Update kubeflow/kfp-tekton manifests from v2.0.0

README.md

@@ -57,7 +57,7 @@ This repo periodically syncs all official Kubeflow components from their respect
 | KServe | contrib/kserve/kserve | [v0.10.0](https://github.com/kserve/kserve/tree/v0.10.0/install/v0.10.0) |
 | KServe Models Web App | contrib/kserve/models-web-app | [v0.10.0](https://github.com/kserve/models-web-app/tree/v0.10.0/config) |
 | Kubeflow Pipelines | apps/pipeline/upstream | [2.0.0-alpha.7](https://github.com/kubeflow/pipelines/tree/2.0.0-alpha.7/manifests/kustomize) |
-| Kubeflow Tekton Pipelines | apps/kfp-tekton/upstream | [v1.5.1](https://github.com/kubeflow/kfp-tekton/tree/v1.5.1/manifests/kustomize) |
+| Kubeflow Tekton Pipelines | apps/kfp-tekton/upstream | [v2.0.0](https://github.com/kubeflow/kfp-tekton/tree/v2.0.0/manifests/kustomize) |
 
 The following is also a matrix with versions from common components that are
 used from the different projects of Kubeflow:

apps/kfp-tekton/upstream/Makefile

@@ -1,6 +1,6 @@
 # This makefile is a quick test to verify all manifests can be hydrated.
 
-test: aws azure dev gcp platform-agnostic platform-agnostic-multi-user plain plain-multi-user
+test: aws azure dev gcp platform-agnostic platform-agnostic-multi-user
 
 aws: FORCE
 	kubectl kustomize env/aws
@@ -20,10 +20,4 @@ platform-agnostic: FORCE
 platform-agnostic-multi-user: FORCE
 	kustomize build --load-restrictor LoadRestrictionsNone env/platform-agnostic-multi-user
 
-plain: FORCE
-	kubectl kustomize env/plain
-
-plain-multi-user: FORCE
-	kustomize build --load-restrictor LoadRestrictionsNone env/plain-multi-user
-
 FORCE: ;

apps/kfp-tekton/upstream/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+ - Tomcli
+ - yhwang
+reviewers:
+ - Tomcli
+ - yhwang

apps/kfp-tekton/upstream/README.md

@@ -1,6 +1,6 @@
-# Install Kubeflow Pipelines Tekton Standalone using Kustomize Manifests
+# Install Kubeflow Pipelines Standalone using Kustomize Manifests
 
-This folder contains [Kubeflow Pipelines Standalone](https://www.kubeflow.org/docs/components/pipelines/installation/standalone-deployment/)
+This folder contains [Kubeflow Pipelines Standalone](https://www.kubeflow.org/docs/components/pipelines/installation/standalone-deployment/) 
 Kustomize manifests.
 
 Kubeflow Pipelines Standalone is one option to install Kubeflow Pipelines. You can review all other options in
@@ -14,8 +14,6 @@ There are environment specific installation instructions not covered in the offi
 
 ### (env/platform-agnostic) install on any Kubernetes cluster
 
-Note: `kubectl` client version `v1.20.0`+ to support the new kustomize plugins.
-
 Install:
 
 ```bash
@@ -29,18 +27,18 @@ kubectl port-forward -n kubeflow svc/ml-pipeline-ui 8080:80
 
 Now you can access Kubeflow Pipelines UI in your browser by <http://localhost:8080>.
 
-You can install them by changing `KFP_ENV` in above instructions to the variation you want.
+Customize:
 
-Data:
+There are two variations for platform-agnostic that uses different [argo workflow executors](https://argoproj.github.io/argo-workflows/workflow-executors/):
 
-Application data are persisted in in-cluster PersistentVolumeClaim storage.
+* env/platform-agnostic-emissary
+* env/platform-agnostic-pns
 
-### (env/ibm) install on IBM Cloud with in-cluster PersistentVolumeClaim storage
+You can install them by changing `KFP_ENV` in above instructions to the variation you want.
 
-IBM Cloud uses the NFS storage with UID support to make sure all pods can run as non-root users.
+Data:
 
-Please follow the [IKS group ID storage setup](https://www.kubeflow.org/docs/ibm/deploy/install-kubeflow-on-iks/#ibm-cloud-group-id-storage-setup)
-before running the above standalone install commands.
+Application data are persisted in in-cluster PersistentVolumeClaim storage.
 
 ### (env/gcp) install on Google Cloud with Cloud Storage and Cloud SQL
 
@@ -64,7 +62,7 @@ reinstall a newer version can reuse the data.
 ```bash
 ### 1. namespace scoped
 # Depends on how you installed it:
-kubectl kustomize env/platform-agnostic/ | kubectl delete -f -
+kubectl kustomize env/platform-agnostic | kubectl delete -f -
 # or
 kubectl kustomize env/dev | kubectl delete -f -
 # or

