feat: KFP multi user mode PR1 - enable multi user mode without istio …

…authorization (kubeflow#1342)

* Add argo to stacks/generic

* Pull pipelines manifest from upstream

* Updated kfp

* Minio v3 manifests

* Rename minio configmap

* Add generic minio install

* Generate new test data

* Mysql kustomize v3 manifest - generic install

* Add mysql gcp pd install

* Generate test data

* Pipelines kustomize v3 manifests

* Add kfp ui virtual service

* Add metadata deployment to stacks/generic

* Use common cluster domain

* Deploy metadata writer

* Add kfp cache server

* Update test data

* Enable KFP multi user mode without istio security

* Fix persistence agent watch namespace

* Fix namespace env for some deployments

* Fix cluster roles and bindings

* fix rename

* Fix pipelines ui role

* Updated kfp to rc2

* simplify pipeline v3 manifest using updated kfp rc2 manifest

* Fix pipeline-install-config

* remove redundant configmap

* update tests

* updated to kfp 1.0.0-rc.3

* Adapt to kfp 1.0rc3 refactoring

* update test snapshots

* fix pull kfp script to detect empty dir

* fix example ref

* update snapshot

* fix gcp pd manifest

* Update stacks ref

* revert alice example to gcp stack

* update snapshot

* fix profile controller iam binding

* Update kfp profile controller can be configured to different images and
istio sidecar

* add missing viewer controller cluster roles

* Use python3 for sync.py

* Revert gcp stack back to use non multi user kfp

* revert unintended changes

* revert upstream changes

hack/pull_kfp_upstream.sh

@@ -10,11 +10,15 @@ set -ex
 # pipelines version.
 export PIPELINES_VERSION=1.0.0-rc.3
 export PIPELINES_SRC_REPO=https://github.com/kubeflow/pipelines.git
-# Pulling for the first time
-# kpt pkg get $PIPELINES_SRC_REPO/manifests/kustomize@$PIPELINES_VERSION pipeline/upstream
 
-# Updates
-kpt pkg update pipeline/upstream/@$PIPELINES_VERSION --strategy force-delete-replace
+if [ -d pipeline/upstream ]; then
+    # Updates
+    kpt pkg update pipeline/upstream/@$PIPELINES_VERSION --strategy force-delete-replace
+else
+    # Pulling for the first time
+    kpt pkg get $PIPELINES_SRC_REPO/manifests/kustomize@$PIPELINES_VERSION pipeline/upstream
+fi
+
 # Before kubeflow/pipelines/manifests/kustomize supports kustomize v3.5+, we
 # have to convert kustomization.yaml env to envs syntax, so that it is compatible
 # with latest kustomize used in kubeflow/manifests.

pipeline/installs/multi-user/api-service/cluster-role-binding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: ml-pipeline
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ml-pipeline
+subjects:
+- kind: ServiceAccount
+  name: ml-pipeline

pipeline/installs/multi-user/api-service/cluster-role.yaml

@@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: ml-pipeline
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - create
+  - get
+  - list
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - delete

pipeline/installs/multi-user/api-service/deployment-patch.yaml

@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ml-pipeline
+spec:
+  template:
+    spec:
+      containers:
+      - name: ml-pipeline-api-server
+        envFrom:
+        - configMapRef:
+            name: pipeline-api-server-config

pipeline/installs/multi-user/api-service/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster-role-binding.yaml
+- cluster-role.yaml
+configMapGenerator:
+- name: pipeline-api-server-config
+  env: params.env

pipeline/installs/multi-user/api-service/params.env

@@ -0,0 +1,4 @@
+MULTIUSER=true
+DEFAULTPIPELINERUNNERSERVICEACCOUNT=default-editor
+VISUALIZATIONSERVICE_NAME=ml-pipeline-visualizationserver
+VISUALIZATIONSERVICE_PORT=8888

pipeline/installs/multi-user/cache/cluster-role-binding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubeflow-pipelines-cache-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubeflow-pipelines-cache-role
+subjects:
+- kind: ServiceAccount
+  name: kubeflow-pipelines-cache

pipeline/installs/multi-user/cache/cluster-role.yaml

@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeflow-pipelines-cache-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch

pipeline/installs/multi-user/cache/deployment-patch.yaml

@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cache-server
+spec:
+  template:
+    spec:
+      containers:
+      - name: server
+        env:
+          - name: NAMESPACE_TO_WATCH
+            value: ''
+            valueFrom: null

pipeline/installs/multi-user/cache/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster-role.yaml
+- cluster-role-binding.yaml

