volvo-kustomize added

6 years ago · 2e7344a75f
474 changed files with 46362 additions and 0 deletions
--- a/kustomize/api-service/base/config-map.yaml
+++ b/kustomize/api-service/base/config-map.yaml
@ -0,0 +1,25 @@
 # The configuration for the ML pipelines APIServer
 # Based on https://github.com/kubeflow/pipelines/blob/master/backend/src/apiserver/config/config.json
 apiVersion: v1
 data:
  # apiserver assumes the config is named config.json
  config.json: |
    {
      "DBConfig": {
        "DriverName": "mysql",
        "DataSourceName": "",
        "DBName": "mlpipeline"
      },
      "ObjectStoreConfig":{
        "AccessKey": "minio",
        "SecretAccessKey": "minio123",
        "BucketName": "mlpipeline"
      },
      "InitConnectionTimeout": "6m",
      "DefaultPipelineRunnerServiceAccount": "pipeline-runner",
      "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_HOST": "ml-pipeline-ml-pipeline-visualizationserver",
      "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT": 8888
    }
 kind: ConfigMap
 metadata:
  name: ml-pipeline-config
--- a/kustomize/api-service/base/deployment.yaml
+++ b/kustomize/api-service/base/deployment.yaml
@ -0,0 +1,32 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ml-pipeline
 spec:
  template:
    spec:
      containers:
      - name: ml-pipeline-api-server
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: gcr.io/ml-pipeline/api-server
        imagePullPolicy: IfNotPresent
        command:
          - apiserver 
          - --config=/etc/ml-pipeline-config
          - --sampleconfig=/config/sample_config.json 
          - -logtostderr=true
        ports:
        - containerPort: 8888
        - containerPort: 8887
        volumeMounts:
        - name: config-volume
          mountPath: /etc/ml-pipeline-config
      serviceAccountName: ml-pipeline      
      volumes:
        - name: config-volume
          configMap:
            name: ml-pipeline-config
--- a/kustomize/api-service/base/kustomization.yaml
+++ b/kustomize/api-service/base/kustomization.yaml
@ -0,0 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 commonLabels:
  app: ml-pipeline
 resources:
 - config-map.yaml
 - deployment.yaml
 - role-binding.yaml
 - role.yaml
 - service-account.yaml
 - service.yaml
 images:
 - name: gcr.io/ml-pipeline/api-server
  newTag: 0.1.31
  newName: gcr.io/ml-pipeline/api-server
--- a/kustomize/api-service/base/role-binding.yaml
+++ b/kustomize/api-service/base/role-binding.yaml
@ -0,0 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: ml-pipeline
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ml-pipeline
 subjects:
 - kind: ServiceAccount
  name: ml-pipeline
--- a/kustomize/api-service/base/role.yaml
+++ b/kustomize/api-service/base/role.yaml
@ -0,0 +1,28 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: ml-pipeline
 rules:
 - apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
 - apiGroups:
  - kubeflow.org
  resources:
  - scheduledworkflows
  verbs:
  - create
  - get
  - list
  - update
  - patch
  - delete
--- a/kustomize/api-service/base/service-account.yaml
+++ b/kustomize/api-service/base/service-account.yaml
@ -0,0 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ml-pipeline
--- a/kustomize/api-service/base/service.yaml
+++ b/kustomize/api-service/base/service.yaml
@ -0,0 +1,14 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: ml-pipeline
 spec:
  ports:
  - name: http
    port: 8888
    protocol: TCP
    targetPort: 8888
  - name: grpc
    port: 8887
    protocol: TCP
    targetPort: 8887
--- a/kustomize/api-service/kustomization.yaml
+++ b/kustomize/api-service/kustomization.yaml
@ -0,0 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 bases:
 - base
 commonLabels:
  app.kubernetes.io/component: api-service
  app.kubernetes.io/instance: api-service-0.1.31
  app.kubernetes.io/managed-by: kfctl
  app.kubernetes.io/name: api-service
  app.kubernetes.io/part-of: kubeflow
  app.kubernetes.io/version: 0.1.31
 kind: Kustomization
 namespace: kubeflow
 resources:
 - overlays/application/application.yaml
--- a/kustomize/api-service/overlays/application/application.yaml
+++ b/kustomize/api-service/overlays/application/application.yaml
@ -0,0 +1,31 @@
 apiVersion: app.k8s.io/v1beta1
 kind: Application
 metadata:
  name: api-service
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: api-service
      app.kubernetes.io/instance: api-service-0.1.31
      app.kubernetes.io/managed-by: kfctl
      app.kubernetes.io/component: api-service
      app.kubernetes.io/part-of: kubeflow
      app.kubernetes.io/version: 0.1.31
  componentKinds:
  - group: core
    kind: ConfigMap
  - group: apps
    kind: Deployment
  descriptor:
    type: api-service
    version: v1beta1
    description: ""
    maintainers: []
    owners: []
    keywords:
     - api-service
     - kubeflow
    links:
    - description: About
      url: ""
  addOwnerRef: true
--- a/kustomize/api-service/overlays/application/kustomization.yaml
+++ b/kustomize/api-service/overlays/application/kustomization.yaml
@ -0,0 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
 - ../../base
 resources:
 - application.yaml
 commonLabels:
  app.kubernetes.io/name: api-service
  app.kubernetes.io/instance: api-service-0.1.31
  app.kubernetes.io/managed-by: kfctl
  app.kubernetes.io/component: api-service
  app.kubernetes.io/part-of: kubeflow
  app.kubernetes.io/version: 0.1.31
--- a/kustomize/application-crds/base/crd.yaml
+++ b/kustomize/application-crds/base/crd.yaml
@ -0,0 +1,239 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  creationTimestamp: null
  name: applications.app.k8s.io
 spec:
  group: app.k8s.io
  names:
    kind: Application
    plural: applications
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          type: string
        kind:
          type: string
        metadata:
          type: object
        spec:
          properties:
            addOwnerRef:
              type: boolean
            assemblyPhase:
              type: string
            componentKinds:
              items:
                type: object
              type: array
            descriptor:
              properties:
                description:
                  type: string
                icons:
                  items:
                    properties:
                      size:
                        type: string
                      src:
                        type: string
                      type:
                        type: string
                    required:
                    - src
                    type: object
                  type: array
                keywords:
                  items:
                    type: string
                  type: array
                links:
                  items:
                    properties:
                      description:
                        type: string
                      url:
                        type: string
                    type: object
                  type: array
                maintainers:
                  items:
                    properties:
                      email:
                        type: string
                      name:
                        type: string
                      url:
                        type: string
                    type: object
                  type: array
                notes:
                  type: string
                owners:
                  items:
                    properties:
                      email:
                        type: string
                      name:
                        type: string
                      url:
                        type: string
                    type: object
                  type: array
                type:
                  type: string
                version:
                  type: string
              type: object
            info:
              items:
                properties:
                  name:
                    type: string
                  type:
                    type: string
                  value:
                    type: string
                  valueFrom:
                    properties:
                      configMapKeyRef:
                        properties:
                          apiVersion:
                            type: string
