From 5cb17738e58d1f3f79c89ef9098ea4cf1846b7d8 Mon Sep 17 00:00:00 2001
From: Sanyam Kapoor
Date: Wed, 13 Jun 2018 11:50:28 -0700
Subject: [PATCH] Consolidate GKE deployment script (#985)
* Consolidate GKE deployment script, update required variables with OAuth2 credentials
* Restore comments from create_k8s_secrets.sh
* Ignore namespace/secret creation errors
* Add script title comments
* Remove OAuth2 credentials, must be separately injected into environment
---
docs/gke/configs/deploy.sh | 78 ++++++++++++++++++++++++++++++++
docs/gke/configs/env-kubeflow.sh | 5 +-
docs/gke/create_k8s_secrets.sh | 27 -----------
3 files changed, 79 insertions(+), 31 deletions(-)
create mode 100755 docs/gke/configs/deploy.sh
delete mode 100755 docs/gke/create_k8s_secrets.sh
diff --git a/docs/gke/configs/deploy.sh b/docs/gke/configs/deploy.sh
new file mode 100755
index 00000000000..f962d307c81
--- /dev/null
+++ b/docs/gke/configs/deploy.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+##
+# This utility script can be used to deploy Kubeflow end-to-end.
+# A few variables are required and can be set in `env-kubeflow.sh`.
+# Detailed instructions can be found at https://www.kubeflow.org/docs/getting-started-gke.
+# In summary, update `cluster-kubeflow.yaml`, load required variables
+# into environment (optionally from `env-kubeflow.sh`) and execute the script.
+# Usage:
+# $ . env-kubeflow.sh
+# $ ./deploy.sh
+#
+
+set -e
+
+# Required Variables
+export PROJECT=${PROJECT:-}
+export DEPLOYMENT_NAME=${DEPLOYMENT_NAME:-}
+export ZONE=${ZONE:-}
+export CONFIG_FILE=${CONFIG_FILE:-}
+export CLIENT_ID=${CLIENT_ID:-}
+export CLIENT_SECRET=${CLIENT_SECRET:-}
+
+if [ -z "${PROJECT}" ] || \
+ [ -z "${DEPLOYMENT_NAME}" ] || \
+ [ -z "${ZONE}" ] || \
+ [ -z "${CONFIG_FILE}" ] || \
+ [ -z "${CLIENT_ID}" ] || \
+ [ -z "${CLIENT_SECRET}" ]; then
+ echo 'Required variables missing. Please check again!'
+ exit 1
+fi
+
+if [[ ! -f "${CONFIG_FILE}" ]]; then
+ echo "Config file ${CONFIG_FILE} does not exist!"
+ exit 1
+fi
+
+# Computed Variables
+export PROJECT_NUMBER=`gcloud projects describe ${PROJECT} --format='value(project_number)'`
+export SA_EMAIL=${DEPLOYMENT_NAME}-admin@${PROJECT}.iam.gserviceaccount.com
+export USER_EMAIL=${DEPLOYMENT_NAME}-user@${PROJECT}.iam.gserviceaccount.com
+export USER_SECRET_NAME=${DEPLOYMENT_NAME}-user
+export K8S_ADMIN_NAMESPACE=kubeflow-admin
+export K8S_NAMESPACE=kubeflow
+
+# Enable GCloud APIs
+gcloud services enable deploymentmanager.googleapis.com
+gcloud services enable servicemanagement.googleapis.com
+
+# Set IAM Admin Policy
+gcloud projects add-iam-policy-binding ${PROJECT} \
+ --member serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com \
+ --role roles/resourcemanager.projectIamAdmin
+
+# Run Deployment Manager
+gcloud deployment-manager --project=${PROJECT} deployments create ${DEPLOYMENT_NAME} --config=${CONFIG_FILE}
+
+# TODO(jlewi): We should name the secrets more consistently based on the service account name.
