diff --git a/manifests/README.md b/manifests/README.md index 2e387a136f2..5a17c5118ca 100644 --- a/manifests/README.md +++ b/manifests/README.md @@ -11,6 +11,11 @@ You might lack the permission to create role and command might partially fail. I kubectl create clusterrolebinding your-binding --clusterrole=cluster-admin --user=[your-user-name] ``` +When deployment is done, the UI is accessible by port-forwarding +``` +kubectl port-forward -n kubeflow svc/ml-pipeline-ui 8080:80 +``` + # Customization Customization can be done through Kustomize Overlay, and don't need to modify the base directory. @@ -28,6 +33,17 @@ kubectl kustomize . | kubectl apply -f - ## Reinstall with existing data TODO +## Expose a IAM controlled public endpoint +By default, the deployment doesn't expose any public endpoint. +If you don't want to port-forward every time to access UI, you could install an [invert proxy agent](https://github.com/google/inverting-proxy) that exposes a public endpoint. +To install, uncomment the proxy component in the [kustomization.yaml](base/kustomization.yaml). + +When deployment is done, you can find the endpoint by describing +``` +kubectl describe configmap inverse-proxy-config -n kubeflow +``` +and check the Hostname section. The endpoint should have format like **1234567-dot-datalab-vm-us-west1.googleusercontent.com** + # Uninstall You can uninstall everything by running diff --git a/manifests/base/kustomization.yaml b/manifests/base/kustomization.yaml index 70b58fb8e54..ea623b71ea6 100644 --- a/manifests/base/kustomization.yaml +++ b/manifests/base/kustomization.yaml @@ -7,6 +7,8 @@ bases: - minio - mysql - pipeline +# Uncomment to install the proxy agent +# - proxy images: - name: argoproj/workflow-controller @@ -25,3 +27,5 @@ images: newTag: 0.1.20 - name: gcr.io/ml-pipeline/viewer-crd-controller newTag: 0.1.20 +- name: gcr.io/ml-pipeline/inverse-proxy-agent + newTag: 0.1.20 diff --git a/manifests/base/proxy/kustomization.yaml b/manifests/base/proxy/kustomization.yaml new file mode 100644 index 00000000000..3cbf11b2c76 --- /dev/null +++ b/manifests/base/proxy/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- proxy-deployment.yaml +- proxy-role.yaml +- proxy-rolebinding.yaml +- proxy-sa.yaml \ No newline at end of file diff --git a/manifests/base/proxy/proxy-deployment.yaml b/manifests/base/proxy/proxy-deployment.yaml new file mode 100644 index 00000000000..19e096c7691 --- /dev/null +++ b/manifests/base/proxy/proxy-deployment.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + labels: + app: proxy-agent + name: proxy-agent +spec: + selector: + matchLabels: + app: proxy-agent + template: + metadata: + labels: + app: proxy-agent + spec: + containers: + - image: gcr.io/ml-pipeline/inverse-proxy-agent:0.1.20 + imagePullPolicy: IfNotPresent + name: proxy-agent + serviceAccountName: proxy-agent-runner \ No newline at end of file diff --git a/manifests/base/proxy/proxy-role.yaml b/manifests/base/proxy/proxy-role.yaml new file mode 100644 index 00000000000..65ee28d0d47 --- /dev/null +++ b/manifests/base/proxy/proxy-role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + labels: + app: proxy-agent-runner + name: proxy-agent-runner +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - '*' \ No newline at end of file diff --git a/manifests/base/proxy/proxy-rolebinding.yaml b/manifests/base/proxy/proxy-rolebinding.yaml new file mode 100644 index 00000000000..8a31bde3945 --- /dev/null +++ b/manifests/base/proxy/proxy-rolebinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: proxy-agent-runner + name: proxy-agent-runner +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: proxy-agent-runner +subjects: +- kind: ServiceAccount + name: proxy-agent-runner diff --git a/manifests/base/proxy/proxy-sa.yaml b/manifests/base/proxy/proxy-sa.yaml new file mode 100644 index 00000000000..af8b0c3c2d6 --- /dev/null +++ b/manifests/base/proxy/proxy-sa.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: proxy-agent-runner diff --git a/proxy/attempt-register-vm-on-proxy.sh b/proxy/attempt-register-vm-on-proxy.sh index a305fcd3e4a..2c53069bb15 100755 --- a/proxy/attempt-register-vm-on-proxy.sh +++ b/proxy/attempt-register-vm-on-proxy.sh @@ -21,13 +21,13 @@ DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null && pwd)" function run-proxy-agent { # Start the proxy process # https://github.com/google/inverting-proxy/blob/master/agent/Dockerfile - # Connect proxy agent to ambassador so anything registered to ambassador can be transparently accessed. + # Connect proxy agent to Kubeflow Pipelines UI /opt/bin/proxy-forwarding-agent \ --debug=${DEBUG} \ --proxy=${PROXY_URL} \ --proxy-timeout=${PROXY_TIMEOUT} \ --backend=${BACKEND_ID} \ - --host=${AMBASSADOR_SERVICE_HOST}:${AMBASSADOR_SERVICE_PORT} \ + --host=${ML_PIPELINE_UI_SERVICE_HOST}:${ML_PIPELINE_UI_SERVICE_PORT} \ --shim-websockets=true \ --shim-path=websocket-shim \ --health-check-path=${HEALTH_CHECK_PATH} \