                          fieldPath:
                            type: string
                          key:
                            type: string
                          kind:
                            type: string
                          name:
                            type: string
                          namespace:
                            type: string
                          resourceVersion:
                            type: string
                          uid:
                            type: string
                        type: object
                      ingressRef:
                        properties:
                          apiVersion:
                            type: string
                          fieldPath:
                            type: string
                          host:
                            type: string
                          kind:
                            type: string
                          name:
                            type: string
                          namespace:
                            type: string
                          path:
                            type: string
                          resourceVersion:
                            type: string
                          uid:
                            type: string
                        type: object
                      secretKeyRef:
                        properties:
                          apiVersion:
                            type: string
                          fieldPath:
                            type: string
                          key:
                            type: string
                          kind:
                            type: string
                          name:
                            type: string
                          namespace:
                            type: string
                          resourceVersion:
                            type: string
                          uid:
                            type: string
                        type: object
                      serviceRef:
                        properties:
                          apiVersion:
                            type: string
                          fieldPath:
                            type: string
                          kind:
                            type: string
                          name:
                            type: string
                          namespace:
                            type: string
                          path:
                            type: string
                          port:
                            format: int32
                            type: integer
                          resourceVersion:
                            type: string
                          uid:
                            type: string
                        type: object
                      type:
                        type: string
                    type: object
                type: object
              type: array
            selector:
              type: object
          type: object
        status:
          properties:
            components:
              items:
                properties:
                  group:
                    type: string
                  kind:
                    type: string
                  link:
                    type: string
                  name:
                    type: string
                  status:
                    type: string
                type: object
              type: array
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    format: date-time
                    type: string
                  lastUpdateTime:
                    format: date-time
                    type: string
                  message:
                    type: string
                  reason:
                    type: string
                  status:
                    type: string
                  type:
                    type: string
                required:
                - type
                - status
                type: object
              type: array
            observedGeneration:
              format: int64
              type: integer
          type: object
  version: v1beta1
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/kustomize/application-crds/base/kustomization.yaml
+++ b/kustomize/application-crds/base/kustomization.yaml
@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - crd.yaml
--- a/kustomize/application-crds/kustomization.yaml
+++ b/kustomize/application-crds/kustomization.yaml
@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 bases:
 - base
 kind: Kustomization
 namespace: kubeflow
--- a/kustomize/application/base/cluster-role-binding.yaml
+++ b/kustomize/application/base/cluster-role-binding.yaml
@ -0,0 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: cluster-role-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role
 subjects:
 - kind: ServiceAccount
  name: service-account
--- a/kustomize/application/base/cluster-role.yaml
+++ b/kustomize/application/base/cluster-role.yaml
@ -0,0 +1,21 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: cluster-role
 rules:
 - apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - update
  - patch
  - watch
 - apiGroups:
  - app.k8s.io
  resources:
  - '*'
  verbs:
  - '*'
--- a/kustomize/application/base/kustomization.yaml
+++ b/kustomize/application/base/kustomization.yaml
@ -0,0 +1,29 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - cluster-role.yaml
 - cluster-role-binding.yaml
 - service-account.yaml
 - service.yaml
 - stateful-set.yaml
 namespace: kubeflow
 nameprefix: application-controller-
 configMapGenerator:
 - name: parameters
  env: params.env
 generatorOptions:
  disableNameSuffixHash: true
 images:
 - name: gcr.io/kubeflow-images-public/kubernetes-sigs/application
  newName: gcr.io/kubeflow-images-public/kubernetes-sigs/application
  newTag: 1.0-beta
 vars:
 - name: project
  objref:
    kind: ConfigMap
    name: parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.project
 configurations:
 - params.yaml
--- a/kustomize/application/base/params.env
+++ b/kustomize/application/base/params.env
@ -0,0 +1 @@
 project=
--- a/kustomize/application/base/params.yaml
+++ b/kustomize/application/base/params.yaml
@ -0,0 +1,3 @@
 varReference:
 - path: spec/template/spec/containers/image
  kind: StatefulSet
--- a/kustomize/application/base/service-account.yaml
+++ b/kustomize/application/base/service-account.yaml
@ -0,0 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: service-account
--- a/kustomize/application/base/service.yaml
+++ b/kustomize/application/base/service.yaml
@ -0,0 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: service
 spec:
  ports:
  - port: 443
--- a/kustomize/application/base/stateful-set.yaml
+++ b/kustomize/application/base/stateful-set.yaml
@ -0,0 +1,27 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: stateful-set
 spec:
  serviceName: service
  selector:
    matchLabels:
      app: application-controller
  template:
    metadata:
      labels:
        app: application-controller
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - name: manager
        command:
        - /root/manager
        image: gcr.io/kubeflow-images-public/kubernetes-sigs/application
        imagePullPolicy: Always
        env:
        - name: project
          value: $(project)
      serviceAccountName: service-account
  volumeClaimTemplates: []
--- a/kustomize/application/kustomization.yaml
+++ b/kustomize/application/kustomization.yaml
@ -0,0 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 bases:
 - base
 commonLabels:
  app.kubernetes.io/component: kubeflow
  app.kubernetes.io/instance: kubeflow-v0.7.0
  app.kubernetes.io/managed-by: kfctl
  app.kubernetes.io/name: kubeflow
  app.kubernetes.io/part-of: kubeflow
  app.kubernetes.io/version: v0.7.0
 kind: Kustomization
 namespace: kubeflow
 resources:
 - overlays/application/application.yaml
--- a/kustomize/application/overlays/application/application.yaml
+++ b/kustomize/application/overlays/application/application.yaml
@ -0,0 +1,34 @@
 apiVersion: app.k8s.io/v1beta1
 kind: Application
 metadata:
  name: kubeflow
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: kubeflow
