(knative, kfserving, cert-manager) Build working solution for kfservi…
…ng integration (#212)

* (knative, kfserving, cert-manager) Build working solution for kfserving integration

* (knative) kustomize knative using expanded manifest and namespace patch

* (cert-manager) Adjust cert-manager and kubeflow-issuer for v1.3
zijianjoy authored Apr 21, 2021
1 parent bf3c450 commit 0505dd6
Showing 16 changed files with 4,243 additions and 37 deletions.
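--- a/kubeflow/Makefile
+++ b/kubeflow/Makefile
@@ -73,18 +73,9 @@ apply-kubeflow: validate-values check-name
 kustomize build --load-restrictor LoadRestrictionsNone -o $(BUILD_DIR)/namespaces ./common/kubeflow-namespace
 kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/namespaces
 
-# Kubeflow kubeflow-istio
-rm -rf $(BUILD_DIR)/kubeflow-istio && mkdir -p $(BUILD_DIR)/kubeflow-istio
-kustomize build --load-restrictor LoadRestrictionsNone -o $(BUILD_DIR)/kubeflow-istio ./common/istio
-kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/kubeflow-istio
+$(MAKE) apply-istio
 
-# Common cert-manager
-rm -rf $(BUILD_DIR)/cert-manager && mkdir -p $(BUILD_DIR)/cert-manager
-kustomize build --load-restrictor LoadRestrictionsNone -o $(BUILD_DIR)/cert-manager ./common/cert-manager
-kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/cert-manager
-kubectl --context=$(KFCTXT) -n cert-manager wait --for=condition=Available --timeout=600s deploy cert-manager-webhook
-kubectl --context=$(KFCTXT) -n cert-manager wait --for=condition=Available --timeout=600s deploy cert-manager
-kubectl --context=$(KFCTXT) -n cert-manager wait --for=condition=Available --timeout=600s deploy cert-manager-cainjector
+$(MAKE) apply-cert-manager
 
 # Contrib metacontroller
 rm -rf $(BUILD_DIR)/metacontroller && mkdir -p $(BUILD_DIR)/metacontroller
@@ -161,10 +152,9 @@ apply-kubeflow: validate-values check-name
 kustomize build --load-restrictor LoadRestrictionsNone -o $(BUILD_DIR)/pipeline ./apps/pipeline
 kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/pipeline
 
-# App kfserving
-rm -rf $(BUILD_DIR)/kfserving && mkdir -p $(BUILD_DIR)/kfserving
-kustomize build --load-restrictor LoadRestrictionsNone -o $(BUILD_DIR)/kfserving ./apps/kfserving
-kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/kfserving
+$(MAKE) apply-knative
+
+$(MAKE) apply-kfserving
 
 # Common user-namespace
 rm -rf $(BUILD_DIR)/user-namespace && mkdir -p $(BUILD_DIR)/user-namespace
@@ -176,10 +166,7 @@ apply-kubeflow: validate-values check-name
 kustomize build --load-restrictor LoadRestrictionsNone -o $(BUILD_DIR)/katib ./apps/katib
 kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/katib
 
-# Common cert-manager kubeflow-issuer
-rm -rf $(BUILD_DIR)/kubeflow-issuer && mkdir -p $(BUILD_DIR)/kubeflow-issuer
-kustomize build --load-restrictor LoadRestrictionsNone -o $(BUILD_DIR)/kubeflow-issuer ./common/cert-manager/upstream/cert-manager/kubeflow-issuer
-kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/kubeflow-issuer
+$(MAKE) apply-kubeflow-issuer
 
 # Kick the IAP pod because we will reset the policy and need to patch it.
 # TODO(https://github.com/kubeflow/gcp-blueprints/issues/14)
@@ -188,6 +175,52 @@ apply-kubeflow: validate-values check-name
 # https://github.com/kubeflow/gcp-blueprints/issues/160
 kubectl --context=$(KFCTXT) -n istio-system delete pods -l service=backend-updater
 
+.PHONY: apply-knative
+apply-knative:
+# Common Knative
+# It has error when trying to patch the resource downloaded from knative because it doesn't match kustomize requirement.
+# Original release of knative manifest can not be patched by kustomize because of `already registered id`. For now we run kubectl directly.
+rm -rf $(BUILD_DIR)/knative && mkdir -p $(BUILD_DIR)/knative
+kustomize build -o $(BUILD_DIR)/knative ./common/knative
+kubectl --context=${KFCTXT} apply -f ./$(BUILD_DIR)/knative/*v1_namespace_knative-serving.yaml
+kubectl --context=$(KFCTXT) apply --recursive=true -f ./$(BUILD_DIR)/knative
+
+.PHONY: apply-kfserving
+apply-kfserving:
+# App kfserving
+rm -rf $(BUILD_DIR)/kfserving && mkdir -p $(BUILD_DIR)/kfserving
+kustomize build --load-restrictor LoadRestrictionsNone -o $(BUILD_DIR)/kfserving ./apps/kfserving
+kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/kfserving
+kubectl --context=$(KFCTXT) patch cm config-domain --namespace knative-serving --type merge -p '{"data":{"$(NAME).endpoints.$(PROJECT).cloud.goog": ""}}'
+
+.PHONY: apply-cert-manager
+apply-cert-manager:
+# Common cert-manager
+rm -rf $(BUILD_DIR)/cert-manager && mkdir -p $(BUILD_DIR)/cert-manager
+kustomize build --load-restrictor LoadRestrictionsNone -o $(BUILD_DIR)/cert-manager ./common/cert-manager
+# Try kpt live apply to simplify this steps.
+kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/cert-manager/*v1_namespace_cert-manager.yaml
+kubectl --context=$(KFCTXT) apply --recursive=true -f ./$(BUILD_DIR)/cert-manager
+kubectl --context=$(KFCTXT) -n cert-manager wait --for=condition=Available --timeout=600s deploy cert-manager-webhook
+kubectl --context=$(KFCTXT) -n cert-manager wait --for=condition=Available --timeout=600s deploy cert-manager
+kubectl --context=$(KFCTXT) -n cert-manager wait --for=condition=Available --timeout=600s deploy cert-manager-cainjector
+
+.PHONY: apply-kubeflow-issuer
+apply-kubeflow-issuer:
+# Common kubeflow-issuer for cert-manager
+rm -rf $(BUILD_DIR)/kubeflow-issuer && mkdir -p $(BUILD_DIR)/kubeflow-issuer
+kustomize build --load-restrictor LoadRestrictionsNone -o $(BUILD_DIR)/kubeflow-issuer ./common/cert-manager/cert-manager-1-3/cert-manager/kubeflow-issuer
+# kustomize build --load-restrictor LoadRestrictionsNone -o $(BUILD_DIR)/kubeflow-issuer ./common/cert-manager/upstream/cert-manager/kubeflow-issuer
+kubectl --context=$(KFCTXT) apply --recursive=true -f ./$(BUILD_DIR)/kubeflow-issuer
+
+
+.PHONY: apply-istio
+apply-istio:
+# Kubeflow kubeflow-istio
+rm -rf $(BUILD_DIR)/kubeflow-istio && mkdir -p $(BUILD_DIR)/kubeflow-istio
+kustomize build --load-restrictor LoadRestrictionsNone -o $(BUILD_DIR)/kubeflow-istio ./common/istio
+kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/kubeflow-istio
+
 .PHONY: apply-v2
 apply-v2: clean-build check-name check-iap apply-gcp wait-gcp create-ctxt apply-asm iap-secret apply-kubeflow
 ifeq ($(PRIVATE_GKE),true)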
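Review bot: The five new targets (`apply-knative`, `apply-kfserving`, `apply-cert-manager`, `apply-kubeflow-issuer`, `apply-istio`) have no prerequisites, while `apply-kubeflow` (shown in the hunk headers) depends on `validate-values check-name`, so invoking one of them directly skips whatever those checks enforce. If `KFCTXT` is unset, `kubectl --context=` would, as far as I know, fall back to the current kubeconfig context and the manifests could be applied to a different cluster; if `NAME` or `PROJECT` is unset, `apply-kfserving` patches `config-domain` with a malformed domain key. I would give each new target the same guards, e.g. `apply-kfserving: validate-values check-name`, assuming those checks are cheap to repeat from the nested `$(MAKE)` calls (their bodies are not visible here). The commented-out `kustomize build … ./common/cert-manager/upstream/cert-manager/kubeflow-issuer` line in `apply-kubeflow-issuer` should be deleted rather than kept as dead code.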
@@ -0,0 +1,16 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- https://github.com/jetstack/cert-manager/releases/download/v1.3.0/cert-manager.yaml

images:
- name: quay.io/jetstack/cert-manager-controller
newName: quay.io/jetstack/cert-manager-controller
newTag: v1.3.0
- name: quay.io/jetstack/cert-manager-cainjector
newName: quay.io/jetstack/cert-manager-cainjector
newTag: v1.3.0
- name: quay.io/jetstack/cert-manager-webhook
newName: quay.io/jetstack/cert-manager-webhook
newTag: v1.3.0
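Review bot: The `resources:` entry fetches `cert-manager.yaml` from the GitHub release URL each time `kustomize build` runs, so what gets applied to the cluster (CRDs, RBAC and webhook configuration, in the upstream manifest) depends on a network download with no integrity check. The three `images:` entries also pin by tag (`newTag: v1.3.0`) rather than by digest. Consider committing the v1.3.0 manifest to the repository and listing it as a local file under `resources:`, so the content is reviewed and the build is reproducible. For the images, kustomize accepts `digest: sha256:<DIGEST_FROM_PUBLISHED_RELEASE>` in place of `newTag` (placeholder value; take the real digest from the registry).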
@@ -0,0 +1,6 @@
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: kubeflow-self-signing-issuer
spec:
selfSigned: {}
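Review bot: `apiVersion: cert-manager.io/v1alpha2` is the legacy API version, while this commit installs cert-manager v1.3.0, where `cert-manager.io/v1` is the stable version and the alpha versions are, to my knowledge, served only for backward compatibility. I would write the issuer as `apiVersion: cert-manager.io/v1`; the `selfSigned: {}` spec stays as it is. The `letsencrypt-prod` ClusterIssuer added later in this commit carries the same `v1alpha2` line. A one-line comment above `kind: ClusterIssuer` saying which components are expected to request certificates from this cluster-scoped self-signed issuer would also help anyone reviewing access to `Certificate` resources.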
@@ -0,0 +1,10 @@
# Define the self-signed issuer for Kubeflow
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager
commonLabels:
kustomize.component: cert-manager
app.kubernetes.io/component: cert-manager
app.kubernetes.io/name: cert-manager
resources:
- cluster-issuer.yaml
@@ -0,0 +1,11 @@
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: $(acmeEmail)
http01: {}
privateKeySecretRef:
name: letsencrypt-prod-secret
server: $(acmeUrl)
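Review bot: `http01: {}` sits directly under `spec.acme`, which is the layout from before `solvers` existed; as far as I know neither the `v1alpha2` nor the `v1` ACME issuer schema has that field, so under cert-manager v1.3.0 this issuer would likely be rejected or end up with no challenge solver. The equivalent today is a `solvers:` list with a single entry, `- http01: {ingress: {}}`. In addition, the params file added in this commit sets `acmeEmail=` to empty while `acmeUrl` defaults to the Let's Encrypt production directory, so the ACME account would be registered without a contact address unless the deployer fills it in; a comment in `params.env` saying the value is required would make that explicit.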
@@ -0,0 +1,35 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
bases:
- ../../base
namespace: cert-manager
resources:
- cluster-issuer.yaml
commonLabels:
kustomize.component: cert-manager
app.kubernetes.io/component: cert-manager
app.kubernetes.io/name: cert-manager
configMapGenerator:
- name: cert-manager-parameters
behavior: merge
envs:
- params.env
generatorOptions:
disableNameSuffixHash: true
vars:
- name: acmeEmail
objref:
kind: ConfigMap
name: cert-manager-parameters
apiVersion: v1
fieldref:
fieldpath: data.acmeEmail
- name: acmeUrl
objref:
kind: ConfigMap
name: cert-manager-parameters
apiVersion: v1
fieldref:
fieldpath: data.acmeUrl
configurations:
- params.yaml
@@ -0,0 +1,2 @@
acmeEmail=
acmeUrl=https://acme-v02.api.letsencrypt.org/directory
@@ -0,0 +1,5 @@
varReference:
- path: spec/acme/email
kind: ClusterIssuer
- path: spec/acme/server
kind: ClusterIssuer
@@ -0,0 +1,13 @@
# TODO(https://github.com/kubeflow/manifests/issues/1052) clean up
# the manifests after the refactor is done. We should move
# cluster-issuer into the kubeflow-issuer package.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
bases:
- ../../base
resources:
- ../../kubeflow-issuer
commonLabels:
kustomize.component: cert-manager
app.kubernetes.io/component: cert-manager
app.kubernetes.io/name: cert-manager
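--- a/kubeflow/common/cert-manager/kustomization.yaml
+++ b/kubeflow/common/cert-manager/kustomization.yaml
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./application # {"$kpt-set":"cert-manager-cert-manager-v3"}
-- ./upstream/cert-manager-crds/base
-- ./upstream/cert-manager-kube-system-resources/base # {"$kpt-set":"cert-manager-cert-manager-kube-system-resources-base"}
+# - ./application # {"$kpt-set":"cert-manager-cert-manager-v3"}
+# - ./upstream/cert-manager-crds/base
+# - ./upstream/cert-manager-kube-system-resources/base # {"$kpt-set":"cert-manager-cert-manager-kube-system-resources-base"}
+- ./cert-manager-1-3/cert-manager/base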