Adding Openshift stack (kubeflow#1567)

* Adding owners files

* adding required openshift scc

* Adding istio

* Adding istio

* Fixing kustomize

* adding cert-manager

* Adding Argo

* Adding cert manager

* Adding jupyter web app

* adding profiles and nb controller

* Adding components

* Adding Seldon

* Adding kfdef for openshift

* Fixing the fsgrp issue with nb controller

* Adding a patch for jnakfour in metadatadb

* moving openshift-scc to top

* Adding namespace in profiles

* Disabling tls in destination rule for pipeline ui

* Adding route

* Moving profiles and pipeline to top kustomize

* Adding new line

* Adding custom profile image to disable istio injection

* Updating profile image and istio scc

* Switching pipeline to generic and pulling out to application

Co-authored-by: Juana Nakfour <nakfour>

kfdef/kfctl_openshift.v1.1.0.yaml

@@ -0,0 +1,103 @@
+apiVersion: kfdef.apps.kubeflow.org/v1
+kind: KfDef
+metadata:
+ name: kubeflow
+ namespace: kubeflow
+spec:
+ applications:
+# This needs to be first to set up permissions
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/openshift/openshift-scc
+ name: openshift-scc
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/istio-stack
+ name: istio-stack
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/istio
+ name: istio
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: application/v3
+ name: application
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: metacontroller/base
+ name: metacontroller
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/cert-manager-crds
+ name: cert-manager-crds
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/cert-manager-kube-system-resources
+ name: cert-manager-kube-system-resources
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/cert-manager
+ name: cert-manager
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/argo
+ name: argo
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/jupyter-web-app
+ name: jupyter-web-app
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/notebook-controller
+ name: notebook-controller
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/metadata
+ name: metadata
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/tf-job
+ name: tf-job
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/pytorch-job
+ name: pytorch-job
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/katib
+ name: katib
+ # commenting this out since it is included in kubeflow-apps
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/pipeline
+ name: pipeline
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift/application/seldon
+ name: seldon
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: stacks/openshift
+ name: kubeflow-apps
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/v1.1-branch.tar.gz
+ version: v1.0-branch

stacks/openshift/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+- nakfour
+- vpavlin
+- crobby

stacks/openshift/application/argo/kustomization.yaml

@@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- ../../../../argo/base_v3
+configMapGenerator:
+- name: workflow-controller-parameters
+ behavior: merge
+ literals:
+ - containerRuntimeExecutor=k8sapi
+- name: kubeflow-config
+ envs:
+ - ../../config/params.env
+# We need to define vars at the top level otherwise we will get
+# conflicts.
+vars:
+- fieldref:
+ fieldPath: data.clusterDomain
+ name: clusterDomain
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: kubeflow-config
+- fieldref:
+ fieldPath: metadata.namespace
+ name: namespace
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: kubeflow-config
+
+

stacks/openshift/application/cert-manager-crds/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+- ../../../../cert-manager/cert-manager-crds/base

stacks/openshift/application/cert-manager-kube-system-resources/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+- ../../../../cert-manager/cert-manager-kube-system-resources/base

stacks/openshift/application/cert-manager/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+commonLabels:
+ app.kubernetes.io/component: cert-manager
+ app.kubernetes.io/name: cert-manager
+ kustomize.component: cert-manager
+kind: Kustomization
+namespace: cert-manager
+resources:
+- ../../../../cert-manager/cert-manager/base
+- ../../../../cert-manager/cert-manager/overlays/application/application.yaml
+- ../../../../cert-manager/cert-manager/overlays/self-signed/cluster-issuer.yaml
+configurations:
+- ../../../../cert-manager/cert-manager/overlays/application/params.yaml

stacks/openshift/application/istio-stack/ingressgateway.route.yaml

@@ -0,0 +1,17 @@
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ release: istio
+spec:
+ to:
+ kind: Service
+ name: istio-ingressgateway
+ weight: 100
+ port:
+ targetPort: http2
+ wildcardPolicy: None

stacks/openshift/application/istio-stack/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+- ../../../../istio/istio-crds/base
+- ../../../../istio/istio-install/base
+- ingressgateway.route.yaml

stacks/openshift/application/istio/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- ../../../../istio/istio/base
+
+configMapGenerator:
+- name: istio-parameters
+ behavior: merge
+ envs:
+ - params.env
+configurations:
+- params.yaml