      app.kubernetes.io/instance: kubeflow-v0.7.0
      app.kubernetes.io/managed-by: kfctl
      app.kubernetes.io/component: kubeflow
      app.kubernetes.io/part-of: kubeflow
      app.kubernetes.io/version: v0.7.0
  componentKinds:
    - group: app.k8s.io
      kind: Application
  descriptor: 
    type: kubeflow
    version: v1beta1
    description: application that aggregates all kubeflow applications
    maintainers:
    - name: Jeremy Lewi
      email: jlewi@google.com
    - name: Kam Kasravi
      email: kam.d.kasravi@intel.com
    owners:
    - name: Jeremy Lewi
      email: jlewi@google.com
    keywords:
     - kubeflow
    links:
    - description: About
      url: "https://kubeflow.org"
  addOwnerRef: true
--- a/kustomize/application/overlays/application/kustomization.yaml
+++ b/kustomize/application/overlays/application/kustomization.yaml
@ -0,0 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
 - ../../base
 resources:
 - application.yaml
 commonLabels:
  app.kubernetes.io/name: kubeflow
  app.kubernetes.io/instance: kubeflow-v0.7.0
  app.kubernetes.io/managed-by: kfctl
  app.kubernetes.io/component: kubeflow
  app.kubernetes.io/part-of: kubeflow
  app.kubernetes.io/version: v0.7.0
--- a/kustomize/application/overlays/debug/kustomization.yaml
+++ b/kustomize/application/overlays/debug/kustomization.yaml
@ -0,0 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
 - ../../base
 patchesStrategicMerge:
 - stateful-set.yaml
 images:
 - name: gcr.io/$(project)/application-controller
  newName: gcr.io/$(project)/application-controller
  newTag: latest
--- a/kustomize/application/overlays/debug/stateful-set.yaml
+++ b/kustomize/application/overlays/debug/stateful-set.yaml
@ -0,0 +1,25 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: stateful-set
 spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - name: manager
        image: gcr.io/$(project)/application-controller:latest
        command:
        - /go/bin/dlv
        args:
        - --listen=:2345
        - --headless=true
        - --api-version=2
        - exec
        - /go/src/github.com/kubernetes-sigs/application/manager
        ports:
        - containerPort: 2345
        securityContext:
          privileged: true
--- a/kustomize/argo/base/cluster-role-binding.yaml
+++ b/kustomize/argo/base/cluster-role-binding.yaml
@ -0,0 +1,29 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app: argo
  name: argo
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo
 subjects:
 - kind: ServiceAccount
  name: argo
  namespace: kubeflow
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app: argo-ui
  name: argo-ui
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-ui
 subjects:
 - kind: ServiceAccount
  name: argo-ui
--- a/kustomize/argo/base/cluster-role.yaml
+++ b/kustomize/argo/base/cluster-role.yaml
@ -0,0 +1,79 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  labels:
    app: argo
  name: argo
 rules:
 - apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
 - apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
 - apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
 - apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  labels:
    app: argo
  name: argo-ui
 rules:
 - apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  - pods/log
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
 - apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  verbs:
  - get
  - list
  - watch
--- a/kustomize/argo/base/config-map.yaml
+++ b/kustomize/argo/base/config-map.yaml
@ -0,0 +1,29 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: workflow-controller-configmap
  namespace: kubeflow
 data:
  config: |
    {
    executorImage: $(executorImage),
    containerRuntimeExecutor: $(containerRuntimeExecutor),
    artifactRepository:
    {
        s3: {
            bucket: $(artifactRepositoryBucket),
            keyPrefix: $(artifactRepositoryKeyPrefix),
            endpoint: $(artifactRepositoryEndpoint),
            insecure: $(artifactRepositoryInsecure),
            accessKeySecret: {
                name: $(artifactRepositoryAccessKeySecretName),
                key: $(artifactRepositoryAccessKeySecretKey)
            },
            secretKeySecret: {
                name: $(artifactRepositorySecretKeySecretName),
                key: $(artifactRepositorySecretKeySecretKey)
            }
        }
    }
    }
--- a/kustomize/argo/base/crd.yaml
+++ b/kustomize/argo/base/crd.yaml
@ -0,0 +1,15 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: workflows.argoproj.io
 spec:
  group: argoproj.io
  names:
    kind: Workflow
    listKind: WorkflowList
    plural: workflows
    shortNames:
    - wf
    singular: workflow
  scope: Namespaced
  version: v1alpha1
--- a/kustomize/argo/base/deployment.yaml
+++ b/kustomize/argo/base/deployment.yaml
@ -0,0 +1,111 @@
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
    app: argo-ui
  name: argo-ui
  namespace: kubeflow
 spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: argo-ui
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: argo-ui
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - env:
        - name: ARGO_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: IN_CLUSTER
          value: 'true'
        - name: ENABLE_WEB_CONSOLE
          value: 'false'
        - name: BASE_HREF
          value: /argo/
        image: argoproj/argoui:v2.3.0
        imagePullPolicy: IfNotPresent
        name: argo-ui
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        readinessProbe:
          httpGet:
            path: /
            port: 8001
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: argo-ui
      serviceAccountName: argo-ui
      terminationGracePeriodSeconds: 30
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
    app: workflow-controller
  name: workflow-controller
  namespace: kubeflow
 spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: workflow-controller
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: workflow-controller
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - args:
        - --configmap
        - workflow-controller-configmap
        command:
        - workflow-controller
        env:
        - name: ARGO_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: argoproj/workflow-controller:v2.3.0
        imagePullPolicy: IfNotPresent
        name: workflow-controller
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: argo
      serviceAccountName: argo
      terminationGracePeriodSeconds: 30
--- a/kustomize/argo/base/kustomization.yaml
+++ b/kustomize/argo/base/kustomization.yaml
@ -0,0 +1,111 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - cluster-role-binding.yaml
 - cluster-role.yaml
 - config-map.yaml
 - crd.yaml
 - deployment.yaml
 - service-account.yaml
 - service.yaml
 commonLabels:
  kustomize.component: argo
 images:
 - name: argoproj/argoui
  newName: argoproj/argoui
  newTag: v2.3.0
 - name: argoproj/workflow-controller
  newName: argoproj/workflow-controller
  newTag: v2.3.0
 configMapGenerator:
 - name: workflow-controller-parameters
  env: params.env
 generatorOptions:
  disableNameSuffixHash: true
 vars:
 - name: executorImage
  objref:
    kind: ConfigMap
    name: workflow-controller-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.executorImage
 - name: containerRuntimeExecutor
  objref:
    kind: ConfigMap
    name: workflow-controller-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.containerRuntimeExecutor
 - name: artifactRepositoryBucket
  objref:
    kind: ConfigMap
    name: workflow-controller-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.artifactRepositoryBucket
 - name: artifactRepositoryKeyPrefix
  objref:
    kind: ConfigMap
    name: workflow-controller-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.artifactRepositoryKeyPrefix
 - name: artifactRepositoryEndpoint
  objref:
    kind: ConfigMap
    name: workflow-controller-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.artifactRepositoryEndpoint
 - name: artifactRepositoryInsecure
  objref:
    kind: ConfigMap
    name: workflow-controller-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.artifactRepositoryInsecure
 - name: artifactRepositoryAccessKeySecretName
  objref:
    kind: ConfigMap
    name: workflow-controller-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.artifactRepositoryAccessKeySecretName
