This repository has been archived by the owner on Nov 8, 2024. It is now read-only.
fix: resolves ns in init-job #22
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bartoszmajsak
commented
Jun 28, 2023
bartoszmajsak
commented
- looks up ns names (both app and istio) so we don't rely on hardcoded names anymore
- fixes recreation of the secret
- trim roles needed for the job and split them by to read/write Role resource files
cam-garrison
approved these changes
Jun 28, 2023
There was a problem hiding this comment.
Can we remove the explicit references to istio-system here? They should be are overwritten by KfDef parameters regardless.
Comment on lines
-11
to
-12
| - pods/log | ||
| - pods/exec |
There was a problem hiding this comment.
Are these not needed to ensure that istio-ingressgateway has secrets mounted and restart if it does not?
There was a problem hiding this comment.
Funny enough the job seems to work but that's because of how the if was written :) I fixed both in 83ea2e6
removes ns from kustomize resources as it will be anyway replaced when running the job
bartoszmajsak
added a commit
to bartoszmajsak/odh-manifests
that referenced
this pull request
Sep 6, 2023
* feat(mvp): enabling service mesh for ODH Co-authored-by: Bartosz Majsak <[email protected]> Co-authored-by: Cameron Garrison <[email protected]> Co-authored-by: Wambugu “Innocent” Kironji <[email protected]> This PR implements our MVP of enabling service mesh with ODH, using Authorino combined with service mesh to facilitate authorization to ODH components. To deploy ODH with Service Mesh, follow along with our instructions found in `enabling_ossm.md` to find a reference KfDef along with other steps. Notes: - Current implementation relies on some hardcoded namespaces: using `opendatahub` for the KfDef namespace, and `istio-system` + `auth-provider` for the OSSM SMCP and Authorino resources respectively. Ideally we would not be hardcoding `opendatahub`, we are looking for suggestions on how to avoid this. - We use an initJob to dynamically create resources based on cluster configuration + to allow for secret propagation between requisite resources. In the future, this will ideally be implemented by a more sophisticated controller/control plane to create and reconcile these resources. - We do not support a migration path for pre-existing ODH deployments yet. - We do not use the opendatahub-operator `secret-generator` to create our `OauthClient` resource as we need the secret to be propagated to another resource - in the future, we may extend the `secret-generator` to perform this functionality rather than handle it in our initJob or in a controller. Is this something that folks well-versed in the operator think could be possible? - We configure our service mesh deployment to use `autoInject`, injecting to all pods found in the mesh namespaces by default for convenience. This may cause problems if future components not yet considered should not be in the mesh, so this may be something to revisit. * chore: re-add mistakenly removed cert secret (maistra#11) re-add mistakenly removed cert secret * fix: move secret to correct kustomization section (maistra#14) move secret to correct kustomization section * update OWNERS, add aslak * fix: update jq download link (maistra#15) fix jq download link * use service-mesh-integration branch for kfdef * fix: corrects kfdef file name in the docs * fix(manifests): switches to use patches and overlays (maistra#18) Co-authored-by: Cameron Garrison <[email protected]> * fix: create hmac and token secrets as secrets rather than cfgmap (maistra#19) Change from creating hmac and token secrets for oauth2 secrets * chore(init-job): adds annotation to root namespace (maistra#21) * feat: adds service-mesh env variables They are optionally fetched from a config map, otherwise controller uses defaults * chore: creates service-mesh specific OWNERS file * fix: resolves ns in init-job (maistra#22) * fix: extracts port and raw host (maistra#23) * fix(job): defaults OAUTH_PORT to 443 if not defined in issuer * chore: removes obsolete route (maistra#24) * feat: basic support of ModelMesh (maistra#17) * feat: migrate existing DS project namespaces to enable SM (maistra#25) * add ds proj migration to init job * feat: patches SMCP instead of creating one (maistra#26) Co-authored-by: Cameron Garrison <[email protected]> * fix: specifies host in ODH dashboard gateway and virtualservice (maistra#27) --------- Co-authored-by: Bartosz Majsak <[email protected]> Co-authored-by: Edgar Hernández <[email protected]>
bartoszmajsak
added a commit
that referenced
this pull request
Sep 13, 2023
* feat(mvp): enabling service mesh for ODH Co-authored-by: Bartosz Majsak <[email protected]> Co-authored-by: Cameron Garrison <[email protected]> Co-authored-by: Wambugu “Innocent” Kironji <[email protected]> This PR implements our MVP of enabling service mesh with ODH, using Authorino combined with service mesh to facilitate authorization to ODH components. To deploy ODH with Service Mesh, follow along with our instructions found in `enabling_ossm.md` to find a reference KfDef along with other steps. Notes: - Current implementation relies on some hardcoded namespaces: using `opendatahub` for the KfDef namespace, and `istio-system` + `auth-provider` for the OSSM SMCP and Authorino resources respectively. Ideally we would not be hardcoding `opendatahub`, we are looking for suggestions on how to avoid this. - We use an initJob to dynamically create resources based on cluster configuration + to allow for secret propagation between requisite resources. In the future, this will ideally be implemented by a more sophisticated controller/control plane to create and reconcile these resources. - We do not support a migration path for pre-existing ODH deployments yet. - We do not use the opendatahub-operator `secret-generator` to create our `OauthClient` resource as we need the secret to be propagated to another resource - in the future, we may extend the `secret-generator` to perform this functionality rather than handle it in our initJob or in a controller. Is this something that folks well-versed in the operator think could be possible? - We configure our service mesh deployment to use `autoInject`, injecting to all pods found in the mesh namespaces by default for convenience. This may cause problems if future components not yet considered should not be in the mesh, so this may be something to revisit. * chore: re-add mistakenly removed cert secret (#11) re-add mistakenly removed cert secret * fix: move secret to correct kustomization section (#14) move secret to correct kustomization section * update OWNERS, add aslak * fix: update jq download link (#15) fix jq download link * use service-mesh-integration branch for kfdef * fix: corrects kfdef file name in the docs * fix(manifests): switches to use patches and overlays (#18) Co-authored-by: Cameron Garrison <[email protected]> * fix: create hmac and token secrets as secrets rather than cfgmap (#19) Change from creating hmac and token secrets for oauth2 secrets * chore(init-job): adds annotation to root namespace (#21) * feat: adds service-mesh env variables They are optionally fetched from a config map, otherwise controller uses defaults * chore: creates service-mesh specific OWNERS file * fix: resolves ns in init-job (#22) * fix: extracts port and raw host (#23) * fix(job): defaults OAUTH_PORT to 443 if not defined in issuer * chore: removes obsolete route (#24) * feat: basic support of ModelMesh (#17) * feat: migrate existing DS project namespaces to enable SM (#25) * add ds proj migration to init job * feat: patches SMCP instead of creating one (#26) Co-authored-by: Cameron Garrison <[email protected]> * fix: specifies host in ODH dashboard gateway and virtualservice (#27) --------- Co-authored-by: Bartosz Majsak <[email protected]> Co-authored-by: Edgar Hernández <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.