+# We will need to update the component configs though
+gcloud --project=${PROJECT} iam service-accounts keys create ${SA_EMAIL}.json --iam-account ${SA_EMAIL}
+gcloud --project=${PROJECT} iam service-accounts keys create ${USER_EMAIL}.json --iam-account ${USER_EMAIL}
+
+# Set credentials for kubectl context
+gcloud --project=${PROJECT} container clusters get-credentials --zone=${ZONE} ${DEPLOYMENT_NAME}
+
+# Ignore errors from now onwards. If secret/namespace already exists just keep going.
+unset -e
+
+# The namespace kubeflow may not exist yet because the bootstrapper can't run until the admin-gcp-sa
+# secret is created.
+kubectl create namespace ${K8S_NAMESPACE}
+
+# We want the secret name to be the same by default for all clusters so that users don't have to set it manually.
+kubectl create secret generic --namespace=${K8S_ADMIN_NAMESPACE} admin-gcp-sa --from-file=admin-gcp-sa.json=./${SA_EMAIL}.json
+kubectl create secret generic --namespace=${K8S_NAMESPACE} admin-gcp-sa --from-file=admin-gcp-sa.json=./${SA_EMAIL}.json
+kubectl create secret generic --namespace=${K8S_NAMESPACE} user-gcp-sa --from-file=user-gcp-sa.json=./${USER_EMAIL}.json
+kubectl create secret generic --namespace=${K8S_NAMESPACE} kubeflow-oauth --from-literal=CLIENT_ID=${CLIENT_ID} --from-literal=CLIENT_SECRET=${CLIENT_SECRET}
diff --git a/docs/gke/configs/env-kubeflow.sh b/docs/gke/configs/env-kubeflow.sh
index 900c385d9b8..cb1c044d131 100644
--- a/docs/gke/configs/env-kubeflow.sh
+++ b/docs/gke/configs/env-kubeflow.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 #
 # Script that defines various environment variables.
 # This is script defines values for all the variables used in
@@ -18,6 +18,3 @@ export ZONE=us-east1-d
 # Set config file to the YAML file defining your deployment manager configs.
 export CONFIG_FILE=cluster-kubeflow.yaml
-
-# Get the project number
-export PROJECT_NUMBER=`gcloud projects describe ${PROJECT} --format='value(project_number)'`
diff --git a/docs/gke/create_k8s_secrets.sh b/docs/gke/create_k8s_secrets.sh
deleted file mode 100755
index 91768e680a0..00000000000
--- a/docs/gke/create_k8s_secrets.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/bash
-#
-# A simple helper script to download secrets for Kubeflow service
-# accounts and store them as K8s secrets.
-#
-# Ignore errors because if secret/namespace already exists just keep going.
-set -x
-export SA_EMAIL=${DEPLOYMENT_NAME}-admin@${PROJECT}.iam.gserviceaccount.com
-
-# TODO(jlewi): We should name the secrets more consistently based on the service account name.
-# We will need to update the component configs though
-gcloud --project=${PROJECT} iam service-accounts keys create ${SA_EMAIL}.json --iam-account ${SA_EMAIL}
-
-kubectl create secret generic --namespace=kubeflow-admin admin-gcp-sa --from-file=admin-gcp-sa.json=./${SA_EMAIL}.json
-
-# The namespace kubeflow may not exist yet because the bootstrapper can't run until the admin-gcp-sa
-# secret is created.
-kubectl create namespace kubeflow
-
-kubectl create secret generic --namespace=kubeflow admin-gcp-sa --from-file=admin-gcp-sa.json=./${SA_EMAIL}.json
-
-export USER_EMAIL=${DEPLOYMENT_NAME}-user@${PROJECT}.iam.gserviceaccount.com
-export USER_SECRET_NAME=${DEPLOYMENT_NAME}-user
-gcloud --project=${PROJECT} iam service-accounts keys create ${USER_EMAIL}.json --iam-account $USER_EMAIL
-# We want the secret name to be the same by default for all clusters so
-# that users don't have to set it manually.
-kubectl create secret generic --namespace=kubeflow user-gcp-sa --from-file=user-gcp-sa.json=./${USER_EMAIL}.json
\ No newline at end of file