 - name: artifactRepositoryAccessKeySecretKey
  objref:
    kind: ConfigMap
    name: workflow-controller-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.artifactRepositoryAccessKeySecretKey
 - name: artifactRepositorySecretKeySecretName
  objref:
    kind: ConfigMap
    name: workflow-controller-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.artifactRepositorySecretKeySecretName
 - name: artifactRepositorySecretKeySecretKey
  objref:
    kind: ConfigMap
    name: workflow-controller-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.artifactRepositorySecretKeySecretKey
 - name: namespace
  objref:
    kind: ConfigMap
    name: workflow-controller-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.namespace
 - name: clusterDomain
  objref:
    kind: ConfigMap
    name: workflow-controller-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.clusterDomain
 configurations:
 - params.yaml
--- a/kustomize/argo/base/params.env
+++ b/kustomize/argo/base/params.env
@ -0,0 +1,12 @@
 namespace=kubeflow
 executorImage=argoproj/argoexec:v2.3.0
 containerRuntimeExecutor=docker
 artifactRepositoryBucket=mlpipeline
 artifactRepositoryKeyPrefix=artifacts
 artifactRepositoryEndpoint=minio-service.kubeflow:9000
 artifactRepositoryInsecure=true
 artifactRepositoryAccessKeySecretName=mlpipeline-minio-artifact
 artifactRepositoryAccessKeySecretKey=accesskey
 artifactRepositorySecretKeySecretName=mlpipeline-minio-artifact
 artifactRepositorySecretKeySecretKey=secretkey
 clusterDomain=cluster.local
--- a/kustomize/argo/base/params.yaml
+++ b/kustomize/argo/base/params.yaml
@ -0,0 +1,7 @@
 varReference:
 - path: data/config
  kind: ConfigMap
 - path: data/config
  kind: Deployment
 - path: metadata/annotations/getambassador.io\/config
  kind: Service
--- a/kustomize/argo/base/service-account.yaml
+++ b/kustomize/argo/base/service-account.yaml
@ -0,0 +1,11 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argo
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argo-ui
  namespace: kubeflow
--- a/kustomize/argo/base/service.yaml
+++ b/kustomize/argo/base/service.yaml
@ -0,0 +1,23 @@
 apiVersion: v1
 kind: Service
 metadata:
  annotations:
    getambassador.io/config: |-
      ---
      apiVersion: ambassador/v0
      kind:  Mapping
      name: argo-ui-mapping
      prefix: /argo/
      service: argo-ui.$(namespace)
  labels:
    app: argo-ui
  name: argo-ui
  namespace: kubeflow
 spec:
  ports:
  - port: 80
    targetPort: 8001
  selector:
    app: argo-ui
  sessionAffinity: None
  type: NodePort
--- a/kustomize/argo/kustomization.yaml
+++ b/kustomize/argo/kustomization.yaml
@ -0,0 +1,17 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 bases:
 - base
 commonLabels:
  app.kubernetes.io/component: argo
  app.kubernetes.io/instance: argo-v2.3.0
  app.kubernetes.io/managed-by: kfctl
  app.kubernetes.io/name: argo
  app.kubernetes.io/part-of: kubeflow
  app.kubernetes.io/version: v2.3.0
 configurations:
 - overlays/istio/params.yaml
 kind: Kustomization
 namespace: kubeflow
 resources:
 - overlays/istio/virtual-service.yaml
 - overlays/application/application.yaml
--- a/kustomize/argo/overlays/application/application.yaml
+++ b/kustomize/argo/overlays/application/application.yaml
@ -0,0 +1,38 @@
 apiVersion: app.k8s.io/v1beta1
 kind: Application
 metadata:
  name: argo
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argo
      app.kubernetes.io/instance: argo-v2.3.0
      app.kubernetes.io/managed-by: kfctl
      app.kubernetes.io/component: argo
      app.kubernetes.io/part-of: kubeflow
      app.kubernetes.io/version: v2.3.0
  componentKinds:
  - group: core
    kind: ConfigMap
  - group: apps
    kind: Deployment
  - group: core
    kind: ServiceAccount
  - group: core
    kind: Service
  - group: networking.istio.io
    kind: VirtualService
  descriptor:
    type: argo
    version: v1beta1
    description: Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes
    maintainers: []
    owners: []
    keywords:
     - argo
     - kubeflow
    links:
    - description: About
      url: https://github.com/argoproj/argo
  addOwnerRef: true
--- a/kustomize/argo/overlays/application/kustomization.yaml
+++ b/kustomize/argo/overlays/application/kustomization.yaml
@ -0,0 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
 - ../../base
 resources:
 - application.yaml
 commonLabels:
  app.kubernetes.io/name: argo
  app.kubernetes.io/instance: argo-v2.3.0
  app.kubernetes.io/managed-by: kfctl
  app.kubernetes.io/component: argo
  app.kubernetes.io/part-of: kubeflow
  app.kubernetes.io/version: v2.3.0
--- a/kustomize/argo/overlays/istio/kustomization.yaml
+++ b/kustomize/argo/overlays/istio/kustomization.yaml
@ -0,0 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
 - ../../base
 resources:
 - virtual-service.yaml
 configurations:
 - params.yaml
--- a/kustomize/argo/overlays/istio/params.yaml
+++ b/kustomize/argo/overlays/istio/params.yaml
@ -0,0 +1,3 @@
 varReference:
 - path: spec/http/route/destination/host
  kind: VirtualService
--- a/kustomize/argo/overlays/istio/virtual-service.yaml
+++ b/kustomize/argo/overlays/istio/virtual-service.yaml
@ -0,0 +1,20 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
  name: argo-ui
 spec:
  gateways:
  - kubeflow-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /argo/
    rewrite:
      uri: /
    route:
    - destination:
        host: argo-ui.$(namespace).svc.$(clusterDomain)
        port:
          number: 80
--- a/kustomize/centraldashboard/base/clusterrole-binding.yaml
+++ b/kustomize/centraldashboard/base/clusterrole-binding.yaml
@ -0,0 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app: centraldashboard
  name: centraldashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: centraldashboard
 subjects:
 - kind: ServiceAccount
  name: centraldashboard
  namespace: $(namespace)
--- a/kustomize/centraldashboard/base/clusterrole.yaml
+++ b/kustomize/centraldashboard/base/clusterrole.yaml
@ -0,0 +1,17 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app: centraldashboard
  name: centraldashboard
 rules:
 - apiGroups:
  - ""
  resources:
  - events
  - namespaces
  - nodes
  verbs:
  - get
  - list
  - watch
--- a/kustomize/centraldashboard/base/deployment.yaml
+++ b/kustomize/centraldashboard/base/deployment.yaml
@ -0,0 +1,31 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
    app: centraldashboard
  name: centraldashboard
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: centraldashboard
  template:
    metadata:
      labels:
        app: centraldashboard
    spec:
      containers:
      - image: gcr.io/kubeflow-images-public/centraldashboard
        imagePullPolicy: IfNotPresent
        name: centraldashboard
        ports:
        - containerPort: 8082
          protocol: TCP
        env:
        - name: USERID_HEADER
          value: $(userid-header)
        - name: USERID_PREFIX
          value: $(userid-prefix)
        - name: PROFILES_KFAM_SERVICE_HOST
          value: profiles-kfam.kubeflow
      serviceAccountName: centraldashboard
--- a/kustomize/centraldashboard/base/kustomization.yaml
+++ b/kustomize/centraldashboard/base/kustomization.yaml
@ -0,0 +1,53 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - clusterrole-binding.yaml
 - clusterrole.yaml
 - deployment.yaml
 - role-binding.yaml
 - role.yaml
 - service-account.yaml
 - service.yaml
 namespace: kubeflow
 commonLabels:
  kustomize.component: centraldashboard
 images:
 - name: gcr.io/kubeflow-images-public/centraldashboard
  newName: gcr.io/kubeflow-images-public/centraldashboard
  newTag: vmaster-g6b987df8
 configMapGenerator:
 - env: params.env
  name: parameters
 generatorOptions:
  disableNameSuffixHash: true
 vars:
 - fieldref:
    fieldPath: metadata.namespace
  name: namespace
  objref:
    apiVersion: v1
    kind: Service
    name: centraldashboard
 - fieldref:
    fieldPath: data.clusterDomain
  name: clusterDomain
  objref:
    apiVersion: v1
    kind: ConfigMap
    name: parameters
 - fieldref:
    fieldPath: data.userid-header
  name: userid-header
  objref:
    apiVersion: v1
    kind: ConfigMap
    name: parameters
 - fieldref:
    fieldPath: data.userid-prefix
  name: userid-prefix
  objref:
    apiVersion: v1
    kind: ConfigMap
    name: parameters
 configurations:
 - params.yaml
--- a/kustomize/centraldashboard/base/params.env