apps/kfp-tekton/upstream/base/application/kustomization.yaml

@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - application.yaml
-

apps/kfp-tekton/upstream/base/cache-deployer/cluster-scoped/cache-deployer-clusterrole.yaml

@@ -32,4 +32,4 @@ rules:
   resourceNames:
   - kubernetes.io/*
   verbs:
-  - approve
+  - approve  

apps/kfp-tekton/upstream/base/cache-deployer/kustomization.yaml

@@ -1,7 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-bases:
-  - cluster-scoped
 resources:
   - cache-deployer-role.yaml
   - cache-deployer-rolebinding.yaml
@@ -10,4 +8,4 @@ commonLabels:
   app: cache-deployer
 images:
   - name: gcr.io/ml-pipeline/cache-deployer
-    newTag: 1.8.4
+    newTag: 2.0.0

apps/kfp-tekton/upstream/base/cache/cache-deployment.yaml

@@ -18,6 +18,16 @@ spec:
       - name: server
         image: gcr.io/ml-pipeline/cache-server:dummy
         env:
+          - name: DEFAULT_CACHE_STALENESS
+            valueFrom:
+              configMapKeyRef:
+                name: pipeline-install-config
+                key: DEFAULT_CACHE_STALENESS
+          - name: MAXIMUM_CACHE_STALENESS
+            valueFrom:
+              configMapKeyRef:
+                name: pipeline-install-config
+                key:  MAXIMUM_CACHE_STALENESS
           - name: CACHE_IMAGE
             valueFrom:
               configMapKeyRef:
@@ -59,13 +69,18 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          # If you update WEBHOOK_PORT, also change the value of the
+          # containerPort "webhook-api" to match.
+          - name: WEBHOOK_PORT
+            value: "8443"
         args: ["--db_driver=$(DBCONFIG_DRIVER)",
                "--db_host=$(DBCONFIG_HOST_NAME)",
                "--db_port=$(DBCONFIG_PORT)",
                "--db_name=$(DBCONFIG_DB_NAME)",
                "--db_user=$(DBCONFIG_USER)",
                "--db_password=$(DBCONFIG_PASSWORD)",
                "--namespace_to_watch=$(NAMESPACE_TO_WATCH)",
+               "--listen_port=$(WEBHOOK_PORT)",
               ]
         imagePullPolicy: Always
         ports:

apps/kfp-tekton/upstream/base/cache/cache-role.yaml

@@ -31,14 +31,3 @@ rules:
   - watch
   - update
   - patch
-- apiGroups:
-  - tekton.dev
-  resources:
-  - taskruns
-  - taskruns/status
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch

apps/kfp-tekton/upstream/base/cache/kustomization.yaml

@@ -10,5 +10,4 @@ commonLabels:
   app: cache-server
 images:
   - name: gcr.io/ml-pipeline/cache-server
-    newName: docker.io/aipipeline/cache-server
-    newTag: 1.5.1
+    newTag: 2.0.0

apps/kfp-tekton/upstream/base/installs/generic/kustomization.yaml

@@ -3,15 +3,11 @@ kind: Kustomization
 namespace: kubeflow
 bases:
 - ../../pipeline
-- ../../cache
-- ../../cache-deployer
-
+# - ../../cache
+# - ../../cache-deployer
 resources:
-  - pipeline-install-config.yaml
-  - mysql-secret.yaml
-
-
-# Used by Kustomize
+- pipeline-install-config.yaml
+- mysql-secret.yaml
 vars:
 - name: kfp-namespace
   objref:

