Merge pull request #20 from Azure/kubeflow-v1.7

bumped version to kubeflow 1.7

.gitignore

@@ -1,3 +1,4 @@
 test.json
 ./AKS-Construction
-./manifests
+./manifests
+auth.md

.gitmodules

@@ -4,4 +4,4 @@
 [submodule "manifests"]
 	path = manifests
 	url = https://github.com/kubeflow/manifests.git
-	branch = v1.6-branch
+	branch = v1.7-branch

tls-manifest/certificate.yaml → deployments/tls/certificate.yaml

@@ -10,7 +10,7 @@ spec:
   #dnsNames:
   #  - uniquednsname.eastus.cloudapp.azure.com
   ipAddresses:
-    - 20.237.5.253
+    - {{IP_ADDRESS}}}
   isCA: true
   # Issuer references are always required.
   issuerRef:

tls-manifest/manifests/common/dex/base/config-map.yaml → deployments/tls/dex-config-map.yaml

@@ -16,17 +16,14 @@ data:
       format: text
     oauth2:
       skipApprovalScreen: true
-    enablePasswordDB: true
+    enablePasswordDB: true  
     staticPasswords:
     - email: [email protected]
-      hash: 
-      # https://github.com/dexidp/dex/pull/1601/commits
-      # FIXME: Use hashFromEnv instead
-      username: user
+      hash: $2a$10$aEO3ZBW0K03zZUCuKB.uK.0HbsQ166Ckzktg39rKx5nS.CD8l1eGq
+      username: [email protected]
       userID: "15841185641784"
     staticClients:
-    # https://github.com/dexidp/dex/pull/1664
     - idEnv: OIDC_CLIENT_ID
-      redirectURIs: ["/login/oidc"]
+      redirectURIs: ["/authservice/oidc/callback"]
       name: 'Dex Login Application'
       secretEnv: OIDC_CLIENT_SECRET

deployments/tls/istio-webhook-aks-patch.yaml

@@ -0,0 +1,6 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: istio-sidecar-injector
+  annotations: 
+    admissions.enforcer/disabled: "true"  

deployments/tls/kustomization.yaml

@@ -0,0 +1,107 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+sortOptions:
+  order: legacy
+  legacySortOptions:
+    orderFirst:
+    - Namespace
+    - ResourceQuota
+    - StorageClass
+    - CustomResourceDefinition
+    - MutatingWebhookConfiguration
+    - ServiceAccount
+    - PodSecurityPolicy
+    - Role
+    - ClusterRole
+    - RoleBinding
+    - ClusterRoleBinding
+    - ConfigMap
+    - Secret
+    - Endpoints
+    - Service
+    - LimitRange
+    - PriorityClass
+    - PersistentVolume
+    - PersistentVolumeClaim
+    - Deployment
+    - StatefulSet
+    - CronJob
+    - PodDisruptionBudget
+    orderLast:
+    - ValidatingWebhookConfiguration
+
+resources:
+# Cert-Manager
+- ../../manifests/common/cert-manager/cert-manager/base
+- ../../manifests/common/cert-manager/kubeflow-issuer/base
+# Istio
+- ../../manifests/common/istio-1-16/istio-crds/base
+- ../../manifests/common/istio-1-16/istio-namespace/base
+- ../../manifests/common/istio-1-16/istio-install/base
+# OIDC Authservice
+- ../../manifests/common/oidc-authservice/base
+# Dex
+- ../../manifests/common/dex/overlays/istio
+# KNative
+- ../../manifests/common/knative/knative-serving/overlays/gateways
+- ../../manifests/common/knative/knative-eventing/base
+- ../../manifests/common/istio-1-16/cluster-local-gateway/base
+# Kubeflow namespace
+- ../../manifests/common/kubeflow-namespace/base
+# Kubeflow Roles
+- ../../manifests/common/kubeflow-roles/base
+# Kubeflow Istio Resources
+- ../../manifests/common/istio-1-16/kubeflow-istio-resources/base
+
+
+# Kubeflow Pipelines
+- ../../manifests/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user
+# Katib
+- ../../manifests/apps/katib/upstream/installs/katib-with-kubeflow
+# Central Dashboard
+- ../../manifests/apps/centraldashboard/upstream/overlays/kserve
+# Admission Webhook
+- ../../manifests/apps/admission-webhook/upstream/overlays/cert-manager
+# Jupyter Web App
+- ../../manifests/apps/jupyter/jupyter-web-app/upstream/overlays/istio
+# Notebook Controller
+- ../apps/jupyter/notebook-controller/upstream/overlays/kubeflow
+# Profiles + KFAM
+- ../../manifests/apps/profiles/upstream/overlays/kubeflow
+# Volumes Web App
+- ../../manifests/apps/volumes-web-app/upstream/overlays/istio
+# Tensorboards Controller
+- ../../manifests/apps/tensorboard/tensorboard-controller/upstream/overlays/kubeflow
+# Tensorboard Web App
+- ../../manifests/apps/tensorboard/tensorboards-web-app/upstream/overlays/istio
+# Training Operator
+- ../../manifests/apps/training-operator/upstream/overlays/kubeflow
+# User namespace
+- ../../manifests/common/user-namespace/base
+
+# KServe
+- ../../manifests/contrib/kserve/kserve
+- ../../manifests/contrib/kserve/models-web-app/overlays/kubeflow
+
+patches:
+- path: istio-webhook-aks-patch.yaml
+- path: kf-istio-resources.yaml
+- path: dex-config-map.yaml
+- patch: |-
+    - op: replace
+      path: "/spec/type"
+      value: LoadBalancer
+  target:
+    version: v1
+    kind: Service
+    name: istio-ingressgateway
+- patch: |-
+    - op: replace
+      path: "/apiVersion"
+      value: autoscaling/v2
+  target:
+    group: autoscaling
+    version: v2beta2
+    kind: HorizontalPodAutoscaler
+    name: '.*'