+++ b/kustomize/centraldashboard/base/params.env
@ -0,0 +1,3 @@
 clusterDomain=cluster.local
 userid-header=kubeflow-userid
 userid-prefix=
--- a/kustomize/centraldashboard/base/params.yaml
+++ b/kustomize/centraldashboard/base/params.yaml
@ -0,0 +1,9 @@
 varReference:
 - path: metadata/annotations/getambassador.io\/config
  kind: Service
 - path: spec/http/route/destination/host
  kind: VirtualService
 - path: spec/template/spec/containers/0/env/0/value
  kind: Deployment
 - path: spec/template/spec/containers/0/env/1/value
  kind: Deployment
--- a/kustomize/centraldashboard/base/role-binding.yaml
+++ b/kustomize/centraldashboard/base/role-binding.yaml
@ -0,0 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    app: centraldashboard
  name: centraldashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: centraldashboard
 subjects:
 - kind: ServiceAccount
  name: centraldashboard
  namespace: $(namespace)
--- a/kustomize/centraldashboard/base/role.yaml
+++ b/kustomize/centraldashboard/base/role.yaml
@ -0,0 +1,25 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app: centraldashboard
  name: centraldashboard
 rules:
 - apiGroups:
  - ""
  - "app.k8s.io"
  resources:
  - applications
  - pods
  - pods/exec
  - pods/log
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
--- a/kustomize/centraldashboard/base/service-account.yaml
+++ b/kustomize/centraldashboard/base/service-account.yaml
@ -0,0 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: centraldashboard
--- a/kustomize/centraldashboard/base/service.yaml
+++ b/kustomize/centraldashboard/base/service.yaml
@ -0,0 +1,24 @@
 apiVersion: v1
 kind: Service
 metadata:
  annotations:
    getambassador.io/config: |-
      ---
      apiVersion: ambassador/v0
      kind:  Mapping
      name: centralui-mapping
      prefix: /
      rewrite: /
      service: centraldashboard.$(namespace)
  labels:
    app: centraldashboard
  name: centraldashboard
 spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 8082
  selector:
    app: centraldashboard
  sessionAffinity: None
  type: ClusterIP
--- a/kustomize/centraldashboard/kustomization.yaml
+++ b/kustomize/centraldashboard/kustomization.yaml
@ -0,0 +1,17 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 bases:
 - base
 commonLabels:
  app.kubernetes.io/component: centraldashboard
  app.kubernetes.io/instance: centraldashboard-v0.7.0
  app.kubernetes.io/managed-by: kfctl
  app.kubernetes.io/name: centraldashboard
  app.kubernetes.io/part-of: kubeflow
  app.kubernetes.io/version: v0.7.0
 configurations:
 - overlays/istio/params.yaml
 kind: Kustomization
 namespace: kubeflow
 resources:
 - overlays/istio/virtual-service.yaml
 - overlays/application/application.yaml
--- a/kustomize/centraldashboard/overlays/application/application.yaml
+++ b/kustomize/centraldashboard/overlays/application/application.yaml
@ -0,0 +1,54 @@
 apiVersion: app.k8s.io/v1beta1
 kind: Application
 metadata:
  name: centraldashboard
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: centraldashboard
      app.kubernetes.io/instance: centraldashboard-v0.7.0
      app.kubernetes.io/managed-by: kfctl
      app.kubernetes.io/component: centraldashboard
      app.kubernetes.io/part-of: kubeflow
      app.kubernetes.io/version: v0.7.0
  componentKinds:
  - group: core
    kind: ConfigMap
  - group: apps
    kind: Deployment
  - group: rbac.authorization.k8s.io
    kind: RoleBinding
  - group: rbac.authorization.k8s.io
    kind: Role
  - group: core
    kind: ServiceAccount
  - group: core
    kind: Service
  - group: networking.istio.io
    kind: VirtualService
  descriptor:
    type: centraldashboard
    version: v1beta1
    description: Provides a Dashboard UI for kubeflow
    maintainers:
    - name: Jason Prodonovich
      email: prodonjs@gmail.com
    - name: Apoorv Verma
      email: apverma@google.com
    - name: Adhita Selvaraj
      email: adhita94@gmail.com
    owners:
    - name: Jason Prodonovich
      email: prodonjs@gmail.com
    - name: Apoorv Verma
      email: apverma@google.com
    - name: Adhita Selvaraj
      email: adhita94@gmail.com
    keywords:
     - centraldashboard
     - kubeflow
    links:
    - description: About
      url: https://github.com/kubeflow/kubeflow/tree/master/components/centraldashboard
  addOwnerRef: true
--- a/kustomize/centraldashboard/overlays/application/kustomization.yaml
+++ b/kustomize/centraldashboard/overlays/application/kustomization.yaml
@ -0,0 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
 - ../../base
 resources:
 - application.yaml
 commonLabels:
  app.kubernetes.io/name: centraldashboard
  app.kubernetes.io/instance: centraldashboard-v0.7.0
  app.kubernetes.io/managed-by: kfctl
  app.kubernetes.io/component: centraldashboard
  app.kubernetes.io/part-of: kubeflow
  app.kubernetes.io/version: v0.7.0
--- a/kustomize/centraldashboard/overlays/istio/kustomization.yaml
+++ b/kustomize/centraldashboard/overlays/istio/kustomization.yaml
@ -0,0 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
 - ../../base
 resources:
 - virtual-service.yaml
 configurations:
 - params.yaml
--- a/kustomize/centraldashboard/overlays/istio/params.yaml
+++ b/kustomize/centraldashboard/overlays/istio/params.yaml
@ -0,0 +1,3 @@
 varReference:
 - path: spec/http/route/destination/host
  kind: VirtualService
--- a/kustomize/centraldashboard/overlays/istio/virtual-service.yaml
+++ b/kustomize/centraldashboard/overlays/istio/virtual-service.yaml
@ -0,0 +1,20 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
  name: centraldashboard
 spec:
  gateways:
  - kubeflow-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /
    rewrite:
      uri: /
    route:
    - destination:
        host: centraldashboard.$(namespace).svc.$(clusterDomain)
        port:
          number: 80
--- a/kustomize/cert-manager-crds/base/crd.yaml
+++ b/kustomize/cert-manager-crds/base/crd.yaml
--- a/kustomize/cert-manager-crds/base/kustomization.yaml
+++ b/kustomize/cert-manager-crds/base/kustomization.yaml
@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - crd.yaml
--- a/kustomize/cert-manager-crds/kustomization.yaml
+++ b/kustomize/cert-manager-crds/kustomization.yaml
@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 bases:
 - base
 kind: Kustomization
 namespace: cert-manager
--- a/kustomize/cert-manager-kube-system-resources/base/kustomization.yaml
+++ b/kustomize/cert-manager-kube-system-resources/base/kustomization.yaml
@ -0,0 +1,23 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kube-system
 resources:
 - role-binding.yaml
 - role.yaml
 commonLabels:
  kustomize.component: cert-manager
 configMapGenerator:
 - name: cert-manager-kube-params-parameters
  env: params.env
 generatorOptions:
  disableNameSuffixHash: true
 vars:
 - name: certManagerNamespace
  objref:
    kind: ConfigMap
    name: cert-manager-kube-params-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.certManagerNamespace
 configurations:
 - params.yaml
--- a/kustomize/cert-manager-kube-system-resources/base/params.env
+++ b/kustomize/cert-manager-kube-system-resources/base/params.env
@ -0,0 +1 @@
 certManagerNamespace=cert-manager
--- a/kustomize/cert-manager-kube-system-resources/base/params.yaml
+++ b/kustomize/cert-manager-kube-system-resources/base/params.yaml
@ -0,0 +1,3 @@
 varReference:
 - path: subjects/namespace
  kind: RoleBinding
--- a/kustomize/cert-manager-kube-system-resources/base/role-binding.yaml
+++ b/kustomize/cert-manager-kube-system-resources/base/role-binding.yaml
@ -0,0 +1,58 @@
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager-cainjector:leaderelection
  labels:
    app: cainjector
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
 subjects:
 - apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-cainjector
  namespace: $(certManagerNamespace)
 ---
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager:leaderelection
  labels:
    app: cert-manager
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager:leaderelection
 subjects:
 - apiGroup: ""
  kind: ServiceAccount
  name: cert-manager
  namespace: $(certManagerNamespace)
 ---
 # apiserver gets the ability to read authentication. This allows it to
 # read the specific configmap that has the requestheader-* entries to
 # api agg
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager-webhook:webhook-authentication-reader