pipeline/installs/multi-user/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- ../generic
+- api-service
+- pipelines-ui
+- pipelines-profile-controller
+- scheduled-workflow
+- viewer-controller
+- persistence-agent
+- cache
+- metadata-writer
+patchesStrategicMerge:
+- api-service/deployment-patch.yaml
+- pipelines-ui/deployment-patch.yaml
+- scheduled-workflow/deployment-patch.yaml
+- viewer-controller/deployment-patch.yaml
+- persistence-agent/deployment-patch.yaml
+- metadata-writer/deployment-patch.yaml
+- cache/deployment-patch.yaml

pipeline/installs/multi-user/metadata-writer/cluster-role-binding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubeflow-pipelines-metadata-writer-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubeflow-pipelines-metadata-writer-role
+subjects:
+- kind: ServiceAccount
+  name: kubeflow-pipelines-metadata-writer

pipeline/installs/multi-user/metadata-writer/cluster-role.yaml

@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeflow-pipelines-metadata-writer-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch

pipeline/installs/multi-user/metadata-writer/deployment-patch.yaml

@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: metadata-writer
+spec:
+  template:
+    spec:
+      containers:
+      - name: main
+        env:
+        - name: NAMESPACE_TO_WATCH
+          value: ''
+          valueFrom: null

pipeline/installs/multi-user/metadata-writer/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster-role.yaml
+- cluster-role-binding.yaml

pipeline/installs/multi-user/persistence-agent/cluster-role-binding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ml-pipeline-persistenceagent-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ml-pipeline-persistenceagent-role
+subjects:
+- kind: ServiceAccount
+  name: ml-pipeline-persistenceagent

pipeline/installs/multi-user/persistence-agent/cluster-role.yaml

@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ml-pipeline-persistenceagent-role
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - scheduledworkflows
+  verbs:
+  - get
+  - list
+  - watch

pipeline/installs/multi-user/persistence-agent/deployment-patch.yaml

@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ml-pipeline-persistenceagent
+spec:
+  template:
+    spec:
+      containers:
+      - name: ml-pipeline-persistenceagent
+        env:
+        - name: NAMESPACE
+          value: ''
+          valueFrom: null

pipeline/installs/multi-user/persistence-agent/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster-role.yaml
+- cluster-role-binding.yaml

pipeline/installs/multi-user/pipelines-profile-controller/composite-controller.yaml

@@ -0,0 +1,43 @@
+apiVersion: metacontroller.k8s.io/v1alpha1
+kind: CompositeController
+metadata:
+  name: profile-controller
+spec:
+  generateSelector: true
+  resyncPeriodSeconds: 10
+  parentResource:
+    apiVersion: v1
+    resource: namespaces
+  childResources:
+  - apiVersion: v1
+    resource: secrets
+    updateStrategy:
+      method: OnDelete
+  - apiVersion: v1
+    resource: configmaps
+    updateStrategy:
+      method: OnDelete
+  - apiVersion: apps/v1
+    resource: deployments
+    updateStrategy:
+      method: InPlace
+  - apiVersion: v1
+    resource: services
+    updateStrategy:
+      method: InPlace
+  - apiVersion: networking.istio.io/v1alpha3
+    resource: destinationrules
+    updateStrategy:
+      method: InPlace
+  - apiVersion: rbac.istio.io/v1alpha1
+    resource: serviceroles
+    updateStrategy:
+      method: InPlace
+  - apiVersion: rbac.istio.io/v1alpha1
+    resource: servicerolebindings
+    updateStrategy:
+      method: InPlace
+  hooks:
+    sync:
+      webhook:
+        url: http://kubeflow-pipelines-profile-controller/sync

pipeline/installs/multi-user/pipelines-profile-controller/deployment.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: profile-controller
+spec:
+  replicas: 1
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      containers:
+      - name: profile-controller
+        image: python:3.7
+        command: ["python", "/hooks/sync.py"]
+        envFrom:
+        - configMapRef:
+            name: profile-controller-env
+        volumeMounts:
+        - name: hooks
+          mountPath: /hooks
+        ports:
+        - containerPort: 80
+      volumes:
+      - name: hooks
+        configMap:
+          name: profile-controller-code

pipeline/installs/multi-user/pipelines-profile-controller/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+nameprefix: kubeflow-pipelines-
+commonLabels:
+  app: kubeflow-pipelines-profile-controller
+resources:
+- service.yaml
+- deployment.yaml
+- composite-controller.yaml
+configMapGenerator:
+- name: profile-controller-code
+  files:
+  - sync.py
+- name: profile-controller-env
+  envs:
+  - params.env

pipeline/installs/multi-user/pipelines-profile-controller/params.env

@@ -0,0 +1,3 @@
+KFP_VERSION=1.0.0-rc.3
+# TODO: make visualization server work with sidecar
+DISABLE_ISTIO_SIDECAR=true