Merge pull request #47 from gmfrasca/remove-dbs3-creds

chore(manifests): Remove configuration objects from manifests
red-hat-data-services · Oct 11, 2022 · 847b570 · 847b570
2 parents 06b4f35 + dc82a8d
commit 847b570
Show file tree

Hide file tree

Showing 14 changed files with 131 additions and 23 deletions.
diff --git a/init/ds-pipeline-config-templates.yaml b/init/ds-pipeline-config-templates.yaml
@@ -0,0 +1,104 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: ds-pipelines-db-template
+objects:
+  - apiVersion: v1
+    data:
+      apply_tekton_custom_resource: "true"
+      archive_logs: "false"
+      artifact_bucket: ${S3_BUCKET}
+      artifact_endpoint: ${S3_ENDPOINT}
+      artifact_endpoint_scheme: http://
+      artifact_image: quay.io/opendatahub/ml-pipelines-artifact-manager:latest
+      artifact_script: |-
+        #!/usr/bin/env sh
+        push_artifact() {
+            if [ -f "$2" ]; then
+                tar -cvzf $1.tgz $2
+                aws s3 --endpoint ${ARTIFACT_ENDPOINT_SCHEME}${ARTIFACT_ENDPOINT} cp $1.tgz s3://$ARTIFACT_BUCKET/artifacts/$PIPELINERUN/$PIPELINETASK/$1.tgz
+            else
+                echo "$2 file does not exist. Skip artifact tracking for $1"
+            fi
+        }
+        push_log() {
+            cat /var/log/containers/$PODNAME*$NAMESPACE*step-main*.log > step-main.log
+            push_artifact main-log step-main.log
+        }
+        strip_eof() {
+            if [ -f "$2" ]; then
+                awk 'NF' $2 | head -c -1 > $1_temp_save && cp $1_temp_save $2
+            fi
+        }
+      inject_default_script: "true"
+      strip_eof: "true"
+      terminate_status: Cancelled
+      track_artifacts: "true"
+    kind: ConfigMap
+    metadata:
+      labels:
+        application-crd-id: data-science-pipelines
+      name: ds-pipeline-config
+  - apiVersion: v1
+    data:
+      ConMaxLifeTimeSec: "120"
+      appName: pipeline
+      appVersion: 1.7.0
+      autoUpdatePipelineDefaultVersion: "true"
+      bucketName: ${S3_BUCKET}
+      cacheDb: ${DB_DATABASE}
+      cacheImage: registry.access.redhat.com/ubi8/ubi-minimal
+      cacheNodeRestrictions: "false"
+      cronScheduleTimezone: UTC
+      dbHost: ${DB_HOST}
+      dbPort: "${DB_PORT}"
+      defaultPipelineRoot: ""
+      mlmdDb: ${DB_DATABASE}
+      pipelineDb: ${DB_DATABASE}
+      warning: |
+        1. Do not use kubectl to edit this configmap, because some values are used
+        during kustomize build. Instead, change the configmap and apply the entire
+        kustomize manifests again.
+        2. After updating the configmap, some deployments may need to be restarted
+        until the changes take effect. A quick way to restart all deployments in a
+        namespace: `kubectl rollout restart deployment -n <your-namespace>`.
+    kind: ConfigMap
+    metadata:
+      labels:
+        application-crd-id: data-science-pipelines
+      name: pipeline-install-config
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: mysql-secret
+    stringData:
+      username: ${DB_USERNAME}
+      password: ${DB_PASSWORD}
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: mlpipeline-minio-artifact
+      labels:
+        application-crd-id: data-science-pipelines
+    stringData:
+      accesskey: ${S3_ACCESS_KEY}
+      secretkey: ${S3_SECRET_KEY}
+parameters:
+  - name: S3_ENDPOINT
+    value: "minio-service:9000"
+  - name: S3_ACCESS_KEY
+    value: minio
+  - name: S3_SECRET_KEY
+    value: minio123
+  - name: S3_BUCKET
+    value: mlpipeline
+  - name: DB_HOST
+    value: mysql
+  - name: DB_PORT
+    value: "3306"
+  - name: DB_USERNAME
+    value: mlpipeline
+  - name: DB_PASSWORD
+    value: mlpipeline
+  - name: DB_DATABASE
+    value: mlpipeline
diff --git a/init/setup-ds-pipeline-configs.sh b/init/setup-ds-pipeline-configs.sh
@@ -0,0 +1,14 @@
+app_namespace=${1:-odh-applications}
+
+config_params=""
+# Check defaultable envvars to print info message
+defaultable_envvars="S3_ENDPOINT S3_ACCESS_KEY S3_SECRET_KEY DB_HOST DB_PORT DB_USERNAME DB_PASSWORD DB_DATABASE S3_BUCKET"
+for envvar in $defaultable_envvars; do
+    if [[ -z "${!envvar}" ]]; then
+        echo "Environment Variable '${envvar}' not set, using default value."
+    else
+        config_params="${config_params} -p ${envvar}=${!envvar}"
+    fi
+done
+
+oc process -f ../manifests/ds-pipelines-config-templates.yaml ${config_params} | oc apply  -n ${app_namespace} -f -
diff --git a/...ds-pipeline-persistenceagent-binding.yaml → ...-persistenceagent-clusterrolebinding.yaml b/...ds-pipeline-persistenceagent-binding.yaml → ...-persistenceagent-clusterrolebinding.yaml
@@ -1,13 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   labels:
     application-crd-id: data-science-pipelines
-  name: ds-pipeline-persistenceagent-binding
+  name: ds-pipeline-persistenceagent-clusterrolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ds-pipeline-persistenceagent-role
+  kind: ClusterRole
+  name: ds-pipeline-persistenceagent-clusterrole
 subjects:
   - kind: ServiceAccount
     name: ds-pipeline-persistenceagent
diff --git a/...es/ds-pipeline-persistenceagent-role.yaml → ...ipeline-persistenceagent-clusterrole.yaml b/...es/ds-pipeline-persistenceagent-role.yaml → ...ipeline-persistenceagent-clusterrole.yaml
@@ -1,9 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
   labels:
     application-crd-id: data-science-pipelines
-  name: ds-pipeline-persistenceagent-role
+  name: ds-pipeline-persistenceagent-clusterrole
 rules:
   - apiGroups:
       - argoproj.io