  labels:
    app: webhook
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
 subjects:
 - apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: $(certManagerNamespace)
--- a/kustomize/cert-manager-kube-system-resources/base/role.yaml
+++ b/kustomize/cert-manager-kube-system-resources/base/role.yaml
@ -0,0 +1,28 @@
 # leader election rules
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: cert-manager-cainjector:leaderelection
  labels:
    app: cainjector
 rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: cert-manager:leaderelection
  labels:
    app: cert-manager
 rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]
--- a/kustomize/cert-manager-kube-system-resources/kustomization.yaml
+++ b/kustomize/cert-manager-kube-system-resources/kustomization.yaml
@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 bases:
 - base
 kind: Kustomization
 namespace: kube-system
--- a/kustomize/cert-manager/base/api-service.yaml
+++ b/kustomize/cert-manager/base/api-service.yaml
@ -0,0 +1,16 @@
 apiVersion: apiregistration.k8s.io/v1beta1
 kind: APIService
 metadata:
  name: v1beta1.webhook.cert-manager.io
  labels:
    app: webhook
  annotations:
    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls"
 spec:
  group: webhook.cert-manager.io
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: cert-manager-webhook
    namespace: $(namespace)
  version: v1beta1
--- a/kustomize/cert-manager/base/cluster-role-binding.yaml
+++ b/kustomize/cert-manager/base/cluster-role-binding.yaml
@ -0,0 +1,135 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
 subjects:
 - name: cert-manager
  namespace: $(namespace)
  kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
 subjects:
 - name: cert-manager
  namespace: $(namespace)
  kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
 subjects:
 - name: cert-manager
  namespace: $(namespace)
  kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
 subjects:
 - name: cert-manager
  namespace: $(namespace)
  kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
 subjects:
 - name: cert-manager
  namespace: $(namespace)
  kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
 subjects:
 - name: cert-manager
  namespace: $(namespace)
  kind: ServiceAccount
 ---
 # apiserver gets the auth-delegator role to delegate auth decisions to
 # the core apiserver
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-webhook:auth-delegator
  labels:
    app: webhook
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
 subjects:
 - apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: $(namespace)
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
 subjects:
 - name: cert-manager-cainjector
  namespace: $(namespace)
  kind: ServiceAccount
--- a/kustomize/cert-manager/base/cluster-role.yaml
+++ b/kustomize/cert-manager/base/cluster-role.yaml
@ -0,0 +1,265 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update"]
 ---
 # Issuer controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 # ClusterIssuer controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 # Certificates controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 # Orders controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
 rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 # Challenges controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
 rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["extensions", "networking.k8s.io/v1"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
 ---
 # ingress-shim controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io/v1"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["networking.k8s.io/v1"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: cert-manager-webhook:webhook-requester
  labels:
    app: webhook
 rules:
 - apiGroups:
  - admission.cert-manager.io
  resources:
  - certificates
  - certificaterequests
  - issuers
  - clusterissuers
  verbs:
  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: cert-manager-view
  labels:
    app: cert-manager
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
 - apiGroups: ["cert-manager.io"]
  resources: ["certificates", "certificaterequests", "issuers"]
  verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
 - apiGroups: ["cert-manager.io"]
  resources: ["certificates", "certificaterequests", "issuers"]
  verbs: ["create", "delete", "deletecollection", "patch", "update"]
--- a/kustomize/cert-manager/base/deployment.yaml
+++ b/kustomize/cert-manager/base/deployment.yaml
@ -0,0 +1,124 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: cainjector
  template:
    metadata:
      labels:
        app: cainjector
      annotations:
    spec:
      serviceAccountName: cert-manager-cainjector
      containers:
        - name: cainjector
          image: "quay.io/jetstack/cert-manager-cainjector:v0.11.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --leader-election-namespace=kube-system
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            {}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cert-manager
  labels:
    app: cert-manager
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: cert-manager
  template:
    metadata:
      labels:
        app: cert-manager
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      serviceAccountName: cert-manager
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-controller:v0.11.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --cluster-resource-namespace=$(POD_NAMESPACE)
          - --leader-election-namespace=kube-system
          - --webhook-namespace=$(POD_NAMESPACE)
          - --webhook-ca-secret=cert-manager-webhook-ca
          - --webhook-serving-secret=cert-manager-webhook-tls
          - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.$(namespace),cert-manager-webhook.$(namespace).svc
          ports:
          - containerPort: 9402
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: webhook
  template:
    metadata:
      labels:
        app: webhook
      annotations:
    spec:
      serviceAccountName: cert-manager-webhook
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-webhook:v0.11.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --secure-port=6443
          - --tls-cert-file=/certs/tls.crt
          - --tls-private-key-file=/certs/tls.key
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            {}
          volumeMounts:
          - name: certs
            mountPath: /certs
      volumes:
      - name: certs
        secret:
          secretName: cert-manager-webhook-tls
--- a/kustomize/cert-manager/base/kustomization.yaml
+++ b/kustomize/cert-manager/base/kustomization.yaml
@ -0,0 +1,40 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: cert-manager
 resources:
 - namespace.yaml
 - api-service.yaml
 - cluster-role-binding.yaml
 - cluster-role.yaml
 - deployment.yaml
 - mutating-webhook-configuration.yaml
 - service-account.yaml
 - service.yaml
 - validating-webhook-configuration.yaml
 commonLabels:
  kustomize.component: cert-manager
 images:
 - name: quay.io/jetstack/cert-manager-controller
  newName: quay.io/jetstack/cert-manager-controller
  newTag: v0.11.0
 - name: quay.io/jetstack/cert-manager-webhook
  newName: quay.io/jetstack/cert-manager-webhook
  newTag: v0.11.0
 - name: quay.io/jetstack/cert-manager-cainjector
  newName: quay.io/jetstack/cert-manager-cainjector
  newTag: v0.11.0
 configMapGenerator:
 - name: cert-manager-parameters
  env: params.env
 generatorOptions:
  disableNameSuffixHash: true
 vars:
 - name: namespace
  objref:
    kind: ConfigMap
    name: cert-manager-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.namespace
 configurations:
 - params.yaml
--- a/kustomize/cert-manager/base/mutating-webhook-configuration.yaml
+++ b/kustomize/cert-manager/base/mutating-webhook-configuration.yaml
@ -0,0 +1,32 @@
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
  annotations:
    cert-manager.io/inject-apiserver-ca: "true"
 webhooks:
  - name: webhook.cert-manager.io
    rules:
      - apiGroups:
          - "cert-manager.io"
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - certificates
          - issuers
          - clusterissuers
          - orders
          - challenges
          - certificaterequests
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/webhook.cert-manager.io/v1beta1/mutations
