ui - newTag: latest +- name: ghcr.io/kubeflow/katib/katib-controller + newName: ghcr.io/kubeflow/katib/katib-controller + newTag: latest +- name: ghcr.io/kubeflow/katib/katib-db-manager + newName: ghcr.io/kubeflow/katib/katib-db-manager + newTag: latest +- name: ghcr.io/kubeflow/katib/katib-ui + newName: ghcr.io/kubeflow/katib/katib-ui + newTag: latest -patchesStrategicMerge: - - patches/katib-cert-injection.yaml -vars: - - fieldref: - fieldPath: metadata.namespace - name: KATIB_NAMESPACE - objref: - apiVersion: v1 - kind: Service - name: katib-controller - - fieldref: - fieldPath: metadata.name - name: KATIB_SERVICE_NAME - objref: - apiVersion: v1 - kind: Service - name: katib-controller - - name: KATIB_CERT_NAME - objref: - kind: Certificate - group: 
cert-manager.io - version: v1 - name: katib-webhook-cert - fieldref: - fieldpath: metadata.name configurations: - - params.yaml +- params.yaml configMapGenerator: - - name: katib-config - behavior: create - files: - - katib-config.yaml +- behavior: create + files: + - katib-config.yaml + name: katib-config + options: + disableNameSuffixHash: true +patches: +- path: patches/katib-cert-injection.yaml +replacements: +- source: + fieldPath: metadata.namespace + kind: Service + name: katib-controller + version: v1 + targets: + - fieldPaths: + - spec.commonName + options: + delimiter: . + index: 1 + select: + group: cert-manager.io + kind: Certificate + name: katib-webhook-cert + version: v1 + - fieldPaths: + - spec.dnsNames.0 + options: + delimiter: . + index: 1 + select: + group: cert-manager.io + kind: Certificate + name: katib-webhook-cert + version: v1 + - fieldPaths: + - spec.dnsNames.1 + options: + delimiter: . + index: 1 + select: + group: cert-manager.io + kind: Certificate + name: katib-webhook-cert + version: v1 + - fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + create: true + select: + group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + version: v1 + - fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] options: - disableNameSuffixHash: true + delimiter: / + create: true + select: + group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + version: v1 +- source: + fieldPath: metadata.name + kind: Service + name: katib-controller + version: v1 + targets: + - fieldPaths: + - spec.commonName + options: + delimiter: . + select: + group: cert-manager.io + kind: Certificate + name: katib-webhook-cert + version: v1 + - fieldPaths: + - spec.dnsNames.0 + options: + delimiter: . + select: + group: cert-manager.io + kind: Certificate + name: katib-webhook-cert + version: v1 + - fieldPaths: + - spec.dnsNames.1 + options: + delimiter: . 
+ select: + group: cert-manager.io + kind: Certificate + name: katib-webhook-cert + version: v1 +- source: + fieldPath: metadata.name + kind: Certificate + name: katib-webhook-cert + targets: + - fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + index: 1 + create: true + select: + group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + version: v1 + - fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + index: 1 + create: true + select: + group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + version: v1 diff --git a/manifests/v1beta1/installs/katib-cert-manager/patches/katib-cert-injection.yaml b/manifests/v1beta1/installs/katib-cert-manager/patches/katib-cert-injection.yaml index ec259194e07..e5b03ce8afc 100644 --- a/manifests/v1beta1/installs/katib-cert-manager/patches/katib-cert-injection.yaml +++ b/manifests/v1beta1/installs/katib-cert-manager/patches/katib-cert-injection.yaml @@ -4,11 +4,11 @@ kind: ValidatingWebhookConfiguration metadata: name: katib.kubeflow.org annotations: - cert-manager.io/inject-ca-from: $(KATIB_NAMESPACE)/$(KATIB_CERT_NAME) + cert-manager.io/inject-ca-from: KATIB_NAMESPACE_PLACEHOLDER/KATIB_CERT_NAME_PLACEHOLDER --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: katib.kubeflow.org annotations: - cert-manager.io/inject-ca-from: $(KATIB_NAMESPACE)/$(KATIB_CERT_NAME) + cert-manager.io/inject-ca-from: KATIB_NAMESPACE_PLACEHOLDER/KATIB_CERT_NAME_PLACEHOLDER diff --git a/manifests/v1beta1/installs/katib-external-db/kustomization.yaml b/manifests/v1beta1/installs/katib-external-db/kustomization.yaml index cf8282cc6d5..cc7c7a579f0 100644 --- a/manifests/v1beta1/installs/katib-external-db/kustomization.yaml +++ b/manifests/v1beta1/installs/katib-external-db/kustomization.yaml 
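Review bot: In katib-cert-manager/kustomization.yaml the four webhook targets under `replacements` select only by `group`, `kind` and `version` and set `create: true`. Every ValidatingWebhookConfiguration and MutatingWebhookConfiguration in the build output would therefore receive a `cert-manager.io/inject-ca-from` annotation pointing at Katib's certificate, not only Katib's own objects. The Certificate targets in the same block are pinned with `name: katib-webhook-cert`; the webhook targets should be pinned the same way by adding `name: katib.kubeflow.org` to each `select`. Separately, `spec.dnsNames.0` and `spec.dnsNames.1` are positional, so a SAN added to or reordered in certificate.yaml would keep its placeholder text unless a matching target is added here.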
@@ -1,45 +1,44 @@ ---- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kubeflow resources: - # Namespace. - - ../../components/namespace/ - # Katib controller. - - ../../components/controller/ - # Katib CRDs. - - ../../components/crd/ - # Katib DB manager. - - ../../components/db-manager/ - # Katib UI. - - ../../components/ui/ - # Katib webhooks. - - ../../components/webhook/ +# Namespace. +- ../../components/namespace/ +# Katib controller. +- ../../components/controller/ +# Katib CRDs. +- ../../components/crd/ +# Katib DB manager. +- ../../components/db-manager/ +# Katib UI. +- ../../components/ui/ +# Katib webhooks. +- ../../components/webhook/ images: - - name: ghcr.io/kubeflow/katib/katib-controller - newName: ghcr.io/kubeflow/katib/katib-controller - newTag: latest - - name: ghcr.io/kubeflow/katib/katib-db-manager - newName: ghcr.io/kubeflow/katib/katib-db-manager - newTag: latest - - name: ghcr.io/kubeflow/katib/katib-ui - newName: ghcr.io/kubeflow/katib/katib-ui - newTag: latest -patchesStrategicMerge: - - patches/db-manager.yaml +- name: ghcr.io/kubeflow/katib/katib-controller + newName: ghcr.io/kubeflow/katib/katib-controller + newTag: latest +- name: ghcr.io/kubeflow/katib/katib-db-manager + newName: ghcr.io/kubeflow/katib/katib-db-manager + newTag: latest +- name: ghcr.io/kubeflow/katib/katib-ui + newName: ghcr.io/kubeflow/katib/katib-ui + newTag: latest # Modify katib-mysql-secrets with parameters for the DB. -secretGenerator: - - name: katib-mysql-secrets - envs: - - secrets.env # Secret for webhooks certs. 
- - name: katib-webhook-cert - options: - disableNameSuffixHash: true +secretGenerator: +- envs: + - secrets.env + name: katib-mysql-secrets +- name: katib-webhook-cert + options: + disableNameSuffixHash: true configMapGenerator: - - name: katib-config - behavior: create - files: - - katib-config.yaml - options: - disableNameSuffixHash: true +- behavior: create + files: + - katib-config.yaml + name: katib-config + options: + disableNameSuffixHash: true +patches: +- path: patches/db-manager.yaml diff --git a/manifests/v1beta1/installs/katib-leader-election/kustomization.yaml b/manifests/v1beta1/installs/katib-leader-election/kustomization.yaml index 64b8a1554b3..a8c7d3dd516 100644 --- a/manifests/v1beta1/installs/katib-leader-election/kustomization.yaml +++ b/manifests/v1beta1/installs/katib-leader-election/kustomization.yaml @@ -1,18 +1,17 @@ ---- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kubeflow -resources: - - ../katib-standalone # rbac for leader-election - - leader-election-rbac.yaml +resources: +- ../katib-standalone +- leader-election-rbac.yaml replicas: - - name: katib-controller - count: 2 +- count: 2 + name: katib-controller configMapGenerator: - - name: katib-config - behavior: replace - files: - - katib-config.yaml - options: - disableNameSuffixHash: true +- behavior: replace + files: + - katib-config.yaml + name: katib-config + options: + disableNameSuffixHash: true diff --git a/manifests/v1beta1/installs/katib-openshift/kustomization.yaml b/manifests/v1beta1/installs/katib-openshift/kustomization.yaml index 01cbd7f0655..48d08538572 100644 --- a/manifests/v1beta1/installs/katib-openshift/kustomization.yaml +++ b/manifests/v1beta1/installs/katib-openshift/kustomization.yaml 
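Review bot: In katib-external-db/kustomization.yaml the comment `# Secret for webhooks certs.` survives as an indented context line above `secretGenerator:`, while the `katib-webhook-cert` entry it described now sits further down with no comment. As written, both comments appear to describe the `katib-mysql-secrets` entry. Move it directly above `- name: katib-webhook-cert` at the list's indentation, and put `# Modify katib-mysql-secrets with parameters for the DB.` above the `- envs:` entry. The katib-leader-election hunk has the same problem: `# rbac for leader-election` now precedes `resources:` rather than `- leader-election-rbac.yaml`.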
@@ -8,65 +8,62 @@ # To achieve this, run: # # `kustomize build ./manifests/v1beta1/installs/katib-openshift | oc apply -f - -l type!=local` ---- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kubeflow resources: - # Namespace. - - ../../components/namespace/ - # Katib controller. - - ../../components/controller/ - # Katib CRDs. - - ../../components/crd/ - # Katib DB manager. - - ../../components/db-manager/ - # Katib DB mysql. - - ../../components/mysql/ - # Katib UI. - - ../../components/ui/ - # Katib webhooks. - - ../../components/webhook/ +# Namespace. +- ../../components/namespace/ +# Katib controller. +- ../../components/controller/ +# Katib CRDs. +- ../../components/crd/ +# Katib DB manager. +- ../../components/db-manager/ +# Katib DB mysql. +- ../../components/mysql/ +# Katib UI. +- ../../components/ui/ +# Katib webhooks. +- ../../components/webhook/ images: - - name: ghcr.io/kubeflow/katib/katib-controller - newName: ghcr.io/kubeflow/katib/katib-controller - newTag: latest - - name: ghcr.io/kubeflow/katib/katib-db-manager - newName: ghcr.io/kubeflow/katib/katib-db-manager - newTag: latest - - name: ghcr.io/kubeflow/katib/katib-ui - newName: ghcr.io/kubeflow/katib/katib-ui - newTag: latest - -patchesJson6902: - # Annotate Service to delegate TLS-secret generation to OpenShift service controller - # https://docs.openshift.com/container-platform/4.6/security/certificates/service-serving-certificate.html#add-service-certificate_service-serving-certificate - - target: - group: "" - version: v1 - kind: Service - name: katib-controller - namespace: kubeflow - path: patches/service-serving-cert.yaml - # Annotate WebhookConfigurations to delegate `caBundle` population to OpenShift service controller - # https://docs.openshift.com/container-platform/4.6/security/certificates/service-serving-certificate.html#add-service-certificate-mutating-webhook_service-serving-certificate - - target: - group: admissionregistration.k8s.io - version: v1 - 
kind: ValidatingWebhookConfiguration - name: katib.kubeflow.org - path: patches/webhook-inject-cabundle.yaml - - target: - group: admissionregistration.k8s.io - version: v1 - kind: MutatingWebhookConfiguration - name: katib.kubeflow.org - path: patches/webhook-inject-cabundle.yaml +- name: ghcr.io/kubeflow/katib/katib-controller + newName: ghcr.io/kubeflow/katib/katib-controller + newTag: latest +- name: ghcr.io/kubeflow/katib/katib-db-manager + newName: ghcr.io/kubeflow/katib/katib-db-manager + newTag: latest +- name: ghcr.io/kubeflow/katib/katib-ui + newName: ghcr.io/kubeflow/katib/katib-ui + newTag: latest configMapGenerator: - - name: katib-config - behavior: create - files: - - katib-config.yaml - options: - disableNameSuffixHash: true +- behavior: create + files: + - katib-config.yaml + name: katib-config + options: + disableNameSuffixHash: true +patches: +# Annotate Service to delegate TLS-secret generation to OpenShift service controller +# https://docs.openshift.com/container-platform/4.6/security/certificates/service-serving-certificate.html#add-service-certificate_service-serving-certificate +- path: patches/service-serving-cert.yaml + target: + kind: Service + name: katib-controller + namespace: kubeflow + version: v1 + # Annotate WebhookConfigurations to delegate `caBundle` population to OpenShift service controller +# https://docs.openshift.com/container-platform/4.6/security/certificates/service-serving-certificate.html#add-service-certificate-mutating-webhook_service-serving-certificate +- path: patches/webhook-inject-cabundle.yaml + target: + group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + name: katib.kubeflow.org + version: v1 +- path: patches/webhook-inject-cabundle.yaml + target: + group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + name: katib.kubeflow.org + version: v1 
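Review bot: The added comment line beginning `# Annotate WebhookConfigurations to delegate` appears to be indented, while the URL comment under it and the `- path:` entries start at column 0. The same stray indent is on the added `# Katib webhooks.` line in katib-cert-manager/kustomization.yaml. YAML ignores it, but it reads as if the comment belonged to the preceding `target:` mapping, so align both with the list items. The comment also covers two entries; consider wording it so it is clear that it applies to both the Validating and the Mutating `webhook-inject-cabundle.yaml` patches.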
diff --git a/manifests/v1beta1/installs/katib-standalone-postgres/kustomization.yaml b/manifests/v1beta1/installs/katib-standalone-postgres/kustomization.yaml index df3457fd38b..1772e9d1d85 100644 --- a/manifests/v1beta1/installs/katib-standalone-postgres/kustomization.yaml +++ b/manifests/v1beta1/installs/katib-standalone-postgres/kustomization.yaml 
@@ -1,48 +1,47 @@ ---- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: kubeflow +namespace: kubeflow resources: - # Namespace. - - ../../components/namespace/ - # Katib controller. - - ../../components/controller/ - # Katib CRDs. - - ../../components/crd/ - # Katib DB manager. - - ../../components/db-manager/ - # Katib DB postgres. - - ../../components/postgres/ - # Katib UI. - - ../../components/ui/ - # Katib webhooks. - - ../../components/webhook/ +# Namespace. +- ../../components/namespace/ +# Katib controller. +- ../../components/controller/ +# Katib CRDs. +- ../../components/crd/ +# Katib DB manager. +- ../../components/db-manager/ +# Katib DB postgres. +- ../../components/postgres/ +# Katib UI. +- ../../components/ui/ +# Katib webhooks. +- ../../components/webhook/ images: - - name: ghcr.io/kubeflow/katib/katib-controller - newName: ghcr.io/kubeflow/katib/katib-controller - newTag: latest - - name: ghcr.io/kubeflow/katib/katib-db-manager - newName: ghcr.io/kubeflow/katib/katib-db-manager - newTag: latest - - name: ghcr.io/kubeflow/katib/katib-ui - newName: ghcr.io/kubeflow/katib/katib-ui - newTag: latest -patchesJson6902: - - target: - group: apps - version: v1 - kind: Deployment - name: katib-db-manager - path: ./patches/db-manager.yaml +- name: ghcr.io/kubeflow/katib/katib-controller + newName: ghcr.io/kubeflow/katib/katib-controller + newTag: latest +- name: ghcr.io/kubeflow/katib/katib-db-manager + newName: ghcr.io/kubeflow/katib/katib-db-manager + newTag: latest +- name: ghcr.io/kubeflow/katib/katib-ui + newName: ghcr.io/kubeflow/katib/katib-ui + newTag: latest configMapGenerator: - - name: katib-config - behavior: create - files: - - katib-config.yaml - options: - disableNameSuffixHash: true +- behavior: create + files: + - katib-config.yaml + name: katib-config + options: + disableNameSuffixHash: true # Secret for webhooks certs. 
secretGenerator: - - name: katib-webhook-cert - options: - disableNameSuffixHash: true +- name: katib-webhook-cert + options: + disableNameSuffixHash: true +patches: +- path: ./patches/db-manager.yaml + target: + group: apps + kind: Deployment + name: katib-db-manager + version: v1 diff --git a/manifests/v1beta1/installs/katib-with-kubeflow/kustomization.yaml b/manifests/v1beta1/installs/katib-with-kubeflow/kustomization.yaml index 9321af9c930..831ca01e80f 100644 --- a/manifests/v1beta1/installs/katib-with-kubeflow/kustomization.yaml +++ b/manifests/v1beta1/installs/katib-with-kubeflow/kustomization.yaml 
@@ -1,56 +1,63 @@ ---- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kubeflow resources: - - ../katib-cert-manager - # Kubeflow Katib components. - - kubeflow-katib-roles.yaml - - ui-virtual-service.yaml - - istio-authorizationpolicy.yaml +- ../katib-cert-manager +# Kubeflow Katib components. +- kubeflow-katib-roles.yaml +- ui-virtual-service.yaml +- istio-authorizationpolicy.yaml images: - - name: ghcr.io/kubeflow/katib/katib-controller - newName: ghcr.io/kubeflow/katib/katib-controller - newTag: latest - - name: ghcr.io/kubeflow/katib/katib-db-manager - newName: ghcr.io/kubeflow/katib/katib-db-manager - newTag: latest - - name: ghcr.io/kubeflow/katib/katib-ui - newName: ghcr.io/kubeflow/katib/katib-ui - newTag: latest - -patchesStrategicMerge: - - patches/remove-namespace.yaml - +- name: ghcr.io/kubeflow/katib/katib-controller + newName: ghcr.io/kubeflow/katib/katib-controller + newTag: latest +- name: ghcr.io/kubeflow/katib/katib-db-manager + newName: ghcr.io/kubeflow/katib/katib-db-manager + newTag: latest +- name: ghcr.io/kubeflow/katib/katib-ui + newName: ghcr.io/kubeflow/katib/katib-ui + newTag: latest + patches: - # Extend RBAC permission list of katib-ui so it can - # create SubjectAccessReview resources. - - target: - kind: ClusterRole - name: katib-ui - group: rbac.authorization.k8s.io - version: v1 - path: patches/ui-rbac.yaml - # Enable RBAC authz checks in UI's backend. - - target: - version: v1 - kind: Deployment - name: katib-ui - path: patches/enable-ui-authz-checks.yaml - # Allow istio sidecar injection in katib-UI Pod. - - target: - kind: Deployment - name: katib-ui - path: patches/istio-sidecar-injection.yaml +# Extend RBAC permission list of katib-ui so it can +# create SubjectAccessReview resources. +- path: patches/ui-rbac.yaml + target: + group: rbac.authorization.k8s.io + kind: ClusterRole + name: katib-ui + version: v1 +# Enable RBAC authz checks in UI's backend. 
+- path: patches/enable-ui-authz-checks.yaml + target: + kind: Deployment + name: katib-ui + version: v1 +# Allow istio sidecar injection in katib-UI Pod. +- path: patches/istio-sidecar-injection.yaml + target: + kind: Deployment + name: katib-ui +- path: patches/remove-namespace.yaml -vars: - - fieldref: - fieldPath: metadata.namespace - name: KATIB_UI_NAMESPACE - objref: - apiVersion: apps/v1 - kind: Deployment - name: katib-ui configurations: - - params.yaml +- params.yaml +replacements: +- source: + fieldPath: metadata.namespace + group: apps + kind: Deployment + name: katib-ui + version: v1 + targets: + - fieldPaths: + - spec.http.0.route.0.destination.host + options: + delimiter: . + index: 1 + select: + group: networking.istio.io + kind: VirtualService + name: katib-ui + version: v1alpha3 diff --git a/manifests/v1beta1/installs/katib-with-kubeflow/ui-virtual-service.yaml b/manifests/v1beta1/installs/katib-with-kubeflow/ui-virtual-service.yaml index 4ed0f3d1b5b..fec5aa06c26 100644 --- a/manifests/v1beta1/installs/katib-with-kubeflow/ui-virtual-service.yaml +++ b/manifests/v1beta1/installs/katib-with-kubeflow/ui-virtual-service.yaml @@ -16,6 +16,6 @@ spec: uri: /katib/ route: - destination: - host: katib-ui.$(KATIB_UI_NAMESPACE).svc.cluster.local + host: katib-ui.KATIB_UI_NAMESPACE_PLACEHOLDER.svc.cluster.local port: number: 80
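Review bot: The new `replacements` entry in katib-with-kubeflow/kustomization.yaml selects the VirtualService by `version: v1alpha3` and writes to the positional path `spec.http.0.route.0.destination.host`. It therefore depends on both the apiVersion and the route order in ui-virtual-service.yaml staying exactly as they are. If either changes and the target stops matching, the rendered host would presumably keep the literal `KATIB_UI_NAMESPACE_PLACEHOLDER` segment rather than fail the build. Consider dropping `version` from `select`, since `group`, `kind` and `name` already identify the object. A comment above the entry would also help, e.g. `# Rewrites the namespace segment of the katib-ui VirtualService host; keep in sync with ui-virtual-service.yaml.`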