474 changed files with 46362 additions and 0 deletions
@ -0,0 +1,25 @@ |
|||
# The configuration for the ML pipelines APIServer |
|||
# Based on https://github.com/kubeflow/pipelines/blob/master/backend/src/apiserver/config/config.json |
|||
apiVersion: v1 |
|||
data: |
|||
# apiserver assumes the config is named config.json |
|||
config.json: | |
|||
{ |
|||
"DBConfig": { |
|||
"DriverName": "mysql", |
|||
"DataSourceName": "", |
|||
"DBName": "mlpipeline" |
|||
}, |
|||
"ObjectStoreConfig":{ |
|||
"AccessKey": "minio", |
|||
"SecretAccessKey": "minio123", |
|||
"BucketName": "mlpipeline" |
|||
}, |
|||
"InitConnectionTimeout": "6m", |
|||
"DefaultPipelineRunnerServiceAccount": "pipeline-runner", |
|||
"ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_HOST": "ml-pipeline-ml-pipeline-visualizationserver", |
|||
"ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT": 8888 |
|||
} |
|||
kind: ConfigMap |
|||
metadata: |
|||
name: ml-pipeline-config |
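Review bot: The object-store credentials are committed in clear text inside the `config.json` payload of this ConfigMap (`"AccessKey": "minio"`, `"SecretAccessKey": "minio123"`), so every principal that can read ConfigMaps in the namespace, and everyone with access to the repository, holds the storage keys. ConfigMaps get none of the handling a Secret gets (separate RBAC resource, encryption at rest when configured), so these two fields belong in a Secret that the API server reads at start-up. The Argo parameters added elsewhere in this commit already point at a Secret named `mlpipeline-minio-artifact` with `accesskey`/`secretkey` keys, which looks like the natural source, assuming this apiserver build can take the values from the environment or a mounted file. The values also look like stock defaults, so they should be changed at install time rather than shipped as-is.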
@ -0,0 +1,32 @@ |
|||
apiVersion: apps/v1 |
|||
kind: Deployment |
|||
metadata: |
|||
name: ml-pipeline |
|||
spec: |
|||
template: |
|||
spec: |
|||
containers: |
|||
- name: ml-pipeline-api-server |
|||
env: |
|||
- name: POD_NAMESPACE |
|||
valueFrom: |
|||
fieldRef: |
|||
fieldPath: metadata.namespace |
|||
image: gcr.io/ml-pipeline/api-server |
|||
imagePullPolicy: IfNotPresent |
|||
command: |
|||
- apiserver |
|||
- --config=/etc/ml-pipeline-config |
|||
- --sampleconfig=/config/sample_config.json |
|||
- -logtostderr=true |
|||
ports: |
|||
- containerPort: 8888 |
|||
- containerPort: 8887 |
|||
volumeMounts: |
|||
- name: config-volume |
|||
mountPath: /etc/ml-pipeline-config |
|||
serviceAccountName: ml-pipeline |
|||
volumes: |
|||
- name: config-volume |
|||
configMap: |
|||
name: ml-pipeline-config |
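Review bot: The `ml-pipeline-api-server` container is added with no `securityContext`, no `resources` requests or limits and no probes, so it runs as whatever user the image defines and with unbounded CPU and memory. The same gap shows in the application-controller StatefulSet (whose command is `/root/manager`), in the `argo-ui` and `workflow-controller` Deployments (`securityContext: {}`, `resources: {}`) and in the `centraldashboard` Deployment. I would add a container-level `securityContext` with `runAsNonRoot: true` and `allowPrivilegeEscalation: false` plus explicit `resources`, after confirming that each image can start as a non-root user. The image reference carries no tag here and the Kustomization pins it with `newTag: 0.1.31`; a digest would make that pin immutable.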
@ -0,0 +1,15 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
commonLabels: |
|||
app: ml-pipeline |
|||
resources: |
|||
- config-map.yaml |
|||
- deployment.yaml |
|||
- role-binding.yaml |
|||
- role.yaml |
|||
- service-account.yaml |
|||
- service.yaml |
|||
images: |
|||
- name: gcr.io/ml-pipeline/api-server |
|||
newTag: 0.1.31 |
|||
newName: gcr.io/ml-pipeline/api-server |
@ -0,0 +1,11 @@ |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: RoleBinding |
|||
metadata: |
|||
name: ml-pipeline |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: Role |
|||
name: ml-pipeline |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: ml-pipeline |
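Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` is used for this RoleBinding, for the `ml-pipeline` Role and for the Argo ClusterRole and ClusterRoleBinding objects, while the application-controller and centraldashboard RBAC objects in the same commit use `rbac.authorization.k8s.io/v1`. The beta RBAC API was deprecated and has since been removed from Kubernetes (1.22), so these manifests stop applying on newer clusters; `apiVersion: rbac.authorization.k8s.io/v1` takes the same fields. The `ServiceAccount` subject here has no `namespace`; presumably the Kustomize namespace transformer fills it in, which is worth confirming on the rendered output.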
@ -0,0 +1,28 @@ |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: Role |
|||
metadata: |
|||
name: ml-pipeline |
|||
rules: |
|||
- apiGroups: |
|||
- argoproj.io |
|||
resources: |
|||
- workflows |
|||
verbs: |
|||
- create |
|||
- get |
|||
- list |
|||
- watch |
|||
- update |
|||
- patch |
|||
- delete |
|||
- apiGroups: |
|||
- kubeflow.org |
|||
resources: |
|||
- scheduledworkflows |
|||
verbs: |
|||
- create |
|||
- get |
|||
- list |
|||
- update |
|||
- patch |
|||
- delete |
@ -0,0 +1,4 @@ |
|||
apiVersion: v1 |
|||
kind: ServiceAccount |
|||
metadata: |
|||
name: ml-pipeline |
@ -0,0 +1,14 @@ |
|||
apiVersion: v1 |
|||
kind: Service |
|||
metadata: |
|||
name: ml-pipeline |
|||
spec: |
|||
ports: |
|||
- name: http |
|||
port: 8888 |
|||
protocol: TCP |
|||
targetPort: 8888 |
|||
- name: grpc |
|||
port: 8887 |
|||
protocol: TCP |
|||
targetPort: 8887 |
@ -0,0 +1,14 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
bases: |
|||
- base |
|||
commonLabels: |
|||
app.kubernetes.io/component: api-service |
|||
app.kubernetes.io/instance: api-service-0.1.31 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/name: api-service |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: 0.1.31 |
|||
kind: Kustomization |
|||
namespace: kubeflow |
|||
resources: |
|||
- overlays/application/application.yaml |
@ -0,0 +1,31 @@ |
|||
apiVersion: app.k8s.io/v1beta1 |
|||
kind: Application |
|||
metadata: |
|||
name: api-service |
|||
spec: |
|||
selector: |
|||
matchLabels: |
|||
app.kubernetes.io/name: api-service |
|||
app.kubernetes.io/instance: api-service-0.1.31 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/component: api-service |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: 0.1.31 |
|||
componentKinds: |
|||
- group: core |
|||
kind: ConfigMap |
|||
- group: apps |
|||
kind: Deployment |
|||
descriptor: |
|||
type: api-service |
|||
version: v1beta1 |
|||
description: "" |
|||
maintainers: [] |
|||
owners: [] |
|||
keywords: |
|||
- api-service |
|||
- kubeflow |
|||
links: |
|||
- description: About |
|||
url: "" |
|||
addOwnerRef: true |
@ -0,0 +1,13 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
bases: |
|||
- ../../base |
|||
resources: |
|||
- application.yaml |
|||
commonLabels: |
|||
app.kubernetes.io/name: api-service |
|||
app.kubernetes.io/instance: api-service-0.1.31 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/component: api-service |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: 0.1.31 |
@ -0,0 +1,239 @@ |
|||
apiVersion: apiextensions.k8s.io/v1beta1 |
|||
kind: CustomResourceDefinition |
|||
metadata: |
|||
creationTimestamp: null |
|||
name: applications.app.k8s.io |
|||
spec: |
|||
group: app.k8s.io |
|||
names: |
|||
kind: Application |
|||
plural: applications |
|||
scope: Namespaced |
|||
validation: |
|||
openAPIV3Schema: |
|||
properties: |
|||
apiVersion: |
|||
type: string |
|||
kind: |
|||
type: string |
|||
metadata: |
|||
type: object |
|||
spec: |
|||
properties: |
|||
addOwnerRef: |
|||
type: boolean |
|||
assemblyPhase: |
|||
type: string |
|||
componentKinds: |
|||
items: |
|||
type: object |
|||
type: array |
|||
descriptor: |
|||
properties: |
|||
description: |
|||
type: string |
|||
icons: |
|||
items: |
|||
properties: |
|||
size: |
|||
type: string |
|||
src: |
|||
type: string |
|||
type: |
|||
type: string |
|||
required: |
|||
- src |
|||
type: object |
|||
type: array |
|||
keywords: |
|||
items: |
|||
type: string |
|||
type: array |
|||
links: |
|||
items: |
|||
properties: |
|||
description: |
|||
type: string |
|||
url: |
|||
type: string |
|||
type: object |
|||
type: array |
|||
maintainers: |
|||
items: |
|||
properties: |
|||
email: |
|||
type: string |
|||
name: |
|||
type: string |
|||
url: |
|||
type: string |
|||
type: object |
|||
type: array |
|||
notes: |
|||
type: string |
|||
owners: |
|||
items: |
|||
properties: |
|||
email: |
|||
type: string |
|||
name: |
|||
type: string |
|||
url: |
|||
type: string |
|||
type: object |
|||
type: array |
|||
type: |
|||
type: string |
|||
version: |
|||
type: string |
|||
type: object |
|||
info: |
|||
items: |
|||
properties: |
|||
name: |
|||
type: string |
|||
type: |
|||
type: string |
|||
value: |
|||
type: string |
|||
valueFrom: |
|||
properties: |
|||
configMapKeyRef: |
|||
properties: |
|||
apiVersion: |
|||
type: string |
|||
fieldPath: |
|||
type: string |
|||
key: |
|||
type: string |
|||
kind: |
|||
type: string |
|||
name: |
|||
type: string |
|||
namespace: |
|||
type: string |
|||
resourceVersion: |
|||
type: string |
|||
uid: |
|||
type: string |
|||
type: object |
|||
ingressRef: |
|||
properties: |
|||
apiVersion: |
|||
type: string |
|||
fieldPath: |
|||
type: string |
|||
host: |
|||
type: string |
|||
kind: |
|||
type: string |
|||
name: |
|||
type: string |
|||
namespace: |
|||
type: string |
|||
path: |
|||
type: string |
|||
resourceVersion: |
|||
type: string |
|||
uid: |
|||
type: string |
|||
type: object |
|||
secretKeyRef: |
|||
properties: |
|||
apiVersion: |
|||
type: string |
|||
fieldPath: |
|||
type: string |
|||
key: |
|||
type: string |
|||
kind: |
|||
type: string |
|||
name: |
|||
type: string |
|||
namespace: |
|||
type: string |
|||
resourceVersion: |
|||
type: string |
|||
uid: |
|||
type: string |
|||
type: object |
|||
serviceRef: |
|||
properties: |
|||
apiVersion: |
|||
type: string |
|||
fieldPath: |
|||
type: string |
|||
kind: |
|||
type: string |
|||
name: |
|||
type: string |
|||
namespace: |
|||
type: string |
|||
path: |
|||
type: string |
|||
port: |
|||
format: int32 |
|||
type: integer |
|||
resourceVersion: |
|||
type: string |
|||
uid: |
|||
type: string |
|||
type: object |
|||
type: |
|||
type: string |
|||
type: object |
|||
type: object |
|||
type: array |
|||
selector: |
|||
type: object |
|||
type: object |
|||
status: |
|||
properties: |
|||
components: |
|||
items: |
|||
properties: |
|||
group: |
|||
type: string |
|||
kind: |
|||
type: string |
|||
link: |
|||
type: string |
|||
name: |
|||
type: string |
|||
status: |
|||
type: string |
|||
type: object |
|||
type: array |
|||
conditions: |
|||
items: |
|||
properties: |
|||
lastTransitionTime: |
|||
format: date-time |
|||
type: string |
|||
lastUpdateTime: |
|||
format: date-time |
|||
type: string |
|||
message: |
|||
type: string |
|||
reason: |
|||
type: string |
|||
status: |
|||
type: string |
|||
type: |
|||
type: string |
|||
required: |
|||
- type |
|||
- status |
|||
type: object |
|||
type: array |
|||
observedGeneration: |
|||
format: int64 |
|||
type: integer |
|||
type: object |
|||
version: v1beta1 |
|||
status: |
|||
acceptedNames: |
|||
kind: "" |
|||
plural: "" |
|||
conditions: [] |
|||
storedVersions: [] |
@ -0,0 +1,4 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
resources: |
|||
- crd.yaml |
@ -0,0 +1,5 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
bases: |
|||
- base |
|||
kind: Kustomization |
|||
namespace: kubeflow |
@ -0,0 +1,11 @@ |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
name: cluster-role-binding |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: cluster-role |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: service-account |
@ -0,0 +1,21 @@ |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: cluster-role |
|||
rules: |
|||
- apiGroups: |
|||
- '*' |
|||
resources: |
|||
- '*' |
|||
verbs: |
|||
- get |
|||
- list |
|||
- update |
|||
- patch |
|||
- watch |
|||
- apiGroups: |
|||
- app.k8s.io |
|||
resources: |
|||
- '*' |
|||
verbs: |
|||
- '*' |
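Review bot: The first rule of `cluster-role` grants `get`, `list`, `update`, `patch` and `watch` on every resource in every API group, cluster-wide, and the ClusterRoleBinding in this commit attaches it to the application controller's service account. That lets the controller's token read every Secret in the cluster and modify any workload, including its image and service account, which is far more than a controller that tracks `Application` components should need. I would replace the `'*'` entries with the explicit groups and resources that the Application objects list under `componentKinds`, written out so that `secrets` is not included, and keep the wildcard only in the `app.k8s.io` rule. If the controller really has to patch owner references on arbitrary kinds, record that above the rule, e.g. `# wildcard required: controller sets ownerReferences on any component kind`.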
@ -0,0 +1,29 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
resources: |
|||
- cluster-role.yaml |
|||
- cluster-role-binding.yaml |
|||
- service-account.yaml |
|||
- service.yaml |
|||
- stateful-set.yaml |
|||
namespace: kubeflow |
|||
nameprefix: application-controller- |
|||
configMapGenerator: |
|||
- name: parameters |
|||
env: params.env |
|||
generatorOptions: |
|||
disableNameSuffixHash: true |
|||
images: |
|||
- name: gcr.io/kubeflow-images-public/kubernetes-sigs/application |
|||
newName: gcr.io/kubeflow-images-public/kubernetes-sigs/application |
|||
newTag: 1.0-beta |
|||
vars: |
|||
- name: project |
|||
objref: |
|||
kind: ConfigMap |
|||
name: parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.project |
|||
configurations: |
|||
- params.yaml |
@ -0,0 +1 @@ |
|||
project= |
@ -0,0 +1,3 @@ |
|||
varReference: |
|||
- path: spec/template/spec/containers/image |
|||
kind: StatefulSet |
@ -0,0 +1,4 @@ |
|||
apiVersion: v1 |
|||
kind: ServiceAccount |
|||
metadata: |
|||
name: service-account |
@ -0,0 +1,7 @@ |
|||
apiVersion: v1 |
|||
kind: Service |
|||
metadata: |
|||
name: service |
|||
spec: |
|||
ports: |
|||
- port: 443 |
@ -0,0 +1,27 @@ |
|||
apiVersion: apps/v1 |
|||
kind: StatefulSet |
|||
metadata: |
|||
name: stateful-set |
|||
spec: |
|||
serviceName: service |
|||
selector: |
|||
matchLabels: |
|||
app: application-controller |
|||
template: |
|||
metadata: |
|||
labels: |
|||
app: application-controller |
|||
annotations: |
|||
sidecar.istio.io/inject: "false" |
|||
spec: |
|||
containers: |
|||
- name: manager |
|||
command: |
|||
- /root/manager |
|||
image: gcr.io/kubeflow-images-public/kubernetes-sigs/application |
|||
imagePullPolicy: Always |
|||
env: |
|||
- name: project |
|||
value: $(project) |
|||
serviceAccountName: service-account |
|||
volumeClaimTemplates: [] |
@ -0,0 +1,14 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
bases: |
|||
- base |
|||
commonLabels: |
|||
app.kubernetes.io/component: kubeflow |
|||
app.kubernetes.io/instance: kubeflow-v0.7.0 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/name: kubeflow |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: v0.7.0 |
|||
kind: Kustomization |
|||
namespace: kubeflow |
|||
resources: |
|||
- overlays/application/application.yaml |
@ -0,0 +1,34 @@ |
|||
apiVersion: app.k8s.io/v1beta1 |
|||
kind: Application |
|||
metadata: |
|||
name: kubeflow |
|||
spec: |
|||
selector: |
|||
matchLabels: |
|||
app.kubernetes.io/name: kubeflow |
|||
app.kubernetes.io/instance: kubeflow-v0.7.0 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/component: kubeflow |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: v0.7.0 |
|||
componentKinds: |
|||
- group: app.k8s.io |
|||
kind: Application |
|||
descriptor: |
|||
type: kubeflow |
|||
version: v1beta1 |
|||
description: application that aggregates all kubeflow applications |
|||
maintainers: |
|||
- name: Jeremy Lewi |
|||
email: jlewi@google.com |
|||
- name: Kam Kasravi |
|||
email: kam.d.kasravi@intel.com |
|||
owners: |
|||
- name: Jeremy Lewi |
|||
email: jlewi@google.com |
|||
keywords: |
|||
- kubeflow |
|||
links: |
|||
- description: About |
|||
url: "https://kubeflow.org" |
|||
addOwnerRef: true |
@ -0,0 +1,13 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
bases: |
|||
- ../../base |
|||
resources: |
|||
- application.yaml |
|||
commonLabels: |
|||
app.kubernetes.io/name: kubeflow |
|||
app.kubernetes.io/instance: kubeflow-v0.7.0 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/component: kubeflow |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: v0.7.0 |
@ -0,0 +1,10 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
bases: |
|||
- ../../base |
|||
patchesStrategicMerge: |
|||
- stateful-set.yaml |
|||
images: |
|||
- name: gcr.io/$(project)/application-controller |
|||
newName: gcr.io/$(project)/application-controller |
|||
newTag: latest |
@ -0,0 +1,25 @@ |
|||
apiVersion: apps/v1 |
|||
kind: StatefulSet |
|||
metadata: |
|||
name: stateful-set |
|||
spec: |
|||
template: |
|||
metadata: |
|||
annotations: |
|||
sidecar.istio.io/inject: "false" |
|||
spec: |
|||
containers: |
|||
- name: manager |
|||
image: gcr.io/$(project)/application-controller:latest |
|||
command: |
|||
- /go/bin/dlv |
|||
args: |
|||
- --listen=:2345 |
|||
- --headless=true |
|||
- --api-version=2 |
|||
- exec |
|||
- /go/src/github.com/kubernetes-sigs/application/manager |
|||
ports: |
|||
- containerPort: 2345 |
|||
securityContext: |
|||
privileged: true |
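Review bot: This debug patch starts the manager under a headless Delve server on `--listen=:2345` and sets `privileged: true`, so any client that can reach port 2345 on the pod gets debugger control of a process inside a container with full host privileges. Headless Delve has no authentication of its own, so the listener should be bound to loopback, `- --listen=127.0.0.1:2345`, and reached through `kubectl port-forward`. `privileged: true` should be replaced by the narrowest setting the debugger needs, which is usually a `capabilities` entry adding `SYS_PTRACE`; that needs testing against this image. The overlay also runs `gcr.io/$(project)/application-controller:latest`, a mutable tag, so it should stay out of any default or production kustomization.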
@ -0,0 +1,29 @@ |
|||
--- |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
labels: |
|||
app: argo |
|||
name: argo |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: argo |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: argo |
|||
namespace: kubeflow |
|||
--- |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
labels: |
|||
app: argo-ui |
|||
name: argo-ui |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: argo-ui |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: argo-ui |
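Review bot: The `argo-ui` ClusterRoleBinding names a `ServiceAccount` subject without a `namespace`, while the `argo` binding above it sets `namespace: kubeflow`. A ServiceAccount subject in a ClusterRoleBinding needs a namespace to be valid, so this object only works if the Kustomize namespace transformer adds one during rendering. I would write it explicitly, `namespace: kubeflow`, as the first binding does, so the manifest is correct on its own and the two bindings stay consistent.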
@ -0,0 +1,79 @@ |
|||
--- |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
labels: |
|||
app: argo |
|||
name: argo |
|||
rules: |
|||
- apiGroups: |
|||
- "" |
|||
resources: |
|||
- pods |
|||
- pods/exec |
|||
verbs: |
|||
- create |
|||
- get |
|||
- list |
|||
- watch |
|||
- update |
|||
- patch |
|||
- apiGroups: |
|||
- "" |
|||
resources: |
|||
- configmaps |
|||
verbs: |
|||
- get |
|||
- watch |
|||
- list |
|||
- apiGroups: |
|||
- "" |
|||
resources: |
|||
- persistentvolumeclaims |
|||
verbs: |
|||
- create |
|||
- delete |
|||
- apiGroups: |
|||
- argoproj.io |
|||
resources: |
|||
- workflows |
|||
- workflows/finalizers |
|||
verbs: |
|||
- get |
|||
- list |
|||
- watch |
|||
- update |
|||
- patch |
|||
--- |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
labels: |
|||
app: argo |
|||
name: argo-ui |
|||
rules: |
|||
- apiGroups: |
|||
- "" |
|||
resources: |
|||
- pods |
|||
- pods/exec |
|||
- pods/log |
|||
verbs: |
|||
- get |
|||
- list |
|||
- watch |
|||
- apiGroups: |
|||
- "" |
|||
resources: |
|||
- secrets |
|||
verbs: |
|||
- get |
|||
- apiGroups: |
|||
- argoproj.io |
|||
resources: |
|||
- workflows |
|||
- workflows/finalizers |
|||
verbs: |
|||
- get |
|||
- list |
|||
- watch |
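Review bot: Both roles are ClusterRoles, so `argo-ui` receives `get` on `secrets` in every namespace and `argo` receives `create` on `pods/exec` in every namespace, although the Deployments in this commit run both components in `kubeflow` only. A UI that can fetch any Secret by name turns a flaw in that UI, or any unauthenticated path to it, into cluster-wide credential disclosure. The `pods/exec` entry in the `argo-ui` rule deserves a second look as well: exec requests made over WebSocket are authorized as `get`, so the rule may allow command execution rather than read-only access, which should be confirmed against the target Kubernetes version. I would scope these grants to a namespaced Role and RoleBinding in `kubeflow` where the components allow it, drop `pods/exec` from `argo-ui`, and restrict its `secrets` rule with `resourceNames` to the artifact-repository Secret (`mlpipeline-minio-artifact` in the parameters file).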
@ -0,0 +1,29 @@ |
|||
apiVersion: v1 |
|||
kind: ConfigMap |
|||
metadata: |
|||
name: workflow-controller-configmap |
|||
namespace: kubeflow |
|||
data: |
|||
config: | |
|||
{ |
|||
executorImage: $(executorImage), |
|||
containerRuntimeExecutor: $(containerRuntimeExecutor), |
|||
artifactRepository: |
|||
{ |
|||
s3: { |
|||
bucket: $(artifactRepositoryBucket), |
|||
keyPrefix: $(artifactRepositoryKeyPrefix), |
|||
endpoint: $(artifactRepositoryEndpoint), |
|||
insecure: $(artifactRepositoryInsecure), |
|||
accessKeySecret: { |
|||
name: $(artifactRepositoryAccessKeySecretName), |
|||
key: $(artifactRepositoryAccessKeySecretKey) |
|||
}, |
|||
secretKeySecret: { |
|||
name: $(artifactRepositorySecretKeySecretName), |
|||
key: $(artifactRepositorySecretKeySecretKey) |
|||
} |
|||
} |
|||
} |
|||
} |
|||
|
@ -0,0 +1,15 @@ |
|||
apiVersion: apiextensions.k8s.io/v1beta1 |
|||
kind: CustomResourceDefinition |
|||
metadata: |
|||
name: workflows.argoproj.io |
|||
spec: |
|||
group: argoproj.io |
|||
names: |
|||
kind: Workflow |
|||
listKind: WorkflowList |
|||
plural: workflows |
|||
shortNames: |
|||
- wf |
|||
singular: workflow |
|||
scope: Namespaced |
|||
version: v1alpha1 |
@ -0,0 +1,111 @@ |
|||
--- |
|||
apiVersion: apps/v1 |
|||
kind: Deployment |
|||
metadata: |
|||
labels: |
|||
app: argo-ui |
|||
name: argo-ui |
|||
namespace: kubeflow |
|||
spec: |
|||
progressDeadlineSeconds: 600 |
|||
replicas: 1 |
|||
revisionHistoryLimit: 10 |
|||
selector: |
|||
matchLabels: |
|||
app: argo-ui |
|||
strategy: |
|||
rollingUpdate: |
|||
maxSurge: 25% |
|||
maxUnavailable: 25% |
|||
type: RollingUpdate |
|||
template: |
|||
metadata: |
|||
creationTimestamp: null |
|||
labels: |
|||
app: argo-ui |
|||
annotations: |
|||
sidecar.istio.io/inject: "false" |
|||
spec: |
|||
containers: |
|||
- env: |
|||
- name: ARGO_NAMESPACE |
|||
valueFrom: |
|||
fieldRef: |
|||
apiVersion: v1 |
|||
fieldPath: metadata.namespace |
|||
- name: IN_CLUSTER |
|||
value: 'true' |
|||
- name: ENABLE_WEB_CONSOLE |
|||
value: 'false' |
|||
- name: BASE_HREF |
|||
value: /argo/ |
|||
image: argoproj/argoui:v2.3.0 |
|||
imagePullPolicy: IfNotPresent |
|||
name: argo-ui |
|||
resources: {} |
|||
terminationMessagePath: /dev/termination-log |
|||
terminationMessagePolicy: File |
|||
readinessProbe: |
|||
httpGet: |
|||
path: / |
|||
port: 8001 |
|||
dnsPolicy: ClusterFirst |
|||
restartPolicy: Always |
|||
schedulerName: default-scheduler |
|||
securityContext: {} |
|||
serviceAccount: argo-ui |
|||
serviceAccountName: argo-ui |
|||
terminationGracePeriodSeconds: 30 |
|||
--- |
|||
apiVersion: apps/v1 |
|||
kind: Deployment |
|||
metadata: |
|||
labels: |
|||
app: workflow-controller |
|||
name: workflow-controller |
|||
namespace: kubeflow |
|||
spec: |
|||
progressDeadlineSeconds: 600 |
|||
replicas: 1 |
|||
revisionHistoryLimit: 10 |
|||
selector: |
|||
matchLabels: |
|||
app: workflow-controller |
|||
strategy: |
|||
rollingUpdate: |
|||
maxSurge: 25% |
|||
maxUnavailable: 25% |
|||
type: RollingUpdate |
|||
template: |
|||
metadata: |
|||
creationTimestamp: null |
|||
labels: |
|||
app: workflow-controller |
|||
annotations: |
|||
sidecar.istio.io/inject: "false" |
|||
spec: |
|||
containers: |
|||
- args: |
|||
- --configmap |
|||
- workflow-controller-configmap |
|||
command: |
|||
- workflow-controller |
|||
env: |
|||
- name: ARGO_NAMESPACE |
|||
valueFrom: |
|||
fieldRef: |
|||
apiVersion: v1 |
|||
fieldPath: metadata.namespace |
|||
image: argoproj/workflow-controller:v2.3.0 |
|||
imagePullPolicy: IfNotPresent |
|||
name: workflow-controller |
|||
resources: {} |
|||
terminationMessagePath: /dev/termination-log |
|||
terminationMessagePolicy: File |
|||
dnsPolicy: ClusterFirst |
|||
restartPolicy: Always |
|||
schedulerName: default-scheduler |
|||
securityContext: {} |
|||
serviceAccount: argo |
|||
serviceAccountName: argo |
|||
terminationGracePeriodSeconds: 30 |
@ -0,0 +1,111 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
resources: |
|||
- cluster-role-binding.yaml |
|||
- cluster-role.yaml |
|||
- config-map.yaml |
|||
- crd.yaml |
|||
- deployment.yaml |
|||
- service-account.yaml |
|||
- service.yaml |
|||
commonLabels: |
|||
kustomize.component: argo |
|||
images: |
|||
- name: argoproj/argoui |
|||
newName: argoproj/argoui |
|||
newTag: v2.3.0 |
|||
- name: argoproj/workflow-controller |
|||
newName: argoproj/workflow-controller |
|||
newTag: v2.3.0 |
|||
configMapGenerator: |
|||
- name: workflow-controller-parameters |
|||
env: params.env |
|||
generatorOptions: |
|||
disableNameSuffixHash: true |
|||
vars: |
|||
- name: executorImage |
|||
objref: |
|||
kind: ConfigMap |
|||
name: workflow-controller-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.executorImage |
|||
- name: containerRuntimeExecutor |
|||
objref: |
|||
kind: ConfigMap |
|||
name: workflow-controller-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.containerRuntimeExecutor |
|||
- name: artifactRepositoryBucket |
|||
objref: |
|||
kind: ConfigMap |
|||
name: workflow-controller-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.artifactRepositoryBucket |
|||
- name: artifactRepositoryKeyPrefix |
|||
objref: |
|||
kind: ConfigMap |
|||
name: workflow-controller-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.artifactRepositoryKeyPrefix |
|||
- name: artifactRepositoryEndpoint |
|||
objref: |
|||
kind: ConfigMap |
|||
name: workflow-controller-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.artifactRepositoryEndpoint |
|||
- name: artifactRepositoryInsecure |
|||
objref: |
|||
kind: ConfigMap |
|||
name: workflow-controller-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.artifactRepositoryInsecure |
|||
- name: artifactRepositoryAccessKeySecretName |
|||
objref: |
|||
kind: ConfigMap |
|||
name: workflow-controller-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.artifactRepositoryAccessKeySecretName |
|||
- name: artifactRepositoryAccessKeySecretKey |
|||
objref: |
|||
kind: ConfigMap |
|||
name: workflow-controller-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.artifactRepositoryAccessKeySecretKey |
|||
- name: artifactRepositorySecretKeySecretName |
|||
objref: |
|||
kind: ConfigMap |
|||
name: workflow-controller-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.artifactRepositorySecretKeySecretName |
|||
- name: artifactRepositorySecretKeySecretKey |
|||
objref: |
|||
kind: ConfigMap |
|||
name: workflow-controller-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.artifactRepositorySecretKeySecretKey |
|||
- name: namespace |
|||
objref: |
|||
kind: ConfigMap |
|||
name: workflow-controller-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.namespace |
|||
- name: clusterDomain |
|||
objref: |
|||
kind: ConfigMap |
|||
name: workflow-controller-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.clusterDomain |
|||
configurations: |
|||
- params.yaml |
@ -0,0 +1,12 @@ |
|||
namespace=kubeflow |
|||
executorImage=argoproj/argoexec:v2.3.0 |
|||
containerRuntimeExecutor=docker |
|||
artifactRepositoryBucket=mlpipeline |
|||
artifactRepositoryKeyPrefix=artifacts |
|||
artifactRepositoryEndpoint=minio-service.kubeflow:9000 |
|||
artifactRepositoryInsecure=true |
|||
artifactRepositoryAccessKeySecretName=mlpipeline-minio-artifact |
|||
artifactRepositoryAccessKeySecretKey=accesskey |
|||
artifactRepositorySecretKeySecretName=mlpipeline-minio-artifact |
|||
artifactRepositorySecretKeySecretKey=secretkey |
|||
clusterDomain=cluster.local |
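Review bot: `artifactRepositoryInsecure=true` makes the workflow controller and executors talk to `minio-service.kubeflow:9000` without TLS, so the keys read from the `mlpipeline-minio-artifact` Secret and every artifact cross the pod network in clear text. If that is an accepted default for an in-cluster MinIO, a comment should say so and state when it must change, e.g. `# plain HTTP to in-cluster MinIO; set to false for any external endpoint`. `containerRuntimeExecutor=docker` is worth a comment too, since as far as I know that executor works through the node's Docker socket, which gives workflow pods a path to the host's container runtime.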
@ -0,0 +1,7 @@ |
|||
varReference: |
|||
- path: data/config |
|||
kind: ConfigMap |
|||
- path: data/config |
|||
kind: Deployment |
|||
- path: metadata/annotations/getambassador.io\/config |
|||
kind: Service |
@ -0,0 +1,11 @@ |
|||
--- |
|||
apiVersion: v1 |
|||
kind: ServiceAccount |
|||
metadata: |
|||
name: argo |
|||
--- |
|||
apiVersion: v1 |
|||
kind: ServiceAccount |
|||
metadata: |
|||
name: argo-ui |
|||
namespace: kubeflow |
@ -0,0 +1,23 @@ |
|||
apiVersion: v1 |
|||
kind: Service |
|||
metadata: |
|||
annotations: |
|||
getambassador.io/config: |- |
|||
--- |
|||
apiVersion: ambassador/v0 |
|||
kind: Mapping |
|||
name: argo-ui-mapping |
|||
prefix: /argo/ |
|||
service: argo-ui.$(namespace) |
|||
labels: |
|||
app: argo-ui |
|||
name: argo-ui |
|||
namespace: kubeflow |
|||
spec: |
|||
ports: |
|||
- port: 80 |
|||
targetPort: 8001 |
|||
selector: |
|||
app: argo-ui |
|||
sessionAffinity: None |
|||
type: NodePort |
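Review bot: `type: NodePort` opens the Argo UI on a port of every node, outside the Ambassador mapping and the Istio VirtualService that this commit defines for `/argo/`, so any gateway-level authentication is bypassed for clients that can reach a node address. The `argo-ui` service account behind this Service can read Secrets cluster-wide under the ClusterRole added in this commit, which makes unauthenticated reachability costly. The centraldashboard Service in this commit already uses a cluster-internal type; I would do the same here with `type: ClusterIP`.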
@ -0,0 +1,17 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
bases: |
|||
- base |
|||
commonLabels: |
|||
app.kubernetes.io/component: argo |
|||
app.kubernetes.io/instance: argo-v2.3.0 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/name: argo |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: v2.3.0 |
|||
configurations: |
|||
- overlays/istio/params.yaml |
|||
kind: Kustomization |
|||
namespace: kubeflow |
|||
resources: |
|||
- overlays/istio/virtual-service.yaml |
|||
- overlays/application/application.yaml |
@ -0,0 +1,38 @@ |
|||
apiVersion: app.k8s.io/v1beta1 |
|||
kind: Application |
|||
metadata: |
|||
name: argo |
|||
spec: |
|||
selector: |
|||
matchLabels: |
|||
app.kubernetes.io/name: argo |
|||
app.kubernetes.io/instance: argo-v2.3.0 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/component: argo |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: v2.3.0 |
|||
componentKinds: |
|||
- group: core |
|||
kind: ConfigMap |
|||
- group: apps |
|||
kind: Deployment |
|||
- group: core |
|||
kind: ServiceAccount |
|||
- group: core |
|||
kind: Service |
|||
- group: networking.istio.io |
|||
kind: VirtualService |
|||
descriptor: |
|||
type: argo |
|||
version: v1beta1 |
|||
description: Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes |
|||
maintainers: [] |
|||
owners: [] |
|||
keywords: |
|||
- argo |
|||
- kubeflow |
|||
links: |
|||
- description: About |
|||
url: https://github.com/argoproj/argo |
|||
addOwnerRef: true |
|||
|
@ -0,0 +1,13 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
bases: |
|||
- ../../base |
|||
resources: |
|||
- application.yaml |
|||
commonLabels: |
|||
app.kubernetes.io/name: argo |
|||
app.kubernetes.io/instance: argo-v2.3.0 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/component: argo |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: v2.3.0 |
@ -0,0 +1,8 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
bases: |
|||
- ../../base |
|||
resources: |
|||
- virtual-service.yaml |
|||
configurations: |
|||
- params.yaml |
@ -0,0 +1,3 @@ |
|||
varReference: |
|||
- path: spec/http/route/destination/host |
|||
kind: VirtualService |
@ -0,0 +1,20 @@ |
|||
apiVersion: networking.istio.io/v1alpha3 |
|||
kind: VirtualService |
|||
metadata: |
|||
name: argo-ui |
|||
spec: |
|||
gateways: |
|||
- kubeflow-gateway |
|||
hosts: |
|||
- '*' |
|||
http: |
|||
- match: |
|||
- uri: |
|||
prefix: /argo/ |
|||
rewrite: |
|||
uri: / |
|||
route: |
|||
- destination: |
|||
host: argo-ui.$(namespace).svc.$(clusterDomain) |
|||
port: |
|||
number: 80 |
@ -0,0 +1,14 @@ |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
labels: |
|||
app: centraldashboard |
|||
name: centraldashboard |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: centraldashboard |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: centraldashboard |
|||
namespace: $(namespace) |
@ -0,0 +1,17 @@ |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
labels: |
|||
app: centraldashboard |
|||
name: centraldashboard |
|||
rules: |
|||
- apiGroups: |
|||
- "" |
|||
resources: |
|||
- events |
|||
- namespaces |
|||
- nodes |
|||
verbs: |
|||
- get |
|||
- list |
|||
- watch |
@ -0,0 +1,31 @@ |
|||
apiVersion: apps/v1 |
|||
kind: Deployment |
|||
metadata: |
|||
labels: |
|||
app: centraldashboard |
|||
name: centraldashboard |
|||
spec: |
|||
replicas: 1 |
|||
selector: |
|||
matchLabels: |
|||
app: centraldashboard |
|||
template: |
|||
metadata: |
|||
labels: |
|||
app: centraldashboard |
|||
spec: |
|||
containers: |
|||
- image: gcr.io/kubeflow-images-public/centraldashboard |
|||
imagePullPolicy: IfNotPresent |
|||
name: centraldashboard |
|||
ports: |
|||
- containerPort: 8082 |
|||
protocol: TCP |
|||
env: |
|||
- name: USERID_HEADER |
|||
value: $(userid-header) |
|||
- name: USERID_PREFIX |
|||
value: $(userid-prefix) |
|||
- name: PROFILES_KFAM_SERVICE_HOST |
|||
value: profiles-kfam.kubeflow |
|||
serviceAccountName: centraldashboard |
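Review bot: `USERID_HEADER` and `USERID_PREFIX` suggest the dashboard takes the caller's identity from a request header (`kubeflow-userid` in the parameters file), and nothing in this Deployment or its Service restricts who may send that header. The header is trustworthy only if every request passes through the authenticating gateway and the gateway strips or overwrites any client-supplied copy; a workload that calls `centraldashboard` directly on port 8082 could otherwise name any user. I would state that assumption in a comment above the env entries, e.g. `# identity header is set by the auth gateway; direct access to this pod must be blocked`, and pair the Deployment with a NetworkPolicy or Istio authorization rule that admits traffic from the ingress gateway only.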
@ -0,0 +1,53 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
resources: |
|||
- clusterrole-binding.yaml |
|||
- clusterrole.yaml |
|||
- deployment.yaml |
|||
- role-binding.yaml |
|||
- role.yaml |
|||
- service-account.yaml |
|||
- service.yaml |
|||
namespace: kubeflow |
|||
commonLabels: |
|||
kustomize.component: centraldashboard |
|||
images: |
|||
- name: gcr.io/kubeflow-images-public/centraldashboard |
|||
newName: gcr.io/kubeflow-images-public/centraldashboard |
|||
newTag: vmaster-g6b987df8 |
|||
configMapGenerator: |
|||
- env: params.env |
|||
name: parameters |
|||
generatorOptions: |
|||
disableNameSuffixHash: true |
|||
vars: |
|||
- fieldref: |
|||
fieldPath: metadata.namespace |
|||
name: namespace |
|||
objref: |
|||
apiVersion: v1 |
|||
kind: Service |
|||
name: centraldashboard |
|||
- fieldref: |
|||
fieldPath: data.clusterDomain |
|||
name: clusterDomain |
|||
objref: |
|||
apiVersion: v1 |
|||
kind: ConfigMap |
|||
name: parameters |
|||
- fieldref: |
|||
fieldPath: data.userid-header |
|||
name: userid-header |
|||
objref: |
|||
apiVersion: v1 |
|||
kind: ConfigMap |
|||
name: parameters |
|||
- fieldref: |
|||
fieldPath: data.userid-prefix |
|||
name: userid-prefix |
|||
objref: |
|||
apiVersion: v1 |
|||
kind: ConfigMap |
|||
name: parameters |
|||
configurations: |
|||
- params.yaml |
@ -0,0 +1,3 @@ |
|||
clusterDomain=cluster.local |
|||
userid-header=kubeflow-userid |
|||
userid-prefix= |
@ -0,0 +1,9 @@ |
|||
varReference: |
|||
- path: metadata/annotations/getambassador.io\/config |
|||
kind: Service |
|||
- path: spec/http/route/destination/host |
|||
kind: VirtualService |
|||
- path: spec/template/spec/containers/0/env/0/value |
|||
kind: Deployment |
|||
- path: spec/template/spec/containers/0/env/1/value |
|||
kind: Deployment |
@ -0,0 +1,14 @@ |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: RoleBinding |
|||
metadata: |
|||
labels: |
|||
app: centraldashboard |
|||
name: centraldashboard |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: Role |
|||
name: centraldashboard |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: centraldashboard |
|||
namespace: $(namespace) |
@ -0,0 +1,25 @@ |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: Role |
|||
metadata: |
|||
labels: |
|||
app: centraldashboard |
|||
name: centraldashboard |
|||
rules: |
|||
- apiGroups: |
|||
- "" |
|||
- "app.k8s.io" |
|||
resources: |
|||
- applications |
|||
- pods |
|||
- pods/exec |
|||
- pods/log |
|||
verbs: |
|||
- get |
|||
- list |
|||
- watch |
|||
- apiGroups: |
|||
- "" |
|||
resources: |
|||
- secrets |
|||
verbs: |
|||
- get |
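Review bot: The second rule grants `get` on `secrets` with no `resourceNames`, so the `centraldashboard` service account can read any Secret in the namespace whose name it knows. If the dashboard needs only specific secrets, add `resourceNames: ["<secret-name>"]` (placeholder) or drop the rule. The first rule also lists `pods/exec` under `get`/`list`/`watch`; on API servers that authorize a WebSocket exec as a GET request this can be enough to open an exec session, so remove `pods/exec` unless the dashboard demonstrably needs it. Because that rule mixes the core group `""` with `app.k8s.io`, every listed resource is granted in both groups; one rule per group, each with a comment, would make the intent reviewable.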
@ -0,0 +1,4 @@ |
|||
apiVersion: v1 |
|||
kind: ServiceAccount |
|||
metadata: |
|||
name: centraldashboard |
@ -0,0 +1,24 @@ |
|||
apiVersion: v1 |
|||
kind: Service |
|||
metadata: |
|||
annotations: |
|||
getambassador.io/config: |- |
|||
--- |
|||
apiVersion: ambassador/v0 |
|||
kind: Mapping |
|||
name: centralui-mapping |
|||
prefix: / |
|||
rewrite: / |
|||
service: centraldashboard.$(namespace) |
|||
labels: |
|||
app: centraldashboard |
|||
name: centraldashboard |
|||
spec: |
|||
ports: |
|||
- port: 80 |
|||
protocol: TCP |
|||
targetPort: 8082 |
|||
selector: |
|||
app: centraldashboard |
|||
sessionAffinity: None |
|||
type: ClusterIP |
@ -0,0 +1,17 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
bases: |
|||
- base |
|||
commonLabels: |
|||
app.kubernetes.io/component: centraldashboard |
|||
app.kubernetes.io/instance: centraldashboard-v0.7.0 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/name: centraldashboard |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: v0.7.0 |
|||
configurations: |
|||
- overlays/istio/params.yaml |
|||
kind: Kustomization |
|||
namespace: kubeflow |
|||
resources: |
|||
- overlays/istio/virtual-service.yaml |
|||
- overlays/application/application.yaml |
@ -0,0 +1,54 @@ |
|||
apiVersion: app.k8s.io/v1beta1 |
|||
kind: Application |
|||
metadata: |
|||
name: centraldashboard |
|||
spec: |
|||
selector: |
|||
matchLabels: |
|||
app.kubernetes.io/name: centraldashboard |
|||
app.kubernetes.io/instance: centraldashboard-v0.7.0 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/component: centraldashboard |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: v0.7.0 |
|||
componentKinds: |
|||
- group: core |
|||
kind: ConfigMap |
|||
- group: apps |
|||
kind: Deployment |
|||
- group: rbac.authorization.k8s.io |
|||
kind: RoleBinding |
|||
- group: rbac.authorization.k8s.io |
|||
kind: Role |
|||
- group: core |
|||
kind: ServiceAccount |
|||
- group: core |
|||
kind: Service |
|||
- group: networking.istio.io |
|||
kind: VirtualService |
|||
descriptor: |
|||
type: centraldashboard |
|||
version: v1beta1 |
|||
description: Provides a Dashboard UI for kubeflow |
|||
maintainers: |
|||
- name: Jason Prodonovich |
|||
email: prodonjs@gmail.com |
|||
- name: Apoorv Verma |
|||
email: apverma@google.com |
|||
- name: Adhita Selvaraj |
|||
email: adhita94@gmail.com |
|||
owners: |
|||
- name: Jason Prodonovich |
|||
email: prodonjs@gmail.com |
|||
- name: Apoorv Verma |
|||
email: apverma@google.com |
|||
- name: Adhita Selvaraj |
|||
email: adhita94@gmail.com |
|||
keywords: |
|||
- centraldashboard |
|||
- kubeflow |
|||
links: |
|||
- description: About |
|||
url: https://github.com/kubeflow/kubeflow/tree/master/components/centraldashboard |
|||
addOwnerRef: true |
|||
|
@ -0,0 +1,13 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
bases: |
|||
- ../../base |
|||
resources: |
|||
- application.yaml |
|||
commonLabels: |
|||
app.kubernetes.io/name: centraldashboard |
|||
app.kubernetes.io/instance: centraldashboard-v0.7.0 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/component: centraldashboard |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: v0.7.0 |
@ -0,0 +1,9 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
bases: |
|||
- ../../base |
|||
resources: |
|||
- virtual-service.yaml |
|||
configurations: |
|||
- params.yaml |
|||
|
@ -0,0 +1,3 @@ |
|||
varReference: |
|||
- path: spec/http/route/destination/host |
|||
kind: VirtualService |
@ -0,0 +1,20 @@ |
|||
apiVersion: networking.istio.io/v1alpha3 |
|||
kind: VirtualService |
|||
metadata: |
|||
name: centraldashboard |
|||
spec: |
|||
gateways: |
|||
- kubeflow-gateway |
|||
hosts: |
|||
- '*' |
|||
http: |
|||
- match: |
|||
- uri: |
|||
prefix: / |
|||
rewrite: |
|||
uri: / |
|||
route: |
|||
- destination: |
|||
host: centraldashboard.$(namespace).svc.$(clusterDomain) |
|||
port: |
|||
number: 80 |
File diff suppressed because it is too large
@ -0,0 +1,4 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
resources: |
|||
- crd.yaml |
@ -0,0 +1,5 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
bases: |
|||
- base |
|||
kind: Kustomization |
|||
namespace: cert-manager |
@ -0,0 +1,23 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
namespace: kube-system |
|||
resources: |
|||
- role-binding.yaml |
|||
- role.yaml |
|||
commonLabels: |
|||
kustomize.component: cert-manager |
|||
configMapGenerator: |
|||
- name: cert-manager-kube-params-parameters |
|||
env: params.env |
|||
generatorOptions: |
|||
disableNameSuffixHash: true |
|||
vars: |
|||
- name: certManagerNamespace |
|||
objref: |
|||
kind: ConfigMap |
|||
name: cert-manager-kube-params-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.certManagerNamespace |
|||
configurations: |
|||
- params.yaml |
@ -0,0 +1 @@ |
|||
certManagerNamespace=cert-manager |
@ -0,0 +1,3 @@ |
|||
varReference: |
|||
- path: subjects/namespace |
|||
kind: RoleBinding |
@ -0,0 +1,58 @@ |
|||
# grant cert-manager permission to manage the leaderelection configmap in the |
|||
# leader election namespace |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: RoleBinding |
|||
metadata: |
|||
name: cert-manager-cainjector:leaderelection |
|||
labels: |
|||
app: cainjector |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: Role |
|||
name: cert-manager-cainjector:leaderelection |
|||
subjects: |
|||
- apiGroup: "" |
|||
kind: ServiceAccount |
|||
name: cert-manager-cainjector |
|||
namespace: $(certManagerNamespace) |
|||
|
|||
--- |
|||
|
|||
# grant cert-manager permission to manage the leaderelection configmap in the |
|||
# leader election namespace |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: RoleBinding |
|||
metadata: |
|||
name: cert-manager:leaderelection |
|||
labels: |
|||
app: cert-manager |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: Role |
|||
name: cert-manager:leaderelection |
|||
subjects: |
|||
- apiGroup: "" |
|||
kind: ServiceAccount |
|||
name: cert-manager |
|||
namespace: $(certManagerNamespace) |
|||
|
|||
--- |
|||
|
|||
# apiserver gets the ability to read authentication. This allows it to |
|||
# read the specific configmap that has the requestheader-* entries to |
|||
# api agg |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: RoleBinding |
|||
metadata: |
|||
name: cert-manager-webhook:webhook-authentication-reader |
|||
labels: |
|||
app: webhook |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: Role |
|||
name: extension-apiserver-authentication-reader |
|||
subjects: |
|||
- apiGroup: "" |
|||
kind: ServiceAccount |
|||
name: cert-manager-webhook |
|||
namespace: $(certManagerNamespace) |
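Review bot: All three bindings use `apiVersion: rbac.authorization.k8s.io/v1beta1`, which is deprecated and no longer served from Kubernetes 1.22 on, while the centraldashboard RBAC files and the `cert-manager-webhook:webhook-requester` ClusterRole in this same commit already use `rbac.authorization.k8s.io/v1`. The objects here have the same schema in both versions, so the line can become `apiVersion: rbac.authorization.k8s.io/v1`; the same applies to the Role, ClusterRoleBinding and ClusterRole files that follow. The comment above the first binding says "cert-manager" although its subject is `cert-manager-cainjector`, and the third comment breaks off at "api agg"; both should be corrected.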
@ -0,0 +1,28 @@ |
|||
# leader election rules |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: Role |
|||
metadata: |
|||
name: cert-manager-cainjector:leaderelection |
|||
labels: |
|||
app: cainjector |
|||
rules: |
|||
# Used for leader election by the controller |
|||
# TODO: refine the permission to *just* the leader election configmap |
|||
- apiGroups: [""] |
|||
resources: ["configmaps"] |
|||
verbs: ["get", "create", "update", "patch"] |
|||
|
|||
--- |
|||
|
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: Role |
|||
metadata: |
|||
name: cert-manager:leaderelection |
|||
labels: |
|||
app: cert-manager |
|||
rules: |
|||
# Used for leader election by the controller |
|||
# TODO: refine the permission to *just* the leader election configmap |
|||
- apiGroups: [""] |
|||
resources: ["configmaps"] |
|||
verbs: ["get", "create", "update", "patch"] |
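Review bot: Both leader-election Roles allow `get`, `create`, `update` and `patch` on every ConfigMap in the namespace they are applied to, and the kustomization that includes this file sets that namespace to `kube-system`, where other cluster components keep their configuration. The in-file TODO already asks for this to be narrowed. `create` cannot be limited by name, but the other verbs can, so split each rule in two and restrict the second with `resourceNames`. The lock name below is a placeholder to be taken from the controller's leader-election settings.

```yaml
rules:
  # create cannot be restricted by resourceNames
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  # all other verbs only on the leader-election lock itself
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["<leader-election-configmap-name>"]  # placeholder
    verbs: ["get", "update", "patch"]
```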
@ -0,0 +1,5 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
bases: |
|||
- base |
|||
kind: Kustomization |
|||
namespace: kube-system |
@ -0,0 +1,16 @@ |
|||
apiVersion: apiregistration.k8s.io/v1beta1 |
|||
kind: APIService |
|||
metadata: |
|||
name: v1beta1.webhook.cert-manager.io |
|||
labels: |
|||
app: webhook |
|||
annotations: |
|||
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls" |
|||
spec: |
|||
group: webhook.cert-manager.io |
|||
groupPriorityMinimum: 1000 |
|||
versionPriority: 15 |
|||
service: |
|||
name: cert-manager-webhook |
|||
namespace: $(namespace) |
|||
version: v1beta1 |
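Review bot: The `cert-manager.io/inject-ca-from-secret` annotation hard-codes the namespace as `cert-manager/cert-manager-webhook-tls`, while `spec.service.namespace` on the same object is the kustomize variable `$(namespace)`. If `namespace` in params.env is changed, the service reference follows it but the CA would still be looked up in `cert-manager`, so the aggregated API would presumably be left without a matching CA bundle. Write the annotation value as `"$(namespace)/cert-manager-webhook-tls"` and add a `varReference` entry for `metadata/annotations` with `kind: APIService` to params.yaml, which currently lists only `spec/service/namespace` for this kind.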
@ -0,0 +1,135 @@ |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
name: cert-manager-controller-issuers |
|||
labels: |
|||
app: cert-manager |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: cert-manager-controller-issuers |
|||
subjects: |
|||
- name: cert-manager |
|||
namespace: $(namespace) |
|||
kind: ServiceAccount |
|||
|
|||
--- |
|||
|
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
name: cert-manager-controller-clusterissuers |
|||
labels: |
|||
app: cert-manager |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: cert-manager-controller-clusterissuers |
|||
subjects: |
|||
- name: cert-manager |
|||
namespace: $(namespace) |
|||
kind: ServiceAccount |
|||
|
|||
--- |
|||
|
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
name: cert-manager-controller-certificates |
|||
labels: |
|||
app: cert-manager |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: cert-manager-controller-certificates |
|||
subjects: |
|||
- name: cert-manager |
|||
namespace: $(namespace) |
|||
kind: ServiceAccount |
|||
|
|||
--- |
|||
|
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
name: cert-manager-controller-orders |
|||
labels: |
|||
app: cert-manager |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: cert-manager-controller-orders |
|||
subjects: |
|||
- name: cert-manager |
|||
namespace: $(namespace) |
|||
kind: ServiceAccount |
|||
|
|||
--- |
|||
|
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
name: cert-manager-controller-challenges |
|||
labels: |
|||
app: cert-manager |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: cert-manager-controller-challenges |
|||
subjects: |
|||
- name: cert-manager |
|||
namespace: $(namespace) |
|||
kind: ServiceAccount |
|||
|
|||
--- |
|||
|
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
name: cert-manager-controller-ingress-shim |
|||
labels: |
|||
app: cert-manager |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: cert-manager-controller-ingress-shim |
|||
subjects: |
|||
- name: cert-manager |
|||
namespace: $(namespace) |
|||
kind: ServiceAccount |
|||
|
|||
--- |
|||
# apiserver gets the auth-delegator role to delegate auth decisions to |
|||
# the core apiserver |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
name: cert-manager-webhook:auth-delegator |
|||
labels: |
|||
app: webhook |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: system:auth-delegator |
|||
subjects: |
|||
- apiGroup: "" |
|||
kind: ServiceAccount |
|||
name: cert-manager-webhook |
|||
namespace: $(namespace) |
|||
|
|||
--- |
|||
|
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
name: cert-manager-cainjector |
|||
labels: |
|||
app: cainjector |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: cert-manager-cainjector |
|||
subjects: |
|||
- name: cert-manager-cainjector |
|||
namespace: $(namespace) |
|||
kind: ServiceAccount |
@ -0,0 +1,265 @@ |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: cert-manager-cainjector |
|||
labels: |
|||
app: cainjector |
|||
rules: |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["certificates"] |
|||
verbs: ["get", "list", "watch"] |
|||
- apiGroups: [""] |
|||
resources: ["secrets"] |
|||
verbs: ["get", "list", "watch"] |
|||
- apiGroups: [""] |
|||
resources: ["events"] |
|||
verbs: ["get", "create", "update", "patch"] |
|||
- apiGroups: ["admissionregistration.k8s.io"] |
|||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] |
|||
verbs: ["get", "list", "watch", "update"] |
|||
- apiGroups: ["apiregistration.k8s.io"] |
|||
resources: ["apiservices"] |
|||
verbs: ["get", "list", "watch", "update"] |
|||
- apiGroups: ["apiextensions.k8s.io"] |
|||
resources: ["customresourcedefinitions"] |
|||
verbs: ["get", "list", "watch", "update"] |
|||
|
|||
--- |
|||
|
|||
# Issuer controller role |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: cert-manager-controller-issuers |
|||
labels: |
|||
app: cert-manager |
|||
rules: |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["issuers", "issuers/status"] |
|||
verbs: ["update"] |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["issuers"] |
|||
verbs: ["get", "list", "watch"] |
|||
- apiGroups: [""] |
|||
resources: ["secrets"] |
|||
verbs: ["get", "list", "watch", "create", "update", "delete"] |
|||
- apiGroups: [""] |
|||
resources: ["events"] |
|||
verbs: ["create", "patch"] |
|||
|
|||
--- |
|||
|
|||
# ClusterIssuer controller role |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: cert-manager-controller-clusterissuers |
|||
labels: |
|||
app: cert-manager |
|||
rules: |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["clusterissuers", "clusterissuers/status"] |
|||
verbs: ["update"] |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["clusterissuers"] |
|||
verbs: ["get", "list", "watch"] |
|||
- apiGroups: [""] |
|||
resources: ["secrets"] |
|||
verbs: ["get", "list", "watch", "create", "update", "delete"] |
|||
- apiGroups: [""] |
|||
resources: ["events"] |
|||
verbs: ["create", "patch"] |
|||
|
|||
--- |
|||
|
|||
# Certificates controller role |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: cert-manager-controller-certificates |
|||
labels: |
|||
app: cert-manager |
|||
rules: |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] |
|||
verbs: ["update"] |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] |
|||
verbs: ["get", "list", "watch"] |
|||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement |
|||
# admission controller enabled: |
|||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["certificates/finalizers"] |
|||
verbs: ["update"] |
|||
- apiGroups: ["acme.cert-manager.io"] |
|||
resources: ["orders"] |
|||
verbs: ["create", "delete", "get", "list", "watch"] |
|||
- apiGroups: [""] |
|||
resources: ["secrets"] |
|||
verbs: ["get", "list", "watch", "create", "update", "delete"] |
|||
- apiGroups: [""] |
|||
resources: ["events"] |
|||
verbs: ["create", "patch"] |
|||
|
|||
--- |
|||
|
|||
# Orders controller role |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: cert-manager-controller-orders |
|||
labels: |
|||
app: cert-manager |
|||
rules: |
|||
- apiGroups: ["acme.cert-manager.io"] |
|||
resources: ["orders", "orders/status"] |
|||
verbs: ["update"] |
|||
- apiGroups: ["acme.cert-manager.io"] |
|||
resources: ["orders", "challenges"] |
|||
verbs: ["get", "list", "watch"] |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["clusterissuers", "issuers"] |
|||
verbs: ["get", "list", "watch"] |
|||
- apiGroups: ["acme.cert-manager.io"] |
|||
resources: ["challenges"] |
|||
verbs: ["create", "delete"] |
|||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement |
|||
# admission controller enabled: |
|||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement |
|||
- apiGroups: ["acme.cert-manager.io"] |
|||
resources: ["orders/finalizers"] |
|||
verbs: ["update"] |
|||
- apiGroups: [""] |
|||
resources: ["secrets"] |
|||
verbs: ["get", "list", "watch"] |
|||
- apiGroups: [""] |
|||
resources: ["events"] |
|||
verbs: ["create", "patch"] |
|||
|
|||
--- |
|||
|
|||
# Challenges controller role |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: cert-manager-controller-challenges |
|||
labels: |
|||
app: cert-manager |
|||
rules: |
|||
# Use to update challenge resource status |
|||
- apiGroups: ["acme.cert-manager.io"] |
|||
resources: ["challenges", "challenges/status"] |
|||
verbs: ["update"] |
|||
# Used to watch challenge resources |
|||
- apiGroups: ["acme.cert-manager.io"] |
|||
resources: ["challenges"] |
|||
verbs: ["get", "list", "watch"] |
|||
# Used to watch challenges, issuer and clusterissuer resources |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["issuers", "clusterissuers"] |
|||
verbs: ["get", "list", "watch"] |
|||
# Need to be able to retrieve ACME account private key to complete challenges |
|||
- apiGroups: [""] |
|||
resources: ["secrets"] |
|||
verbs: ["get", "list", "watch"] |
|||
# Used to create events |
|||
- apiGroups: [""] |
|||
resources: ["events"] |
|||
verbs: ["create", "patch"] |
|||
# HTTP01 rules |
|||
- apiGroups: [""] |
|||
resources: ["pods", "services"] |
|||
verbs: ["get", "list", "watch", "create", "delete"] |
|||
- apiGroups: ["extensions", "networking.k8s.io/v1"] |
|||
resources: ["ingresses"] |
|||
verbs: ["get", "list", "watch", "create", "delete", "update"] |
|||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement |
|||
# admission controller enabled: |
|||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement |
|||
- apiGroups: ["acme.cert-manager.io"] |
|||
resources: ["challenges/finalizers"] |
|||
verbs: ["update"] |
|||
# DNS01 rules (duplicated above) |
|||
- apiGroups: [""] |
|||
resources: ["secrets"] |
|||
verbs: ["get", "list", "watch"] |
|||
|
|||
--- |
|||
|
|||
# ingress-shim controller role |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: cert-manager-controller-ingress-shim |
|||
labels: |
|||
app: cert-manager |
|||
rules: |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["certificates", "certificaterequests"] |
|||
verbs: ["create", "update", "delete"] |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] |
|||
verbs: ["get", "list", "watch"] |
|||
- apiGroups: ["networking.k8s.io/v1"] |
|||
resources: ["ingresses"] |
|||
verbs: ["get", "list", "watch"] |
|||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement |
|||
# admission controller enabled: |
|||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement |
|||
- apiGroups: ["networking.k8s.io/v1"] |
|||
resources: ["ingresses/finalizers"] |
|||
verbs: ["update"] |
|||
- apiGroups: [""] |
|||
resources: ["events"] |
|||
verbs: ["create", "patch"] |
|||
|
|||
--- |
|||
|
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: cert-manager-webhook:webhook-requester |
|||
labels: |
|||
app: webhook |
|||
rules: |
|||
- apiGroups: |
|||
- admission.cert-manager.io |
|||
resources: |
|||
- certificates |
|||
- certificaterequests |
|||
- issuers |
|||
- clusterissuers |
|||
verbs: |
|||
- create |
|||
|
|||
--- |
|||
|
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: cert-manager-view |
|||
labels: |
|||
app: cert-manager |
|||
rbac.authorization.k8s.io/aggregate-to-view: "true" |
|||
rbac.authorization.k8s.io/aggregate-to-edit: "true" |
|||
rbac.authorization.k8s.io/aggregate-to-admin: "true" |
|||
rules: |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["certificates", "certificaterequests", "issuers"] |
|||
verbs: ["get", "list", "watch"] |
|||
|
|||
--- |
|||
|
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: cert-manager-edit |
|||
labels: |
|||
app: cert-manager |
|||
rbac.authorization.k8s.io/aggregate-to-edit: "true" |
|||
rbac.authorization.k8s.io/aggregate-to-admin: "true" |
|||
rules: |
|||
- apiGroups: ["cert-manager.io"] |
|||
resources: ["certificates", "certificaterequests", "issuers"] |
|||
verbs: ["create", "delete", "deletecollection", "patch", "update"] |
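Review bot: Three rules put a version into `apiGroups`: `["extensions", "networking.k8s.io/v1"]` in `cert-manager-controller-challenges`, and `["networking.k8s.io/v1"]` twice in `cert-manager-controller-ingress-shim`. RBAC matches `apiGroups` against the bare group name, so `networking.k8s.io/v1` matches no resource; as written the ingress-shim role grants nothing on `ingresses` or `ingresses/finalizers`, and the challenges role covers only the `extensions` group. Use `apiGroups: ["extensions", "networking.k8s.io"]` in all three rules. Separately, the issuers, clusterissuers and certificates roles each carry cluster-wide create/update/delete on `secrets`; a comment on those rules stating why cluster scope is needed would help the next reviewer.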
@ -0,0 +1,124 @@ |
|||
apiVersion: apps/v1 |
|||
kind: Deployment |
|||
metadata: |
|||
name: cert-manager-cainjector |
|||
labels: |
|||
app: cainjector |
|||
spec: |
|||
replicas: 1 |
|||
selector: |
|||
matchLabels: |
|||
app: cainjector |
|||
template: |
|||
metadata: |
|||
labels: |
|||
app: cainjector |
|||
annotations: |
|||
spec: |
|||
serviceAccountName: cert-manager-cainjector |
|||
containers: |
|||
- name: cainjector |
|||
image: "quay.io/jetstack/cert-manager-cainjector:v0.11.0" |
|||
imagePullPolicy: IfNotPresent |
|||
args: |
|||
- --v=2 |
|||
- --leader-election-namespace=kube-system |
|||
env: |
|||
- name: POD_NAMESPACE |
|||
valueFrom: |
|||
fieldRef: |
|||
fieldPath: metadata.namespace |
|||
resources: |
|||
{} |
|||
|
|||
--- |
|||
|
|||
apiVersion: apps/v1 |
|||
kind: Deployment |
|||
metadata: |
|||
name: cert-manager |
|||
labels: |
|||
app: cert-manager |
|||
spec: |
|||
replicas: 1 |
|||
selector: |
|||
matchLabels: |
|||
app: cert-manager |
|||
template: |
|||
metadata: |
|||
labels: |
|||
app: cert-manager |
|||
annotations: |
|||
prometheus.io/path: "/metrics" |
|||
prometheus.io/scrape: 'true' |
|||
prometheus.io/port: '9402' |
|||
spec: |
|||
serviceAccountName: cert-manager |
|||
containers: |
|||
- name: cert-manager |
|||
image: "quay.io/jetstack/cert-manager-controller:v0.11.0" |
|||
imagePullPolicy: IfNotPresent |
|||
args: |
|||
- --v=2 |
|||
- --cluster-resource-namespace=$(POD_NAMESPACE) |
|||
- --leader-election-namespace=kube-system |
|||
- --webhook-namespace=$(POD_NAMESPACE) |
|||
- --webhook-ca-secret=cert-manager-webhook-ca |
|||
- --webhook-serving-secret=cert-manager-webhook-tls |
|||
- --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.$(namespace),cert-manager-webhook.$(namespace).svc |
|||
ports: |
|||
- containerPort: 9402 |
|||
env: |
|||
- name: POD_NAMESPACE |
|||
valueFrom: |
|||
fieldRef: |
|||
fieldPath: metadata.namespace |
|||
resources: |
|||
requests: |
|||
cpu: 10m |
|||
memory: 32Mi |
|||
|
|||
--- |
|||
|
|||
apiVersion: apps/v1 |
|||
kind: Deployment |
|||
metadata: |
|||
name: cert-manager-webhook |
|||
labels: |
|||
app: webhook |
|||
spec: |
|||
replicas: 1 |
|||
selector: |
|||
matchLabels: |
|||
app: webhook |
|||
template: |
|||
metadata: |
|||
labels: |
|||
app: webhook |
|||
annotations: |
|||
spec: |
|||
serviceAccountName: cert-manager-webhook |
|||
containers: |
|||
- name: cert-manager |
|||
image: "quay.io/jetstack/cert-manager-webhook:v0.11.0" |
|||
imagePullPolicy: IfNotPresent |
|||
args: |
|||
- --v=2 |
|||
- --secure-port=6443 |
|||
- --tls-cert-file=/certs/tls.crt |
|||
- --tls-private-key-file=/certs/tls.key |
|||
env: |
|||
- name: POD_NAMESPACE |
|||
valueFrom: |
|||
fieldRef: |
|||
fieldPath: metadata.namespace |
|||
resources: |
|||
{} |
|||
|
|||
volumeMounts: |
|||
- name: certs |
|||
mountPath: /certs |
|||
volumes: |
|||
- name: certs |
|||
secret: |
|||
secretName: cert-manager-webhook-tls |
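Review bot: None of the three containers sets a `securityContext`, and `cainjector` and the webhook have `resources: {}`, so they run with the image's default user and capabilities and without requests or limits. The controller's service account is bound to ClusterRoles with cluster-wide write access to Secrets, which makes container hardening here more than cosmetic. Add a container-level `securityContext` like the one below to each container after confirming that the v0.11.0 images run as a non-root user, and give cainjector and the webhook requests comparable to the controller's. The empty `annotations:` keys in the cainjector and webhook pod templates parse as null and can be dropped.

```yaml
      containers:
        - name: cainjector
          # … unchanged: image, imagePullPolicy, args, env …
          securityContext:
            runAsNonRoot: true  # verify against the image first
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
```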
@ -0,0 +1,40 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
namespace: cert-manager |
|||
resources: |
|||
- namespace.yaml |
|||
- api-service.yaml |
|||
- cluster-role-binding.yaml |
|||
- cluster-role.yaml |
|||
- deployment.yaml |
|||
- mutating-webhook-configuration.yaml |
|||
- service-account.yaml |
|||
- service.yaml |
|||
- validating-webhook-configuration.yaml |
|||
commonLabels: |
|||
kustomize.component: cert-manager |
|||
images: |
|||
- name: quay.io/jetstack/cert-manager-controller |
|||
newName: quay.io/jetstack/cert-manager-controller |
|||
newTag: v0.11.0 |
|||
- name: quay.io/jetstack/cert-manager-webhook |
|||
newName: quay.io/jetstack/cert-manager-webhook |
|||
newTag: v0.11.0 |
|||
- name: quay.io/jetstack/cert-manager-cainjector |
|||
newName: quay.io/jetstack/cert-manager-cainjector |
|||
newTag: v0.11.0 |
|||
configMapGenerator: |
|||
- name: cert-manager-parameters |
|||
env: params.env |
|||
generatorOptions: |
|||
disableNameSuffixHash: true |
|||
vars: |
|||
- name: namespace |
|||
objref: |
|||
kind: ConfigMap |
|||
name: cert-manager-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.namespace |
|||
configurations: |
|||
- params.yaml |
@ -0,0 +1,32 @@ |
|||
apiVersion: admissionregistration.k8s.io/v1beta1 |
|||
kind: MutatingWebhookConfiguration |
|||
metadata: |
|||
name: cert-manager-webhook |
|||
labels: |
|||
app: webhook |
|||
annotations: |
|||
cert-manager.io/inject-apiserver-ca: "true" |
|||
webhooks: |
|||
- name: webhook.cert-manager.io |
|||
rules: |
|||
- apiGroups: |
|||
- "cert-manager.io" |
|||
apiVersions: |
|||
- v1alpha2 |
|||
operations: |
|||
- CREATE |
|||
- UPDATE |
|||
resources: |
|||
- certificates |
|||
- issuers |
|||
- clusterissuers |
|||
- orders |
|||
- challenges |
|||
- certificaterequests |
|||
failurePolicy: Fail |
|||
clientConfig: |
|||
service: |
|||
name: kubernetes |
|||
namespace: default |
|||
path: /apis/webhook.cert-manager.io/v1beta1/mutations |
|||
caBundle: "" |
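Review bot: The rule lists `orders` and `challenges` under `apiGroups: ["cert-manager.io"]`, but the ClusterRoles in this commit place those two resources in `acme.cert-manager.io`, so this rule likely never matches them and they bypass the mutating webhook. Either add a second rule for `acme.cert-manager.io` covering `orders` and `challenges`, or remove them from this list if defaulting is not intended for them. The webhook also omits `sideEffects`, which the validating configuration in this commit sets to `None`; add `sideEffects: None` here if the handler only mutates the admitted object.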
@ -0,0 +1,4 @@ |
|||
apiVersion: v1 |
|||
kind: Namespace |
|||
metadata: |
|||
name: $(namespace) |
@ -0,0 +1 @@ |
|||
namespace=cert-manager |
@ -0,0 +1,9 @@ |
|||
varReference: |
|||
- path: subjects/namespace |
|||
kind: ClusterRoleBinding |
|||
- path: spec/template/spec/containers/args |
|||
kind: Deployment |
|||
- path: metadata/name |
|||
kind: Namespace |
|||
- path: spec/service/namespace |
|||
kind: APIService |
@ -0,0 +1,25 @@ |
|||
apiVersion: v1 |
|||
kind: ServiceAccount |
|||
metadata: |
|||
name: cert-manager-cainjector |
|||
labels: |
|||
app: cainjector |
|||
|
|||
--- |
|||
|
|||
apiVersion: v1 |
|||
kind: ServiceAccount |
|||
metadata: |
|||
name: cert-manager |
|||
annotations: |
|||
labels: |
|||
app: cert-manager |
|||
|
|||
--- |
|||
|
|||
apiVersion: v1 |
|||
kind: ServiceAccount |
|||
metadata: |
|||
name: cert-manager-webhook |
|||
labels: |
|||
app: webhook |
@ -0,0 +1,30 @@ |
|||
apiVersion: v1 |
|||
kind: Service |
|||
metadata: |
|||
name: cert-manager |
|||
labels: |
|||
app: cert-manager |
|||
spec: |
|||
type: ClusterIP |
|||
ports: |
|||
- protocol: TCP |
|||
port: 9402 |
|||
targetPort: 9402 |
|||
selector: |
|||
app: cert-manager |
|||
|
|||
--- |
|||
apiVersion: v1 |
|||
kind: Service |
|||
metadata: |
|||
name: cert-manager-webhook |
|||
labels: |
|||
app: webhook |
|||
spec: |
|||
type: ClusterIP |
|||
ports: |
|||
- name: https |
|||
port: 443 |
|||
targetPort: 6443 |
|||
selector: |
|||
app: webhook |
@ -0,0 +1,31 @@ |
|||
apiVersion: admissionregistration.k8s.io/v1beta1 |
|||
kind: ValidatingWebhookConfiguration |
|||
metadata: |
|||
name: cert-manager-webhook |
|||
labels: |
|||
app: webhook |
|||
annotations: |
|||
cert-manager.io/inject-apiserver-ca: "true" |
|||
webhooks: |
|||
- name: webhook.certmanager.k8s.io |
|||
rules: |
|||
- apiGroups: |
|||
- "cert-manager.io" |
|||
apiVersions: |
|||
- v1alpha2 |
|||
operations: |
|||
- CREATE |
|||
- UPDATE |
|||
resources: |
|||
- certificates |
|||
- issuers |
|||
- clusterissuers |
|||
- certificaterequests |
|||
failurePolicy: Fail |
|||
sideEffects: None |
|||
clientConfig: |
|||
service: |
|||
name: kubernetes |
|||
namespace: default |
|||
path: /apis/webhook.cert-manager.io/v1beta1/validations |
|||
caBundle: "" |
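Review bot: The webhook is named `webhook.certmanager.k8s.io`, the pre-rename API group, while the mutating configuration uses `webhook.cert-manager.io` and the `clientConfig` path here is already `/apis/webhook.cert-manager.io/v1beta1/validations`. Change it to `- name: webhook.cert-manager.io` so the two configurations are identified consistently in audit logs and admission errors. With `failurePolicy: Fail` and no `namespaceSelector`, every create or update of these resources is rejected while the webhook is unavailable, including in cert-manager's own namespace; record that choice in a comment, or add a selector for namespaces that must keep working during an outage.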
@ -0,0 +1,18 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
bases: |
|||
- base |
|||
commonLabels: |
|||
app.kubernetes.io/component: cert-manager |
|||
app.kubernetes.io/instance: cert-manager-v0.7.0 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/name: cert-manager |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: v0.7.0 |
|||
kustomize.component: cert-manager |
|||
configurations: |
|||
- overlays/application/params.yaml |
|||
kind: Kustomization |
|||
namespace: cert-manager |
|||
resources: |
|||
- overlays/self-signed/cluster-issuer.yaml |
|||
- overlays/application/application.yaml |
@ -0,0 +1,35 @@ |
|||
apiVersion: app.k8s.io/v1beta1 |
|||
kind: Application |
|||
metadata: |
|||
name: cert-manager |
|||
spec: |
|||
selector: |
|||
matchLabels: |
|||
app.kubernetes.io/name: cert-manager |
|||
app.kubernetes.io/instance: cert-manager-v0.7.0 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/component: cert-manager |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: v0.7.0 |
|||
componentKinds: |
|||
- group: rbac |
|||
kind: ClusterRole |
|||
- group: rbac |
|||
kind: ClusterRoleBinding |
|||
- group: core |
|||
kind: Namespace |
|||
- group: core |
|||
kind: Service |
|||
- group: apps |
|||
kind: Deployment |
|||
- group: core |
|||
kind: ServiceAccount |
|||
descriptor: |
|||
type: "" |
|||
version: "v0.10.0" |
|||
description: "Automatically provision and manage TLS certificates in Kubernetes https://jetstack.io." |
|||
keywords: |
|||
- cert-manager |
|||
links: |
|||
- description: About |
|||
url: "https://github.com/jetstack/cert-manager" |
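Review bot: `descriptor.version` is `"v0.10.0"`, but the base kustomization and the Deployments in this commit run the `v0.11.0` images, so anything that reads the Application object for inventory or vulnerability tracking gets the wrong cert-manager version. Set `version: "v0.11.0"`. `componentKinds` also uses `group: rbac` where the centraldashboard Application spells out `rbac.authorization.k8s.io`, and it omits the webhook configurations and the APIService that this component installs.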
@ -0,0 +1,15 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
bases: |
|||
- ../../base |
|||
resources: |
|||
- application.yaml |
|||
configurations: |
|||
- params.yaml |
|||
commonLabels: |
|||
app.kubernetes.io/name: cert-manager |
|||
app.kubernetes.io/instance: cert-manager-v0.7.0 |
|||
app.kubernetes.io/managed-by: kfctl |
|||
app.kubernetes.io/component: cert-manager |
|||
app.kubernetes.io/part-of: kubeflow |
|||
app.kubernetes.io/version: v0.7.0 |
@ -0,0 +1,11 @@ |
|||
varReference: |
|||
- path: metadata/name |
|||
kind: Application |
|||
- path: spec/selector/matchLabels/app.kubernetes.io\/instance |
|||
kind: Application |
|||
- path: spec/template/metadata/labels/app.kubernetes.io\/instance |
|||
kind: Deployment |
|||
- path: spec/selector/matchLabels/app.kubernetes.io\/instance |
|||
kind: Deployment |
|||
- path: spec/selector/app.kubernetes.io\/instance |
|||
kind: Service |
@ -0,0 +1,11 @@ |
|||
apiVersion: cert-manager.io/v1alpha2 |
|||
kind: ClusterIssuer |
|||
metadata: |
|||
name: letsencrypt-prod |
|||
spec: |
|||
acme: |
|||
email: $(acmeEmail) |
|||
http01: {} |
|||
privateKeySecretRef: |
|||
name: letsencrypt-prod-secret |
|||
server: $(acmeUrl) |
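Review bot: `http01: {}` sits directly under `acme`, which is the older issuer layout. As far as I know, `cert-manager.io/v1alpha2` expects challenge solvers under `spec.acme.solvers`, so this ClusterIssuer may be rejected or left without a usable solver. If that holds for the release installed here, the equivalent is `solvers: [{http01: {ingress: {}}}]`. Separately, the overlay's `params.env` leaves `acmeEmail` empty and points `acmeUrl` at the Let's Encrypt production directory; a comment that both must be reviewed before first use would prevent registering against production limits with no contact address.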
@ -0,0 +1,32 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
bases: |
|||
- ../../base |
|||
namespace: cert-manager |
|||
resources: |
|||
- cluster-issuer.yaml |
|||
commonLabels: |
|||
kustomize.component: cert-manager |
|||
configMapGenerator: |
|||
- name: cert-manager-parameters |
|||
behavior: merge |
|||
env: params.env |
|||
generatorOptions: |
|||
disableNameSuffixHash: true |
|||
vars: |
|||
- name: acmeEmail |
|||
objref: |
|||
kind: ConfigMap |
|||
name: cert-manager-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.acmeEmail |
|||
- name: acmeUrl |
|||
objref: |
|||
kind: ConfigMap |
|||
name: cert-manager-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.acmeUrl |
|||
configurations: |
|||
- params.yaml |
@ -0,0 +1,2 @@ |
|||
acmeEmail= |
|||
acmeUrl=https://acme-v02.api.letsencrypt.org/directory |
@ -0,0 +1,5 @@ |
|||
varReference: |
|||
- path: spec/acme/email |
|||
kind: ClusterIssuer |
|||
- path: spec/acme/server |
|||
kind: ClusterIssuer |
@ -0,0 +1,6 @@ |
|||
apiVersion: cert-manager.io/v1alpha2 |
|||
kind: ClusterIssuer |
|||
metadata: |
|||
name: kubeflow-self-signing-issuer |
|||
spec: |
|||
selfSigned: {} |
@ -0,0 +1,8 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
bases: |
|||
- ../../base |
|||
resources: |
|||
- cluster-issuer.yaml |
|||
commonLabels: |
|||
kustomize.component: cert-manager |
@ -0,0 +1,30 @@ |
|||
--- |
|||
apiVersion: v1 |
|||
kind: ConfigMap |
|||
metadata: |
|||
name: dex |
|||
data: |
|||
config.yaml: | |
|||
issuer: $(issuer) |
|||
storage: |
|||
type: kubernetes |
|||
config: |
|||
inCluster: true |
|||
web: |
|||
http: 0.0.0.0:5556 |
|||
logger: |
|||
level: "debug" |
|||
format: text |
|||
oauth2: |
|||
skipApprovalScreen: true |
|||
enablePasswordDB: true |
|||
staticPasswords: |
|||
- email: $(static_email) |
|||
hash: $(static_password_hash) |
|||
username: $(static_username) |
|||
userID: $(static_user_id) |
|||
staticClients: |
|||
- id: $(client_id) |
|||
redirectURIs: $(oidc_redirect_uris) |
|||
name: 'Dex Login Application' |
|||
secret: $(application_secret) |
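Review bot: The rendered `config.yaml` places the static client `secret` and the static user's password `hash` in a ConfigMap, where anyone with read access to ConfigMaps in the namespace can fetch them and where Secret-specific controls (tighter RBAC, encryption at rest where configured) do not apply. The values arrive through the `dex-parameters` ConfigMap and the `vars` in the Dex kustomization, so the same exposure exists there. Mounting this file from a Secret would address both. Also in this file, `level: "debug"` is better lowered to `info` for an identity provider outside development. `http: 0.0.0.0:5556` serves logins without TLS unless something in front terminates it.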
@ -0,0 +1,45 @@ |
|||
--- |
|||
apiVersion: apiextensions.k8s.io/v1beta1 |
|||
kind: CustomResourceDefinition |
|||
metadata: |
|||
name: authcodes.dex.coreos.com |
|||
spec: |
|||
group: dex.coreos.com |
|||
names: |
|||
kind: AuthCode |
|||
listKind: AuthCodeList |
|||
plural: authcodes |
|||
singular: authcode |
|||
scope: Namespaced |
|||
version: v1 |
|||
--- |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: dex |
|||
rules: |
|||
- apiGroups: ["dex.coreos.com"] # API group created by dex |
|||
resources: ["*"] |
|||
verbs: ["*"] |
|||
- apiGroups: ["apiextensions.k8s.io"] |
|||
resources: ["customresourcedefinitions"] |
|||
verbs: ["create"] # To manage its own resources identity must be able to create customresourcedefinitions. |
|||
--- |
|||
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
name: dex |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: dex |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: dex # Service account assigned to the dex pod. |
|||
namespace: auth # The namespace dex is running in. |
|||
--- |
|||
apiVersion: v1 |
|||
kind: ServiceAccount |
|||
metadata: |
|||
name: dex |
|||
namespace: auth |
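Review bot: The `dex` ClusterRole grants `resources: ["*"]` and `verbs: ["*"]` on `dex.coreos.com` and is bound cluster-wide, although the CRD shown is `scope: Namespaced` and the service account lives in `auth`. A Role and RoleBinding in `auth` for the `dex.coreos.com` rule would limit what a compromised Dex pod can reach, leaving only the `customresourcedefinitions` `create` rule cluster-scoped. `rbac.authorization.k8s.io/v1beta1` and `apiextensions.k8s.io/v1beta1` are deprecated. The RBAC objects can move to `v1` unchanged, while the CRD would additionally need a `versions` list with a schema.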
@ -0,0 +1,34 @@ |
|||
apiVersion: apps/v1 |
|||
kind: Deployment |
|||
metadata: |
|||
labels: |
|||
app: dex |
|||
name: dex |
|||
spec: |
|||
replicas: 1 |
|||
selector: |
|||
matchLabels: |
|||
app: dex |
|||
template: |
|||
metadata: |
|||
labels: |
|||
app: dex |
|||
spec: |
|||
serviceAccountName: dex |
|||
containers: |
|||
- image: quay.io/coreos/dex:v2.9.0 |
|||
name: dex |
|||
command: ["dex", "serve", "/etc/dex/cfg/config.yaml"] |
|||
ports: |
|||
- name: http |
|||
containerPort: 5556 |
|||
volumeMounts: |
|||
- name: config |
|||
mountPath: /etc/dex/cfg |
|||
volumes: |
|||
- name: config |
|||
configMap: |
|||
name: dex |
|||
items: |
|||
- key: config.yaml |
|||
path: config.yaml |
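Review bot: The `dex` container declares no `securityContext` and no `resources`, so the identity provider runs with whatever user and privileges the image defaults to and without a memory or CPU bound. Unless the image needs otherwise, I would add `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true}` on the container together with explicit requests and limits. A comment next to `image:` noting that the kustomization's `images` entry replaces `quay.io/coreos/dex:v2.9.0` would also help, since the tag here is not what gets deployed.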
@ -0,0 +1,84 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
namespace: auth |
|||
resources: |
|||
- namespace.yaml |
|||
- config-map.yaml |
|||
- crds.yaml |
|||
- deployment.yaml |
|||
- service.yaml |
|||
configMapGenerator: |
|||
- name: dex-parameters |
|||
env: params.env |
|||
generatorOptions: |
|||
disableNameSuffixHash: true |
|||
vars: |
|||
- name: dex_domain |
|||
objref: |
|||
kind: ConfigMap |
|||
name: dex-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.dex_domain |
|||
- name: issuer |
|||
objref: |
|||
kind: ConfigMap |
|||
name: dex-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.issuer |
|||
- name: static_email |
|||
objref: |
|||
kind: ConfigMap |
|||
name: dex-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.static_email |
|||
- name: static_password_hash |
|||
objref: |
|||
kind: ConfigMap |
|||
name: dex-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.static_password_hash |
|||
- name: static_username |
|||
objref: |
|||
kind: ConfigMap |
|||
name: dex-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.static_username |
|||
- name: static_user_id |
|||
objref: |
|||
kind: ConfigMap |
|||
name: dex-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.static_user_id |
|||
- name: client_id |
|||
objref: |
|||
kind: ConfigMap |
|||
name: dex-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.client_id |
|||
- name: oidc_redirect_uris |
|||
objref: |
|||
kind: ConfigMap |
|||
name: dex-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.oidc_redirect_uris |
|||
- name: application_secret |
|||
objref: |
|||
kind: ConfigMap |
|||
name: dex-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.application_secret |
|||
configurations: |
|||
- params.yaml |
|||
images: |
|||
- name: quay.io/coreos/dex |
|||
newName: gcr.io/arrikto/dexidp/dex |
|||
newTag: 4bede5eb80822fc3a7fc9edca0ed2605cd339d17 |
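Review bot: The `images` override pins `gcr.io/arrikto/dexidp/dex` by `newTag`, and a tag can be re-pointed in the registry even when it looks like a commit hash. Kustomize's `images` entry accepts `digest:` for this, e.g. `digest: sha256:<digest-of-the-reviewed-image>` (placeholder), which fixes the exact content that was reviewed. Because this override silently replaces the `quay.io/coreos/dex` image named in the Deployment, a one-line comment saying why the Arrikto build is required would help later audits.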
@ -0,0 +1,4 @@ |
|||
apiVersion: v1 |
|||
kind: Namespace |
|||
metadata: |
|||
name: auth |
@ -0,0 +1,11 @@ |
|||
# Dex Server Parameters (some params are shared with client) |
|||
dex_domain=dex.example.com |
|||
# Set issuer to https if tls is enabled |
|||
issuer=http://dex.auth.svc.cluster.local:5556/dex |
|||
static_email=leonard.aukea@volvocars.com |
|||
static_password_hash=$2y$12$ruoM7FqXrpVgaol44eRZW.4HWS8SAvg6KYVVSCIwKQPBmTpCm.EeO |
|||
static_username=admin |
|||
static_user_id=08a8684b-db88-4b73-90a9-3cd1661f5466 |
|||
client_id=kubeflow-oidc-authservice |
|||
oidc_redirect_uris=["/login/oidc"] |
|||
application_secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok |
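Review bot: This file commits working default credentials. `static_password_hash` and `application_secret` hold concrete values, so every install that does not override them shares the same `admin` login and OIDC client secret, both readable by anyone with access to the repository. Ship these two keys empty or as obvious placeholders, and document that they must be generated per deployment. `static_email` holds what looks like a personal address and is better replaced with a neutral example such as `admin@example.com`. `issuer` defaults to `http://`, which the comment above it already says must change once TLS is enabled.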
@ -0,0 +1,5 @@ |
|||
varReference: |
|||
- path: spec/template/spec/volumes/secret/secretName |
|||
kind: Deployment |
|||
- path: data/config.yaml |
|||
kind: ConfigMap |
@ -0,0 +1,14 @@ |
|||
apiVersion: v1 |
|||
kind: Service |
|||
metadata: |
|||
name: dex |
|||
spec: |
|||
type: NodePort |
|||
ports: |
|||
- name: dex |
|||
port: 5556 |
|||
protocol: TCP |
|||
targetPort: 5556 |
|||
nodePort: 32000 |
|||
selector: |
|||
app: dex |
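Review bot: `type: NodePort` with `nodePort: 32000` publishes Dex's plain-HTTP listener on every node address, outside whatever gateway or mesh policy fronts the cluster. The default `issuer` uses the in-cluster service name and an Istio virtual-service overlay is part of this change, so `type: ClusterIP` looks sufficient here. If external access is needed, routing it through the gateway with TLS keeps the login endpoint behind one controlled entry point.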
@ -0,0 +1,23 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
bases: |
|||
- base |
|||
configMapGenerator: |
|||
- behavior: merge |
|||
env: overlays/istio/params.env |
|||
name: dex-parameters |
|||
configurations: |
|||
- overlays/istio/params.yaml |
|||
generatorOptions: |
|||
disableNameSuffixHash: true |
|||
kind: Kustomization |
|||
namespace: auth |
|||
resources: |
|||
- overlays/istio/virtual-service.yaml |
|||
vars: |
|||
- fieldref: |
|||
fieldPath: data.namespace |
|||
name: namespace |
|||
objref: |
|||
apiVersion: v1 |
|||
kind: ConfigMap |
|||
name: dex-parameters |
@ -0,0 +1,23 @@ |
|||
apiVersion: kustomize.config.k8s.io/v1beta1 |
|||
kind: Kustomization |
|||
bases: |
|||
- ../../base |
|||
resources: |
|||
- virtual-service.yaml |
|||
|
|||
configMapGenerator: |
|||
- name: dex-parameters |
|||
behavior: merge |
|||
env: params.env |
|||
generatorOptions: |
|||
disableNameSuffixHash: true |
|||
vars: |
|||
- name: namespace |
|||
objref: |
|||
kind: ConfigMap |
|||
name: dex-parameters |
|||
apiVersion: v1 |
|||
fieldref: |
|||
fieldpath: data.namespace |
|||
configurations: |
|||
- params.yaml |
@ -0,0 +1 @@ |
|||
namespace=auth |