stacks/openshift/application/istio/params.env

@@ -0,0 +1 @@
+clusterRbacConfig=OFF

stacks/openshift/application/istio/params.yaml

@@ -0,0 +1,3 @@
+varReference:
+- path: spec/mode
+ kind: ClusterRbacConfig

stacks/openshift/application/jupyter-web-app/configs/spawner_ui_config.yaml

@@ -0,0 +1,125 @@
+# Configuration file for the Jupyter UI.
+#
+# Each Jupyter UI option is configured by two keys: 'value' and 'readOnly'
+# - The 'value' key contains the default value
+# - The 'readOnly' key determines if the option will be available to users
+#
+# If the 'readOnly' key is present and set to 'true', the respective option
+# will be disabled for users and only set by the admin. Also when a
+# Notebook is POSTED to the API if a necessary field is not present then
+# the value from the config will be used.
+#
+# If the 'readOnly' key is missing (defaults to 'false'), the respective option
+# will be available for users to edit.
+#
+# Note that some values can be templated. Such values are the names of the
+# Volumes as well as their StorageClass
+spawnerFormDefaults:
+ image:
+ # The container Image for the user's Jupyter Notebook
+ # If readonly, this value must be a member of the list below
+ value: quay.io/kubeflow/tf-notebook-image:v0.7.0
+ # The list of available standard container Images
+ options:
+ - quay.io/kubeflow/tf-notebook-image:v0.7.0
+ # By default, custom container Images are allowed
+ # Uncomment the following line to only enable standard container Images
+ readOnly: false
+ cpu:
+ # CPU for user's Notebook
+ value: '0.5'
+ readOnly: false
+ memory:
+ # Memory for user's Notebook
+ value: 1.0Gi
+ readOnly: false
+ workspaceVolume:
+ # Workspace Volume to be attached to user's Notebook
+ # Each Workspace Volume is declared with the following attributes:
+ # Type, Name, Size, MountPath and Access Mode
+ value:
+ type:
+ # The Type of the Workspace Volume
+ # Supported values: 'New', 'Existing'
+ value: New
+ name:
+ # The Name of the Workspace Volume
+ # Note that this is a templated value. Special values:
+ # {notebook-name}: Replaced with the name of the Notebook. The frontend
+ # will replace this value as the user types the name
+ value: 'workspace-{notebook-name}'
+ size:
+ # The Size of the Workspace Volume (in Gi)
+ value: '10Gi'
+ mountPath:
+ # The Path that the Workspace Volume will be mounted
+ value: /home/jovyan
+ accessModes:
+ # The Access Mode of the Workspace Volume
+ # Supported values: 'ReadWriteOnce', 'ReadWriteMany', 'ReadOnlyMany'
+ value: ReadWriteOnce
+ class:
+ # The StrageClass the PVC will use if type is New. Special values are:
+ # {none}: default StorageClass
+ # {empty}: empty string ""
+ value: '{none}'
+ readOnly: false
+ dataVolumes:
+ # List of additional Data Volumes to be attached to the user's Notebook
+ value: []
+ # Each Data Volume is declared with the following attributes:
+ # Type, Name, Size, MountPath and Access Mode
+ #
+ # For example, a list with 2 Data Volumes:
+ # value:
+ # - value:
+ # type:
+ # value: New
+ # name:
+ # value: '{notebook-name}-vol-1'
+ # size:
+ # value: '10Gi'
+ # class:
+ # value: standard
+ # mountPath:
+ # value: /home/jovyan/vol-1
+ # accessModes:
+ # value: ReadWriteOnce
+ # class:
+ # value: {none}
+ # - value:
+ # type:
+ # value: New
+ # name:
+ # value: '{notebook-name}-vol-2'
+ # size:
+ # value: '10Gi'
+ # mountPath:
+ # value: /home/jovyan/vol-2
+ # accessModes:
+ # value: ReadWriteMany
+ # class:
+ # value: {none}
+ readOnly: false
+ gpus:
+ # Number of GPUs to be assigned to the Notebook Container
+ value:
+ # values: "none", "1", "2", "4", "8"
+ num: "none"
+ # Determines what the UI will show and send to the backend
+ vendors:
+ - limitsKey: "nvidia.com/gpu"
+ uiName: "NVIDIA"
+ # Values: "" or a `limits-key` from the vendors list
+ vendor: ""
+ readOnly: false
+ shm:
+ value: true
+ readOnly: false
+ configurations:
+ # List of labels to be selected, these are the labels from PodDefaults
+ # value:
+ # - add-gcp-secret
+ # - default-editor
+ value: []
+ readOnly: false

stacks/openshift/application/jupyter-web-app/kustomization.yaml

@@ -0,0 +1,36 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- ../../../../jupyter/jupyter-web-app/base_v3
+configMapGenerator:
+- name: jupyter-web-app-config
+ behavior: merge
+ files:
+ - ./configs/spawner_ui_config.yaml
+- name: kubeflow-config
+ envs:
+ - ../../config/params.env
+# We need to define vars at the top level otherwise we will get
+# conflicts.
+vars:
+- fieldref:
+ fieldPath: data.clusterDomain
+ name: clusterDomain
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: kubeflow-config
+- fieldref:
+ fieldPath: metadata.namespace
+ name: namespace
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: kubeflow-config
+
+images:
+- name: gcr.io/kubeflow-images-public/jupyter-web-app
+ newTag: v1.0.0
+ newName: quay.io/kubeflow/jupyter-web-app
+

stacks/openshift/application/katib/katib-controller-deployment.yaml

@@ -0,0 +1,3 @@
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: '--webhook-inject-securitycontext=true'