From 2a536c32f8c8fc07b7debf2757c2ffed36e5df05 Mon Sep 17 00:00:00 2001 From: Suraj Kota Date: Fri, 5 Aug 2022 20:13:54 -0700 Subject: [PATCH] Cherry pick few more bug fixes to 1.5.1-1.0.1 (#316) * Set s3 endpoint in workflow-controller-configmap from pipeline-install-config (#291) * Added support for non-root EFS files ownership (#268) * Updated documentation about EFS permissions * Added gid & uid to auto efs script * Updated EFS CSI driver to v1.4.0 * feat/267 Updated documentation about EFS & added default value for uid & gid * Update kserve.md (#304) * update: Adding a missing preposition in cognito guide (#307) The preposition "to" was missing in cognito guide * add cdk support for private subnets detection (#295) Co-authored-by: rrrkharse <91350438+rrrkharse@users.noreply.github.com> Co-authored-by: Alexandre Brown <26939775+AlexandreBrown@users.noreply.github.com> Co-authored-by: Gitesh Shinde Co-authored-by: Jobin <76947418+kjvjobin@users.noreply.github.com> Co-authored-by: Theofilos Papapanagiotou --- awsconfigs/apps/pipeline/s3/config | 2 +- .../apps/pipeline/s3/kustomization.yaml | 8 +++++++ .../storage/efs/dynamic-provisioning/sc.yaml | 2 ++ tests/e2e/utils/auto-efs-setup.py | 24 +++++++++++++++++-- tests/e2e/utils/rds-s3/auto-rds-s3-setup.py | 5 ++++ .../en/docs/component-guides/kserve.md | 2 +- .../deployment/add-ons/storage/efs/guide.md | 7 ++++++ .../en/docs/deployment/cognito/guide.md | 4 ++-- 8 files changed, 48 insertions(+), 6 deletions(-) diff --git a/awsconfigs/apps/pipeline/s3/config b/awsconfigs/apps/pipeline/s3/config index ebf05538dc..80fb460a4b 100644 --- a/awsconfigs/apps/pipeline/s3/config +++ b/awsconfigs/apps/pipeline/s3/config @@ -4,7 +4,7 @@ artifactRepository: s3: { bucket: $(kfp-artifact-bucket-name), keyPrefix: artifacts, - endpoint: s3.amazonaws.com, + endpoint: $(kfp-artifact-storage-endpoint), insecure: true, accessKeySecret: { name: mlpipeline-minio-artifact, 
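Review bot: The endpoint now comes from `$(kfp-artifact-storage-endpoint)`, but the `insecure: true` on the following line is kept, and in Argo's S3 artifact settings that flag means, as far as I know, that the client connects without TLS. With the host no longer pinned to `s3.amazonaws.com`, artifact traffic would travel in clear text to whatever host the ConfigMap names. If the target is always an AWS S3 endpoint, I would change the line to `insecure: false`; if plain HTTP is needed for some target, a comment saying why would help. The rest of the `s3` block lies outside the hunk, so this rests on the visible lines only.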
diff --git a/awsconfigs/apps/pipeline/s3/kustomization.yaml b/awsconfigs/apps/pipeline/s3/kustomization.yaml index 0e7f1cc0a7..ce99e7ae64 100644 --- a/awsconfigs/apps/pipeline/s3/kustomization.yaml +++ b/awsconfigs/apps/pipeline/s3/kustomization.yaml @@ -26,3 +26,11 @@ patchesStrategicMerge: # when application is deleted. commonLabels: application-crd-id: kubeflow-pipelines +vars: +- name: kfp-artifact-storage-endpoint + objref: + kind: ConfigMap + name: pipeline-install-config + apiVersion: v1 + fieldref: + fieldpath: data.minioServiceHost diff --git a/deployments/add-ons/storage/efs/dynamic-provisioning/sc.yaml b/deployments/add-ons/storage/efs/dynamic-provisioning/sc.yaml index d739eaee5e..45b7f47e3d 100644 --- a/deployments/add-ons/storage/efs/dynamic-provisioning/sc.yaml +++ b/deployments/add-ons/storage/efs/dynamic-provisioning/sc.yaml @@ -7,6 +7,8 @@ mountOptions: - tls parameters: directoryPerms: '700' + gid: '100' + uid: '1000' fileSystemId: provisioningMode: efs-ap provisioner: efs.csi.aws.com diff --git a/tests/e2e/utils/auto-efs-setup.py b/tests/e2e/utils/auto-efs-setup.py index eacfb9bc4c..df19f42348 100755 --- a/tests/e2e/utils/auto-efs-setup.py +++ b/tests/e2e/utils/auto-efs-setup.py @@ -149,7 +149,7 @@ def create_efs_iam_policy(): def get_efs_iam_policy_document(): - url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/v1.3.6/docs/iam-policy-example.json" + url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/v1.4.0/docs/iam-policy-example.json" response = urllib.request.urlopen(url) data = response.read() return data.decode("utf-8") @@ -197,7 +197,7 @@ def install_efs_driver(): print("Installing EFS driver...") kubectl_kustomize_apply( - "https://github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/stable/?ref=tags/v1.3.6" + "https://github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/stable/?ref=tags/v1.4.0" ) print("EFS driver installed!") 
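Review bot: The new var takes the S3 endpoint from `data.minioServiceHost`, a key whose name says MinIO, and nothing in the hunk explains the reuse. A comment above the entry would save the next reader a search, for example `# minioServiceHost in pipeline-install-config carries the S3 endpoint host in this overlay`. It is also worth confirming that the key is always populated, since an unresolved `$(kfp-artifact-storage-endpoint)` would presumably end up literally in the workflow-controller config.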
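Review bot: The added `gid: '100'` and `uid: '1000'` in sc.yaml are bare numbers with no hint of whose ids they are, next to `directoryPerms: '700'`, which makes that single owner the only account with access. The guide changed in this same commit says they belong to the default notebook user, so a comment here would carry that over, for example `# uid/gid of the default Kubeflow notebook user (jovyan); change both if the notebook image runs as another user`.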
@@ -498,6 +498,8 @@ def edit_dynamic_provisioning_storage_class_fields( print("Editing storage class with appropriate values...") storage_class_file_yaml_content["parameters"]["fileSystemId"] = file_system_id + storage_class_file_yaml_content["parameters"]["gid"] = str(EFS_GID) + storage_class_file_yaml_content["parameters"]["uid"] = str(EFS_UID) with open(EFS_DYNAMIC_PROVISIONING_STORAGE_CLASS_FILE_PATH, "w") as file: file.write(yaml.dump(storage_class_file_yaml_content)) @@ -573,6 +575,22 @@ def footer(): help=f"Default is set to {EFS_THROUGHPUT_MODE_DEFAULT}", required=False, ) +EFS_GID_DEFAULT = 100 +parser.add_argument( + "--efs_gid", + type=int, + default=EFS_GID_DEFAULT, + help=f"POSIX group Id to be applied for Access Point root directory creation. Default is set to {EFS_GID_DEFAULT}", + required=False, +) +EFS_UID_DEFAULT = 1000 +parser.add_argument( + "--efs_uid", + type=int, + default=EFS_UID_DEFAULT, + help=f"POSIX user Id to be applied for Access Point root directory creation. Default is set to {EFS_UID_DEFAULT}", + required=False, +) DEFAULT_DIRECTORY_PATH = "" parser.add_argument( "--directory", @@ -591,6 +609,8 @@ def footer(): EFS_SECURITY_GROUP_NAME = args.efs_security_group_name EFS_FILE_SYSTEM_PERFORMANCE_MODE = args.efs_performance_mode EFS_FILE_SYSTEM_THROUGHPUT_MODE = args.efs_throughput_mode + EFS_GID = args.efs_gid + EFS_UID = args.efs_uid DIRECTORY_PATH = args.directory AWS_ACCOUNT_ID = boto3.client("sts").get_caller_identity()["Account"] diff --git a/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py b/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py index 441e090140..65c50584d1 100644 --- a/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py +++ b/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py 
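Review bot: `--efs_gid` and `--efs_uid` are parsed with `type=int`, so a negative or oversized value is accepted and written into the storage class as a string, where it would presumably fail only later when the driver creates an access point. Validating the range at parse time puts the error where the user can act on it; POSIX ids for EFS access points are unsigned 32-bit, as far as I know. A value of 0 is in range and makes root the owner of every provisioned directory, so the help text could say so. The sketch below would sit before the two `add_argument` calls, which then use `type=posix_id`; the surrounding parser setup is outside the hunk.

```python
def posix_id(value):
    # argparse reports a ValueError raised here as an invalid argument value
    parsed = int(value)
    if not 0 <= parsed <= 4294967295:
        raise ValueError(f"POSIX id out of range: {parsed}")
    return parsed

EFS_GID_DEFAULT = 100
parser.add_argument(
    "--efs_gid",
    type=posix_id,
    # … unchanged: default, help, required …
)
# … unchanged: --efs_uid block, with the same change to type …
```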
@@ -232,8 +232,13 @@ def get_cluster_private_subnet_ids(eks_client, ec2_client): private_subnets = [] for subnet in subnets: for tags in subnet["Tags"]: + # eksctl generated clusters if "SubnetPrivate" in tags["Value"]: private_subnets.append(subnet) + # cdk generated clusters + if "aws-cdk:subnet-type" in tags["Key"]: + if "Private" in tags["Value"]: + private_subnets.append(subnet) def get_subnet_id(subnet): return subnet["SubnetId"] diff --git a/website/content/en/docs/component-guides/kserve.md b/website/content/en/docs/component-guides/kserve.md index 62cd5932c0..3e246e270e 100644 --- a/website/content/en/docs/component-guides/kserve.md +++ b/website/content/en/docs/component-guides/kserve.md @@ -176,7 +176,7 @@ export KUBEFLOW_DOMAIN="platform.example.com" Install dependencies for the script by running: ```bash cd tests/e2e -pip install requirements.txt +pip install -r requirements.txt ``` Run the sample python script to send an inference request based on your auth provider: diff --git a/website/content/en/docs/deployment/add-ons/storage/efs/guide.md b/website/content/en/docs/deployment/add-ons/storage/efs/guide.md index 54d4d4ee1c..ced0268002 100644 --- a/website/content/en/docs/deployment/add-ons/storage/efs/guide.md +++ b/website/content/en/docs/deployment/add-ons/storage/efs/guide.md 
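Review bot: The new CDK branch in `get_cluster_private_subnet_ids` matches by substring (`"aws-cdk:subnet-type" in tags["Key"]`, `"Private" in tags["Value"]`) and runs in addition to the eksctl check, so a subnet can be appended twice and any tag value that merely contains `Private` counts. Since this list decides which subnets are treated as private, I would compare exactly and stop at the first match: `if tags["Key"] == "aws-cdk:subnet-type" and tags["Value"] == "Private":` followed by `private_subnets.append(subnet)` and `break`. `subnet["Tags"]` also raises KeyError for an untagged subnet, which `subnet.get("Tags", [])` avoids. The function starts before the hunk and continues after it.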
@@ -239,6 +239,13 @@ yq e '.spec.template.spec.volumes[0].persistentVolumeClaim.claimName = env(CLAIM kubectl apply -f $GITHUB_STORAGE_DIR/notebook-sample/set-permission-job.yaml ``` +#### Dynamic provisioning default owner +For dynamic provisioning (manual and automated setup), we already set the default Kubeflow Notebook user (Jovyan) as owner of the EFS file system by default. +##### Changing the default values +You can always change the `uid` and `gid` used for the setup. +For the manual setup, you need to edit the `uid` and `gid` in the storage class inside `dynamic-provisioning/sc.yaml`. +For the automated setup, you can specify the `uid` and `gid` as arguments to the script, see [Advanced Customization](#advanced-customization) for more details on the different parameters that are available. + ### 3.4 Use existing EFS volume as workspace or data volume for a Notebook Spin up a new Kubeflow notebook server and specify the name of the PVC to be used as the workspace volume or the data volume and specify your desired mount point. We'll assume you created a PVC with the name `efs-claim` via Kubeflow Volumes UI or via the manual setup step [Static Provisioning](#4-option-2-static-provisioning). For our example here, we are using the AWS Optimized Tensorflow 2.6 CPU image provided in the Notebook configuration options (`public.ecr.aws/c9e4w0g3/notebook-servers/jupyter-tensorflow`). Additionally, use the existing `efs-claim` volume as the workspace volume at the default mount point `/home/jovyan`. The server might take a few minutes to come up. diff --git a/website/content/en/docs/deployment/cognito/guide.md b/website/content/en/docs/deployment/cognito/guide.md index 3a58275897..df770c9119 100644 --- a/website/content/en/docs/deployment/cognito/guide.md +++ b/website/content/en/docs/deployment/cognito/guide.md 
@@ -42,7 +42,7 @@ From this point onwards, we will be creating/updating the DNS records **only in 1. Substitute `example.com` in this URL - `https://kubeflow.platform.example.com/oauth2/idpresponse` with your domain and use it as the Callback URL(s). 2. Substitute `example.com` in this URL - `https://kubeflow.platform.example.com` with your domain and use it as the Sign out URL(s). 3. ![cognito-app-client-settings](https://raw.githubusercontent.com/awslabs/kubeflow-manifests/main/website/content/en/docs/images/cognito/cognito-app-client-settings.png) -1. Add a custom domain to the user pool. In order to add a custom domain to your user pool, you need specify a domain name, and provide a certificate managed with AWS Certificate Manager (ACM). +1. Add a custom domain to the user pool. In order to add a custom domain to your user pool, you need to specify a domain name, and provide a certificate managed with AWS Certificate Manager (ACM). 1. In order to use a custom domain, its root(i.e. `platform.example.com`) must have an valid A type record. Create a new record of type `A` in `platform.example.com` hosted zone with an arbitrary IP for now. Once we have ALB created, we will update this value. 1. Following is a screenshot of `platform.example.com` hosted zone. A record is shown. 1. ![subdomain-initial-A-record](https://raw.githubusercontent.com/awslabs/kubeflow-manifests/main/website/content/en/docs/images/cognito/subdomain-initial-A-record.png) 
@@ -217,4 +217,4 @@ From this point onwards, we will be creating/updating the DNS records **only in ## 7.0 Uninstall Kubeflow -To delete the resources created in this guide, refer to the [Uninstall section in Automated Cognito deployment guide]({{< ref "/docs/deployment/cognito/guide-automated.md#uninstall-kubeflow" >}}) \ No newline at end of file +To delete the resources created in this guide, refer to the [Uninstall section in Automated Cognito deployment guide]({{< ref "/docs/deployment/cognito/guide-automated.md#uninstall-kubeflow" >}})