apps/kfp-tekton/upstream/base/installs/generic/pipeline-install-config.yaml

@@ -11,19 +11,17 @@ data:
     until the changes take effect. A quick way to restart all deployments in a
     namespace: `kubectl rollout restart deployment -n <your-namespace>`.
   appName: pipeline
-  appVersion: 1.8.4
+  appVersion: 2.0.0
   dbHost: mysql
   dbPort: "3306"
   mlmdDb: metadb
   cacheDb: cachedb
   pipelineDb: mlpipeline
-  objectStoreHost: minio-service
-  objectStorePort: "9000"
   bucketName: mlpipeline
   ## defaultPipelineRoot: Optional. Default pipeline root in v2 compatible mode.
   ## https://www.kubeflow.org/docs/components/pipelines/sdk/v2/v2-compatibility/
   ##
-  ## If the field is not set, kfp-launcher configmaps won't be created and
+  ## If the field is not set, kfp-launcher configmaps won't be created and 
   ## v2 compatible mode defaults to minio://mlpipeline/v2/artifacts as pipeline
   ## root.
   ##
@@ -60,16 +58,31 @@ data:
   ## [Alpha](https://github.com/kubeflow/pipelines/blob/master/docs/release/feature-stages.md#alpha)
   cronScheduleTimezone: "UTC"
   ## cacheImage is the image that the mutating webhook will use to patch
-  ## cached steps with. Will be used to echo a message announcing that
-  ## the cached step result will be used. If not set it will default to
-  ## 'registry.access.redhat.com/ubi8/ubi-minimal'
-  cacheImage: "registry.access.redhat.com/ubi8/ubi-minimal"
+  ## cached steps with. Will be used to echo a message announcing that 
+  ## the cached step result will be used. If not set it will default to 
+  ## 'gcr.io/google-containers/busybox'
+  cacheImage: "gcr.io/google-containers/busybox"
   ## cacheNodeRestrictions the dummy container runing if output is cached
   ## will run with the same affinity and node selector as the default pipeline
-  ## step. This is defaulted to 'false' to allow the pod to be scheduled on
+  ## step. This is defaulted to 'false' to allow the pod to be scheduled on 
   ## any node and avoid defaulting to specific nodes. Allowed values are:
   ## 'false' and 'true'.
   cacheNodeRestrictions: "false"
+  ## MAXIMUM_CACHE_STALENESS configures caching according to
+  ## https://www.kubeflow.org/docs/components/pipelines/overview/caching/ and
+  ## https://www.kubeflow.org/docs/components/pipelines/overview/caching-v2/.
+  ## Larger than MAXIMUM_CACHE_STALENESS per pipeline user set values are 
+  ## reduced to MAXIMUM_CACHE_STALENESS.
+  ## The administrator of the storage backend can rely on it to delete old cache
+  ## artifacts.
+  MAXIMUM_CACHE_STALENESS: ""
+  ## MAXIMUM_CACHE_STALENESS: "P30D"
+  ## DEFAULT_CACHE_STALENESS configures caching according to
+  ## https://www.kubeflow.org/docs/components/pipelines/overview/caching/ and
+  ## https://www.kubeflow.org/docs/components/pipelines/overview/caching-v2/.
+  ## This value is used if the user did not set a value in the pipeline.
+  DEFAULT_CACHE_STALENESS: ""
+  ## DEFAULT_CACHE_STALENESS: "P7D"
   ## ConMaxLifeTime will set the connection max lifetime for MySQL
   ## this is very important to setup when using external databases.
   ## See this issue for more details: https://github.com/kubeflow/pipelines/issues/5329

apps/kfp-tekton/upstream/base/installs/multi-user/api-service/cluster-role.yaml

@@ -54,6 +54,7 @@ rules:
   - taskruns
   - conditions
   - runs
+  - customruns
   - tasks
   verbs:
   - create

apps/kfp-tekton/upstream/base/installs/multi-user/api-service/kustomization.yaml

@@ -5,5 +5,5 @@ resources:
 - cluster-role.yaml
 configMapGenerator:
 - name: pipeline-api-server-config
-  envs:
+  envs: 
   - params.env