diff --git a/manifests/opendatahub/base/deployments/ds-pipeline-persistenceagent.yaml b/manifests/opendatahub/base/deployments/ds-pipeline-persistenceagent.yaml
@@ -30,7 +30,6 @@ spec:
           command:
             - persistence_agent
             - "--logtostderr=true"
-            - "--namespace=$(namespace)"
             - "--ttlSecondsAfterWorkflowFinish=86400"
             - "--numWorker=2"
             - "--mlPipelineAPIServerName=ds-pipeline"

diff --git a/manifests/opendatahub/base/kustomization.yaml b/manifests/opendatahub/base/kustomization.yaml
@@ -3,10 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  # Configmaps
-  - ./configmaps/ds-pipeline-config.yaml
-  - ./configmaps/pipeline-install-config.yaml
-
   # CustomResourceDefinitions
   - ./customresourcedefinitions/viewers.yaml
   - ./customresourcedefinitions/scheduledworkflows.yaml
@@ -19,19 +15,23 @@ resources:
   - ./deployments/ds-pipeline.yaml
 
   # Rolebindings
-  - ./rolebindings/ds-pipeline-persistenceagent-binding.yaml
   - ./rolebindings/ds-pipeline-scheduledworkflow-binding.yaml
   - ./rolebindings/ds-pipeline-viewer-crd-binding.yaml
   - ./rolebindings/ds-pipeline.yaml
   - ./rolebindings/pipeline-runner-binding.yaml
 