deployments/vanilla/istio-webhook-aks-patch.yaml

@@ -0,0 +1,6 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: istio-sidecar-injector
+  annotations: 
+    admissions.enforcer/disabled: "true"  

deployments/vanilla/kustomization.yaml

@@ -0,0 +1,99 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+sortOptions:
+  order: legacy
+  legacySortOptions:
+    orderFirst:
+    - Namespace
+    - ResourceQuota
+    - StorageClass
+    - CustomResourceDefinition
+    - MutatingWebhookConfiguration
+    - ServiceAccount
+    - PodSecurityPolicy
+    - Role
+    - ClusterRole
+    - RoleBinding
+    - ClusterRoleBinding
+    - ConfigMap
+    - Secret
+    - Endpoints
+    - Service
+    - LimitRange
+    - PriorityClass
+    - PersistentVolume
+    - PersistentVolumeClaim
+    - Deployment
+    - StatefulSet
+    - CronJob
+    - PodDisruptionBudget
+    orderLast:
+    - ValidatingWebhookConfiguration
+
+resources:
+# Cert-Manager
+- ../../manifests/common/cert-manager/cert-manager/base
+- ../../manifests/common/cert-manager/kubeflow-issuer/base
+# Istio
+- ../../manifests/common/istio-1-16/istio-crds/base
+- ../../manifests/common/istio-1-16/istio-namespace/base
+- ../../manifests/common/istio-1-16/istio-install/base
+# OIDC Authservice
+- ../../manifests/common/oidc-authservice/base
+# Dex
+- ../../manifests/common/dex/overlays/istio
+# KNative
+- ../../manifests/common/knative/knative-serving/overlays/gateways
+- ../../manifests/common/knative/knative-eventing/base
+- ../../manifests/common/istio-1-16/cluster-local-gateway/base
+# Kubeflow namespace
+- ../../manifests/common/kubeflow-namespace/base
+# Kubeflow Roles
+- ../../manifests/common/kubeflow-roles/base
+# Kubeflow Istio Resources
+- ../../manifests/common/istio-1-16/kubeflow-istio-resources/base
+
+
+# Kubeflow Pipelines
+- ../../manifests/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user
+# Katib
+- ../../manifests/apps/katib/upstream/installs/katib-with-kubeflow
+# Central Dashboard
+- ../../manifests/apps/centraldashboard/upstream/overlays/kserve
+# Admission Webhook
+- ../../manifests/apps/admission-webhook/upstream/overlays/cert-manager
+# Jupyter Web App
+- ../../manifests/apps/jupyter/jupyter-web-app/upstream/overlays/istio
+# Notebook Controller
+- ../apps/jupyter/notebook-controller/upstream/overlays/kubeflow
+# Profiles + KFAM
+- ../../manifests/apps/profiles/upstream/overlays/kubeflow
+# Volumes Web App
+- ../../manifests/apps/volumes-web-app/upstream/overlays/istio
+# Tensorboards Controller
+- ../../manifests/apps/tensorboard/tensorboard-controller/upstream/overlays/kubeflow
+# Tensorboard Web App
+- ../../manifests/apps/tensorboard/tensorboards-web-app/upstream/overlays/istio
+# Training Operator
+- ../../manifests/apps/training-operator/upstream/overlays/kubeflow
+# User namespace
+- ../../manifests/common/user-namespace/base
+
+# KServe
+- ../../manifests/contrib/kserve/kserve
+- ../../manifests/contrib/kserve/models-web-app/overlays/kubeflow
+
+patches:
+- path: istio-webhook-aks-patch.yaml
+
+patchesJson6902:
+  - target:
+      group: autoscaling
+      version: v2beta2
+      kind: 'HorizontalPodAutoscaler'
+      name: '.*'
+    patch: |-
+      - op: replace
+        path: "/apiVersion"
+        value: autoscaling/v2

docs-site/content/en/docs/Deployment Options/custom-password-tls/index.md

@@ -96,11 +96,11 @@ Please note that a self-signed certificate is used for demonstration purposes. D
 