apps/kfp-tekton/upstream/base/installs/multi-user/cache/cluster-role.yaml

@@ -29,14 +29,3 @@ rules:
   - watch
   - update
   - patch
-- apiGroups:
-  - tekton.dev
-  resources:
-  - taskruns
-  - taskruns/status
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch

apps/kfp-tekton/upstream/base/installs/multi-user/kustomization.yaml

@@ -5,6 +5,7 @@ commonLabels:
   app.kubernetes.io/name: kubeflow-pipelines
   app.kubernetes.io/component: ml-pipeline
 resources:
+- ../../pipeline/cluster-scoped
 - ../generic
 - view-edit-cluster-roles.yaml
 - api-service
@@ -13,8 +14,6 @@ resources:
 - scheduled-workflow
 - viewer-controller
 - persistence-agent
-- cache
-- metadata-writer
 - istio-authorization-config.yaml
 - virtual-service.yaml
 patchesStrategicMerge:
@@ -24,8 +23,6 @@ patchesStrategicMerge:
 - scheduled-workflow/deployment-patch.yaml
 - viewer-controller/deployment-patch.yaml
 - persistence-agent/deployment-patch.yaml
-- metadata-writer/deployment-patch.yaml
-- cache/deployment-patch.yaml
 
 configurations:
 - params.yaml

apps/kfp-tekton/upstream/base/installs/multi-user/metadata-writer/cluster-role.yaml

@@ -29,17 +29,3 @@ rules:
   - watch
   - update
   - patch
-- apiGroups:
-  - tekton.dev
-  resources:
-  - pipelineruns
-  - taskruns
-  - conditions
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete

apps/kfp-tekton/upstream/base/installs/multi-user/persistence-agent/cluster-role.yaml

@@ -19,17 +19,26 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ''
+  resources:
+  - namespaces
+  verbs:
+  - get
 - apiGroups:
   - tekton.dev
   resources:
   - pipelineruns
   - taskruns
   - conditions
+  - runs
+  - customruns
+  - tasks
   verbs:
   - create
   - get
   - list
   - watch
   - update
   - patch
-  - delete
+  - delete

apps/kfp-tekton/upstream/base/installs/multi-user/persistence-agent/deployment-patch.yaml

@@ -7,7 +7,14 @@ spec:
     spec:
       containers:
       - name: ml-pipeline-persistenceagent
+        envFrom:
+        - configMapRef:
+            name: persistenceagent-config
         env:
         - name: NAMESPACE
           value: ''
           valueFrom: null
+        - name: KUBEFLOW_USERID_HEADER
+          value: kubeflow-userid
+        - name: KUBEFLOW_USERID_PREFIX
+          value: ""

apps/kfp-tekton/upstream/base/installs/multi-user/persistence-agent/kustomization.yaml

@@ -3,3 +3,7 @@ kind: Kustomization
 resources:
 - cluster-role.yaml
 - cluster-role-binding.yaml
+configMapGenerator:
+- name: persistenceagent-config
+  envs:
+  - params.env

apps/kfp-tekton/upstream/base/installs/multi-user/persistence-agent/params.env

@@ -0,0 +1 @@
+MULTIUSER=true

apps/kfp-tekton/upstream/base/installs/multi-user/pipelines-profile-controller/composite-controller.yaml

@@ -1,4 +1,4 @@
-# Change resyncPeriodSeconds to 1 hour from insane 20 seconds
+# Change resyncPeriodSeconds to 1 hour from insane 20 seconds  
 # Only  sync namespaces with pipelines.kubeflow.org/enabled = "true"
 apiVersion: metacontroller.k8s.io/v1alpha1
 kind: CompositeController

apps/kfp-tekton/upstream/base/installs/multi-user/pipelines-profile-controller/sync.py

@@ -360,8 +360,8 @@ def sync(self, parent, children):
                     }
                 },
             ]
-            print('Received request:\n', json.dumps(parent, indent=2, sort_keys=True))
-            print('Desired resources except secrets:\n', json.dumps(desired_resources, indent=2, sort_keys=True))
+            print('Received request:\n', json.dumps(parent, sort_keys=True))
+            print('Desired resources except secrets:\n', json.dumps(desired_resources, sort_keys=True))
             # Moved after the print argument because this is sensitive data.
             desired_resources.append({
                 "apiVersion": "v1",