Add proxy agent as optional kustomize component (#1325)

* clean up * add proxy * revert ns
kubeflow · May 14, 2019 · 47efd82 · 47efd82
1 parent 0a94fc7
commit 47efd82
Show file tree

Hide file tree

Showing 8 changed files with 80 additions and 2 deletions.
diff --git a/manifests/README.md b/manifests/README.md
@@ -11,6 +11,11 @@ You might lack the permission to create role and command might partially fail. I
 kubectl create clusterrolebinding your-binding --clusterrole=cluster-admin --user=[your-user-name]
 ```
 
+When deployment is done, the UI is accessible by port-forwarding
+```
+kubectl port-forward -n kubeflow svc/ml-pipeline-ui 8080:80
+```
+
 # Customization
 Customization can be done through Kustomize Overlay, and don't need to modify the base directory. 
 
@@ -28,6 +33,17 @@ kubectl kustomize . | kubectl apply -f -
 ## Reinstall with existing data
 TODO
 
+## Expose a IAM controlled public endpoint
+By default, the deployment doesn't expose any public endpoint. 
+If you don't want to port-forward every time to access UI, you could install an [invert proxy agent](https://github.com/google/inverting-proxy) that exposes a public endpoint.
+To install, uncomment the proxy component in the [kustomization.yaml](base/kustomization.yaml).
+
+When deployment is done, you can find the endpoint by describing
+```
+kubectl describe configmap inverse-proxy-config -n kubeflow
+```
+and check the Hostname section. The endpoint should have format like **1234567-dot-datalab-vm-us-west1.googleusercontent.com**
+
 
 # Uninstall
 You can uninstall everything by running

diff --git a/manifests/base/kustomization.yaml b/manifests/base/kustomization.yaml
@@ -7,6 +7,8 @@ bases:
 - minio
 - mysql
 - pipeline
+# Uncomment to install the proxy agent
+# - proxy
 
 images:
 - name: argoproj/workflow-controller
@@ -25,3 +27,5 @@ images:
   newTag: 0.1.20
 - name: gcr.io/ml-pipeline/viewer-crd-controller
   newTag: 0.1.20
+- name: gcr.io/ml-pipeline/inverse-proxy-agent
+  newTag: 0.1.20
diff --git a/manifests/base/proxy/kustomization.yaml b/manifests/base/proxy/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- proxy-deployment.yaml
+- proxy-role.yaml
+- proxy-rolebinding.yaml
+- proxy-sa.yaml
diff --git a/manifests/base/proxy/proxy-deployment.yaml b/manifests/base/proxy/proxy-deployment.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  labels:
+    app: proxy-agent
+  name: proxy-agent
+spec:
+  selector:
+    matchLabels:
+      app: proxy-agent
+  template:
+    metadata:
+      labels:
+        app: proxy-agent
+    spec:
+      containers:
+      - image: gcr.io/ml-pipeline/inverse-proxy-agent:0.1.20
+        imagePullPolicy: IfNotPresent
+        name: proxy-agent
+      serviceAccountName: proxy-agent-runner
diff --git a/manifests/base/proxy/proxy-role.yaml b/manifests/base/proxy/proxy-role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  labels:
+    app: proxy-agent-runner
+  name: proxy-agent-runner
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - '*'
diff --git a/manifests/base/proxy/proxy-rolebinding.yaml b/manifests/base/proxy/proxy-rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  labels:
+    app: proxy-agent-runner
+  name: proxy-agent-runner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: proxy-agent-runner
+subjects:
+- kind: ServiceAccount
+  name: proxy-agent-runner
diff --git a/manifests/base/proxy/proxy-sa.yaml b/manifests/base/proxy/proxy-sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: proxy-agent-runner
diff --git a/proxy/attempt-register-vm-on-proxy.sh b/proxy/attempt-register-vm-on-proxy.sh
@@ -21,13 +21,13 @@ DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null && pwd)"
 function run-proxy-agent {
   # Start the proxy process
   # https://github.com/google/inverting-proxy/blob/master/agent/Dockerfile
-  # Connect proxy agent to ambassador so anything registered to ambassador can be transparently accessed.
+  # Connect proxy agent to Kubeflow Pipelines UI
   /opt/bin/proxy-forwarding-agent \
         --debug=${DEBUG} \
         --proxy=${PROXY_URL} \
         --proxy-timeout=${PROXY_TIMEOUT} \
         --backend=${BACKEND_ID} \
-        --host=${AMBASSADOR_SERVICE_HOST}:${AMBASSADOR_SERVICE_PORT} \
+        --host=${ML_PIPELINE_UI_SERVICE_HOST}:${ML_PIPELINE_UI_SERVICE_PORT} \
         --shim-websockets=true \
         --shim-path=websocket-shim \
         --health-check-path=${HEALTH_CHECK_PATH} \