   # Roles
-  - ./roles/ds-pipeline-persistenceagent-role.yaml
   - ./roles/ds-pipeline-scheduledworkflow-role.yaml
   - ./roles/ds-pipeline-viewer-controller-role.yaml
   - ./roles/ds-pipeline.yaml
   - ./roles/pipeline-runner.yaml
 
+  # ClusterRoleBindings
+  - ./clusterrolebindings/ds-pipeline-persistenceagent-clusterrolebinding.yaml
+
+  # ClusterRoles
+  - ./clusterroles/ds-pipeline-persistenceagent-clusterrole.yaml
+
   # ServiceAccounts
   - ./serviceaccounts/ds-pipeline-container-builder.yaml
   - ./serviceaccounts/ds-pipeline-persistenceagent.yaml
@@ -92,6 +92,7 @@ vars:
       apiVersion: v1
     fieldref:
       fieldpath: data.ds_pipelines_ui_configuration
+
 configurations:
   - params.yaml
 

diff --git a/...b/base/configmaps/ds-pipeline-config.yaml → ...onfigs/configmaps/ds-pipeline-config.yaml b/...b/base/configmaps/ds-pipeline-config.yaml → ...onfigs/configmaps/ds-pipeline-config.yaml
diff --git a/...e/configmaps/pipeline-install-config.yaml → ...s/configmaps/pipeline-install-config.yaml b/...e/configmaps/pipeline-install-config.yaml → ...s/configmaps/pipeline-install-config.yaml
diff --git a/...io/secrets/mlpipeline-minio-artifact.yaml → ...gs/secrets/mlpipeline-minio-artifact.yaml b/...io/secrets/mlpipeline-minio-artifact.yaml → ...gs/secrets/mlpipeline-minio-artifact.yaml
diff --git a/...a-store-mariadb/secrets/mysql-secret.yaml → ...default-configs/secrets/mysql-secret.yaml b/...a-store-mariadb/secrets/mysql-secret.yaml → ...default-configs/secrets/mysql-secret.yaml
diff --git a/manifests/opendatahub/overlays/metadata-store-mariadb/kustomization.yaml b/manifests/opendatahub/overlays/metadata-store-mariadb/kustomization.yaml
@@ -9,9 +9,6 @@ resources:
   # ServiceAccounts
   - ./serviceaccounts/mysql.yaml
 
-  # Secrets
-  - ./secrets/mysql-secret.yaml
-
   # PersistentVolumeClaims
   - ./persistentvolumeclaims/mariadb-pv-claim.yaml
 

diff --git a/manifests/opendatahub/overlays/metadata-store-mysql/kustomization.yaml b/manifests/opendatahub/overlays/metadata-store-mysql/kustomization.yaml
@@ -9,9 +9,6 @@ resources:
   # ServiceAccounts
   - ./serviceaccounts/mysql.yaml
 
-  # Secrets
-  - ./secrets/mysql-secret.yaml
-
   # PersistentVolumeClaims
   - ./persistentvolumeclaims/mysql-pv-claim.yaml
 

diff --git a/manifests/opendatahub/overlays/metadata-store-postgresql/kustomization.yaml b/manifests/opendatahub/overlays/metadata-store-postgresql/kustomization.yaml
@@ -9,9 +9,6 @@ resources:
   # ServiceAccounts
   - ./serviceaccounts/postgresql.yaml
 
-  # Secrets
-  - ./secrets/postgresql-secret.yaml
-
   # PersistentVolumeClaims
   - ./persistentvolumeclaims/postgresql-pv-claim.yaml
 

diff --git a/manifests/opendatahub/overlays/object-store-minio/kustomization.yaml b/manifests/opendatahub/overlays/object-store-minio/kustomization.yaml
@@ -6,7 +6,6 @@ bases:
   - ../../base
 
 resources:
-  - ./secrets/mlpipeline-minio-artifact.yaml
   - ./deployments/minio.yaml
   - ./persistentvolumeclaims/minio-pvc.yaml
   - ./services/minio-service.yaml