diff --git a/contrib/datashim/base/datashim.yaml b/contrib/datashim/base/datashim.yaml
new file mode 100644
index 0000000000..ede9b0faf9
--- /dev/null
+++ b/contrib/datashim/base/datashim.yaml
@@ -0,0 +1,1449 @@ +--- +# Source: dlf-chart/templates/namespace.yaml +kind: Namespace +apiVersion: v1 +metadata: + name: dlf + labels: + app.kubernetes.io/name: "dlf" +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-controller-rbac.yaml +# This YAML file contains RBAC API objects that are necessary to run external +# CSI attacher for H3 adapter + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-controller-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-nodeplugin-rbac.yaml +# This YAML defines all API objects to create RBAC roles for CSI node plugin + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-nodeplugin-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-attacher-rbac.yaml +# This YAML file contains RBAC API objects that are necessary to run external +# CSI attacher for nfs flex adapter + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-attacher-nfs + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-nodeplugin-rbac.yaml +# This YAML defines all API objects to create RBAC roles for CSI node plugin +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-nodeplugin + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/csi-s3.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-s3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml +# This YAML file contains all RBAC objects that are necessary to run external +# CSI attacher. 
+# +# In production, each CSI driver deployment has to be customized: +# - to avoid conflicts, use non-default namespace and different names +# for non-namespaced entities like the ClusterRole +# - decide whether the deployment replicates the external CSI +# attacher, in which case leadership election must be enabled; +# this influences the RBAC setup, see below + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-attacher + # replace with non-default namespace name + namespace: dlf + labels: + app.kubernetes.io/name: "dlf" +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml +# This YAML file contains all RBAC objects that are necessary to run external +# CSI provisioner. +# +# In production, each CSI driver deployment has to be customized: +# - to avoid conflicts, use non-default namespace and different names +# for non-namespaced entities like the ClusterRole +# - decide whether the deployment replicates the external CSI +# provisioner, in which case leadership election must be enabled; +# this influences the RBAC setup, see below + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-provisioner + # replace with non-default namespace name + namespace: dlf + labels: + app.kubernetes.io/name: "dlf" +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/rbac/service_account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: dataset-operator + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/secrets/server-tls.yaml +apiVersion: v1 +kind: Secret +metadata: + labels: + app.kubernetes.io/name: dlf + name: webhook-server-tls + namespace: dlf +type: kubernetes.io/tls +data: + tls.crt: YmFyCg== + tls.key: YmFyCg== +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-h3-storageclass.yaml +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: h3 + labels: + app.kubernetes.io/name: "dlf" +provisioner: 
kubernetes.io/no-provisioner +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/storageclass.yaml +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: csi-s3 + labels: + app.kubernetes.io/name: "dlf" +provisioner: ch.ctrox.csi.s3-driver +parameters: + # specify which mounter to use + # can be set to s3fs, goofys + # OTHER OPTIONS NOT WORKING! + mounter: goofys + + csi.storage.k8s.io/provisioner-secret-name: ${pvc.name} + csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace} + + csi.storage.k8s.io/controller-publish-secret-name: ${pvc.name} + csi.storage.k8s.io/controller-publish-secret-namespace: ${pvc.namespace} + + csi.storage.k8s.io/node-stage-secret-name: ${pvc.name} + csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace} + + csi.storage.k8s.io/node-publish-secret-name: ${pvc.name} + csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace} +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/crds/com.ie.ibm.hpsys_datasetinternals_crd.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: datasetsinternal.com.ie.ibm.hpsys +spec: + conversion: + strategy: None + group: com.ie.ibm.hpsys + names: + kind: DatasetInternal + listKind: DatasetInternalList + plural: datasetsinternal + singular: datasetinternal + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: DatasetInternal is the Schema for the datasetsinternal API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DatasetInternalSpec defines the desired state of DatasetInternal + properties: + local: + additionalProperties: + type: string + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "operator-sdk generate k8s" to regenerate code after + modifying this file Add custom validation using kubebuilder tags: + https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html' + type: object + x-kubernetes-preserve-unknown-fields: true + remote: + additionalProperties: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + x-kubernetes-preserve-unknown-fields: true + status: + description: DatasetInternalStatus defines the observed state of DatasetInternal + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: + status: {} +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/crds/com.ie.ibm.hpsys_datasets_crd.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: datasets.com.ie.ibm.hpsys +spec: + conversion: + strategy: None + group: com.ie.ibm.hpsys + names: + kind: Dataset + listKind: DatasetList + plural: datasets + singular: dataset + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Dataset is the Schema for the datasets API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DatasetSpec defines the desired state of Dataset + properties: + local: + additionalProperties: + type: string + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "operator-sdk generate k8s" to regenerate code after + modifying this file Add custom validation using kubebuilder tags: + https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html + Conf map[string]string `json:"conf,omitempty"`' + type: object + x-kubernetes-preserve-unknown-fields: true + remote: + additionalProperties: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + x-kubernetes-preserve-unknown-fields: true + status: + description: DatasetStatus defines the observed state of Dataset + properties: + error: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state + of cluster Important: Run "operator-sdk generate k8s" to regenerate + code after modifying this file Add custom validation using kubebuilder + tags: https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html' + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: + status: {} +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-controller-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: external-controller-h3 + labels: + app.kubernetes.io/name: "dlf" 
+rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-controller-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-cluster-driver-registrar-role-h3 + labels: + app.kubernetes.io/name: "dlf" +rules: + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csidrivers"] + verbs: ["create", "delete"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete"] +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-nodeplugin-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin-h3 + labels: + app.kubernetes.io/name: "dlf" +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["secrets","secret"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-attacher-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: external-attacher-runner-nfs + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + 
verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-nodeplugin-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/csi-s3.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-s3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "update"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update","create"] +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml +# Attacher must be able to work with PVs, CSINodes and VolumeAttachments +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: external-attacher-runner + labels: + app.kubernetes.io/name: "dlf" +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] #Adding "update" + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", 
"update", "patch", "create"] #Adding "update" + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] +#Secret permission is optional. +#Enable it if you need value from secret. +#For example, you have key `csi.storage.k8s.io/controller-publish-secret-name` in StorageClass.parameters +#see https://kubernetes-csi.github.io/docs/secrets-and-credentials.html +# - apiGroups: [""] +# resources: ["secrets"] +# verbs: ["get", "list"] +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: external-provisioner-runner + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +rules: + # The following rule should be uncommented for plugins that require secrets + # for provisioning. #Enabling secrets + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + # Access to volumeattachments is only needed when the CSI driver + # has the PUBLISH_UNPUBLISH_VOLUME controller capability. + # In that case, external-provisioner will watch volumeattachments + # to determine when it is safe to delete a volume. 
+ - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch","create"] +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/rbac/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: dataset-operator + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +rules: +- apiGroups: + - "" + resources: + - pods + - services + - endpoints + - persistentvolumeclaims + - persistentvolumes + - events + - configmaps + - secrets + verbs: + - '*' +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - apps + resourceNames: + - dataset-operator + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get +- apiGroups: + - com.ie.ibm.hpsys + resources: + - '*' + - datasetsinternal + verbs: + - '*' +- apiGroups: + - storage.k8s.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - objectbucket.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - '*' +- apiGroups: ["batch", "extensions"] + resources: ["jobs"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-controller-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-role-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-controller-h3 + namespace: dlf +roleRef: + kind: ClusterRole + name: external-controller-h3 + apiGroup: rbac.authorization.k8s.io +--- +# Source: 
dlf-chart/charts/csi-h3-chart/templates/csi-controller-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-cluster-driver-registrar-binding-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-controller-h3 + namespace: dlf +roleRef: + kind: ClusterRole + name: csi-cluster-driver-registrar-role-h3 + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-nodeplugin-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-nodeplugin-h3 + namespace: dlf +roleRef: + kind: ClusterRole + name: csi-nodeplugin-h3 + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-attacher-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-role-nfs + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-attacher-nfs + namespace: dlf +roleRef: + kind: ClusterRole + name: external-attacher-runner-nfs + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-nodeplugin-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-nodeplugin + namespace: dlf +roleRef: + kind: ClusterRole + name: csi-nodeplugin + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/csi-s3.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-s3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-s3 + namespace: dlf 
+roleRef: + kind: ClusterRole + name: csi-s3 + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-role + labels: + app.kubernetes.io/name: "dlf" +subjects: + - kind: ServiceAccount + name: csi-attacher + # replace with non-default namespace name + namespace: dlf +roleRef: + kind: ClusterRole + name: external-attacher-runner + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-provisioner-role + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-provisioner + # replace with non-default namespace name + namespace: dlf +roleRef: + kind: ClusterRole + name: external-provisioner-runner + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/rbac/role_binding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dataset-operator + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: +- kind: ServiceAccount + name: dataset-operator + namespace: dlf +roleRef: + kind: ClusterRole + name: dataset-operator + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml +# Attacher must be able to work with configmaps or leases in the current namespace +# if (and only if) leadership election is enabled +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # replace with non-default namespace name + namespace: dlf + name: external-attacher-cfg + labels: + app.kubernetes.io/name: "dlf" +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +# Source: 
dlf-chart/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml +# Provisioner must be able to work with endpoints in current namespace +# if (and only if) leadership election is enabled +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # replace with non-default namespace name + namespace: dlf + name: external-provisioner-cfg + labels: + app.kubernetes.io/name: "dlf" +rules: + # Only one of the following rules for endpoints or leases is required based on + # what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases. + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + # Permissions for CSIStorageCapacity are only needed enabling the publishing + # of storage capacity information. + - apiGroups: ["storage.k8s.io"] + resources: ["csistoragecapacities"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + # The GET permissions below are needed for walking up the ownership chain + # for CSIStorageCapacity. They are sufficient for deployment via + # StatefulSet (only needs to get Pod) and Deployment (needs to get + # Pod and then ReplicaSet to find the Deployment). 
+ - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-role-cfg + # replace with non-default namespace name + namespace: dlf + labels: + app.kubernetes.io/name: "dlf" +subjects: + - kind: ServiceAccount + name: csi-attacher + # replace with non-default namespace name + namespace: dlf +roleRef: + kind: Role + name: external-attacher-cfg + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-provisioner-role-cfg + # replace with non-default namespace name + namespace: dlf + labels: + app.kubernetes.io/name: "dlf" +subjects: + - kind: ServiceAccount + name: csi-provisioner + # replace with non-default namespace name + namespace: dlf +roleRef: + kind: Role + name: external-provisioner-cfg + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-attacher-nfsplugin.yaml +# This YAML file contains attacher & csi driver API objects that are necessary +# to run external CSI attacher for nfs +kind: Service +apiVersion: v1 +metadata: + name: csi-attacher-nfsplugin + namespace: dlf + labels: + app: csi-attacher-nfsplugin + app.kubernetes.io/name: "dlf" +spec: + selector: + app: csi-attacher-nfsplugin + ports: + - name: dummy + port: 12345 +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/attacher.yaml +# needed for StatefulSet +kind: Service +apiVersion: v1 +metadata: + name: csi-attacher-s3 + namespace: dlf + labels: + app: csi-attacher-s3 + app.kubernetes.io/name: "dlf" +spec: + selector: + app: csi-attacher-s3 + ports: + - name: dummy + port: 12345 +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/provisioner.yaml +kind: Service 
+apiVersion: v1 +metadata: + name: csi-provisioner-s3 + namespace: dlf + labels: + app: csi-provisioner-s3 + app.kubernetes.io/name: "dlf" +spec: + selector: + app: csi-provisioner-s3 + ports: + - name: dummy + port: 12345 +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/apps/operator.yaml +apiVersion: v1 +kind: Service +metadata: + name: webhook-server + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + selector: + name: dataset-operator + ports: + - port: 443 + targetPort: webhook-api +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-nodeplugin-h3.yaml +# This YAML file contains driver-registrar & csi driver nodeplugin API objects +# that are necessary to run CSI nodeplugin for H3 +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-nodeplugin-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + selector: + matchLabels: + app: csi-nodeplugin-h3 + template: + metadata: + labels: + app.kubernetes.io/name: "dlf" + app: csi-nodeplugin-h3 + spec: + serviceAccountName: csi-nodeplugin-h3 + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: node-driver-registrar + image: "quay.io/k8scsi/csi-node-driver-registrar:v1.2.0" + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "rm -rf /registration/csi-h3 /registration/csi-h3-reg.sock"] + args: + - --v=5 + - --csi-address=/plugin/csi.sock + - --kubelet-registration-path=/var/data/kubelet/plugins/csi-h3/csi.sock + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: registration-dir + mountPath: /registration + - name: h3 + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: "carvicsforth/csi-h3:v1.2.0" + args: + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT 
+ value: unix://plugin/csi.sock + # imagePullPolicy: "Always" + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "mount -t fuse.h3fuse | while read -r mount; do umount $(echo $mount | awk '{print $3}') ; done"] + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: pods-mount-dir + mountPath: /var/data/kubelet/pods + mountPropagation: "Bidirectional" + volumes: + - name: plugin-dir + hostPath: + path: /var/data/kubelet/plugins/csi-h3 + type: DirectoryOrCreate + - name: pods-mount-dir + hostPath: + path: /var/data/kubelet/pods + type: Directory + - hostPath: + path: /var/data/kubelet/plugins_registry + type: DirectoryOrCreate + name: registration-dir +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-nodeplugin-nfsplugin.yaml +# This YAML file contains driver-registrar & csi driver nodeplugin API objects +# that are necessary to run CSI nodeplugin for nfs +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-nodeplugin-nfsplugin + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + selector: + matchLabels: + app: csi-nodeplugin-nfsplugin + template: + metadata: + labels: + app.kubernetes.io/name: "dlf" + app: csi-nodeplugin-nfsplugin + spec: + serviceAccountName: csi-nodeplugin + hostNetwork: true + containers: + - name: node-driver-registrar + image: "quay.io/k8scsi/csi-node-driver-registrar:v1.2.0" + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "rm -rf /registration/csi-nfsplugin /registration/csi-nfsplugin-reg.sock"] + args: + - --v=10 + - --csi-address=/plugin/csi.sock + - --kubelet-registration-path=/var/data/kubelet/plugins/csi-nfsplugin/csi.sock + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: registration-dir + mountPath: /registration + - name: nfs + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: 
"quay.io/datashim/csi-nfs:latest-amd64" + args : + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: unix://plugin/csi.sock + imagePullPolicy: "Always" + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: pods-mount-dir + mountPath: /var/data/kubelet/pods + mountPropagation: "Bidirectional" + volumes: + - name: plugin-dir + hostPath: + path: /var/data/kubelet/plugins/csi-nfsplugin + type: DirectoryOrCreate + - name: pods-mount-dir + hostPath: + path: /var/data/kubelet/pods + type: Directory + - hostPath: + path: /var/data/kubelet/plugins_registry + type: Directory + name: registration-dir +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/csi-s3.yaml +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-s3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + selector: + matchLabels: + app: csi-s3 + template: + metadata: + labels: + app.kubernetes.io/name: "dlf" + app: csi-s3 + spec: + serviceAccountName: csi-s3 + containers: + - name: driver-registrar + image: "quay.io/k8scsi/csi-node-driver-registrar:v1.2.0" + imagePullPolicy: Always + args: + - --v=5 + - --csi-address=/csi/csi.sock + - --kubelet-registration-path=/var/data/kubelet/plugins/csi-s3/csi.sock + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. 
+ privileged: true + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /registration + name: registration-dir + - name: csi-s3 + image: "quay.io/datashim/csi-s3:latest-amd64" + imagePullPolicy: Always + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + env: + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: cheap + value: "off" + securityContext: + privileged: true + # ports: + # - containerPort: 9898 + # name: healthz + # protocol: TCP + # TODO make it configurable and build it for ppc64le + # livenessProbe: + # failureThreshold: 5 + # httpGet: + # path: /healthz + # port: healthz + # initialDelaySeconds: 10 + # timeoutSeconds: 3 + # periodSeconds: 2 + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/data/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /dev + name: dev-dir + ##TODO make it configurable and build it for ppc64le + # - name: liveness-probe + # volumeMounts: + # - mountPath: /csi + # name: socket-dir + # image: quay.io/k8scsi/livenessprobe:v1.1.0 + # args: + # - --csi-address=/csi/csi.sock + # - --health-port=9898 + volumes: + - hostPath: + path: /var/data/kubelet/plugins/csi-s3 + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/data/kubelet/pods + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/data/kubelet/plugins_registry + type: Directory + name: registration-dir + - hostPath: + path: /dev + type: Directory + name: dev-dir +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/apps/operator.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dataset-operator + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + replicas: 1 + selector: + matchLabels: 
+ name: dataset-operator + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + name: dataset-operator + app.kubernetes.io/name: "dlf" + spec: + serviceAccountName: dataset-operator + initContainers: + - name: generate-keys + image: "quay.io/datashim/generate-keys:latest-amd64" + imagePullPolicy: Always + env: + - name: DATASET_OPERATOR_NAMESPACE + value: dlf + containers: + - name: dataset-operator + # Replace this with the built image name + image: "quay.io/datashim/dataset-operator:latest-amd64" + command: + - dataset-operator + imagePullPolicy: Always + ports: + - containerPort: 8443 + name: webhook-api + env: + - name: WATCH_NAMESPACE + value: "" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: "dataset-operator" + - name: OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: webhook-tls-certs + mountPath: /run/secrets/tls + readOnly: true + volumes: + - name: webhook-tls-certs + secret: + secretName: webhook-server-tls +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-controller-h3.yaml +# This YAML file contains attacher & csi driver API objects that are necessary +# to run external CSI attacher for H3 +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-controller-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + serviceName: "csi-controller-h3" + replicas: 1 + selector: + matchLabels: + app: csi-controller-h3 + template: + metadata: + labels: + app.kubernetes.io/name: "dlf" + app: csi-controller-h3 + spec: + serviceAccountName: csi-controller-h3 + containers: + - name: csi-attacher + image: "quay.io/k8scsi/csi-attacher:v2.2.0" + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /csi/csi.sock + # imagePullPolicy: "Always" + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: csi-cluster-driver-registrar + image: 
"quay.io/k8scsi/csi-cluster-driver-registrar:v1.0.1" + args: + - "--v=5" + - "--pod-info-mount-version=\"v1\"" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: h3 + image: "carvicsforth/csi-h3:v1.2.0" + args : + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: unix://plugin/csi.sock + # imagePullPolicy: "Always" + volumeMounts: + - name: socket-dir + mountPath: /plugin + volumes: + - name: socket-dir + emptyDir: +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-attacher-nfsplugin.yaml +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-attacher-nfsplugin + namespace: dlf + labels: + app.kubernetes.io/name: "dlf" +spec: + selector: + matchLabels: + app: csi-attacher-nfsplugin + serviceName: "csi-attacher-nfsplugin" + replicas: 1 + template: + metadata: + labels: + app.kubernetes.io/name: "dlf" + app: csi-attacher-nfsplugin + spec: + serviceAccountName: csi-attacher-nfs + containers: + - name: csi-attacher + image: "quay.io/k8scsi/csi-attacher:v2.2.0" + args: + - "--v=10" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: Always + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: nfs + image: "quay.io/datashim/csi-nfs:latest-amd64" + args : + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: unix://plugin/csi.sock + imagePullPolicy: Always + volumeMounts: + - name: socket-dir + mountPath: /plugin + volumes: + - name: socket-dir + emptyDir: {} +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/attacher.yaml +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-attacher-s3 + namespace: dlf + labels: + app.kubernetes.io/name: "dlf" +spec: + serviceName: 
"csi-attacher-s3" + replicas: 1 + selector: + matchLabels: + app: csi-attacher-s3 + template: + metadata: + labels: + app.kubernetes.io/name: "dlf" + app: csi-attacher-s3 + spec: + serviceAccountName: csi-attacher + containers: + - name: csi-attacher + image: "quay.io/k8scsi/csi-attacher:v2.2.0" + imagePullPolicy: Always + args: + - --v=5 + - --csi-address=/csi/csi.sock + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + privileged: true + volumeMounts: + - mountPath: /csi + name: socket-dir + + volumes: + - hostPath: + path: /var/data/kubelet/plugins/csi-s3 + type: DirectoryOrCreate + name: socket-dir +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/provisioner.yaml +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-provisioner-s3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + serviceName: "csi-provisioner-s3" + replicas: 1 + selector: + matchLabels: + app: csi-provisioner-s3 + template: + metadata: + labels: + app: csi-provisioner-s3 + spec: + serviceAccountName: csi-provisioner + containers: + - name: csi-provisioner + image: "quay.io/k8scsi/csi-provisioner:v2.0.2" + imagePullPolicy: Always + args: + - -v=5 + - --csi-address=/csi/csi.sock + - --feature-gates=Topology=true + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. 
+ privileged: true
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ volumes:
+ - hostPath:
+ path: /var/data/kubelet/plugins/csi-s3
+ type: DirectoryOrCreate
+ name: socket-dir
+---
+# Source: dlf-chart/charts/csi-s3-chart/templates/driver.yaml
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+ name: ch.ctrox.csi.s3-driver
+spec:
+ attachRequired: false
+ podInfoOnMount: false
+---
+# Source: dlf-chart/charts/dataset-operator-chart/templates/apps/webhook-definition.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: dlf-mutating-webhook-cfg
diff --git a/contrib/datashim/base/kustomization.yaml b/contrib/datashim/base/kustomization.yaml
new file mode 100644
index 0000000000..f16e54df2d
--- /dev/null
+++ b/contrib/datashim/base/kustomization.yaml
@@ -0,0 +1,19 @@
+
+# Copyright 2021 IBM Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - datashim.yaml
+ - minio.yaml
diff --git a/contrib/datashim/base/minio.yaml b/contrib/datashim/base/minio.yaml
new file mode 100644
index 0000000000..f2a6e7a3bc
--- /dev/null
+++ b/contrib/datashim/base/minio.yaml
@@ -0,0 +1,92 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: minio-service
+ namespace: dlf
+spec:
+ ports:
+ - name: http
+ port: 9000
+ protocol: TCP
+ targetPort: 9000
+ selector:
+ app: minio
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: minio
+ namespace: dlf
+ labels:
+ app: minio
+spec:
+ selector:
+ matchLabels:
+ app: minio
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: minio
+ spec:
+ containers:
+ - args:
+ - server
+ - /data
+ env:
+ - name: MINIO_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mlpipeline-minio-artifact
+ key: accesskey
+ - name: MINIO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mlpipeline-minio-artifact
+ key: secretkey
+ image: gcr.io/ml-pipeline/minio:RELEASE.2019-08-14T20-37-41Z-license-compliance
+ name: minio
+ ports:
+ - containerPort: 9000
+ volumeMounts:
+ - mountPath: /data
+ name: data
+ subPath: minio
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: minio-pvc
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: minio-pvc
+ namespace: dlf
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 20Gi
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: mlpipeline-minio-artifact
+ namespace: dlf
+stringData:
+ accesskey: minio
+ secretkey: minio123
+---
+apiVersion: v1
+data:
+ AWS_ACCESS_KEY_ID: bWluaW8=
+ AWS_DEFAULT_REGION: dXMtd2VzdC0y
+ AWS_SECRET_ACCESS_KEY: bWluaW8xMjM=
+ ENDPOINT: aHR0cDovL21pbmlvLXNlcnZpY2UuZGxmOjkwMDA=
+kind: Secret
+metadata:
+ name: minio-conf
+ namespace: dlf
+type: Opaque
diff --git a/contrib/datashim/kind/datashim.yaml b/contrib/datashim/kind/datashim.yaml
new file mode 100644
index 0000000000..f23cefbf3a
--- /dev/null
+++ b/contrib/datashim/kind/datashim.yaml
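Review bot: The `mlpipeline-minio-artifact` Secret commits fixed credentials in clear text (`accesskey: minio`, `secretkey: minio123`), and the `minio-conf` Secret repeats the same pair base64-encoded (`bWluaW8=`, `bWluaW8xMjM=`), so this hunk checks a working default credential into VCS twice with nothing tying the two copies together. Since the same commit adds `kustomization.yaml`, the values would be better produced by a `secretGenerator` (or a per-environment overlay) so that both Secrets derive from one source and a real deployment has to override them. Until then a comment above `stringData:` such as `# dev-only default credentials; override both this Secret and minio-conf before any shared deployment` would make the intent explicit. The `minio` container also sets no `securityContext` or `resources`, which is worth adding for a service that holds pipeline artifacts.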
@@ -0,0 +1,1449 @@ +--- +# Source: dlf-chart/templates/namespace.yaml +kind: Namespace +apiVersion: v1 +metadata: + name: dlf + labels: + app.kubernetes.io/name: "dlf" +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-controller-rbac.yaml +# This YAML file contains RBAC API objects that are necessary to run external +# CSI attacher for H3 adapter + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-controller-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-nodeplugin-rbac.yaml +# This YAML defines all API objects to create RBAC roles for CSI node plugin + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-nodeplugin-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-attacher-rbac.yaml +# This YAML file contains RBAC API objects that are necessary to run external +# CSI attacher for nfs flex adapter + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-attacher-nfs + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-nodeplugin-rbac.yaml +# This YAML defines all API objects to create RBAC roles for CSI node plugin +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-nodeplugin + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/csi-s3.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-s3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml +# This YAML file contains all RBAC objects that are necessary to run external +# CSI attacher. 
+# +# In production, each CSI driver deployment has to be customized: +# - to avoid conflicts, use non-default namespace and different names +# for non-namespaced entities like the ClusterRole +# - decide whether the deployment replicates the external CSI +# attacher, in which case leadership election must be enabled; +# this influences the RBAC setup, see below + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-attacher + # replace with non-default namespace name + namespace: dlf + labels: + app.kubernetes.io/name: "dlf" +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml +# This YAML file contains all RBAC objects that are necessary to run external +# CSI provisioner. +# +# In production, each CSI driver deployment has to be customized: +# - to avoid conflicts, use non-default namespace and different names +# for non-namespaced entities like the ClusterRole +# - decide whether the deployment replicates the external CSI +# provisioner, in which case leadership election must be enabled; +# this influences the RBAC setup, see below + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-provisioner + # replace with non-default namespace name + namespace: dlf + labels: + app.kubernetes.io/name: "dlf" +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/rbac/service_account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: dataset-operator + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/secrets/server-tls.yaml +apiVersion: v1 +kind: Secret +metadata: + labels: + app.kubernetes.io/name: dlf + name: webhook-server-tls + namespace: dlf +type: kubernetes.io/tls +data: + tls.crt: YmFyCg== + tls.key: YmFyCg== +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-h3-storageclass.yaml +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: h3 + labels: + app.kubernetes.io/name: "dlf" +provisioner: 
kubernetes.io/no-provisioner +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/storageclass.yaml +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: csi-s3 + labels: + app.kubernetes.io/name: "dlf" +provisioner: ch.ctrox.csi.s3-driver +parameters: + # specify which mounter to use + # can be set to s3fs, goofys + # OTHER OPTIONS NOT WORKING! + mounter: goofys + + csi.storage.k8s.io/provisioner-secret-name: ${pvc.name} + csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace} + + csi.storage.k8s.io/controller-publish-secret-name: ${pvc.name} + csi.storage.k8s.io/controller-publish-secret-namespace: ${pvc.namespace} + + csi.storage.k8s.io/node-stage-secret-name: ${pvc.name} + csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace} + + csi.storage.k8s.io/node-publish-secret-name: ${pvc.name} + csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace} +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/crds/com.ie.ibm.hpsys_datasetinternals_crd.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: datasetsinternal.com.ie.ibm.hpsys +spec: + conversion: + strategy: None + group: com.ie.ibm.hpsys + names: + kind: DatasetInternal + listKind: DatasetInternalList + plural: datasetsinternal + singular: datasetinternal + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: DatasetInternal is the Schema for the datasetsinternal API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DatasetInternalSpec defines the desired state of DatasetInternal + properties: + local: + additionalProperties: + type: string + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "operator-sdk generate k8s" to regenerate code after + modifying this file Add custom validation using kubebuilder tags: + https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html' + type: object + x-kubernetes-preserve-unknown-fields: true + remote: + additionalProperties: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + x-kubernetes-preserve-unknown-fields: true + status: + description: DatasetInternalStatus defines the observed state of DatasetInternal + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: + status: {} +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/crds/com.ie.ibm.hpsys_datasets_crd.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: datasets.com.ie.ibm.hpsys +spec: + conversion: + strategy: None + group: com.ie.ibm.hpsys + names: + kind: Dataset + listKind: DatasetList + plural: datasets + singular: dataset + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Dataset is the Schema for the datasets API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DatasetSpec defines the desired state of Dataset + properties: + local: + additionalProperties: + type: string + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "operator-sdk generate k8s" to regenerate code after + modifying this file Add custom validation using kubebuilder tags: + https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html + Conf map[string]string `json:"conf,omitempty"`' + type: object + x-kubernetes-preserve-unknown-fields: true + remote: + additionalProperties: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + x-kubernetes-preserve-unknown-fields: true + status: + description: DatasetStatus defines the observed state of Dataset + properties: + error: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state + of cluster Important: Run "operator-sdk generate k8s" to regenerate + code after modifying this file Add custom validation using kubebuilder + tags: https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html' + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: + status: {} +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-controller-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: external-controller-h3 + labels: + app.kubernetes.io/name: "dlf" 
+rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-controller-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-cluster-driver-registrar-role-h3 + labels: + app.kubernetes.io/name: "dlf" +rules: + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csidrivers"] + verbs: ["create", "delete"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete"] +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-nodeplugin-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin-h3 + labels: + app.kubernetes.io/name: "dlf" +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["secrets","secret"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-attacher-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: external-attacher-runner-nfs + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + 
verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-nodeplugin-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/csi-s3.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-s3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "update"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update","create"] +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml +# Attacher must be able to work with PVs, CSINodes and VolumeAttachments +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: external-attacher-runner + labels: + app.kubernetes.io/name: "dlf" +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] #Adding "update" + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", 
"update", "patch", "create"] #Adding "update" + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] +#Secret permission is optional. +#Enable it if you need value from secret. +#For example, you have key `csi.storage.k8s.io/controller-publish-secret-name` in StorageClass.parameters +#see https://kubernetes-csi.github.io/docs/secrets-and-credentials.html +# - apiGroups: [""] +# resources: ["secrets"] +# verbs: ["get", "list"] +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: external-provisioner-runner + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +rules: + # The following rule should be uncommented for plugins that require secrets + # for provisioning. #Enabling secrets + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + # Access to volumeattachments is only needed when the CSI driver + # has the PUBLISH_UNPUBLISH_VOLUME controller capability. + # In that case, external-provisioner will watch volumeattachments + # to determine when it is safe to delete a volume. 
+ - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch","create"] +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/rbac/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: dataset-operator + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +rules: +- apiGroups: + - "" + resources: + - pods + - services + - endpoints + - persistentvolumeclaims + - persistentvolumes + - events + - configmaps + - secrets + verbs: + - '*' +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - apps + resourceNames: + - dataset-operator + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get +- apiGroups: + - com.ie.ibm.hpsys + resources: + - '*' + - datasetsinternal + verbs: + - '*' +- apiGroups: + - storage.k8s.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - objectbucket.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - '*' +- apiGroups: ["batch", "extensions"] + resources: ["jobs"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-controller-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-role-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-controller-h3 + namespace: dlf +roleRef: + kind: ClusterRole + name: external-controller-h3 + apiGroup: rbac.authorization.k8s.io +--- +# Source: 
dlf-chart/charts/csi-h3-chart/templates/csi-controller-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-cluster-driver-registrar-binding-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-controller-h3 + namespace: dlf +roleRef: + kind: ClusterRole + name: csi-cluster-driver-registrar-role-h3 + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-nodeplugin-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-nodeplugin-h3 + namespace: dlf +roleRef: + kind: ClusterRole + name: csi-nodeplugin-h3 + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-attacher-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-role-nfs + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-attacher-nfs + namespace: dlf +roleRef: + kind: ClusterRole + name: external-attacher-runner-nfs + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-nodeplugin-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-nodeplugin + namespace: dlf +roleRef: + kind: ClusterRole + name: csi-nodeplugin + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/csi-s3.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-s3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-s3 + namespace: dlf 
+roleRef: + kind: ClusterRole + name: csi-s3 + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-role + labels: + app.kubernetes.io/name: "dlf" +subjects: + - kind: ServiceAccount + name: csi-attacher + # replace with non-default namespace name + namespace: dlf +roleRef: + kind: ClusterRole + name: external-attacher-runner + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-provisioner-role + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: + - kind: ServiceAccount + name: csi-provisioner + # replace with non-default namespace name + namespace: dlf +roleRef: + kind: ClusterRole + name: external-provisioner-runner + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/rbac/role_binding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dataset-operator + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +subjects: +- kind: ServiceAccount + name: dataset-operator + namespace: dlf +roleRef: + kind: ClusterRole + name: dataset-operator + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml +# Attacher must be able to work with configmaps or leases in the current namespace +# if (and only if) leadership election is enabled +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # replace with non-default namespace name + namespace: dlf + name: external-attacher-cfg + labels: + app.kubernetes.io/name: "dlf" +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +# Source: 
dlf-chart/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml +# Provisioner must be able to work with endpoints in current namespace +# if (and only if) leadership election is enabled +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # replace with non-default namespace name + namespace: dlf + name: external-provisioner-cfg + labels: + app.kubernetes.io/name: "dlf" +rules: + # Only one of the following rules for endpoints or leases is required based on + # what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases. + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + # Permissions for CSIStorageCapacity are only needed enabling the publishing + # of storage capacity information. + - apiGroups: ["storage.k8s.io"] + resources: ["csistoragecapacities"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + # The GET permissions below are needed for walking up the ownership chain + # for CSIStorageCapacity. They are sufficient for deployment via + # StatefulSet (only needs to get Pod) and Deployment (needs to get + # Pod and then ReplicaSet to find the Deployment). 
+ - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-role-cfg + # replace with non-default namespace name + namespace: dlf + labels: + app.kubernetes.io/name: "dlf" +subjects: + - kind: ServiceAccount + name: csi-attacher + # replace with non-default namespace name + namespace: dlf +roleRef: + kind: Role + name: external-attacher-cfg + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-provisioner-role-cfg + # replace with non-default namespace name + namespace: dlf + labels: + app.kubernetes.io/name: "dlf" +subjects: + - kind: ServiceAccount + name: csi-provisioner + # replace with non-default namespace name + namespace: dlf +roleRef: + kind: Role + name: external-provisioner-cfg + apiGroup: rbac.authorization.k8s.io +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-attacher-nfsplugin.yaml +# This YAML file contains attacher & csi driver API objects that are necessary +# to run external CSI attacher for nfs +kind: Service +apiVersion: v1 +metadata: + name: csi-attacher-nfsplugin + namespace: dlf + labels: + app: csi-attacher-nfsplugin + app.kubernetes.io/name: "dlf" +spec: + selector: + app: csi-attacher-nfsplugin + ports: + - name: dummy + port: 12345 +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/attacher.yaml +# needed for StatefulSet +kind: Service +apiVersion: v1 +metadata: + name: csi-attacher-s3 + namespace: dlf + labels: + app: csi-attacher-s3 + app.kubernetes.io/name: "dlf" +spec: + selector: + app: csi-attacher-s3 + ports: + - name: dummy + port: 12345 +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/provisioner.yaml +kind: Service 
+apiVersion: v1 +metadata: + name: csi-provisioner-s3 + namespace: dlf + labels: + app: csi-provisioner-s3 + app.kubernetes.io/name: "dlf" +spec: + selector: + app: csi-provisioner-s3 + ports: + - name: dummy + port: 12345 +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/apps/operator.yaml +apiVersion: v1 +kind: Service +metadata: + name: webhook-server + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + selector: + name: dataset-operator + ports: + - port: 443 + targetPort: webhook-api +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-nodeplugin-h3.yaml +# This YAML file contains driver-registrar & csi driver nodeplugin API objects +# that are necessary to run CSI nodeplugin for H3 +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-nodeplugin-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + selector: + matchLabels: + app: csi-nodeplugin-h3 + template: + metadata: + labels: + app.kubernetes.io/name: "dlf" + app: csi-nodeplugin-h3 + spec: + serviceAccountName: csi-nodeplugin-h3 + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: node-driver-registrar + image: "quay.io/k8scsi/csi-node-driver-registrar:v1.2.0" + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "rm -rf /registration/csi-h3 /registration/csi-h3-reg.sock"] + args: + - --v=5 + - --csi-address=/plugin/csi.sock + - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-h3/csi.sock + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: registration-dir + mountPath: /registration + - name: h3 + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: "carvicsforth/csi-h3:v1.2.0" + args: + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT 
+ value: unix://plugin/csi.sock + # imagePullPolicy: "Always" + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "mount -t fuse.h3fuse | while read -r mount; do umount $(echo $mount | awk '{print $3}') ; done"] + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: pods-mount-dir + mountPath: /var/lib/kubelet/pods + mountPropagation: "Bidirectional" + volumes: + - name: plugin-dir + hostPath: + path: /var/lib/kubelet/plugins/csi-h3 + type: DirectoryOrCreate + - name: pods-mount-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + - hostPath: + path: /var/lib/kubelet/plugins_registry + type: DirectoryOrCreate + name: registration-dir +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-nodeplugin-nfsplugin.yaml +# This YAML file contains driver-registrar & csi driver nodeplugin API objects +# that are necessary to run CSI nodeplugin for nfs +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-nodeplugin-nfsplugin + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + selector: + matchLabels: + app: csi-nodeplugin-nfsplugin + template: + metadata: + labels: + app.kubernetes.io/name: "dlf" + app: csi-nodeplugin-nfsplugin + spec: + serviceAccountName: csi-nodeplugin + hostNetwork: true + containers: + - name: node-driver-registrar + image: "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.3.0" + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "rm -rf /registration/csi-nfsplugin /registration/csi-nfsplugin-reg.sock"] + args: + - --v=10 + - --csi-address=/plugin/csi.sock + - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-nfsplugin/csi.sock + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: registration-dir + mountPath: /registration + - name: nfs + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: 
"quay.io/datashim/csi-nfs:latest-amd64" + args : + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: unix://plugin/csi.sock + imagePullPolicy: "Always" + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: pods-mount-dir + mountPath: /var/lib/kubelet/pods + mountPropagation: "Bidirectional" + volumes: + - name: plugin-dir + hostPath: + path: /var/lib/kubelet/plugins/csi-nfsplugin + type: DirectoryOrCreate + - name: pods-mount-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + - hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory + name: registration-dir +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/csi-s3.yaml +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-s3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + selector: + matchLabels: + app: csi-s3 + template: + metadata: + labels: + app.kubernetes.io/name: "dlf" + app: csi-s3 + spec: + serviceAccountName: csi-s3 + containers: + - name: driver-registrar + image: "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.3.0" + imagePullPolicy: Always + args: + - --v=5 + - --csi-address=/csi/csi.sock + - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-s3/csi.sock + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. 
+ privileged: true + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /registration + name: registration-dir + - name: csi-s3 + image: "quay.io/datashim/csi-s3:latest-amd64" + imagePullPolicy: Always + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + env: + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: cheap + value: "off" + securityContext: + privileged: true + # ports: + # - containerPort: 9898 + # name: healthz + # protocol: TCP + # TODO make it configurable and build it for ppc64le + # livenessProbe: + # failureThreshold: 5 + # httpGet: + # path: /healthz + # port: healthz + # initialDelaySeconds: 10 + # timeoutSeconds: 3 + # periodSeconds: 2 + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /dev + name: dev-dir + ##TODO make it configurable and build it for ppc64le + # - name: liveness-probe + # volumeMounts: + # - mountPath: /csi + # name: socket-dir + # image: quay.io/k8scsi/livenessprobe:v1.1.0 + # args: + # - --csi-address=/csi/csi.sock + # - --health-port=9898 + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/csi-s3 + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/pods + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory + name: registration-dir + - hostPath: + path: /dev + type: Directory + name: dev-dir +--- +# Source: dlf-chart/charts/dataset-operator-chart/templates/apps/operator.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dataset-operator + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + replicas: 1 + selector: + matchLabels: + 
name: dataset-operator + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + name: dataset-operator + app.kubernetes.io/name: "dlf" + spec: + serviceAccountName: dataset-operator + initContainers: + - name: generate-keys + image: "quay.io/datashim/generate-keys:latest-amd64" + imagePullPolicy: Always + env: + - name: DATASET_OPERATOR_NAMESPACE + value: dlf + containers: + - name: dataset-operator + # Replace this with the built image name + image: "quay.io/datashim/dataset-operator:latest-amd64" + command: + - dataset-operator + imagePullPolicy: Always + ports: + - containerPort: 8443 + name: webhook-api + env: + - name: WATCH_NAMESPACE + value: "" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: "dataset-operator" + - name: OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: webhook-tls-certs + mountPath: /run/secrets/tls + readOnly: true + volumes: + - name: webhook-tls-certs + secret: + secretName: webhook-server-tls +--- +# Source: dlf-chart/charts/csi-h3-chart/templates/csi-controller-h3.yaml +# This YAML file contains attacher & csi driver API objects that are necessary +# to run external CSI attacher for H3 +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-controller-h3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + serviceName: "csi-controller-h3" + replicas: 1 + selector: + matchLabels: + app: csi-controller-h3 + template: + metadata: + labels: + app.kubernetes.io/name: "dlf" + app: csi-controller-h3 + spec: + serviceAccountName: csi-controller-h3 + containers: + - name: csi-attacher + image: "quay.io/k8scsi/csi-attacher:v2.2.0" + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /csi/csi.sock + # imagePullPolicy: "Always" + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: csi-cluster-driver-registrar + image: 
"quay.io/k8scsi/csi-cluster-driver-registrar:v1.0.1" + args: + - "--v=5" + - "--pod-info-mount-version=\"v1\"" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: h3 + image: "carvicsforth/csi-h3:v1.2.0" + args : + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: unix://plugin/csi.sock + # imagePullPolicy: "Always" + volumeMounts: + - name: socket-dir + mountPath: /plugin + volumes: + - name: socket-dir + emptyDir: +--- +# Source: dlf-chart/charts/csi-nfs-chart/templates/csi-attacher-nfsplugin.yaml +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-attacher-nfsplugin + namespace: dlf + labels: + app.kubernetes.io/name: "dlf" +spec: + selector: + matchLabels: + app: csi-attacher-nfsplugin + serviceName: "csi-attacher-nfsplugin" + replicas: 1 + template: + metadata: + labels: + app.kubernetes.io/name: "dlf" + app: csi-attacher-nfsplugin + spec: + serviceAccountName: csi-attacher-nfs + containers: + - name: csi-attacher + image: "k8s.gcr.io/sig-storage/csi-attacher:v3.3.0" + args: + - "--v=10" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: Always + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: nfs + image: "quay.io/datashim/csi-nfs:latest-amd64" + args : + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: unix://plugin/csi.sock + imagePullPolicy: Always + volumeMounts: + - name: socket-dir + mountPath: /plugin + volumes: + - name: socket-dir + emptyDir: {} +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/attacher.yaml +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-attacher-s3 + namespace: dlf + labels: + app.kubernetes.io/name: "dlf" +spec: + 
serviceName: "csi-attacher-s3" + replicas: 1 + selector: + matchLabels: + app: csi-attacher-s3 + template: + metadata: + labels: + app.kubernetes.io/name: "dlf" + app: csi-attacher-s3 + spec: + serviceAccountName: csi-attacher + containers: + - name: csi-attacher + image: "k8s.gcr.io/sig-storage/csi-attacher:v3.3.0" + imagePullPolicy: Always + args: + - --v=5 + - --csi-address=/csi/csi.sock + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + privileged: true + volumeMounts: + - mountPath: /csi + name: socket-dir + + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/csi-s3 + type: DirectoryOrCreate + name: socket-dir +--- +# Source: dlf-chart/charts/csi-s3-chart/templates/provisioner.yaml +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-provisioner-s3 + labels: + app.kubernetes.io/name: "dlf" + namespace: dlf +spec: + serviceName: "csi-provisioner-s3" + replicas: 1 + selector: + matchLabels: + app: csi-provisioner-s3 + template: + metadata: + labels: + app: csi-provisioner-s3 + spec: + serviceAccountName: csi-provisioner + containers: + - name: csi-provisioner + image: "k8s.gcr.io/sig-storage/csi-provisioner:v2.2.2" + imagePullPolicy: Always + args: + - -v=5 + - --csi-address=/csi/csi.sock + - --feature-gates=Topology=true + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. 
+ privileged: true
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ volumes:
+ - hostPath:
+ path: /var/lib/kubelet/plugins/csi-s3
+ type: DirectoryOrCreate
+ name: socket-dir
+---
+# Source: dlf-chart/charts/csi-s3-chart/templates/driver.yaml
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+ name: ch.ctrox.csi.s3-driver
+spec:
+ attachRequired: false
+ podInfoOnMount: false
+---
+# Source: dlf-chart/charts/dataset-operator-chart/templates/apps/webhook-definition.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: dlf-mutating-webhook-cfg
diff --git a/contrib/datashim/kind/kustomization.yaml b/contrib/datashim/kind/kustomization.yaml
new file mode 100644
index 0000000000..f16e54df2d
--- /dev/null
+++ b/contrib/datashim/kind/kustomization.yaml
@@ -0,0 +1,19 @@
+
+# Copyright 2021 IBM Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - datashim.yaml
+ - minio.yaml
diff --git a/contrib/datashim/kind/minio.yaml b/contrib/datashim/kind/minio.yaml
new file mode 100644
index 0000000000..f2a6e7a3bc
--- /dev/null
+++ b/contrib/datashim/kind/minio.yaml
@@ -0,0 +1,92 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: minio-service
+ namespace: dlf
+spec:
+ ports:
+ - name: http
+ port: 9000
+ protocol: TCP
+ targetPort: 9000
+ selector:
+ app: minio
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: minio
+ namespace: dlf
+ labels:
+ app: minio
+spec:
+ selector:
+ matchLabels:
+ app: minio
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: minio
+ spec:
+ containers:
+ - args:
+ - server
+ - /data
+ env:
+ - name: MINIO_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mlpipeline-minio-artifact
+ key: accesskey
+ - name: MINIO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mlpipeline-minio-artifact
+ key: secretkey
+ image: gcr.io/ml-pipeline/minio:RELEASE.2019-08-14T20-37-41Z-license-compliance
+ name: minio
+ ports:
+ - containerPort: 9000
+ volumeMounts:
+ - mountPath: /data
+ name: data
+ subPath: minio
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: minio-pvc
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: minio-pvc
+ namespace: dlf
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 20Gi
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: mlpipeline-minio-artifact
+ namespace: dlf
+stringData:
+ accesskey: minio
+ secretkey: minio123
+---
+apiVersion: v1
+data:
+ AWS_ACCESS_KEY_ID: bWluaW8=
+ AWS_DEFAULT_REGION: dXMtd2VzdC0y
+ AWS_SECRET_ACCESS_KEY: bWluaW8xMjM=
+ ENDPOINT: aHR0cDovL21pbmlvLXNlcnZpY2UuZGxmOjkwMDA=
+kind: Secret
+metadata:
+ name: minio-conf
+ namespace: dlf
+type: Opaque
diff --git a/contrib/mlx/base/kustomization.yaml b/contrib/mlx/base/kustomization.yaml
new file mode 100644
index 0000000000..0888682f1e
--- /dev/null
+++ b/contrib/mlx/base/kustomization.yaml
@@ -0,0 +1,10 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+ - mlx-deployments
+ - mlx-vs
+resources:
+ - mlx-profile.yaml
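Review bot: The MinIO credentials are committed in clear text twice — as `accesskey: minio` / `secretkey: minio123` in the `mlpipeline-minio-artifact` Secret and again base64-encoded as `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` in `minio-conf` — so the two Secrets have to be kept in sync by hand and every cluster built from this overlay ships the same defaults. A kustomize `secretGenerator` (or a single Secret the other consumers reference) would give one source of truth; at minimum a comment above the first Secret should mark intent, e.g. `# Dev-only defaults for the kind cluster; replace before exposing minio-service outside the cluster`. The `minio` container is pinned to a 2019 release tag; if it is bumped, confirm the `MINIO_ACCESS_KEY` / `MINIO_SECRET_KEY` env names are still the ones that image honours.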
diff --git a/contrib/mlx/base/mlx-deployments/kustomization.yaml b/contrib/mlx/base/mlx-deployments/kustomization.yaml
new file mode 100644
index 0000000000..2c657a9aa9
--- /dev/null
+++ b/contrib/mlx/base/mlx-deployments/kustomization.yaml
@@ -0,0 +1,8 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - mlx-api.yaml
+ - mlx-ui.yaml
diff --git a/contrib/mlx/base/mlx-deployments/mlx-api.yaml b/contrib/mlx/base/mlx-deployments/mlx-api.yaml
new file mode 100644
index 0000000000..6085de9fc0
--- /dev/null
+++ b/contrib/mlx/base/mlx-deployments/mlx-api.yaml
@@ -0,0 +1,98 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: v1
+kind: Service
+metadata:
+ name: mlx-api
+ namespace: kubeflow
+ labels:
+ service: mlx-api
+ environment: dev
+spec:
+ ports:
+ - name: mlx-api
+ port: 80
+ targetPort: 8080
+ selector:
+ service: mlx-api
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mlx-api
+ namespace: kubeflow
+ labels:
+ service: mlx-api
+ environment: dev
+spec:
+ selector:
+ matchLabels:
+ service: mlx-api
+ environment: dev
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ service: mlx-api
+ environment: dev
+ version: v0.1.25-related-assets
+ spec:
+ serviceAccountName: mlx-api
+ containers:
+ - name: mlx-api-server
+ image: mlexchange/mlx-api:nightly-main
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ livenessProbe:
+ httpGet:
+ path: /apis/v1alpha1/health_check?check_database=true&check_object_store=true
+ port: 8080
+ initialDelaySeconds: 120
+ timeoutSeconds: 10
+ periodSeconds: 60
+ failureThreshold: 3
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: mlx-api-access
+subjects:
+- kind: ServiceAccount
+ name: mlx-api
+ namespace: kubeflow
+roleRef:
+ kind: ClusterRole
+ name: mlx-api-access
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mlx-api-access
+rules:
+- apiGroups: [""]
+ resources: ["pods", "pods/log", "secrets", "events", "serviceaccounts", "configmaps",
+ "persistentvolumeclaims", "limitranges"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+- apiGroups: ["serving.kubeflow.org"]
+ resources: ["inferenceservices"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+- apiGroups: ["serving.knative.dev"]
+ resources: ["services", "revisions", "configurations"]
+ verbs: ["get", 
"list", "create", "update", "delete", "patch", "watch"] +- apiGroups: ["serving.kserve.io"] + resources: ["predictors", "inferenceservices"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: mlx-api + namespace: kubeflow diff --git a/contrib/mlx/base/mlx-deployments/mlx-ui.yaml b/contrib/mlx/base/mlx-deployments/mlx-ui.yaml new file mode 100644 index 0000000000..0f4b3f6ed9 --- /dev/null +++ b/contrib/mlx/base/mlx-deployments/mlx-ui.yaml 
@@ -0,0 +1,93 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: mlx-ui
+ namespace: kubeflow
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mlx-dashboard-admin
+ namespace: kubeflow
+type: Opaque
+stringData:
+ admin.json: |
+ {
+ "admin": { "password": "passw0rd", "email": "mlx@ibm.com", "roles": ["admin"] }
+ }
+ session: "machine learning exchange"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mlx-ui
+ namespace: kubeflow
+ labels:
+ service: mlx-ui
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ service: mlx-ui
+ template:
+ metadata:
+ name: mlx-ui
+ labels:
+ service: mlx-ui
+ spec:
+ containers:
+ - name: mlx-ui
+ # You can use your own webapp image below
+ image: mlexchange/mlx-ui:nightly-origin-main
+ imagePullPolicy: Always
+ env:
+ - name: REACT_APP_BRAND
+ value: "Machine Learning eXchange"
+ - name: REACT_APP_RUN
+ value: "true"
+ - name: REACT_APP_UPLOAD
+ value: "true"
+ - name: REACT_APP_BASE_PATH
+ value: ""
+ - name: REACT_APP_DISABLE_LOGIN
+ value: "false"
+ - name: KUBEFLOW_USERID_HEADER
+ value: kubeflow-userid
+ - name: SESSION_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: mlx-dashboard-admin
+ key: session
+ ports:
+ - containerPort: 3000
+ volumeMounts:
+ - mountPath: /workspace/models
+ name: dashboard-admin
+ readOnly: true
+ # When deploying MLX on OpenShift, readOnly SCC may be required for mlx-ui.
+ volumes:
+ - name: dashboard-admin
+ secret:
+ items:
+ - key: admin.json
+ path: admin.json
+ secretName: mlx-dashboard-admin
+ serviceAccountName: mlx-ui
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mlx-ui
+ namespace: kubeflow
+ labels:
+ service: mlx-ui
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 3000
+ selector:
+ service: mlx-ui
diff --git a/contrib/mlx/base/mlx-profile.yaml b/contrib/mlx/base/mlx-profile.yaml
new file mode 100644
index 0000000000..f70733f03e
--- /dev/null
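Review bot: The `mlx-dashboard-admin` Secret ships a fixed admin password (`"password": "passw0rd"`) and a fixed session-signing value (`session: "machine learning exchange"`) in clear text, and the Deployment wires `SESSION_SECRET` straight to it, so every install built from this base shares the same admin login and session secret unless an overlay remembers to override both keys. Prefer a kustomize `secretGenerator` (random `session`, admin.json from a local file) or at least a comment above the Secret such as `# Placeholder credentials: override admin.json and session in an overlay before exposing mlx-ui`. The comment on the volume (`readOnly SCC may be required`) is too vague to act on; say which SCC setting is meant or drop it.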
+++ b/contrib/mlx/base/mlx-profile.yaml
@@ -0,0 +1,12 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: kubeflow.org/v1
+kind: Profile
+metadata:
+ name: mlx
+ namespace: kubeflow
+spec:
+ owner:
+ kind: User
+ name: mlx@ibm.com
diff --git a/contrib/mlx/base/mlx-vs/kustomization.yaml b/contrib/mlx/base/mlx-vs/kustomization.yaml
new file mode 100644
index 0000000000..1c10d36df3
--- /dev/null
+++ b/contrib/mlx/base/mlx-vs/kustomization.yaml
@@ -0,0 +1,8 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - mlx-api-vs.yaml
+ - mlx-ui-vs.yaml
diff --git a/contrib/mlx/base/mlx-vs/mlx-api-vs.yaml b/contrib/mlx/base/mlx-vs/mlx-api-vs.yaml
new file mode 100644
index 0000000000..a959e71df6
--- /dev/null
+++ b/contrib/mlx/base/mlx-vs/mlx-api-vs.yaml
@@ -0,0 +1,26 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: mlx-api
+ namespace: kubeflow
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - uri:
+ prefix: /apis/v1alpha1
+ rewrite:
+ uri: /apis/v1alpha1
+ route:
+ - destination:
+ host: mlx-api.kubeflow.svc.cluster.local
+ port:
+ number: 80
+ timeout: 300s
diff --git a/contrib/mlx/base/mlx-vs/mlx-ui-vs.yaml b/contrib/mlx/base/mlx-vs/mlx-ui-vs.yaml
new file mode 100644
index 0000000000..9227793fc6
--- /dev/null
+++ b/contrib/mlx/base/mlx-vs/mlx-ui-vs.yaml
@@ -0,0 +1,25 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: mlx-ui
+ namespace: kubeflow
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - uri:
+ prefix: /
+ rewrite:
+ uri: /
+ route:
+ - destination:
+ host: mlx-ui.kubeflow.svc.cluster.local
+ port:
+ number: 80
+ timeout: 300s
diff --git a/contrib/mlx/istio-auth/istio-configmap.yaml b/contrib/mlx/istio-auth/istio-configmap.yaml
new file mode 100644
index 0000000000..521225151a
--- /dev/null
+++ b/contrib/mlx/istio-auth/istio-configmap.yaml
@@ -0,0 +1,40 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Since this modify the istio configmap, need to restart istiod with the
+# following command:
+# kubectl rollout restart deployment/istiod -n istio-system
+#
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ install.operator.istio.io/owning-resource: unknown
+ istio.io/rev: default
+ operator.istio.io/component: Pilot
+ release: istio
+ name: istio
+ namespace: istio-system
+data:
+ mesh: |-
+ accessLogFile: /dev/stdout
+ defaultConfig:
+ discoveryAddress: istiod.istio-system.svc:15012
+ proxyMetadata: {}
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
+ enablePrometheusMerge: true
+ rootNamespace: istio-system
+ trustDomain: cluster.local
+ extensionProviders:
+ - name: "mlx-authz-http"
+ envoyExtAuthzHttp:
+ service: "mlx-ui.kubeflow.svc.cluster.local"
+ port: "80"
+ pathPrefix: "/session-validation"
+ includeHeadersInCheck: ["cookie", "x-ext-authz"]
+ headersToUpstreamOnAllow: ["kubeflow-userid"]
+ headersToDownstreamOnDeny: ["content-type", "set-cookie"]
+ meshNetworks: 'networks: {}'
diff --git a/contrib/mlx/istio-auth/kustomization.yaml b/contrib/mlx/istio-auth/kustomization.yaml
new file mode 100644
index 0000000000..dafe35915b
--- /dev/null
+++ b/contrib/mlx/istio-auth/kustomization.yaml
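Review bot: The mlx-ui VirtualService matches `prefix: /` on hosts `'*'` through the shared `kubeflow-gateway`, which overlaps every other route bound to that gateway (a stock Kubeflow install typically also claims `/` for its central dashboard); when several VirtualServices for the same host carry overlapping matches, Istio does not guarantee which one wins, so the behaviour is install-dependent. If mlx-ui is meant to replace the dashboard, say so in a comment above `http:` (`# Claims / on kubeflow-gateway; remove or narrow if the central dashboard is also installed`), otherwise narrow the prefix as mlx-api-vs.yaml does with `/apis/v1alpha1`. The `rewrite: uri: /` is a no-op for a `/` prefix and can be dropped.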
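Review bot: This ConfigMap replaces the entire `mesh` block of the `istio` ConfigMap in `istio-system` instead of adding the `extensionProviders` entry to whatever the cluster already has, so settings carried by the existing Istio install (and any later `istioctl` changes) are silently overwritten when the overlay is applied; the header comment covers the istiod restart but not this. A kustomize patch limited to `extensionProviders`, or at minimum a comment next to `mesh: |-` such as `# Replaces the whole mesh config; diff against the cluster's current istio ConfigMap before applying`, would make the blast radius explicit. The provider forwards the full `cookie` header to mlx-ui's `/session-validation` endpoint, so that endpoint is the effective authentication boundary for every gateway request; that is worth stating in the comment block as well.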
@@ -0,0 +1,15 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+kind: Kustomization
+bases:
+ - ../base
+resources:
+ - mlx-api-auth.yaml
+ - mlx-ui-auth.yaml
+ - mysql-auth.yaml
+ - ml-pipeline-api-auth.yaml
+ - mlx-ext-authz.yaml
+ - istio-configmap.yaml
+patchesStrategicMerge:
+ - mlx-api-patch.yaml
diff --git a/contrib/mlx/istio-auth/ml-pipeline-api-auth.yaml b/contrib/mlx/istio-auth/ml-pipeline-api-auth.yaml
new file mode 100644
index 0000000000..0ffd76db96
--- /dev/null
+++ b/contrib/mlx/istio-auth/ml-pipeline-api-auth.yaml
@@ -0,0 +1,28 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: ml-pipeline
+ namespace: kubeflow
+spec:
+ selector:
+ matchLabels:
+ app: ml-pipeline
+ rules:
+ - from:
+ - source:
+ principals:
+ - cluster.local/ns/kubeflow/sa/ml-pipeline
+ - cluster.local/ns/kubeflow/sa/ml-pipeline-ui
+ - cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent
+ - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
+ - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
+ - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
+ - cluster.local/ns/kubeflow/sa/mlx-api
+ - cluster.local/ns/kubeflow/sa/mlx-ui
+ # For user workloads, which cannot user http headers for authentication
+ - when:
+ - key: request.headers[kubeflow-userid]
+ notValues: ['*']
diff --git a/contrib/mlx/istio-auth/mlx-api-auth.yaml b/contrib/mlx/istio-auth/mlx-api-auth.yaml
new file mode 100644
index 0000000000..b8c5f94438
--- /dev/null
+++ b/contrib/mlx/istio-auth/mlx-api-auth.yaml
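Review bot: This Kustomization omits `apiVersion: kustomize.config.k8s.io/v1beta1`, unlike base/kustomization.yaml, mlx-deployments/kustomization.yaml and mlx-standalone/kustomization.yaml in the same commit; kustomize tolerates the omission, but the files should agree, so add `apiVersion: kustomize.config.k8s.io/v1beta1` above `kind: Kustomization` here and in plugins/nbviewer-enterprise/kustomization.yaml. The `bases:` field is deprecated in current kustomize in favour of listing the directory under `resources:`; the same applies to the other kustomizations in this commit that use it.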
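Review bot: The second rule (`when: key: request.headers[kubeflow-userid]`, `notValues: ['*']`) admits any caller that simply omits the `kubeflow-userid` header, so the principal allow-list in the first rule only constrains callers that do send that header; this appears to mirror the upstream Kubeflow Pipelines policy, but since the file adds `mlx-api` and `mlx-ui` to the list it should say which of the two paths those components actually use. The comment also has a typo: `cannot user http headers` should read `cannot use http headers`. A one-line note such as `# Callers without kubeflow-userid are allowed by the rule below regardless of principal` above the `when:` rule would make the effective policy obvious to the next reader.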
@@ -0,0 +1,51 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: mlx-api
+ namespace: kubeflow
+spec:
+ selector:
+ matchLabels:
+ service: mlx-api
+ rules:
+ # We need this rule to access the Swagger UI and post API requests directly to mlx-api
+ - from:
+ - source:
+ namespaces:
+ - istio-system
+ - from:
+ - source:
+ principals:
+ - cluster.local/ns/kubeflow/sa/mlx-ui
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: mlx-api
+ namespace: kubeflow
+spec:
+ host: mlx-api.kubeflow.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mlx-api-configmap
+ namespace: kubeflow
+data:
+ # for kfp context.json
+ # Note: currently these is only one user profile and mlx namespace.
+ # use the context which using 'mlx' namespace, to create kfp.KfpClient
+ # and send proper user headers to ml-pipeline api
+ # need to find a way to support multi user profile in the future
+ kfp-context: |
+ {
+ "namespace": "mlx",
+ "client_authentication_header_name": "kubeflow-userid",
+ "client_authentication_header_value": "mlx@ibm.com"
+ }
diff --git a/contrib/mlx/istio-auth/mlx-api-patch.yaml b/contrib/mlx/istio-auth/mlx-api-patch.yaml
new file mode 100644
index 0000000000..bea706a49a
--- /dev/null
+++ b/contrib/mlx/istio-auth/mlx-api-patch.yaml
@@ -0,0 +1,24 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mlx-api
+ namespace: kubeflow
+spec:
+ template:
+ spec:
+ containers:
+ - name: mlx-api-server
+ volumeMounts:
+ - name: context
+ mountPath: "/root/.config/kfp"
+ readOnly: true
+ volumes:
+ - name: context
+ configMap:
+ name: mlx-api-configmap
+ items:
+ - key: kfp-context
+ path: context.json
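Review bot: `mlx-api-configmap` hardcodes `"client_authentication_header_value": "mlx@ibm.com"`, so every request mlx-api forwards to ml-pipeline is attributed to that one user regardless of who called mlx-api, and the ml-pipeline and mysql AuthorizationPolicies in this commit trust the `mlx-api` principal on that basis. The existing comment records the single-profile limitation; it should also state the coupling, e.g. `# Must match spec.owner.name and metadata.name of the Profile in base/mlx-profile.yaml`, since a change to either file silently breaks the other. The first AuthorizationPolicy rule allows `namespaces: [istio-system]`, i.e. every workload in that namespace rather than only the ingress gateway; a `principals:` entry for the gateway's service account would be tighter, and the same applies to the rule in mlx-ui-auth.yaml.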
diff --git a/contrib/mlx/istio-auth/mlx-ext-authz.yaml b/contrib/mlx/istio-auth/mlx-ext-authz.yaml
new file mode 100644
index 0000000000..41fad3d9c0
--- /dev/null
+++ b/contrib/mlx/istio-auth/mlx-ext-authz.yaml
@@ -0,0 +1,23 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Need to remove the "authn-filter" envoyfilter and replace it with
+# this mlx-ext-authz
+#
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: mlx-ext-authz
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ istio: ingressgateway
+ action: CUSTOM
+ provider:
+ name: "mlx-authz-http"
+ rules:
+ - to:
+ - operation:
+ notPaths: ["/mlx*"]
diff --git a/contrib/mlx/istio-auth/mlx-ui-auth.yaml b/contrib/mlx/istio-auth/mlx-ui-auth.yaml
new file mode 100644
index 0000000000..cfbecd7cae
--- /dev/null
+++ b/contrib/mlx/istio-auth/mlx-ui-auth.yaml
@@ -0,0 +1,28 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: mlx-ui
+ namespace: kubeflow
+spec:
+ selector:
+ matchLabels:
+ service: mlx-ui
+ rules:
+ - from:
+ - source:
+ namespaces:
+ - istio-system
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: mlx-ui
+ namespace: kubeflow
+spec:
+ host: mlx-ui.kubeflow.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
diff --git a/contrib/mlx/istio-auth/mysql-auth.yaml b/contrib/mlx/istio-auth/mysql-auth.yaml
new file mode 100644
index 0000000000..b3b700a147
--- /dev/null
+++ b/contrib/mlx/istio-auth/mysql-auth.yaml
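Review bot: `notPaths: ["/mlx*"]` exempts every gateway request whose path starts with `/mlx` from the external session check, and the file does not say what is served there or why it must skip authorization; since `*` is a glob, any path beginning with `/mlx` is exempt, not just one endpoint. Add a comment above `rules:` naming the endpoints the exemption is for and keep the list as narrow as possible, e.g. `# Paths listed here bypass mlx-authz-http session validation; keep to login/static routes only`. The header comment says the `authn-filter` EnvoyFilter must be removed by hand, but nothing in the istio-auth kustomization does it; either document the exact step in the overlay's README or express the removal as a kustomize `$patch: delete` so the two filters never run together.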
@@ -0,0 +1,25 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: mysql
+ namespace: kubeflow
+spec:
+ selector:
+ matchLabels:
+ app: mysql
+ rules:
+ - from:
+ - source:
+ principals:
+ - cluster.local/ns/kubeflow/sa/ml-pipeline
+ - cluster.local/ns/kubeflow/sa/ml-pipeline-ui
+ - cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent
+ - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
+ - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
+ - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
+ - cluster.local/ns/kubeflow/sa/metadata-grpc-server
+ - cluster.local/ns/kubeflow/sa/mlx-api
+ - cluster.local/ns/kubeflow/sa/mlx-ui
diff --git a/contrib/mlx/mlx-standalone/clusterrolebinding.yaml b/contrib/mlx/mlx-standalone/clusterrolebinding.yaml
new file mode 100644
index 0000000000..5b1b0454fc
--- /dev/null
+++ b/contrib/mlx/mlx-standalone/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: pipeline-runner-extend
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: pipeline-runner
+ namespace: kubeflow
diff --git a/contrib/mlx/mlx-standalone/kfp-vs.yaml b/contrib/mlx/mlx-standalone/kfp-vs.yaml
new file mode 100644
index 0000000000..4601766291
--- /dev/null
+++ b/contrib/mlx/mlx-standalone/kfp-vs.yaml
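Review bot: The last principal, `cluster.local/ns/kubeflow/sa/mlx-ui`, grants the web frontend direct access to the mysql workload; nothing else in this commit shows mlx-ui opening database connections (it calls mlx-api through mlx-api-auth.yaml), so unless it does, drop that line to keep the allow-list at least privilege. If mlx-ui genuinely needs the database, a comment on that entry saying what for would stop the next reviewer from removing it.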
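Review bot: `pipeline-runner-extend` binds the `pipeline-runner` ServiceAccount to `cluster-admin`, so every pipeline step executed by KFP in `kubeflow` runs with full cluster privileges, and anything that can submit a pipeline (mlx-api, whose ClusterRole already lets it create pods and secrets) effectively inherits cluster-admin. If the MLX sample pipelines only need a known set of resources, write a ClusterRole listing those verbs and bind that instead; if cluster-admin is a deliberate shortcut for a disposable dev cluster, state it in a comment above `roleRef:`, e.g. `# Grants cluster-admin to every pipeline step; standalone/dev use only, restrict before any shared use`.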
@@ -0,0 +1,50 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ml-pipeline-ui + namespace: kubeflow +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /pipeline + rewrite: + uri: /pipeline + route: + - destination: + host: ml-pipeline-ui.kubeflow.svc.cluster.local + port: + number: 80 + timeout: 300s + +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: metadata-grpc + namespace: kubeflow +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /ml_metadata + rewrite: + uri: /ml_metadata + route: + - destination: + host: ml-pipeline-ui.kubeflow.svc.cluster.local + port: + number: 80 diff --git a/contrib/mlx/mlx-standalone/kustomization.yaml b/contrib/mlx/mlx-standalone/kustomization.yaml new file mode 100644 index 0000000000..8c1752d535 --- /dev/null +++ b/contrib/mlx/mlx-standalone/kustomization.yaml @@ -0,0 +1,14 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: + - ../base/mlx-deployments + - ../base/mlx-vs +resources: + - kfp-vs.yaml + - clusterrolebinding.yaml + - secrets.yaml +patchesStrategicMerge: + - mlx-ui-patch.yaml diff --git a/contrib/mlx/mlx-standalone/mlx-ui-patch.yaml b/contrib/mlx/mlx-standalone/mlx-ui-patch.yaml new file mode 100644 index 0000000000..427ec19f75 --- /dev/null +++ b/contrib/mlx/mlx-standalone/mlx-ui-patch.yaml 
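Review bot: The second VirtualService is named `metadata-grpc` and matches `/ml_metadata`, yet its destination is `ml-pipeline-ui` on port 80 rather than a metadata service; if the UI is expected to proxy those calls a comment should say so, otherwise the destination looks copied from the first document. Both documents publish the pipelines UI on `hosts: ['*']` through `kubeflow-gateway` with no AuthorizationPolicy attached, which matches the `kfp-tekton-no-auth` stack they are composed with but should be stated, e.g. `# Unauthenticated routes: intended for the single-user (no-auth) stacks only`. `timeout: 300s` is set on the first route only — presumably deliberate, confirm.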
@@ -0,0 +1,30 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mlx-ui + namespace: kubeflow + labels: + service: mlx-ui +spec: + replicas: 1 + selector: + matchLabels: + service: mlx-ui + template: + metadata: + name: mlx-ui + labels: + service: mlx-ui + spec: + containers: + - name: mlx-ui + # You can use your own webapp image below + image: mlexchange/mlx-ui:nightly-origin-main + imagePullPolicy: Always + env: + - name: REACT_APP_KFP_STANDALONE + value: "true" diff --git a/contrib/mlx/mlx-standalone/secrets.yaml b/contrib/mlx/mlx-standalone/secrets.yaml new file mode 100644 index 0000000000..c70e854450 --- /dev/null +++ b/contrib/mlx/mlx-standalone/secrets.yaml @@ -0,0 +1,12 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +apiVersion: v1 +data: + local_cluster_deployment: dHJ1ZQ== + public_ip: JE5PREVQT1JUX0lQ +kind: Secret +metadata: + name: e2e-creds + namespace: kubeflow +type: Opaque diff --git a/contrib/mlx/plugins/nbviewer-enterprise/kustomization.yaml b/contrib/mlx/plugins/nbviewer-enterprise/kustomization.yaml new file mode 100644 index 0000000000..b6d29591e9 --- /dev/null +++ b/contrib/mlx/plugins/nbviewer-enterprise/kustomization.yaml @@ -0,0 +1,6 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +kind: Kustomization +resources: + - nbviewer-enterprise.yaml diff --git a/contrib/mlx/plugins/nbviewer-enterprise/nbviewer-enterprise.yaml b/contrib/mlx/plugins/nbviewer-enterprise/nbviewer-enterprise.yaml new file mode 100644 index 0000000000..caaa1705a2 --- /dev/null +++ b/contrib/mlx/plugins/nbviewer-enterprise/nbviewer-enterprise.yaml 
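Review bot: `image: mlexchange/mlx-ui:nightly-origin-main` together with `imagePullPolicy: Always` means every pod restart pulls whatever the mutable nightly tag currently points at, so the deployed UI is not reproducible and a change to that tag rolls out with no review; pin a release tag or digest, and keep the comment `# You can use your own webapp image below` if the override is intended. The same tag/policy pair appears in `prod-multi-user/mlx-ui-patch.yaml`, where it matters more.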
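Review bot: `public_ip: JE5PREVQT1JUX0lQ` decodes to the literal string `$NODEPORT_IP`, and nothing in this overlay substitutes it — kustomize `vars` use `$(name)` syntax and this kustomization declares none — so the `e2e-creds` Secret is created containing a placeholder. Using `stringData:` with a visible comment, or a `secretGenerator` fed from an untracked env file, would make the placeholder obvious and keep real values out of the repository. Since the file is listed under `resources:`, the placeholder is re-applied on every `kubectl apply -k`.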
@@ -0,0 +1,49 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nbviewer-enterprise + namespace: kubeflow + labels: + service: nbviewer-enterprise +spec: + replicas: 1 + selector: + matchLabels: + service: nbviewer-enterprise + template: + metadata: + name: nbviewer-enterprise + labels: + service: nbviewer-enterprise + spec: + containers: + - name: nbviewer-enterprise + image: jupyter/nbviewer + imagePullPolicy: Always + env: + - name: GITHUB_API_TOKEN + # Fill in the Enterpise github token below + value: '' + - name: GITHUB_API_URL + value: https://github.ibm.com/api/v3/ + ports: + - containerPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: nbviewer-enterprise + namespace: kubeflow + labels: + service: nbviewer-enterprise +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 8080 + type: LoadBalancer + selector: + service: nbviewer-enterprise diff --git a/contrib/mlx/prod-multi-user/envoy-filter-patch.yaml b/contrib/mlx/prod-multi-user/envoy-filter-patch.yaml new file mode 100644 index 0000000000..7c13d39286 --- /dev/null +++ b/contrib/mlx/prod-multi-user/envoy-filter-patch.yaml @@ -0,0 +1,12 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: authn-filter + namespace: istio-system +spec: + workloadSelector: + labels: + istio: dummygateway diff --git a/contrib/mlx/prod-multi-user/kubeflow-dashboard-patch.yaml b/contrib/mlx/prod-multi-user/kubeflow-dashboard-patch.yaml new file mode 100644 index 0000000000..d6de655fa2 --- /dev/null +++ b/contrib/mlx/prod-multi-user/kubeflow-dashboard-patch.yaml 
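Review bot: `GITHUB_API_TOKEN` is supplied as a plain `value: ''` in a committed Deployment and the comment invites filling the Enterprise token in here, which puts a credential into Git history and into the pod spec; the prod `mlx-ui-patch.yaml` in this same commit already shows the `valueFrom.secretKeyRef` pattern to use instead. The Service is `type: LoadBalancer`, so the viewer (and whatever that token can fetch from `github.ibm.com`) is published directly rather than behind the Istio gateway — confirm that is intended. `image: jupyter/nbviewer` carries no tag and `imagePullPolicy: Always`, so the running code changes on every restart; pin a tag or digest. Typo in the comment: `Enterpise` → `Enterprise`.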
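Review bot: This neutralises Kubeflow's `authn-filter` EnvoyFilter by re-pointing its `workloadSelector` at a label (`istio: dummygateway`) that no workload carries, and it is listed under `resources:` rather than as a patch, so `kubectl apply` overwrites the upstream object with this stub. That works but is easy to misread as a real selector; a comment on `workloadSelector:` such as `# Intentionally matches no workload: disables the upstream authn-filter so mlx-ext-authz (ext_authz) handles authentication at the gateway` would document it. Deleting the upstream object explicitly would be less surprising than keeping a dead filter around — judgement call.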
@@ -0,0 +1,25 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: centraldashboard
+ namespace: kubeflow
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - uri:
+ prefix: /kubeflow
+ rewrite:
+ uri: /kubeflow
+ route:
+ - destination:
+ host: centraldashboard.kubeflow.svc.cluster.local
+ port:
+ number: 80
diff --git a/contrib/mlx/prod-multi-user/kustomization.yaml b/contrib/mlx/prod-multi-user/kustomization.yaml
new file mode 100644
index 0000000000..fb382d2123
--- /dev/null
+++ b/contrib/mlx/prod-multi-user/kustomization.yaml
@@ -0,0 +1,14 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+kind: Kustomization
+bases:
+ - ../istio-auth
+resources:
+ - kubeflow-dashboard-patch.yaml
+ - oidc-patch.yaml
+ - envoy-filter-patch.yaml
+patchesStrategicMerge:
+ - mlx-ui-patch.yaml
+ - mlx-ext-authz-patch.yaml
diff --git a/contrib/mlx/prod-multi-user/mlx-ext-authz-patch.yaml b/contrib/mlx/prod-multi-user/mlx-ext-authz-patch.yaml
new file mode 100644
index 0000000000..0ed22dbbff
--- /dev/null
+++ b/contrib/mlx/prod-multi-user/mlx-ext-authz-patch.yaml
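Review bot: The file is named `-patch` but the overlay's kustomization lists it under `resources:`, so it is applied as a complete VirtualService named `centraldashboard` in `kubeflow`; if the upstream Kubeflow stack already installs a VirtualService of that name, apply replaces it wholesale (dropping whatever routes it had, e.g. a `/` prefix) rather than merging. The same holds for `oidc-patch.yaml` and `envoy-filter-patch.yaml` in the same kustomization. Either move these under `patchesStrategicMerge:` with only the changed fields, or rename them so the overwrite intent is explicit.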
@@ -0,0 +1,47 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Need to remove the "authn-filter" envoyfilter and replace it with
+# this mlx-ext-authz
+#
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: mlx-ext-authz
+ namespace: istio-system
+spec:
+ action: CUSTOM
+ provider:
+ name: mlx-authz-http
+ rules:
+ - to:
+ - operation:
+ notPaths:
+ - /
+ - /index*
+ - /login*
+ - /mlx*.png
+ - /static*
+ - /datasets*
+ - /models*
+ - /pipelines*
+ - /components*
+ - /notebooks*
+ - /inferenceservices*
+ - /dashboard_lib.bundle.js*
+ - /apis*
+ - /manifest.json
+ - /mlx-logo-white.png
+ - /favicon.ico
+ - to:
+ - operation:
+ methods:
+ - POST
+ - DELETE
+ - PUT
+ paths:
+ - /apis*
+ selector:
+ matchLabels:
+ istio: ingressgateway
diff --git a/contrib/mlx/prod-multi-user/mlx-ui-patch.yaml b/contrib/mlx/prod-multi-user/mlx-ui-patch.yaml
new file mode 100644
index 0000000000..18826e0c6d
--- /dev/null
+++ b/contrib/mlx/prod-multi-user/mlx-ui-patch.yaml
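Review bot: Rule 1 exempts `/apis*` entirely and rule 2 re-enables the external authorizer only for `POST`, `DELETE` and `PUT`, so a `PATCH` (or any other method not listed) on `/apis*` reaches mlx-api without passing through `mlx-authz-http`; if the API accepts PATCH this is an authorization gap, and if it does not, adding `- PATCH` to `methods:` costs nothing. Because `action: CUSTOM` only invokes the provider for matching requests, every `notPaths` entry is effectively an anonymous prefix — `/datasets*` also covers `/datasets-admin`, for instance — and a comment stating that these are deliberately public read paths and that `/apis*` reads are public by design would make later edits safer. Consider also a comment on rule 2 naming it as the "mutating API calls must be authorized" rule, since the two rules only make sense together.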
@@ -0,0 +1,83 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mlx-ui + namespace: kubeflow + labels: + service: mlx-ui +spec: + replicas: 1 + selector: + matchLabels: + service: mlx-ui + template: + metadata: + name: mlx-ui + labels: + service: mlx-ui + spec: + containers: + - name: mlx-ui + # You can use your own webapp image below + image: mlexchange/mlx-ui:nightly-origin-main + imagePullPolicy: Always + env: + - name: REACT_APP_BRAND + value: "Machine Learning eXchange" + - name: REACT_APP_RUN + value: "true" + - name: REACT_APP_UPLOAD + value: "true" + - name: REACT_APP_BASE_PATH + value: "" + - name: REACT_APP_DISABLE_LOGIN + value: "false" + - name: KUBEFLOW_USERID_HEADER + value: kubeflow-userid + - name: SESSION_SECRET + valueFrom: + secretKeyRef: + name: mlx-dashboard-admin + key: session + ports: + - containerPort: 3000 + volumeMounts: + - mountPath: /workspace/models + name: dashboard-admin + readOnly: true + # When deploying MLX on OpenShift, readOnly SCC may be required for mlx-ui. + volumes: + - name: dashboard-admin + secret: + items: + - key: admin.json + path: admin.json + secretName: mlx-dashboard-admin + serviceAccountName: mlx-ui +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: mlx-ui + namespace: kubeflow +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: / + rewrite: + uri: / + route: + - destination: + host: mlx-ui.kubeflow.svc.cluster.local + port: + number: 80 + timeout: 300s diff --git a/contrib/mlx/prod-multi-user/oidc-patch.yaml b/contrib/mlx/prod-multi-user/oidc-patch.yaml new file mode 100644 index 0000000000..f58aa66165 --- /dev/null +++ b/contrib/mlx/prod-multi-user/oidc-patch.yaml 
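Review bot: `KUBEFLOW_USERID_HEADER: kubeflow-userid` tells the UI to treat that request header as the caller's identity, which is only safe while the `mlx-ui` AuthorizationPolicy in `istio-auth` restricts callers to `istio-system` and the gateway-side authorizer (presumably the `mlx-authz-http` provider — confirm) is what sets it; a comment on the env entry naming those two controls would stop a later change from silently breaking the trust chain. `image: mlexchange/mlx-ui:nightly-origin-main` with `imagePullPolicy: Always` in a "prod" overlay means the deployed code is whatever the mutable nightly tag points at on each restart; pin a release tag or digest. `SESSION_SECRET` via `secretKeyRef` and the read-only `admin.json` mount are the right pattern and could be called out as such.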
@@ -0,0 +1,27 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ labels:
+ app.kubernetes.io/component: oidc-authservice
+ app.kubernetes.io/name: oidc-authservice
+ name: authservice
+ namespace: istio-system
+spec:
+ gateways:
+ - kubeflow/kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - uri:
+ # Dummy path to avoid mlx-ui login redirect path
+ prefix: /oidc/login
+ route:
+ - destination:
+ host: authservice.istio-system.svc.cluster.local
+ port:
+ number: 8080
diff --git a/contrib/mlx/read-only-k8s/config.yaml b/contrib/mlx/read-only-k8s/config.yaml
new file mode 100644
index 0000000000..367818b910
--- /dev/null
+++ b/contrib/mlx/read-only-k8s/config.yaml
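Review bot: This VirtualService reuses the upstream oidc-authservice name and labels but is applied as a resource, so it replaces whatever `authservice` VirtualService the Kubeflow stack installs; the `# Dummy path ...` comment explains why `/oidc/login` is routed but not what upstream routes are being dropped or why that is safe. Suggest widening the comment to something like `# Replaces the upstream oidc-authservice VirtualService: only /oidc/login is routed so mlx-ui's own /login path is not captured by authservice`. Routing a login endpoint on `hosts: ['*']` to port 8080 is acceptable inside an mTLS mesh, but that assumption is worth stating next to the destination.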
@@ -0,0 +1,37 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +apiVersion: v1 +kind: ConfigMap +metadata: + name: mysql-initdb-config + namespace: kubeflow +data: + initdb.sql: | + CREATE TABLE IF NOT EXISTS `pipelines` ( + `UUID` varchar(255) NOT NULL, + `CreatedAtInSec` bigint(20) NOT NULL, + `Name` varchar(255) NOT NULL, + `Description` longtext NOT NULL, + `Parameters` longtext NOT NULL, + `Status` varchar(255) NOT NULL, + `DefaultVersionId` varchar(255) DEFAULT NULL, + `Namespace` varchar(63) DEFAULT '', + PRIMARY KEY (`UUID`), + UNIQUE KEY `name_namespace_index` (`Name`,`Namespace`) + ) ENGINE=InnoDB DEFAULT CHARSET=latin1; + + CREATE TABLE IF NOT EXISTS `pipeline_versions` ( + `UUID` varchar(255) NOT NULL, + `CreatedAtInSec` bigint(20) NOT NULL, + `Name` varchar(255) NOT NULL, + `Parameters` longtext NOT NULL, + `PipelineId` varchar(255) NOT NULL, + `Status` varchar(255) NOT NULL, + `CodeSourceUrl` varchar(255) DEFAULT NULL, + PRIMARY KEY (`UUID`), + UNIQUE KEY `idx_pipelineid_name` (`Name`,`PipelineId`), + KEY `idx_pipeline_versions_CreatedAtInSec` (`CreatedAtInSec`), + KEY `idx_pipeline_versions_PipelineId` (`PipelineId`), + CONSTRAINT `pipeline_versions_PipelineId_pipelines_UUID_foreign` FOREIGN KEY (`PipelineId`) REFERENCES `pipelines` (`UUID`) ON DELETE CASCADE ON UPDATE CASCADE + ) ENGINE=InnoDB DEFAULT CHARSET=latin1; diff --git a/contrib/mlx/read-only-k8s/init-jobs.yaml b/contrib/mlx/read-only-k8s/init-jobs.yaml new file mode 100644 index 0000000000..52fb0b29c8 --- /dev/null +++ b/contrib/mlx/read-only-k8s/init-jobs.yaml 
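Review bot: The DDL in `initdb.sql` is mounted under `/docker-entrypoint-initdb.d` by `mysql.yaml`, and the official image only runs that directory when the data directory is empty on first start, so edits to this ConfigMap do not reach an existing `mysql-pv-claim` volume; a comment at the top of the block scalar such as `# Runs once via /docker-entrypoint-initdb.d on an empty data directory; schema changes need a fresh volume or a migration` would save a confusing debug session. `ENGINE=InnoDB DEFAULT CHARSET=latin1` on tables whose `Name`/`Description` hold user-visible text is presumably copied from the KFP schema — confirm, since non-Latin input is silently mangled.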
@@ -0,0 +1,65 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +apiVersion: batch/v1 +kind: Job +metadata: + name: miniosetup + namespace: kubeflow + labels: + app: miniosetup +spec: + backoffLimit: 10 + template: + spec: + restartPolicy: Never + containers: + - args: + - | + /usr/bin/mc config host add miniohost http://minio-service:9000 $MINIO_ACCESS_KEY $MINIO_SECRET_KEY; + /usr/bin/mc mb -p miniohost/mlpipeline; + /usr/bin/mc policy set download miniohost/mlpipeline; + command: + - /bin/sh + - -c + env: + - name: MINIO_ACCESS_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: accesskey + - name: MINIO_SECRET_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: secretkey + image: minio/mc + name: minio +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: katalog + namespace: kubeflow + labels: + app: katalog +spec: + backoffLimit: 10 + template: + spec: + restartPolicy: Never + containers: + - command: + - /bin/sh + - -c + - | + cd /tmp && + curl -L --output init_catalog.sh https://raw.githubusercontent.com/machine-learning-exchange/mlx/main/quickstart/init_catalog.sh && + curl -L --output catalog_upload.json https://raw.githubusercontent.com/machine-learning-exchange/mlx/main/bootstrapper/catalog_upload.json && + chmod 777 init_catalog.sh && + ./init_catalog.sh + env: + - name: MLX_API_SERVER + value: mlx-api:80 + image: curlimages/curl + name: katalog diff --git a/contrib/mlx/read-only-k8s/k8s-ingress.yaml b/contrib/mlx/read-only-k8s/k8s-ingress.yaml new file mode 100644 index 0000000000..f73978c471 --- /dev/null +++ b/contrib/mlx/read-only-k8s/k8s-ingress.yaml 
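Review bot: The `katalog` job fetches `init_catalog.sh` from the `main` branch of a GitHub repository at run time and executes it inside `kubeflow` with no commit pin, checksum or `curl -f`, so a changed branch, a redirect or an error page is run as shell in-cluster; pin the URL to a tagged commit (or vendor the script into a ConfigMap the way `config.yaml` does for SQL), use `curl -fsSL`, and replace `chmod 777 init_catalog.sh` with `chmod +x init_catalog.sh`. The `miniosetup` job's `mc policy set download miniohost/mlpipeline` makes the bucket anonymously readable, which matches the read-only intent but deserves a comment on that line so it is not removed or copied into a writable deployment by accident.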
@@ -0,0 +1,27 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: mlx-ingress + namespace: kubeflow + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / +spec: + tls: + - hosts: + - ml-exchange.org + secretName: mlx-certs + rules: + - http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: mlx-ui + port: + number: 80 + host: $(ingress-domain) + diff --git a/contrib/mlx/read-only-k8s/kustomization.yaml b/contrib/mlx/read-only-k8s/kustomization.yaml new file mode 100644 index 0000000000..5933bb9cbc --- /dev/null +++ b/contrib/mlx/read-only-k8s/kustomization.yaml @@ -0,0 +1,33 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +kind: Kustomization +bases: + - ../base/mlx-deployments +resources: + - minio.yaml + - mysql.yaml + - namespace.yaml + - k8s-ingress.yaml + - init-jobs.yaml + - config.yaml +patchesStrategicMerge: + - mlx-api-patch.yaml + - mlx-ui-patch.yaml +configMapGenerator: +- name: mlx-parameters + literals: + # Update the credentials for the below fields before apply. + - ingress-domain=ml-exchange.org +generatorOptions: + disableNameSuffixHash: true +vars: +- name: ingress-domain + objref: + kind: ConfigMap + name: mlx-parameters + apiVersion: v1 + fieldref: + fieldpath: data.ingress-domain +configurations: +- params.yaml diff --git a/contrib/mlx/read-only-k8s/minio.yaml b/contrib/mlx/read-only-k8s/minio.yaml new file mode 100644 index 0000000000..bdca96ac0e --- /dev/null +++ b/contrib/mlx/read-only-k8s/minio.yaml 
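Review bot: `spec.tls.hosts` hard-codes `ml-exchange.org` while `spec.rules.host` uses `$(ingress-domain)`, and `params.yaml` in this overlay already lists `spec/tls/hosts` as a var reference, so the TLS host should be `- $(ingress-domain)` too; as written, changing the ConfigMap literal leaves the certificate host mismatched. With ingress-nginx, `rewrite-target: /` combined with `path: /` and no capture group rewrites every request URI to `/`, which would break `/apis/...` calls to mlx-ui — confirm against the rendered nginx config; for a root-path backend the annotation is probably not needed at all. There is a trailing blank line at end of file.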
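Review bot: The comment `# Update the credentials for the below fields before apply.` sits above `ingress-domain=ml-exchange.org`, which is a hostname, not a credential; `# Set the public hostname for the ingress before applying` describes the field. The `vars:`/`varReference` mechanism used here is deprecated in current kustomize in favour of `replacements:`, so this overlay should be flagged for migration before the deprecation becomes a build failure.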
@@ -0,0 +1,101 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +apiVersion: v1 +kind: Service +metadata: + name: minio-service + namespace: kubeflow +spec: + ports: + - name: http + port: 9000 + protocol: TCP + targetPort: 9000 + selector: + app: minio +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: minio + namespace: kubeflow + labels: + app: minio +spec: + selector: + matchLabels: + app: minio + strategy: + type: Recreate + template: + metadata: + labels: + app: minio + spec: + containers: + - args: + - server + - /data + env: + - name: MINIO_ACCESS_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: accesskey + - name: MINIO_SECRET_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: secretkey + image: gcr.io/ml-pipeline/minio:RELEASE.2019-08-14T20-37-41Z-license-compliance + name: minio + ports: + - containerPort: 9000 + volumeMounts: + - mountPath: /data + name: data + subPath: minio + volumes: + - name: data + persistentVolumeClaim: + claimName: minio-pvc +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: minio-pvc + namespace: kubeflow +spec: + # storageClassName: "" + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi +--- +kind: Secret +apiVersion: v1 +metadata: + name: mlpipeline-minio-artifact + namespace: kubeflow +stringData: + accesskey: minio + secretkey: minio123 +# For free tier Kubernetes Cluster +# --- +# apiVersion: v1 +# kind: PersistentVolume +# metadata: +# name: local-volume-1 +# namespace: kubeflow +# labels: +# type: local +# spec: +# capacity: +# storage: 20Gi +# accessModes: +# - ReadWriteOnce +# hostPath: +# path: /tmp/data +# persistentVolumeReclaimPolicy: Recycle diff --git a/contrib/mlx/read-only-k8s/mlx-api-patch.yaml b/contrib/mlx/read-only-k8s/mlx-api-patch.yaml new file mode 100644 index 0000000000..1b77fe6418 --- /dev/null +++ b/contrib/mlx/read-only-k8s/mlx-api-patch.yaml 
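Review bot: The `mlpipeline-minio-artifact` Secret is committed with `accesskey: minio` / `secretkey: minio123`, and the `miniosetup` job in this commit also makes the `mlpipeline` bucket anonymously downloadable, so anyone who can reach `minio-service:9000` (a plain ClusterIP Service with no NetworkPolicy in this overlay) can read the artifact bucket and, with these credentials, write to it. Generating the Secret from an untracked env file via `secretGenerator`, or at least documenting that these values must be changed before the cluster is shared, is the minimum; a comment on `stringData:` such as `# Placeholder credentials for single-user/test clusters only — replace before any shared deployment` should land with this file.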
@@ -0,0 +1,18 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mlx-api
+ namespace: kubeflow
+spec:
+ template:
+ spec:
+ containers:
+ - name: mlx-api-server
+ env:
+ - name: ML_PIPELINE_SERVICE_HOST
+ value: UNAVAILABLE
+ - name: ML_PIPELINE_SERVICE_PORT
+ value: UNAVAILABLE
diff --git a/contrib/mlx/read-only-k8s/mlx-ui-patch.yaml b/contrib/mlx/read-only-k8s/mlx-ui-patch.yaml
new file mode 100644
index 0000000000..970a17a78b
--- /dev/null
+++ b/contrib/mlx/read-only-k8s/mlx-ui-patch.yaml
@@ -0,0 +1,20 @@
+# Copyright 2021 The MLX Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mlx-ui
+ namespace: kubeflow
+spec:
+ template:
+ spec:
+ containers:
+ - name: mlx-ui
+ env:
+ - name: REACT_APP_RUN
+ value: "false"
+ - name: REACT_APP_DISABLE_LOGIN
+ value: "false"
+ - name: REACT_APP_BASE_PATH
+ value: ""
diff --git a/contrib/mlx/read-only-k8s/mysql.yaml b/contrib/mlx/read-only-k8s/mysql.yaml
new file mode 100644
index 0000000000..c8f2570dcf
--- /dev/null
+++ b/contrib/mlx/read-only-k8s/mysql.yaml
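Review bot: Setting `ML_PIPELINE_SERVICE_HOST`/`ML_PIPELINE_SERVICE_PORT` to the sentinel `UNAVAILABLE` is how this overlay switches off pipeline execution, but nothing in the file says so or what mlx-api does with the sentinel (presumably it detects that KFP is absent — confirm); a comment such as `# No KFP in the read-only catalog: sentinel value disables pipeline-run features in mlx-api` would help. The companion `mlx-ui-patch.yaml` in the same overlay sets `REACT_APP_RUN: "false"` for the same reason, and the two should cross-reference each other since they must stay in sync.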
@@ -0,0 +1,105 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +apiVersion: v1 +kind: Service +metadata: + name: mysql + namespace: kubeflow +spec: + ports: + - # We cannot have name: mysql here, because some requests through istio fail with it. + port: 3306 + protocol: TCP + targetPort: 3306 + selector: + app: mysql +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: mysql + namespace: kubeflow +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: mysql-pv-claim + namespace: kubeflow +spec: + # storageClassName: "" + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mysql + namespace: kubeflow + labels: + app: mysql +spec: + selector: + matchLabels: + app: mysql + strategy: + type: Recreate + template: + metadata: + labels: + app: mysql + spec: + serviceAccountName: mysql + containers: + # https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_ignore-db-dir + # Ext4, Btrfs etc. volumes root directories have a lost+found directory that should not be treated as a database. 
+ - args: + - --ignore-db-dir=lost+found + - --datadir + - /var/lib/mysql + env: + - name: MYSQL_ALLOW_EMPTY_PASSWORD + value: "true" + - name: MYSQL_DATABASE + value: "mlpipeline" + image: gcr.io/ml-pipeline/mysql:5.7 + name: mysql + ports: + - containerPort: 3306 + name: mysql + volumeMounts: + - mountPath: /var/lib/mysql + name: mysql-persistent-storage + - name: mysql-initdb + mountPath: /docker-entrypoint-initdb.d + resources: + requests: + cpu: 100m + memory: 800Mi + volumes: + - name: mysql-persistent-storage + persistentVolumeClaim: + claimName: mysql-pv-claim + - name: mysql-initdb + configMap: + name: mysql-initdb-config +# For free tier Kubernetes Cluster +# --- +# apiVersion: v1 +# kind: PersistentVolume +# metadata: +# name: local-volume-2 +# namespace: kubeflow +# labels: +# type: local +# spec: +# capacity: +# storage: 20Gi +# accessModes: +# - ReadWriteOnce +# hostPath: +# path: /tmp/data-2 +# persistentVolumeReclaimPolicy: Recycle diff --git a/contrib/mlx/read-only-k8s/namespace.yaml b/contrib/mlx/read-only-k8s/namespace.yaml new file mode 100644 index 0000000000..c5378910cf --- /dev/null +++ b/contrib/mlx/read-only-k8s/namespace.yaml @@ -0,0 +1,7 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +apiVersion: v1 +kind: Namespace +metadata: + name: kubeflow diff --git a/contrib/mlx/read-only-k8s/params.yaml b/contrib/mlx/read-only-k8s/params.yaml new file mode 100644 index 0000000000..4025567798 --- /dev/null +++ b/contrib/mlx/read-only-k8s/params.yaml @@ -0,0 +1,12 @@ +# Copyright 2021 The MLX Contributors +# +# SPDX-License-Identifier: Apache-2.0 +varReference: +- path: data + kind: Secret +- path: spec/tls/hosts + kind: Ingress +- path: spec/rules/host + kind: Ingress +- path: spec/tls/secretName + kind: Ingress diff --git a/dist/stacks/ibm/application/kfp-tekton-no-auth/kustomization.yaml b/dist/stacks/ibm/application/kfp-tekton-no-auth/kustomization.yaml new file mode 100644 index 0000000000..05e9e2f656 
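Review bot: `MYSQL_ALLOW_EMPTY_PASSWORD: "true"` starts MySQL with a passwordless root account, and this overlay's kustomization does not include the `istio-auth` base, so the `mysql` AuthorizationPolicy added elsewhere in this commit does not protect it here; any pod that can reach `mysql.kubeflow:3306` gets unrestricted root on the catalog database. Supply `MYSQL_ROOT_PASSWORD` from a Secret (as the minio container does for its keys) and, if the database is meant to be reachable only by `mlx-api`, add a NetworkPolicy limiting ingress to those pods. If the empty password is deliberate for the read-only demo, a comment on the env entry — `# Catalog DB is unauthenticated: only acceptable on a single-tenant cluster` — is the minimum. The enclosing Deployment starts on the previous line of this diff.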
--- /dev/null +++ b/dist/stacks/ibm/application/kfp-tekton-no-auth/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../../../../../apps/kfp-tekton/upstream/env/platform-agnostic + +patchesStrategicMerge: +- removesidemenu.yaml diff --git a/dist/stacks/ibm/application/kfp-tekton-no-auth/removesidemenu.yaml b/dist/stacks/ibm/application/kfp-tekton-no-auth/removesidemenu.yaml new file mode 100644 index 0000000000..d8772fa814 --- /dev/null +++ b/dist/stacks/ibm/application/kfp-tekton-no-auth/removesidemenu.yaml @@ -0,0 +1,12 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ml-pipeline-ui +spec: + template: + spec: + containers: + - name: ml-pipeline-ui + env: + - name: DEPLOYMENT + value: KUBEFLOW diff --git a/dist/stacks/ibm/application/kfp-tekton/kustomization.yaml b/dist/stacks/ibm/application/kfp-tekton/kustomization.yaml index 774020ad51..0f85df141e 100644 --- a/dist/stacks/ibm/application/kfp-tekton/kustomization.yaml +++ b/dist/stacks/ibm/application/kfp-tekton/kustomization.yaml @@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../../../../apps/kfp-tekton/upstream/env/platform-agnostic-multi-user - - ../../../../../apps//pipeline/upstream/third-party/application/cluster-scoped + - ../../../../../apps/pipeline/upstream/third-party/application/cluster-scoped - application.yaml diff --git a/dist/stacks/ibm/application/kubeflow-namespace-no-auth/kustomization.yaml b/dist/stacks/ibm/application/kubeflow-namespace-no-auth/kustomization.yaml new file mode 100644 index 0000000000..3f94a951db --- /dev/null +++ b/dist/stacks/ibm/application/kubeflow-namespace-no-auth/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../../../../../common/kubeflow-namespace/base + +patchesStrategicMerge: +- no-auth-patch.yaml 
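Review bot: The file is named `removesidemenu.yaml` but the only change is `DEPLOYMENT: KUBEFLOW` on `ml-pipeline-ui`, so the link between the name and the effect is not visible; a comment on the env entry such as `# DEPLOYMENT=KUBEFLOW makes ml-pipeline-ui render in embedded mode without its own side menu` (presumably because the UI then expects to sit under the Kubeflow dashboard — confirm) would record it. The `kfp-tekton/kustomization.yaml` hunk in this line only fixes the doubled slash in `apps//pipeline`, which is fine as-is.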
diff --git a/dist/stacks/ibm/application/kubeflow-namespace-no-auth/no-auth-patch.yaml b/dist/stacks/ibm/application/kubeflow-namespace-no-auth/no-auth-patch.yaml
new file mode 100644
index 0000000000..6c4f25122c
--- /dev/null
+++ b/dist/stacks/ibm/application/kubeflow-namespace-no-auth/no-auth-patch.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kubeflow
+ labels:
+ istio-injection: disabled
diff --git a/mlx-single-ibmcloud/kustomization.yaml b/mlx-single-ibmcloud/kustomization.yaml
new file mode 100644
index 0000000000..d83d05c15e
--- /dev/null
+++ b/mlx-single-ibmcloud/kustomization.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+# Istio
+- ../dist/stacks/ibm/application/istio-1-9-0
+# Kubeflow namespace (required)
+- ../dist/stacks/ibm/application/kubeflow-namespace-no-auth
+# Kubeflow Roles (required)
+- ../dist/stacks/ibm/application/kubeflow-roles
+# Kubeflow istio resource (required)
+- ../dist/stacks/ibm/application/kubeflow-istio-resources
+
+
+# Kubeflow Pipelines with Tekton
+- ../dist/stacks/ibm/application/kfp-tekton-no-auth
+# Datashim
+- ../contrib/datashim/base
+# MLX
+- ../contrib/mlx/mlx-standalone
+
diff --git a/mlx-single-kind/kustomization.yaml b/mlx-single-kind/kustomization.yaml
new file mode 100644
index 0000000000..000a466e1a
--- /dev/null
+++ b/mlx-single-kind/kustomization.yaml
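Review bot: `istio-injection: disabled` on the `kubeflow` namespace removes sidecars from every workload in it, so the AuthorizationPolicy and DestinationRule objects added under `contrib/mlx/istio-auth` in this commit can never be enforced in the stacks that use this patch; that is presumably the point of "no-auth", but a comment on the label stating it, e.g. `# No sidecars: Istio AuthorizationPolicies for kubeflow workloads are not enforced in this stack`, would stop someone from assuming the istio-auth policies still protect mysql or mlx-ui here.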
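Review bot: This stack composes `kubeflow-namespace-no-auth`, `kfp-tekton-no-auth` and `mlx-standalone`, i.e. there is no authentication in front of the KFP UI or MLX, and nothing at the top of the file says so; a header comment such as `# Single-user, unauthenticated stack: do not expose its ingress gateway to untrusted networks` is warranted because an ibmcloud cluster's Istio ingress may be given a public load balancer. The same header belongs in `mlx-single-kind/kustomization.yaml`. The file ends with a blank added line, which yamllint will flag.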
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+# Istio
+- ../dist/stacks/ibm/application/istio-1-9-0
+# Kubeflow namespace (required)
+- ../dist/stacks/ibm/application/kubeflow-namespace-no-auth
+# Kubeflow Roles (required)
+- ../dist/stacks/ibm/application/kubeflow-roles
+# Kubeflow istio resource (required)
+- ../dist/stacks/ibm/application/kubeflow-istio-resources
+
+
+# Kubeflow Pipelines with Tekton
+- ../dist/stacks/ibm/application/kfp-tekton-no-auth
+# Datashim
+- ../contrib/datashim/kind
+# MLX
+- ../contrib/mlx/mlx-standalone
+
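Review bot: `- ../contrib/datashim/kind` is referenced but no file under that path is visible in this diff (only `contrib/datashim/base` is), so `kustomize build mlx-single-kind` fails unless that directory is added elsewhere in the commit — confirm it exists. Otherwise this file is byte-identical to `mlx-single-ibmcloud/kustomization.yaml` apart from that one line; a comment on the differing entry, e.g. `# kind-specific Datashim overlay (hostPath storage)`, would explain why two near-duplicate stacks exist.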