      caBundle: ""
--- a/kustomize/cert-manager/base/namespace.yaml
+++ b/kustomize/cert-manager/base/namespace.yaml
@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: $(namespace)
--- a/kustomize/cert-manager/base/params.env
+++ b/kustomize/cert-manager/base/params.env
@ -0,0 +1 @@
 namespace=cert-manager
--- a/kustomize/cert-manager/base/params.yaml
+++ b/kustomize/cert-manager/base/params.yaml
@ -0,0 +1,9 @@
 varReference:
 - path: subjects/namespace
  kind: ClusterRoleBinding
 - path: spec/template/spec/containers/args
  kind: Deployment
 - path: metadata/name
  kind: Namespace
 - path: spec/service/namespace
  kind: APIService
--- a/kustomize/cert-manager/base/service-account.yaml
+++ b/kustomize/cert-manager/base/service-account.yaml
@ -0,0 +1,25 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager
  annotations:
  labels:
    app: cert-manager
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
--- a/kustomize/cert-manager/base/service.yaml
+++ b/kustomize/cert-manager/base/service.yaml
@ -0,0 +1,30 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: cert-manager
  labels:
    app: cert-manager
 spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 9402
      targetPort: 9402
  selector:
    app: cert-manager
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
 spec:
  type: ClusterIP
  ports:
  - name: https
    port: 443
    targetPort: 6443
  selector:
    app: webhook
--- a/kustomize/cert-manager/base/validating-webhook-configuration.yaml
+++ b/kustomize/cert-manager/base/validating-webhook-configuration.yaml
@ -0,0 +1,31 @@
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
  annotations:
    cert-manager.io/inject-apiserver-ca: "true"
 webhooks:
  - name: webhook.certmanager.k8s.io
    rules:
      - apiGroups:
          - "cert-manager.io"
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - certificates
          - issuers
          - clusterissuers
          - certificaterequests
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/webhook.cert-manager.io/v1beta1/validations
      caBundle: ""
--- a/kustomize/cert-manager/kustomization.yaml
+++ b/kustomize/cert-manager/kustomization.yaml
@ -0,0 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 bases:
 - base
 commonLabels:
  app.kubernetes.io/component: cert-manager
  app.kubernetes.io/instance: cert-manager-v0.7.0
  app.kubernetes.io/managed-by: kfctl
  app.kubernetes.io/name: cert-manager
  app.kubernetes.io/part-of: kubeflow
  app.kubernetes.io/version: v0.7.0
  kustomize.component: cert-manager
 configurations:
 - overlays/application/params.yaml
 kind: Kustomization
 namespace: cert-manager
 resources:
 - overlays/self-signed/cluster-issuer.yaml
 - overlays/application/application.yaml
--- a/kustomize/cert-manager/overlays/application/application.yaml
+++ b/kustomize/cert-manager/overlays/application/application.yaml
@ -0,0 +1,35 @@
 apiVersion: app.k8s.io/v1beta1
 kind: Application
 metadata:
  name: cert-manager
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: cert-manager-v0.7.0
      app.kubernetes.io/managed-by: kfctl
      app.kubernetes.io/component: cert-manager
      app.kubernetes.io/part-of: kubeflow
      app.kubernetes.io/version: v0.7.0
  componentKinds:
  - group: rbac
    kind: ClusterRole
  - group: rbac
    kind: ClusterRoleBinding
  - group: core
    kind: Namespace
  - group: core
    kind: Service
  - group: apps
    kind: Deployment
  - group: core
    kind: ServiceAccount
  descriptor:
    type: ""
    version: "v0.10.0"
    description: "Automatically provision and manage TLS certificates in Kubernetes https://jetstack.io."
    keywords:
    - cert-manager
    links:
    - description: About
      url: "https://github.com/jetstack/cert-manager"
--- a/kustomize/cert-manager/overlays/application/kustomization.yaml
+++ b/kustomize/cert-manager/overlays/application/kustomization.yaml
@ -0,0 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
 - ../../base
 resources:
 - application.yaml
 configurations:
 - params.yaml
 commonLabels:
  app.kubernetes.io/name: cert-manager
  app.kubernetes.io/instance: cert-manager-v0.7.0
  app.kubernetes.io/managed-by: kfctl
  app.kubernetes.io/component: cert-manager
  app.kubernetes.io/part-of: kubeflow
  app.kubernetes.io/version: v0.7.0
--- a/kustomize/cert-manager/overlays/application/params.yaml
+++ b/kustomize/cert-manager/overlays/application/params.yaml
@ -0,0 +1,11 @@
 varReference:
 - path: metadata/name
  kind: Application
 - path: spec/selector/matchLabels/app.kubernetes.io\/instance
  kind: Application
 - path: spec/template/metadata/labels/app.kubernetes.io\/instance
  kind: Deployment
 - path: spec/selector/matchLabels/app.kubernetes.io\/instance
  kind: Deployment
 - path: spec/selector/app.kubernetes.io\/instance
  kind: Service
--- a/kustomize/cert-manager/overlays/letsencrypt/cluster-issuer.yaml
+++ b/kustomize/cert-manager/overlays/letsencrypt/cluster-issuer.yaml
@ -0,0 +1,11 @@
 apiVersion: cert-manager.io/v1alpha2
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-prod
 spec:
  acme:
    email: $(acmeEmail)
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-prod-secret
    server: $(acmeUrl)
--- a/kustomize/cert-manager/overlays/letsencrypt/kustomization.yaml
+++ b/kustomize/cert-manager/overlays/letsencrypt/kustomization.yaml
@ -0,0 +1,32 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
 - ../../base
 namespace: cert-manager
 resources:
 - cluster-issuer.yaml
 commonLabels:
  kustomize.component: cert-manager
 configMapGenerator:
 - name: cert-manager-parameters
  behavior: merge
  env: params.env
 generatorOptions:
  disableNameSuffixHash: true
 vars:
 - name: acmeEmail
  objref:
    kind: ConfigMap
    name: cert-manager-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.acmeEmail
 - name: acmeUrl
  objref:
    kind: ConfigMap
    name: cert-manager-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.acmeUrl
 configurations:
 - params.yaml
--- a/kustomize/cert-manager/overlays/letsencrypt/params.env
+++ b/kustomize/cert-manager/overlays/letsencrypt/params.env
@ -0,0 +1,2 @@
 acmeEmail=
 acmeUrl=https://acme-v02.api.letsencrypt.org/directory
--- a/kustomize/cert-manager/overlays/letsencrypt/params.yaml
+++ b/kustomize/cert-manager/overlays/letsencrypt/params.yaml
@ -0,0 +1,5 @@
 varReference:
 - path: spec/acme/email
  kind: ClusterIssuer
 - path: spec/acme/server
  kind: ClusterIssuer
--- a/kustomize/cert-manager/overlays/self-signed/cluster-issuer.yaml
+++ b/kustomize/cert-manager/overlays/self-signed/cluster-issuer.yaml
@ -0,0 +1,6 @@
 apiVersion: cert-manager.io/v1alpha2
 kind: ClusterIssuer
 metadata:
  name: kubeflow-self-signing-issuer
 spec:
  selfSigned: {}
--- a/kustomize/cert-manager/overlays/self-signed/kustomization.yaml
+++ b/kustomize/cert-manager/overlays/self-signed/kustomization.yaml
@ -0,0 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
 - ../../base
 resources:
 - cluster-issuer.yaml
 commonLabels:
  kustomize.component: cert-manager
--- a/kustomize/dex/base/config-map.yaml
+++ b/kustomize/dex/base/config-map.yaml
@ -0,0 +1,30 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: dex
 data:
  config.yaml: |
    issuer: $(issuer)
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      http: 0.0.0.0:5556
    logger:
      level: "debug"
      format: text
    oauth2:
      skipApprovalScreen: true
    enablePasswordDB: true
    staticPasswords:
    - email: $(static_email)
      hash: $(static_password_hash)
      username: $(static_username)
      userID: $(static_user_id)
    staticClients:
    - id: $(client_id)
      redirectURIs: $(oidc_redirect_uris)
      name: 'Dex Login Application'
      secret: $(application_secret)
--- a/kustomize/dex/base/crds.yaml
+++ b/kustomize/dex/base/crds.yaml
@ -0,0 +1,45 @@
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: authcodes.dex.coreos.com
 spec:
  group: dex.coreos.com
  names:
    kind: AuthCode
    listKind: AuthCodeList
    plural: authcodes
    singular: authcode
  scope: Namespaced
  version: v1
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: dex
 rules:
 - apiGroups: ["dex.coreos.com"] # API group created by dex
  resources: ["*"]
  verbs: ["*"]
 - apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["create"] # To manage its own resources identity must be able to create customresourcedefinitions.