 1. The first step is to generate a new Hash/Password combination using bycrypt. There are many ways of doing this, eg by generating it [using python](https://github.com/kubeflow/manifests/blob/master/README.md#change-default-user-password). For simplicity we will be using coderstool's [Bycrypt Hash Generator](https://www.coderstool.com/bcrypt-hash-generator) for testing purposes. Do not do this for production workloads. In the plain text field, enter a password for your first user, then click on the "Generate Hash" button. You can generate multiple if you have multiple users.
     ![Generate password](./images/brypt-password-generation.png)
-1. Head to the tls-manifest/manifests/common/dex/base/config-map.yaml file and update the hash value there (around line 22) with the hash you just generated. You can also change the email address, username and userid. In addition, you can setup multiple users by adding more users to the array. Please update the default email address in the params file located at manifests\common\user-namespace\base\params.env file if changed from default.
+1. Head to the deployments/tls/dex-config-map.yaml file and update the hash value there (around line 22) with the hash you just generated. You can also change the email address, username and userid. In addition, you can setup multiple users by adding more users to the array. Please update the default email address in the params file located at manifests\common\user-namespace\base\params.env file if changed from default.
 1. Update your auth.md file with the new email address and password (plain text password not hash) or store the secrets in a more secure way
 1. Copy the contents of this newly updated manifests folder to the kubeflow manifests folder. This will update the files so the deployment includes your config changes.
     ```bash
-    cp -r tls-manifest/manifests .
+    cp -a deployments/tls manifests/tls
     ```
 1. cd to the manifests folder and install kubeflow
     ```bash
@@ -109,7 +109,7 @@ Please note that a self-signed certificate is used for demonstration purposes. D
     Install all of the components via a single command
 
     ```bash
-    while ! kustomize build example | kubectl apply -f -; do echo "Retrying to apply resources"; sleep 10; done
+    while ! kustomize build tls | kubectl apply -f -; do echo "Retrying to apply resources"; sleep 10; done
     ```  
 1. Once the command has completed, check the pods are ready
 
@@ -129,16 +129,10 @@ Please note that a self-signed certificate is used for demonstration purposes. D
     ```
 1. Configure TLS. Start by getting IP address of istio gateway
     ```bash
-    IP=$(kubectl -n istio-system get service istio-ingressgateway --output jsonpath={.status.loadBalancer.ingress[0].ip})
+    kubectl -n istio-system get service istio-ingressgateway --output jsonpath={.status.loadBalancer.ingress[0].ip}
     ```
-    Replace the IP address in the tls-manifest/certificate.yaml file with the IP address of the istio gateway using the sed command below 
-    {{< alert color="warning" >}}⚠️ Warning: If you are using a mac you will need to change the command to `sed -i '' "s/192.168.0.5/$IP/" tls-manifest/certificate.yaml `.{{< /alert >}} 
-    {{< alert color="primary" >}}💡Note: If these sed commands don't work for any reason or if you don't have sed installed, you will need to update these files manually by replacing the placeholders in the files mentioned below.{{< /alert >}} 
-    ```bash
-    cd ..
-    sed -i  "s/192.168.0.5/$IP/" tls-manifest/certificate.yaml 
-    ```
-1. Please note that instead of providing the IP address like we did above, you could give the LoadBalancer an Azure sub-domain (via the annotation in tls-manifest/manifests/common/istio-1-14/istio-install/base/patches/service.yaml ) and use that too. Deploy the certificate manifest file.
+    Replace the IP address in the deployments/tls/certificate.yaml file (line 13) with the IP address of the istio gateway and save the file.
+1. Please note that instead of providing the IP address like we did above, you could give the LoadBalancer an Azure sub-domain (via the annotation in manifests/common/istio-1-16/istio-install/base/patches/service.yaml ) and use that too. Deploy the certificate manifest file.
     ```bash
     kubectl apply -f  tls-manifest/certificate.yaml 
     ```

docs-site/content/en/docs/Deployment Options/vanilla-installation/index.md

@@ -98,17 +98,20 @@ Next install kustomize using the [installation instructions](https://kubectl.doc
 
 This deployment option is for testing only. To deploy with TLS, and change default password, please click here: [Deploy kubeflow with TLS](./Deploy-with-tls.md).
 
-From the root of the repo, `cd` into kubeflow's  `manifests` directory and make sure you are in the `v1.6-branch`.
+From the root of the repo, `cd` into kubeflow's  `manifests` directory and make sure you are in the `v1.7-branch`.
 
 ```bash
 cd manifests/
-git checkout v1.6-branch
+git checkout v1.7-branch
+cd ..
 ```
 
 Install all of the components via a single command
 
 ```bash
-while ! kustomize build example | kubectl apply -f -; do echo "Retrying to apply resources"; sleep 10; done
+cp -a deployments/vanilla manifests/vanilla
+cd manifests/  
+while ! kustomize build vanilla | kubectl apply -f -; do echo "Retrying to apply resources"; sleep 10; done
 ```
 
 Once the command has completed, check the pods are ready