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: dex
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dex
 subjects:
 - kind: ServiceAccount
  name: dex                 # Service account assigned to the dex pod.
  namespace: auth           # The namespace dex is running in.
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: dex
  namespace: auth
--- a/kustomize/dex/base/deployment.yaml
+++ b/kustomize/dex/base/deployment.yaml
@ -0,0 +1,34 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
    app: dex
  name: dex
 spec:
  replicas: 1
  selector:
    matchLabels:
        app: dex
  template:
    metadata:
      labels:
        app: dex
    spec:
      serviceAccountName: dex
      containers:
      - image: quay.io/coreos/dex:v2.9.0
        name: dex
        command: ["dex", "serve", "/etc/dex/cfg/config.yaml"]
        ports:
        - name: http
          containerPort: 5556
        volumeMounts:
        - name: config
          mountPath: /etc/dex/cfg
      volumes:
      - name: config
        configMap:
          name: dex
          items:
          - key: config.yaml
            path: config.yaml
--- a/kustomize/dex/base/kustomization.yaml
+++ b/kustomize/dex/base/kustomization.yaml
@ -0,0 +1,84 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: auth
 resources:
 - namespace.yaml
 - config-map.yaml
 - crds.yaml
 - deployment.yaml
 - service.yaml
 configMapGenerator:
 - name: dex-parameters
  env: params.env
 generatorOptions:
  disableNameSuffixHash: true
 vars:
 - name: dex_domain
  objref:
    kind: ConfigMap
    name: dex-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.dex_domain
 - name: issuer
  objref:
    kind: ConfigMap
    name: dex-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.issuer
 - name: static_email
  objref:
    kind: ConfigMap
    name: dex-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.static_email
 - name: static_password_hash
  objref:
    kind: ConfigMap
    name: dex-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.static_password_hash
 - name: static_username
  objref:
    kind: ConfigMap
    name: dex-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.static_username
 - name: static_user_id
  objref:
    kind: ConfigMap
    name: dex-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.static_user_id
 - name: client_id
  objref:
    kind: ConfigMap
    name: dex-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.client_id
 - name: oidc_redirect_uris
  objref:
    kind: ConfigMap
    name: dex-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.oidc_redirect_uris
 - name: application_secret
  objref:
    kind: ConfigMap
    name: dex-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.application_secret
 configurations:
 - params.yaml
 images:
 - name: quay.io/coreos/dex
  newName: gcr.io/arrikto/dexidp/dex
  newTag: 4bede5eb80822fc3a7fc9edca0ed2605cd339d17
--- a/kustomize/dex/base/namespace.yaml
+++ b/kustomize/dex/base/namespace.yaml
@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: auth
--- a/kustomize/dex/base/params.env
+++ b/kustomize/dex/base/params.env
@ -0,0 +1,11 @@
 # Dex Server Parameters (some params are shared with client)
 dex_domain=dex.example.com
 # Set issuer to https if tls is enabled
 issuer=http://dex.auth.svc.cluster.local:5556/dex
 static_email=leonard.aukea@volvocars.com
 static_password_hash=$2y$12$ruoM7FqXrpVgaol44eRZW.4HWS8SAvg6KYVVSCIwKQPBmTpCm.EeO
 static_username=admin
 static_user_id=08a8684b-db88-4b73-90a9-3cd1661f5466
 client_id=kubeflow-oidc-authservice
 oidc_redirect_uris=["/login/oidc"]
 application_secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
--- a/kustomize/dex/base/params.yaml
+++ b/kustomize/dex/base/params.yaml
@ -0,0 +1,5 @@
 varReference:
 - path: spec/template/spec/volumes/secret/secretName
  kind: Deployment
 - path: data/config.yaml
  kind: ConfigMap
--- a/kustomize/dex/base/service.yaml
+++ b/kustomize/dex/base/service.yaml
@ -0,0 +1,14 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: dex
 spec:
  type: NodePort
  ports:
  - name: dex
    port: 5556
    protocol: TCP
    targetPort: 5556
    nodePort: 32000
  selector:
    app: dex
--- a/kustomize/dex/kustomization.yaml
+++ b/kustomize/dex/kustomization.yaml
@ -0,0 +1,23 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 bases:
 - base
 configMapGenerator:
 - behavior: merge
  env: overlays/istio/params.env
  name: dex-parameters
 configurations:
 - overlays/istio/params.yaml
 generatorOptions:
  disableNameSuffixHash: true
 kind: Kustomization
 namespace: auth
 resources:
 - overlays/istio/virtual-service.yaml
 vars:
 - fieldref:
    fieldPath: data.namespace
  name: namespace
  objref:
    apiVersion: v1
    kind: ConfigMap
    name: dex-parameters
--- a/kustomize/dex/overlays/istio/kustomization.yaml
+++ b/kustomize/dex/overlays/istio/kustomization.yaml
@ -0,0 +1,23 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
 - ../../base
 resources:
 - virtual-service.yaml
 configMapGenerator:
 - name: dex-parameters
  behavior: merge
  env: params.env
 generatorOptions:
  disableNameSuffixHash: true
 vars:
 - name: namespace
  objref:
    kind: ConfigMap
    name: dex-parameters
    apiVersion: v1
  fieldref:
    fieldpath: data.namespace
 configurations:
 - params.yaml
--- a/kustomize/dex/overlays/istio/params.env
+++ b/kustomize/dex/overlays/istio/params.env
@ -0,0 +1 @@
 namespace=auth
	`@ -0,0 +1,2 @@`
					`acmeEmail=`
					`acmeUrl=https://acme-v02.api.letsencrypt.org/directory`