diff --git a/components/profile-controller/Dockerfile b/components/profile-controller/Dockerfile index fe22323b..27f19227 100644 --- a/components/profile-controller/Dockerfile +++ b/components/profile-controller/Dockerfile @@ -1,5 +1,5 @@ # Build the manager binary -FROM golang:1.22 as builder +FROM golang:1.23 as builder WORKDIR /workspace # Copy the Go Modules manifests @@ -34,7 +34,6 @@ WORKDIR / COPY --from=builder /workspace/dash /bin/dash COPY third_party third_party COPY --from=builder /workspace/manager . -COPY --from=builder /go/pkg/mod/github.com/hashicorp third_party/library/ USER 65532:65532 diff --git a/components/profile-controller/controllers/profile_controller.go b/components/profile-controller/controllers/profile_controller.go index ed2a4617..c9da0b83 100644 --- a/components/profile-controller/controllers/profile_controller.go +++ b/components/profile-controller/controllers/profile_controller.go @@ -32,6 +32,7 @@ import ( "gopkg.in/fsnotify.v1" "gopkg.in/yaml.v2" istioSecurity "istio.io/api/security/v1beta1" + istioApi "istio.io/api/type/v1beta1" istioSecurityClient "istio.io/client-go/pkg/apis/security/v1beta1" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" @@ -46,6 +47,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/handler" "sigs.k8s.io/controller-runtime/pkg/reconcile" "sigs.k8s.io/controller-runtime/pkg/source" + gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" ) const AUTHZPOLICYISTIO = "ns-owner-access-istio" @@ -91,6 +93,10 @@ type ProfileReconciler struct { UserIdPrefix string WorkloadIdentity string DefaultNamespaceLabelsPath string + ServiceMeshMode string + WaypointName string + WaypointNamespace string + CreateWaypoint bool } // +kubebuilder:rbac:groups=core,resources=namespaces,verbs="*" 
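Review bot: The controller starts reading, creating and updating `gateway.networking.k8s.io` Gateways in this commit, but no RBAC marker for them is added next to the existing `+kubebuilder:rbac` line that closes the `ProfileReconciler` hunk, and the four new fields carry no comments. If the role is generated from markers, add a narrowly scoped one such as `// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;watch;create;update` instead of leaning on a broader grant. A short comment per field would also help: `ServiceMeshMode` is compared against the literal `"istio-ambient"` elsewhere in this diff, and an empty `WaypointNamespace` means the profile's own namespace. The marker block continues outside the hunk, so confirm against the full file.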
@@ -127,14 +133,13 @@ func (r *ProfileReconciler) Reconcile(ctx context.Context, request ctrl.Request) ns := &corev1.Namespace{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{"owner": instance.Spec.Owner.Name}, - // inject istio sidecar to all pods in target namespace by default. - Labels: map[string]string{ - istioInjectionLabel: "enabled", - }, - Name: instance.Name, + Labels: map[string]string{}, + Name: instance.Name, }, } - setNamespaceLabels(ns, defaultKubeflowNamespaceLabels) + + // Set namespace labels and service mesh labels in one call + r.setNamespaceLabelsAndServiceMesh(ns, instance, defaultKubeflowNamespaceLabels) logger.Info("List of labels to be added to namespace", "labels", ns.Labels) if err := controllerutil.SetControllerReference(instance, ns, r.Scheme); err != nil { IncRequestErrorCounter("error setting ControllerReference", SEVERITY_MAJOR) @@ -178,8 +183,10 @@ func (r *ProfileReconciler) Reconcile(ctx context.Context, request ctrl.Request) for k, v := range foundNs.Labels { oldLabels[k] = v } - setNamespaceLabels(foundNs, defaultKubeflowNamespaceLabels) - logger.Info("List of labels to be added to found namespace", "labels", ns.Labels) + + // Apply namespace labels and service mesh mode labels to existing namespace + r.setNamespaceLabelsAndServiceMesh(foundNs, instance, defaultKubeflowNamespaceLabels) + logger.Info("List of labels to be added to found namespace", "labels", foundNs.Labels) if !reflect.DeepEqual(oldLabels, foundNs.Labels) { err = r.Update(ctx, foundNs) if err != nil { 
@@ -205,6 +212,23 @@ func (r *ProfileReconciler) Reconcile(ctx context.Context, request ctrl.Request) return reconcile.Result{}, err } + // Create waypoint and L4 AuthorizationPolicy in ambient mode + if r.ServiceMeshMode == "istio-ambient" { + if r.CreateWaypoint { + if err = r.createWaypoint(instance); err != nil { + logger.Error(err, "error creating waypoint", "namespace", instance.Name) + IncRequestErrorCounter("error creating waypoint", SEVERITY_MAJOR) + return reconcile.Result{}, err + } + } + + if err = r.updateL4AuthorizationPolicy(instance); err != nil { + logger.Error(err, "error updating L4 AuthorizationPolicy", "namespace", instance.Name) + IncRequestErrorCounter("error updating L4 AuthorizationPolicy", SEVERITY_MAJOR) + return reconcile.Result{}, err + } + } + // Update service accounts // Create service account "default-editor" in target namespace. // "default-editor" would have kubeflowEdit permission: edit all resources in target namespace except rbac. @@ -409,6 +433,10 @@ func (r *ProfileReconciler) SetupWithManager(mgr ctrl.Manager) error { handler.EnqueueRequestsFromMapFunc(r.mapEventToRequest), ) + if r.ServiceMeshMode == "istio-ambient" { + c.Owns(&gatewayv1beta1.Gateway{}) + } + err = c.Complete(r) if err != nil { return err @@ -416,7 +444,7 @@ func (r *ProfileReconciler) SetupWithManager(mgr ctrl.Manager) error { return nil } -func (r *ProfileReconciler) getAuthorizationPolicy(profileIns *profilev1.Profile) istioSecurity.AuthorizationPolicy { +func (r *ProfileReconciler) getAuthorizationPolicy(profileIns *profilev1.Profile) *istioSecurity.AuthorizationPolicy { nbControllerPrincipal := GetEnvDefault( "NOTEBOOK_CONTROLLER_PRINCIPAL", "cluster.local/ns/kubeflow/sa/notebook-controller-service-account") 
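Review bot: The ambient branch added to `Reconcile` only ever creates or updates `waypoint-l4-access` and the waypoint Gateway; nothing in the visible diff removes them when `ServiceMeshMode` is switched away from `"istio-ambient"`. Because ALLOW policies are OR-ed, a leftover `waypoint-l4-access` keeps admitting the waypoint identity to every workload in the namespace after the namespace labels have been reverted to sidecar injection. Consider an `else` branch that deletes the policy (ignoring NotFound) when the mode is not ambient. The new helpers also take no context and fall back to `context.TODO()`; passing the `ctx` that `Reconcile` already receives, e.g. `r.updateL4AuthorizationPolicy(ctx, instance)`, would let cancellation reach the API calls. `Reconcile` starts and ends outside this hunk.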
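Review bot: `c.Owns(&gatewayv1beta1.Gateway{})` only enqueues a Profile for Gateways that carry its controller reference, and `createWaypoint` later in this commit deliberately skips that reference when `WaypointNamespace` differs from the profile namespace. In that configuration a deleted or edited shared waypoint goes unnoticed until something else triggers a reconcile; a comment stating that limitation, or a mapped watch on the configured waypoint, would make the behaviour explicit. `Owns` also needs the Gateway API types registered in the manager's scheme and the CRD installed in the cluster, neither of which this diff shows. `SetupWithManager` begins outside the hunk.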
@@ -429,7 +457,11 @@ func (r *ProfileReconciler) getAuthorizationPolicy(profileIns *profilev1.Profile "KFP_UI_PRINCIPAL", "cluster.local/ns/kubeflow/sa/ml-pipeline-ui") - return istioSecurity.AuthorizationPolicy{ + katibControllerPrincipal := GetEnvDefault( + "KATIB_CONTROLLER_PRINCIPAL", + "cluster.local/ns/kubeflow/sa/katib-controller") + + policy := &istioSecurity.AuthorizationPolicy{ Action: istioSecurity.AuthorizationPolicy_ALLOW, // Empty selector == match all workloads in namespace Selector: nil, @@ -480,6 +512,16 @@ func (r *ProfileReconciler) getAuthorizationPolicy(profileIns *profilev1.Profile }, }, }, + { + // allow katib-controller to talk to suggestion server + From: []*istioSecurity.Rule_From{{ + Source: &istioSecurity.Source{ + Principals: []string{ + katibControllerPrincipal, + }, + }, + }}, + }, { // allow the notebook-controller in the kubeflow namespace to // access the api/kernels endpoint of the notebook servers. @@ -501,6 +543,20 @@ func (r *ProfileReconciler) getAuthorizationPolicy(profileIns *profilev1.Profile }, }, } + + if r.ServiceMeshMode == "istio-ambient" { + targetRefs := []*istioApi.PolicyTargetReference{ + { + Kind: "Gateway", + Group: "gateway.networking.k8s.io", + Name: r.WaypointName, + }, + } + + policy.TargetRefs = targetRefs + } + + return policy } // updateIstioAuthorizationPolicy create or update Istio AuthorizationPolicy @@ -515,7 +571,7 @@ func (r *ProfileReconciler) updateIstioAuthorizationPolicy(profileIns *profilev1 Name: AUTHZPOLICYISTIO, Namespace: profileIns.Name, }, - Spec: r.getAuthorizationPolicy(profileIns), + Spec: *r.getAuthorizationPolicy(profileIns), } if err := controllerutil.SetControllerReference(profileIns, istioAuth, r.Scheme); err != nil { 
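Review bot: The katib rule added to the policy has a `From` clause but no `To`, so the principal taken from `KATIB_CONTROLLER_PRINCIPAL` is allowed to reach every workload, port and path in the profile namespace, not only the suggestion server named in the comment. Adding a `To: []*istioSecurity.Rule_To{{Operation: &istioSecurity.Operation{Ports: ...}}}` limited to the suggestion service's port would keep the grant at least privilege; if the broad grant is intended, the comment should say so. The principal is read from the controller's environment in the preceding hunk, so that variable decides which identity receives this access and deserves the same change control as the policy itself. The policy literal starts and ends outside this hunk.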
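Review bot: The `PolicyTargetReference` built in the ambient branch names the Gateway only by `r.WaypointName`, so it resolves in the policy's own namespace, while the rest of this commit allows `WaypointNamespace` to point at a shared waypoint elsewhere. In that setup `ns-owner-access-istio` would reference a Gateway that does not exist in the profile namespace and, as far as I can tell, would not be enforced by any waypoint, while `waypoint-l4-access` still admits everything arriving with the shared waypoint's identity. That would leave the owner and contributor checks unenforced for the namespace, so either reject a `WaypointNamespace` other than the profile namespace or create the L7 policy where the waypoint can enforce it. `TestGetAuthorizationPolicyAmbientMode` covers only the same-namespace case. `getAuthorizationPolicy` begins outside this hunk.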
@@ -751,12 +807,14 @@ func removeString(slice []string, s string) (result []string) { return } -func setNamespaceLabels(ns *corev1.Namespace, newLabels map[string]string) { +// setServiceMeshLabels sets the appropriate service mesh labels based on the mode +func (r *ProfileReconciler) setNamespaceLabelsAndServiceMesh(ns *corev1.Namespace, profileIns *profilev1.Profile, defaultLabels map[string]string) { if ns.Labels == nil { ns.Labels = make(map[string]string) } - for k, v := range newLabels { + // Apply default Kubeflow namespace labels first + for k, v := range defaultLabels { _, ok := ns.Labels[k] if len(v) == 0 { // When there is an empty value, k should be removed. @@ -770,6 +828,29 @@ func setNamespaceLabels(ns *corev1.Namespace, newLabels map[string]string) { } } } + + // Apply service mesh specific labels + if r.ServiceMeshMode == "istio-ambient" { + // In ambient mode, disable sidecar injection but enable ambient mesh + ns.Labels[istioInjectionLabel] = "disabled" + ns.Labels["istio.io/dataplane-mode"] = "ambient" + // Add waypoint labels for ambient mode + waypointNamespace := r.WaypointNamespace + if waypointNamespace == "" { + waypointNamespace = profileIns.Name + } + ns.Labels["istio.io/use-waypoint"] = r.WaypointName + ns.Labels["istio.io/use-waypoint-namespace"] = waypointNamespace + ns.Labels["istio.io/ingress-use-waypoint"] = "true" + } else { + // In sidecar mode (default), inject istio sidecar to all pods in target namespace + ns.Labels[istioInjectionLabel] = "enabled" + // Remove ambient mode labels if they exist + delete(ns.Labels, "istio.io/dataplane-mode") + delete(ns.Labels, "istio.io/use-waypoint") + delete(ns.Labels, "istio.io/use-waypoint-namespace") + delete(ns.Labels, "istio.io/ingress-use-waypoint") + } } func (r *ProfileReconciler) readDefaultLabelsFromFile(path string) map[string]string { 
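Review bot: The doc comment added above the method names a different function (`setServiceMeshLabels`) than the one it documents and describes only half of what the method does. Suggested replacement: `// setNamespaceLabelsAndServiceMesh applies defaultLabels to ns (an empty value removes the key) and then sets or clears the Istio mesh labels for r.ServiceMeshMode.` It is also worth stating there that the mesh labels are written after the defaults and therefore override any `istio-injection` value coming from the defaults file. The method body continues outside this hunk.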
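Review bot: The `else` branch treats every value other than `"istio-ambient"` as sidecar mode, and the ambient branch writes `r.WaypointName` into `istio.io/use-waypoint` without checking that it is non-empty. A mistyped mode therefore silently selects sidecar injection, and an empty name labels the namespace for a waypoint that cannot exist while `updateL4AuthorizationPolicy` builds a principal ending in `/sa/`. Validate both once at startup (accept only the known mode strings, require `WaypointName` in ambient mode) and replace the repeated literal with a constant, e.g. `const serviceMeshModeAmbient = "istio-ambient"`. Note too that `istio-injection` is now forced on every reconcile, which changes behaviour for namespaces whose label was previously adjusted by hand or through the defaults file.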
@@ -789,6 +870,141 @@ func (r *ProfileReconciler) readDefaultLabelsFromFile(path string) map[string]st return labels } +// createWaypoint creates a waypoint proxy in the profile namespace for ambient mode +func (r *ProfileReconciler) createWaypoint(profileIns *profilev1.Profile) error { + logger := r.Log.WithValues("profile", profileIns.Name) + + waypointNamespace := r.WaypointNamespace + if waypointNamespace == "" { + waypointNamespace = profileIns.Name + } + + // Create waypoint using Gateway API with waypoint gateway class + // This creates an Istio waypoint proxy that handles L7 policies in ambient mode + gatewayClassName := "istio-waypoint" + + waypoint := &gatewayv1beta1.Gateway{ + ObjectMeta: metav1.ObjectMeta{ + Name: r.WaypointName, + Namespace: waypointNamespace, + Labels: map[string]string{ + "gateway.istio.io/managed": "Istio", + }, + }, + Spec: gatewayv1beta1.GatewaySpec{ + GatewayClassName: gatewayv1beta1.ObjectName(gatewayClassName), + Listeners: []gatewayv1beta1.Listener{ + { + Name: "mesh", + Port: 15008, + Protocol: "HBONE", + }, + }, + }, + } + + // Only set controller reference when the waypoint is not cross-namespace. + // Cross-namespace ownerReferences are not supported by Kubernetes and will cause + // the API server to reject the object. When using a shared/central waypoint + // (waypointNamespace != profileIns.Name), we intentionally skip setting the + // controller reference. 
+ if waypointNamespace == "" || waypointNamespace == profileIns.Name { + if err := controllerutil.SetControllerReference(profileIns, waypoint, r.Scheme); err != nil { + return err + } + } + + // Check if the waypoint already exists + foundWaypoint := &gatewayv1beta1.Gateway{} + err := r.Get(context.TODO(), types.NamespacedName{Name: waypoint.Name, Namespace: waypoint.Namespace}, foundWaypoint) + if err != nil { + if apierrors.IsNotFound(err) { + logger.Info("Creating waypoint", "waypoint", waypoint.Name, "namespace", waypoint.Namespace) + err = r.Create(context.TODO(), waypoint) + if err != nil { + return fmt.Errorf("failed to create waypoint: %w", err) + } + } else { + return fmt.Errorf("failed to get waypoint: %w", err) + } + } else { + // Waypoint already exists, check if update is needed + if !reflect.DeepEqual(waypoint.Spec, foundWaypoint.Spec) { + logger.Info("Updating waypoint", "waypoint", waypoint.Name, "namespace", waypoint.Namespace) + foundWaypoint.Spec = waypoint.Spec + err = r.Update(context.TODO(), foundWaypoint) + if err != nil { + return fmt.Errorf("failed to update waypoint: %w", err) + } + } + } + + logger.Info("Waypoint reconciled successfully", "waypoint", r.WaypointName, "namespace", waypointNamespace) + return nil +} + +// updateL4AuthorizationPolicy creates L4 AuthorizationPolicy to allow traffic from waypoint to services +func (r *ProfileReconciler) updateL4AuthorizationPolicy(profileIns *profilev1.Profile) error { + logger := r.Log.WithValues("profile", profileIns.Name) + + waypointNamespace := r.WaypointNamespace + if waypointNamespace == "" { + waypointNamespace = profileIns.Name + } + + waypointPrincipal := fmt.Sprintf("cluster.local/ns/%s/sa/%s", waypointNamespace, r.WaypointName) + + l4Policy := &istioSecurityClient.AuthorizationPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "waypoint-l4-access", + Namespace: profileIns.Name, + }, + Spec: istioSecurity.AuthorizationPolicy{ + Action: istioSecurity.AuthorizationPolicy_ALLOW, + 
Selector: nil, // Match all workloads in namespace + Rules: []*istioSecurity.Rule{ + { + From: []*istioSecurity.Rule_From{ + { + Source: &istioSecurity.Source{ + Principals: []string{waypointPrincipal}, + }, + }, + }, + }, + }, + }, + } + + if err := controllerutil.SetControllerReference(profileIns, l4Policy, r.Scheme); err != nil { + return err + } + + foundL4Policy := &istioSecurityClient.AuthorizationPolicy{} + err := r.Get(context.TODO(), types.NamespacedName{Name: l4Policy.Name, Namespace: l4Policy.Namespace}, foundL4Policy) + if err != nil { + if apierrors.IsNotFound(err) { + logger.Info("Creating L4 AuthorizationPolicy", "namespace", l4Policy.Namespace, "name", l4Policy.Name) + err = r.Create(context.TODO(), l4Policy) + if err != nil { + return err + } + } else { + return err + } + } else { + if !reflect.DeepEqual(*l4Policy.Spec.DeepCopy(), *foundL4Policy.Spec.DeepCopy()) { + foundL4Policy.Spec = *l4Policy.Spec.DeepCopy() + logger.Info("Updating L4 AuthorizationPolicy", "namespace", l4Policy.Namespace, "name", l4Policy.Name) + err = r.Update(context.TODO(), foundL4Policy) + if err != nil { + return err + } + } + } + return nil +} + func GetEnvDefault(variable string, defaultVal string) string { envVar := os.Getenv(variable) if len(envVar) == 0 { diff --git a/components/profile-controller/controllers/profile_controller_test.go b/components/profile-controller/controllers/profile_controller_test.go index 48336ba8..68bf9a21 100644 --- a/components/profile-controller/controllers/profile_controller_test.go +++ b/components/profile-controller/controllers/profile_controller_test.go @@ -9,6 +9,7 @@ import ( profilev1 "github.com/kubeflow/dashboard/components/profile-controller/api/v1" "github.com/stretchr/testify/assert" corev1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" ctrl "sigs.k8s.io/controller-runtime" 
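Review bot: In `createWaypoint`, the update branch overwrites `foundWaypoint.Spec` for any Gateway that happens to have the configured name, including one in a shared `WaypointNamespace` that this Profile does not own. With `CreateWaypoint` enabled and a shared namespace, every Profile reconcile can rewrite a Gateway managed by someone else, and a Gateway created this way is never garbage-collected because no owner reference is set. I would only update Gateways controlled by this Profile, as sketched below; the `waypointNamespace == ""` test in the owner-reference guard is also dead after the defaulting above it. Separately, `updateL4AuthorizationPolicy` assumes the waypoint's service account is named exactly `r.WaypointName`, which deserves a comment, and both functions should take the reconcile context instead of `context.TODO()`.

```go
	} else {
		// Leave Gateways this Profile does not control untouched; a shared waypoint
		// may be managed by another owner.
		if !metav1.IsControlledBy(foundWaypoint, profileIns) {
			logger.Info("Waypoint exists but is not controlled by this profile, skipping update",
				"waypoint", waypoint.Name, "namespace", waypoint.Namespace)
			return nil
		}
		// … unchanged: DeepEqual check and r.Update of foundWaypoint.Spec …
	}
```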
@@ -22,6 +23,25 @@ type namespaceLabelSuite struct { func TestEnforceNamespaceLabelsFromConfig(t *testing.T) { name := "test-namespace" + + // Create a minimal ProfileReconciler for testing + reconciler := &ProfileReconciler{ + ServiceMeshMode: "istio-sidecar", // Test sidecar mode + } + + // Create a minimal profile for testing + profile := &profilev1.Profile{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + Spec: profilev1.ProfileSpec{ + Owner: rbacv1.Subject{ + Kind: "User", + Name: "test-user", + }, + }, + } + tests := []namespaceLabelSuite{ namespaceLabelSuite{ corev1.Namespace{ @@ -42,6 +62,7 @@ func TestEnforceNamespaceLabelsFromConfig(t *testing.T) { "serving.kubeflow.org/inferenceservice": "enabled", "pipelines.kubeflow.org/enabled": "true", "app.kubernetes.io/part-of": "kubeflow-profile", + "istio-injection": "enabled", // Added by service mesh logic }, Name: name, }, @@ -68,9 +89,10 @@ func TestEnforceNamespaceLabelsFromConfig(t *testing.T) { Labels: map[string]string{ "user-name": "Jim", "katib.kubeflow.org/metrics-collector-injection": "enabled", - "serving.kubeflow.org/inferenceservice": "disabled", + "serving.kubeflow.org/inferenceservice": "disabled", // Existing label preserved "pipelines.kubeflow.org/enabled": "true", "app.kubernetes.io/part-of": "kubeflow-profile", + "istio-injection": "enabled", // Added by service mesh logic }, Name: name, }, 
@@ -101,16 +123,57 @@ func TestEnforceNamespaceLabelsFromConfig(t *testing.T) { "serving.kubeflow.org/inferenceservice": "enabled", "pipelines.kubeflow.org/enabled": "true", "app.kubernetes.io/part-of": "kubeflow-profile", + "istio-injection": "enabled", // Added by service mesh logic + // "removal-label" should be removed due to empty value + }, + Name: name, + }, + }, + }, + // Test ambient mode + namespaceLabelSuite{ + corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + }, + map[string]string{ + "katib.kubeflow.org/metrics-collector-injection": "enabled", + "serving.kubeflow.org/inferenceservice": "enabled", + "pipelines.kubeflow.org/enabled": "true", + "app.kubernetes.io/part-of": "kubeflow-profile", + }, + corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "katib.kubeflow.org/metrics-collector-injection": "enabled", + "serving.kubeflow.org/inferenceservice": "enabled", + "pipelines.kubeflow.org/enabled": "true", + "app.kubernetes.io/part-of": "kubeflow-profile", + "istio-injection": "disabled", // Ambient mode disables sidecar + "istio.io/dataplane-mode": "ambient", + "istio.io/use-waypoint": "waypoint", + "istio.io/use-waypoint-namespace": name, + "istio.io/ingress-use-waypoint": "true", }, Name: name, }, }, }, } - for _, test := range tests { - setNamespaceLabels(&test.current, test.labels) + for i, test := range tests { + // Use ambient mode reconciler for the last test case + testReconciler := reconciler + if i == len(tests)-1 { // Last test case is ambient mode + testReconciler = &ProfileReconciler{ + ServiceMeshMode: "istio-ambient", + WaypointName: "waypoint", + WaypointNamespace: "", // Empty means use profile namespace + } + } + testReconciler.setNamespaceLabelsAndServiceMesh(&test.current, profile, test.labels) if !reflect.DeepEqual(&test.expected, &test.current) { - t.Errorf("Expect:\n%v; Output:\n%v", &test.expected, &test.current) + t.Errorf("Test case %d: Expect:\n%v; Output:\n%v", i, 
&test.expected, &test.current) } } } 
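Review bot: Picking the ambient reconciler with `i == len(tests)-1` ties the test to the order of the table, so appending a case later silently runs the ambient expectations under the wrong mode. Add the reconciler (or just the mode) to `namespaceLabelSuite` and let each case state it, e.g. `test.reconciler.setNamespaceLabelsAndServiceMesh(&test.current, profile, test.labels)`. A case that starts from a namespace already carrying the ambient labels and runs in sidecar mode would also make the effect of the `delete` calls in the `else` branch observable, which none of the visible cases does. The test function starts outside this hunk.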
@@ -198,3 +261,108 @@ func createMockReconciler() *ProfileReconciler { } return reconciler } + +// Test waypoint creation in ambient mode +func TestCreateWaypointAmbientMode(t *testing.T) { + // This is a basic test to verify the waypoint creation logic + // In a real test environment, you would mock the Kubernetes client + + profile := &profilev1.Profile{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-profile", + }, + Spec: profilev1.ProfileSpec{ + Owner: rbacv1.Subject{ + Kind: "User", + Name: "test-user", + }, + }, + } + + // Test with waypoint in same namespace + reconciler := &ProfileReconciler{ + ServiceMeshMode: "istio-ambient", + WaypointName: "test-waypoint", + WaypointNamespace: "", // Empty means use profile namespace + CreateWaypoint: true, + } + + // Verify waypoint namespace defaults to profile namespace when empty + // This is just testing the field value, not the actual creation logic + // which would require mocking the Kubernetes client + _ = profile // Use profile to avoid unused variable error + if reconciler.WaypointNamespace != "" { + t.Errorf("Expected empty waypoint namespace to default to profile namespace") + } + + // Test with waypoint in different namespace + reconciler2 := &ProfileReconciler{ + ServiceMeshMode: "istio-ambient", + WaypointName: "shared-waypoint", + WaypointNamespace: "istio-system", + CreateWaypoint: true, + } + + if reconciler2.WaypointNamespace != "istio-system" { + t.Errorf("Expected waypoint namespace to be 'istio-system', got %s", reconciler2.WaypointNamespace) + } +} + +// Test getAuthorizationPolicy with ambient mode +func TestGetAuthorizationPolicyAmbientMode(t *testing.T) { + profile := &profilev1.Profile{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-profile", + }, + Spec: profilev1.ProfileSpec{ + Owner: rbacv1.Subject{ + Kind: "User", + Name: "test-user@example.com", + }, + }, + } + + // Test sidecar mode (default) + reconcilerSidecar := &ProfileReconciler{ + ServiceMeshMode: "istio-sidecar", + UserIdHeader: 
"x-goog-authenticated-user-email", + UserIdPrefix: "accounts.google.com:", + } + + policySidecar := reconcilerSidecar.getAuthorizationPolicy(profile) + + // In sidecar mode, TargetRefs should be nil + if policySidecar.TargetRefs != nil { + t.Errorf("Expected TargetRefs to be nil in sidecar mode, got %v", policySidecar.TargetRefs) + } + + // Test ambient mode + reconcilerAmbient := &ProfileReconciler{ + ServiceMeshMode: "istio-ambient", + WaypointName: "test-waypoint", + UserIdHeader: "x-goog-authenticated-user-email", + UserIdPrefix: "accounts.google.com:", + } + + policyAmbient := reconcilerAmbient.getAuthorizationPolicy(profile) + + // In ambient mode, TargetRefs should be set + if policyAmbient.TargetRefs == nil { + t.Errorf("Expected TargetRefs to be set in ambient mode") + } else { + if len(policyAmbient.TargetRefs) != 1 { + t.Errorf("Expected 1 TargetRef, got %d", len(policyAmbient.TargetRefs)) + } else { + targetRef := policyAmbient.TargetRefs[0] + if targetRef.Kind != "Gateway" { + t.Errorf("Expected TargetRef Kind to be 'Gateway', got %s", targetRef.Kind) + } + if targetRef.Group != "gateway.networking.k8s.io" { + t.Errorf("Expected TargetRef Group to be 'gateway.networking.k8s.io', got %s", targetRef.Group) + } + if targetRef.Name != "test-waypoint" { + t.Errorf("Expected TargetRef Name to be 'test-waypoint', got %s", targetRef.Name) + } + } + } +} diff --git a/components/profile-controller/go.mod b/components/profile-controller/go.mod index 12f52556..c25f8a64 100644 --- a/components/profile-controller/go.mod +++ b/components/profile-controller/go.mod @@ -1,11 +1,13 @@ module github.com/kubeflow/dashboard/components/profile-controller -go 1.22.12 +go 1.23.0 + +toolchain go1.24.11 require ( github.com/aws/aws-sdk-go v1.44.22 github.com/cenkalti/backoff v2.2.1+incompatible - github.com/go-logr/logr v1.2.0 + github.com/go-logr/logr v1.4.3 github.com/onsi/ginkgo v1.16.5 github.com/onsi/gomega v1.18.1 github.com/pkg/errors v0.9.1 
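Review bot: `TestCreateWaypointAmbientMode` never calls `createWaypoint`; it only asserts on struct fields it has just assigned, so it passes regardless of what the controller does. The security-relevant paths are left untested: the owner reference being set only for a same-namespace waypoint, the handling of a pre-existing Gateway, and the principal written into `waypoint-l4-access`. The `createMockReconciler` helper visible just above this hunk presumably wires a test client; building the reconciler from it and asserting on the Gateway and AuthorizationPolicy it stores would turn this into a real test. `TestGetAuthorizationPolicyAmbientMode` could additionally assert the new katib rule.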
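Review bot: `go.mod` now declares `toolchain go1.24.11`, but the Dockerfile in this same commit builds with `golang:1.23`, so the release image is not built with the toolchain the module asks for. Depending on the `GOTOOLCHAIN` setting in the builder, the build either ignores the directive and compiles with 1.23 or fetches a different toolchain over the network during `docker build`; neither is what a reader of `go.mod` would expect. Align the two (builder image on the same 1.24 patch release, ideally pinned by digest) so the shipped binary carries the standard-library fixes the toolchain line implies.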
@@ -13,16 +15,17 @@ require ( github.com/sirupsen/logrus v1.8.1 github.com/stretchr/testify v1.7.0 github.com/tidwall/gjson v1.14.1 - golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 + golang.org/x/oauth2 v0.30.0 google.golang.org/api v0.43.0 gopkg.in/fsnotify.v1 v1.4.7 gopkg.in/yaml.v2 v2.4.0 - istio.io/api v0.0.0-20220525153140-e3c48c9ac324 + istio.io/api v1.28.1 istio.io/client-go v1.13.4 - k8s.io/api v0.24.0 - k8s.io/apimachinery v0.24.0 - k8s.io/client-go v0.24.0 + k8s.io/api v0.24.1 + k8s.io/apimachinery v0.24.1 + k8s.io/client-go v0.24.1 sigs.k8s.io/controller-runtime v0.12.1 + sigs.k8s.io/gateway-api v0.5.1 ) require ( @@ -36,7 +39,7 @@ require ( github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/beorn7/perks v1.0.1 // indirect - github.com/cespare/xxhash/v2 v2.1.2 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/emicklei/go-restful v2.9.5+incompatible // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect @@ -48,11 +51,11 @@ require ( github.com/go-openapi/swag v0.19.14 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.2 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect - github.com/google/go-cmp v0.5.5 // indirect + github.com/google/go-cmp v0.7.0 // indirect github.com/google/gofuzz v1.1.0 // indirect - github.com/google/uuid v1.1.2 // indirect + github.com/google/uuid v1.6.0 // indirect github.com/googleapis/gax-go/v2 v2.0.5 // indirect github.com/imdario/mergo v0.3.12 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect 
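Review bot: `istio.io/api` jumps to v1.28.1 while `istio.io/client-go` stays at v1.13.4 and the Kubernetes modules at v0.24.1, so the `istioSecurityClient.AuthorizationPolicy` wrapper was generated against a much older API than the `Spec` type it now embeds. That may compile, but I would want deep-copy and serialization of newer fields such as `TargetRefs` through the old wrapper covered by a test against an envtest or real API server, since a dropped field here means a policy that is not attached to the waypoint. `sigs.k8s.io/gateway-api v0.5.1` is likewise an early release; confirm that its `v1beta1.Gateway` matches the CRD version installed alongside the Istio release that provides ambient mode. Upgrading `istio.io/client-go` together with `istio.io/api` would remove the skew.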
@@ -75,22 +78,22 @@ require ( go.uber.org/atomic v1.7.0 // indirect go.uber.org/multierr v1.6.0 // indirect go.uber.org/zap v1.19.1 // indirect - golang.org/x/crypto v0.0.0-20220214200702-86341886e292 // indirect - golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect - golang.org/x/sys v0.0.0-20220209214540-3681064d5158 // indirect - golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect - golang.org/x/text v0.3.7 // indirect + golang.org/x/crypto v0.41.0 // indirect + golang.org/x/net v0.43.0 // indirect + golang.org/x/sys v0.35.0 // indirect + golang.org/x/term v0.34.0 // indirect + golang.org/x/text v0.28.0 // indirect golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368 // indirect - google.golang.org/grpc v1.42.0 // indirect - google.golang.org/protobuf v1.27.1 // indirect + google.golang.org/grpc v1.74.2 // indirect + google.golang.org/protobuf v1.36.7 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect - k8s.io/apiextensions-apiserver v0.24.0 // indirect - k8s.io/component-base v0.24.0 // indirect + k8s.io/apiextensions-apiserver v0.24.1 // indirect + k8s.io/component-base v0.24.1 // indirect k8s.io/klog/v2 v2.60.1 // indirect k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect diff --git a/components/profile-controller/go.sum b/components/profile-controller/go.sum index 59bb3eb4..f7421fe3 100644 --- a/components/profile-controller/go.sum +++ b/components/profile-controller/go.sum 
@@ -93,8 +93,9 @@ github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6 github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= 
@@ -167,8 +168,11 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-logr/logr v1.2.0 h1:QK40JKJyMdUDz+h+xvCsru/bJhvG0UxvePV0ufL/AcE= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.2.0 h1:n4JnPI1T3Qq1SFEi/F8rwLrZERp2bso19PJZDB9dayk= github.com/go-logr/zapr v1.2.0/go.mod h1:Qa4Bsj2Vb+FAVeAKsLD8RLQ+YRJB8YDmOAKxaBQf7Ro= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= 
@@ -220,8 +224,9 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= -github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= @@ -239,8 +244,9 @@ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -260,8 +266,9 @@ github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= 
@@ -509,17 +516,29 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= +go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg= +go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E= go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM= go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= +go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE= +go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs= go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw= go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc= +go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs= +go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY= go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE= 
go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE= +go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis= +go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4= go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= +go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w= +go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= @@ -547,8 +566,9 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20220214200702-86341886e292 h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE= golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4= +golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -634,8 +654,9 @@ golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE= +golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -649,8 +670,9 @@ golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 h1:RerP+noqYHUQ8CMRcPlC2nvTa4dcBIjegkuWdcUDuqg= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= +golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -727,12 +749,14 @@ golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220209214540-3681064d5158 h1:rm+CHSpPEEW2IsXUib1ThaHIjuBVZjxNgSKmBLFfD4c= golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI= +golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4= +golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -741,8 +765,9 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng= +golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -812,7 +837,6 @@ golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717/go.mod h1:Uh6Zz+xoGYZom golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY= gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= 
@@ -915,8 +939,9 @@ google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.42.0 h1:XT2/MFpuPFsEX2fWh3YQtHkZ+WYZFQRfaUgLZYj/p6A= google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4= +google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -929,8 +954,9 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A= +google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -972,28 +998,28 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= istio.io/api v0.0.0-20220512212136-561ffec82582/go.mod h1:8ZZgyVgYrHhsFQarEgTfPnMGpdgTDZbxSjYhdwTUuAQ= -istio.io/api v0.0.0-20220525153140-e3c48c9ac324 h1:/mnoykmdJfAuauJ91A2bVorwd5tlMpbU4yDaBTEcaAo= -istio.io/api v0.0.0-20220525153140-e3c48c9ac324/go.mod h1:00myJeQGWma4Y5pboJ+MM4P2uqEWulKA1duC8kYN5Wo= +istio.io/api v1.28.1 h1:A1DzBrL6PUmDDT8uvs43wxmlg6FvdKNiZvZC1PdA50M= +istio.io/api v1.28.1/go.mod h1:BD3qv/ekm16kvSgvSpuiDawgKhEwG97wx849CednJSg= istio.io/client-go v1.13.4 h1:QJBFBkOaplyL/uBL7xo75mdE5G0i1uR6BR0u9/Wuo1E= istio.io/client-go v1.13.4/go.mod h1:kM3WH/HCojq7BhCD894SZuaAXUKMswT+VQRaEEhTGj0= istio.io/gogo-genproto v0.0.0-20211208193508-5ab4acc9eb1e/go.mod h1:vJDAniIqryf/z///fgZqVPKJ7N2lBk7Gg8DCTB7oCfU= k8s.io/api v0.23.0/go.mod h1:8wmDdLBHBNxtOIytwLstXt5E9PddnZb0GaMcqsvDBpg= k8s.io/api v0.23.1/go.mod h1:WfXnOnwSqNtG62Y1CdjoMxh7r7u9QXGCkA1u0na2jgo= -k8s.io/api v0.24.0 h1:J0hann2hfxWr1hinZIDefw7Q96wmCBx6SSB8IY0MdDg= -k8s.io/api v0.24.0/go.mod h1:5Jl90IUrJHUJYEMANRURMiVvJ0g7Ax7r3R1bqO8zx8I= -k8s.io/apiextensions-apiserver v0.24.0 h1:JfgFqbA8gKJ/uDT++feAqk9jBIwNnL9YGdQvaI9DLtY= -k8s.io/apiextensions-apiserver v0.24.0/go.mod h1:iuVe4aEpe6827lvO6yWQVxiPSpPoSKVjkq+MIdg84cM= +k8s.io/api v0.24.1 h1:BjCMRDcyEYz03joa3K1+rbshwh1Ay6oB53+iUx2H8UY= +k8s.io/api v0.24.1/go.mod h1:JhoOvNiLXKTPQ60zh2g0ewpA+bnEYf5q44Flhquh4vQ= +k8s.io/apiextensions-apiserver v0.24.1 h1:5yBh9+ueTq/kfnHQZa0MAo6uNcPrtxPMpNQgorBaKS0= +k8s.io/apiextensions-apiserver v0.24.1/go.mod h1:A6MHfaLDGfjOc/We2nM7uewD5Oa/FnEbZ6cD7g2ca4Q= k8s.io/apimachinery v0.23.0/go.mod h1:fFCTTBKvKcwTPFzjlcxp91uPFZr+JA0FubU4fLzzFYc= k8s.io/apimachinery v0.23.1/go.mod h1:SADt2Kl8/sttJ62RRsi9MIV4o8f5S3coArm0Iu3fBno= -k8s.io/apimachinery v0.24.0 
h1:ydFCyC/DjCvFCHK5OPMKBlxayQytB8pxy8YQInd5UyQ= -k8s.io/apimachinery v0.24.0/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM= -k8s.io/apiserver v0.24.0/go.mod h1:WFx2yiOMawnogNToVvUYT9nn1jaIkMKj41ZYCVycsBA= +k8s.io/apimachinery v0.24.1 h1:ShD4aDxTQKN5zNf8K1RQ2u98ELLdIW7jEnlO9uAMX/I= +k8s.io/apimachinery v0.24.1/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM= +k8s.io/apiserver v0.24.1/go.mod h1:dQWNMx15S8NqJMp0gpYfssyvhYnkilc1LpExd/dkLh0= k8s.io/client-go v0.23.1/go.mod h1:6QSI8fEuqD4zgFK0xbdwfB/PthBsIxCJMa3s17WlcO0= -k8s.io/client-go v0.24.0 h1:lbE4aB1gTHvYFSwm6eD3OF14NhFDKCejlnsGYlSJe5U= -k8s.io/client-go v0.24.0/go.mod h1:VFPQET+cAFpYxh6Bq6f4xyMY80G6jKKktU6G0m00VDw= -k8s.io/code-generator v0.24.0/go.mod h1:dpVhs00hTuTdTY6jvVxvTFCk6gSMrtfRydbhZwHI15w= -k8s.io/component-base v0.24.0 h1:h5jieHZQoHrY/lHG+HyrSbJeyfuitheBvqvKwKHVC0g= -k8s.io/component-base v0.24.0/go.mod h1:Dgazgon0i7KYUsS8krG8muGiMVtUZxG037l1MKyXgrA= +k8s.io/client-go v0.24.1 h1:w1hNdI9PFrzu3OlovVeTnf4oHDt+FJLd9Ndluvnb42E= +k8s.io/client-go v0.24.1/go.mod h1:f1kIDqcEYmwXS/vTbbhopMUbhKp2JhOeVTfxgaCIlF8= +k8s.io/code-generator v0.24.1/go.mod h1:dpVhs00hTuTdTY6jvVxvTFCk6gSMrtfRydbhZwHI15w= +k8s.io/component-base v0.24.1 h1:APv6W/YmfOWZfo+XJ1mZwep/f7g7Tpwvdbo9CQLDuts= +k8s.io/component-base v0.24.1/go.mod h1:DW5vQGYVCog8WYpNob3PMmmsY8A3L9QZNg4j/dV3s38= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= 
@@ -1014,6 +1040,8 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw= sigs.k8s.io/controller-runtime v0.12.1 h1:4BJY01xe9zKQti8oRjj/NeHKRXthf1YkYJAgLONFFoI= sigs.k8s.io/controller-runtime v0.12.1/go.mod h1:BKhxlA4l7FPK4AQcsuL4X6vZeWnKDXez/vp1Y8dxTU0= +sigs.k8s.io/gateway-api v0.5.1 h1:EqzgOKhChzyve9rmeXXbceBYB6xiM50vDfq0kK5qpdw= +sigs.k8s.io/gateway-api v0.5.1/go.mod h1:x0AP6gugkFV8fC/oTlnOMU0pnmuzIR8LfIPRVUjxSqA= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= diff --git a/components/profile-controller/main.go b/components/profile-controller/main.go index a071bf88..5cba7fee 100644 --- a/components/profile-controller/main.go +++ b/components/profile-controller/main.go @@ -31,6 +31,7 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" + gwapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" profilev1 "github.com/kubeflow/dashboard/components/profile-controller/api/v1" kubefloworgv1beta1 "github.com/kubeflow/dashboard/components/profile-controller/api/v1beta1" @@ -42,6 +43,10 @@ const USERIDHEADER = "userid-header" const USERIDPREFIX = "userid-prefix" const WORKLOADIDENTITY = "workload-identity" const DEFAULTNAMESPACELABELSPATH = "namespace-labels-path" +const SERVICEMESHMODE = "service-mesh-mode" +const WAYPOINTNAME = "waypoint-name" +const WAYPOINTNAMESPACE = "waypoint-namespace" +const CREATEWAYPOINT = "create-waypoint" var ( scheme = runtime.NewScheme() 
@@ -54,6 +59,7 @@ func init() { utilruntime.Must(profilev1.AddToScheme(scheme)) utilruntime.Must(istioSecurityClient.AddToScheme(scheme)) utilruntime.Must(kubefloworgv1beta1.AddToScheme(scheme)) + utilruntime.Must(gwapiv1beta1.AddToScheme(scheme)) //+kubebuilder:scaffold:scheme } @@ -65,6 +71,10 @@ func main() { var userIdPrefix string var workloadIdentity string var defaultNamespaceLabelsPath string + var serviceMeshMode string + var waypointName string + var waypointNamespace string + var createWaypoint bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":9876", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, @@ -74,6 +84,10 @@ func main() { flag.StringVar(&userIdPrefix, USERIDPREFIX, "accounts.google.com:", "Request header user id common prefix") flag.StringVar(&workloadIdentity, WORKLOADIDENTITY, "", "Default identity (GCP service account) for workload_identity plugin") flag.StringVar(&defaultNamespaceLabelsPath, DEFAULTNAMESPACELABELSPATH, "/etc/profile-controller/namespace-labels.yaml", "A YAML file with a map of labels to be set on every Profile namespace") + flag.StringVar(&serviceMeshMode, SERVICEMESHMODE, "istio-sidecar", "Service mesh mode: 'istio-sidecar' or 'istio-ambient' (default: istio-sidecar)") + flag.StringVar(&waypointName, WAYPOINTNAME, "waypoint", "Name of the waypoint proxy to use in ambient mode") + flag.StringVar(&waypointNamespace, WAYPOINTNAMESPACE, "", "Namespace of the waypoint (optional, defaults to profile namespace)") + flag.BoolVar(&createWaypoint, CREATEWAYPOINT, false, "Create waypoint proxy in profile namespace if it doesn't exist") opts := zap.Options{ Development: true, } 
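Review bot: The `-service-mesh-mode` value registered in the `@@ -74,6 +84,10 @@` hunk reaches the reconciler without being checked against the two values its own help text lists. The namespace mesh labels elsewhere in this commit appear to depend on that mode, so a typo or an unexpanded `$(SERVICE_MESH_MODE)` placeholder could leave profile namespaces outside the mesh and its authorization policies, unless the reconciler rejects unknown modes itself. I would fail fast once the flags are parsed: `if serviceMeshMode != "istio-sidecar" && serviceMeshMode != "istio-ambient" { setupLog.Error(nil, "invalid service-mesh-mode", "value", serviceMeshMode); os.Exit(1) }`. The `(default: istio-sidecar)` suffix in the usage string is redundant, because the flag package prints non-zero defaults itself. The body of `main` continues outside the hunk.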
@@ -102,6 +116,10 @@ func main() { UserIdPrefix: userIdPrefix, WorkloadIdentity: workloadIdentity, DefaultNamespaceLabelsPath: defaultNamespaceLabelsPath, + ServiceMeshMode: serviceMeshMode, + WaypointName: waypointName, + WaypointNamespace: waypointNamespace, + CreateWaypoint: createWaypoint, }).SetupWithManager(mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", "Profile") os.Exit(1) diff --git a/components/profile-controller/manifests/kustomize/components/istio-ambient/httproute.yaml b/components/profile-controller/manifests/kustomize/components/istio-ambient/httproute.yaml new file mode 100644 index 00000000..dc01fa3d --- /dev/null +++ b/components/profile-controller/manifests/kustomize/components/istio-ambient/httproute.yaml @@ -0,0 +1,27 @@ +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: profiles-kfam +spec: + parentRefs: + - name: kubeflow-gateway + rules: + - matches: + - path: + type: PathPrefix + value: /kfam/ + filters: + - type: RequestHeaderModifier + requestHeaderModifier: + add: + - name: x-forwarded-prefix + value: /kfam/ + - type: URLRewrite + urlRewrite: + path: + type: ReplacePrefixMatch + replacePrefixMatch: /kfam/ + backendRefs: + - name: KFAM_SERVICE_NAME + namespace: KFAM_SERVICE_NAMESPACE + port: 8081 diff --git a/components/profile-controller/manifests/kustomize/components/istio-ambient/kustomization.yaml b/components/profile-controller/manifests/kustomize/components/istio-ambient/kustomization.yaml new file mode 100644 index 00000000..54d0a858 --- /dev/null +++ b/components/profile-controller/manifests/kustomize/components/istio-ambient/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - httproute.yaml 
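Review bot: In `istio-ambient/httproute.yaml` the `RequestHeaderModifier` uses `add` for `x-forwarded-prefix`, which in Gateway API appends to whatever value the client already sent rather than replacing it. If KFAM or anything behind it trusts this header when building URLs, the gateway should own the value; declaring the same name/value pair under `set:` instead of `add:` overwrites the inbound header. Separately, the `URLRewrite` filter replaces the matched prefix `/kfam/` with `/kfam/`, which looks like a no-op. If that deliberately mirrors the sidecar VirtualService, a one-line comment such as `# prefix kept as-is; KFAM serves under /kfam/` would save the next reader the question.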
diff --git a/components/profile-controller/manifests/kustomize/components/istio/authorizationpolicy.yaml b/components/profile-controller/manifests/kustomize/components/istio-common/authorizationpolicy.yaml similarity index 100% rename from components/profile-controller/manifests/kustomize/components/istio/authorizationpolicy.yaml rename to components/profile-controller/manifests/kustomize/components/istio-common/authorizationpolicy.yaml diff --git a/components/profile-controller/manifests/kustomize/components/istio/kustomization.yaml b/components/profile-controller/manifests/kustomize/components/istio-common/kustomization.yaml similarity index 80% rename from components/profile-controller/manifests/kustomize/components/istio/kustomization.yaml rename to components/profile-controller/manifests/kustomize/components/istio-common/kustomization.yaml index 2d524738..46df18d6 100644 --- a/components/profile-controller/manifests/kustomize/components/istio/kustomization.yaml +++ b/components/profile-controller/manifests/kustomize/components/istio-common/kustomization.yaml @@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component resources: - - virtual-service.yaml - authorizationpolicy.yaml diff --git a/components/profile-controller/manifests/kustomize/components/istio-sidecar/kustomization.yaml b/components/profile-controller/manifests/kustomize/components/istio-sidecar/kustomization.yaml new file mode 100644 index 00000000..aec7939c --- /dev/null +++ b/components/profile-controller/manifests/kustomize/components/istio-sidecar/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - virtual-service.yaml 
diff --git a/components/profile-controller/manifests/kustomize/components/istio/virtual-service.yaml b/components/profile-controller/manifests/kustomize/components/istio-sidecar/virtual-service.yaml similarity index 100% rename from components/profile-controller/manifests/kustomize/components/istio/virtual-service.yaml rename to components/profile-controller/manifests/kustomize/components/istio-sidecar/virtual-service.yaml diff --git a/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/kustomization.yaml b/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/kustomization.yaml new file mode 100644 index 00000000..4cf088b8 --- /dev/null +++ b/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/kustomization.yaml 
@@ -0,0 +1,89 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: kubeflow + +resources: + - ../../base + +components: + - ../../components/istio-common + - ../../components/istio-ambient + - ../../components/kfam + # - ../../components/prometheus-noauth + # - ../../components/prometheus-authz + # NOTE: the common component should always be last, to ensure it labels all resources. + - ../../components/common + +patches: + - path: patches/remove-namespace.yaml + - path: patches/deployment.yaml + +configMapGenerator: + - name: profiles-config + behavior: replace + envs: + - params.env + + - name: profiles-namespace-labels-data + behavior: replace + files: + - namespace-labels.yaml + +replacements: + # Replace KFAM host in HTTPRoute + - source: + fieldPath: metadata.name + kind: Service + name: profiles-kfam + version: v1 + targets: + - fieldPaths: + - spec.rules.0.backendRefs.0.name + select: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: profiles-kfam + version: v1beta1 + - source: + fieldPath: metadata.namespace + kind: Service + name: profiles-kfam + version: v1 + targets: + - fieldPaths: + - spec.rules.0.backendRefs.0.namespace + select: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: profiles-kfam + version: v1beta1 + - source: + fieldPath: spec.ports.0.port + kind: Service + name: profiles-kfam + version: v1 + targets: + - fieldPaths: + - spec.rules.0.backendRefs.0.port + select: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: profiles-kfam + version: v1beta1 + # Update the ServiceAccount + - source: + fieldPath: metadata.namespace + kind: ServiceAccount + name: profiles-controller-service-account + targets: + - fieldPaths: + - subjects.[kind=ServiceAccount].namespace + select: + kind: ClusterRoleBinding + name: profiles-cluster-rolebinding + - fieldPaths: + - subjects.[kind=ServiceAccount].namespace + select: + kind: RoleBinding + name: profiles-leader-election-rolebinding 
diff --git a/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/namespace-labels.yaml b/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/namespace-labels.yaml new file mode 100644 index 00000000..8a314812 --- /dev/null +++ b/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/namespace-labels.yaml @@ -0,0 +1,18 @@ +# Below is a list of labels to set on Profile Namespaces +# +# FORMAT: +# - ADD a Namespace label: `key: "value"` +# - REMOVE a Namespace label: `key: ""` +# +# WARNING: +# - The controller will NOT overwrite a label if one with same key already exists. +# - To override the value of a previously applied label: +# 1. REMOVE the label: `key: ""` +# 2. Apply new ConfigMap +# 3. RE-ADD the label: `key: "value"` +# 4. Apply new ConfigMap +# +app.kubernetes.io/part-of: "kubeflow-profile" +katib.kubeflow.org/metrics-collector-injection: "enabled" +pipelines.kubeflow.org/enabled: "true" +serving.kubeflow.org/inferenceservice: "enabled" \ No newline at end of file diff --git a/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/params.env b/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/params.env new file mode 100644 index 00000000..a6dd7020 --- /dev/null +++ b/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/params.env @@ -0,0 +1,12 @@ +ADMIN= +WORKLOAD_IDENTITY= +USERID_HEADER=kubeflow-userid +USERID_PREFIX= +ISTIO_INGRESS_GATEWAY_PRINCIPAL=cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account +NOTEBOOK_CONTROLLER_PRINCIPAL=cluster.local/ns/kubeflow/sa/notebook-controller-service-account +KFP_UI_PRINCIPAL=cluster.local/ns/kubeflow/sa/ml-pipeline-ui +KATIB_CONTROLLER_PRINCIPAL=cluster.local/ns/kubeflow/sa/katib-controller +SERVICE_MESH_MODE=istio-ambient +CREATE_WAYPOINT=true +WAYPOINT_NAME=waypoint +WAYPOINT_NAMESPACE= 
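Review bot: `ISTIO_INGRESS_GATEWAY_PRINCIPAL` in the ambient `params.env` still names `istio-ingressgateway-service-account` in `istio-system`, while this overlay's HTTPRoute attaches to the Gateway API parent `kubeflow-gateway`. If that Gateway is served by its own deployment and service account, its workload identity will differ from this principal. Any AuthorizationPolicy built from the value would then either reject ingress traffic or keep trusting an identity that no longer fronts it. The policy is not visible here, so please confirm which service account actually terminates ingress in ambient mode and set the principal to match.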
diff --git a/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/patches/deployment.yaml b/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/patches/deployment.yaml new file mode 100644 index 00000000..7b283338 --- /dev/null +++ b/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/patches/deployment.yaml @@ -0,0 +1,28 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: profiles-deployment +spec: + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: manager + command: + - /manager + - -userid-header + - $(USERID_HEADER) + - -userid-prefix + - $(USERID_PREFIX) + - -workload-identity + - $(WORKLOAD_IDENTITY) + - -service-mesh-mode + - $(SERVICE_MESH_MODE) + - -waypoint-name + - $(WAYPOINT_NAME) + - -waypoint-namespace + - $(WAYPOINT_NAMESPACE) + - -create-waypoint + - $(CREATE_WAYPOINT) diff --git a/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/patches/remove-namespace.yaml b/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/patches/remove-namespace.yaml new file mode 100644 index 00000000..b3e9326c --- /dev/null +++ b/components/profile-controller/manifests/kustomize/overlays/kubeflow-ambient/patches/remove-namespace.yaml @@ -0,0 +1,5 @@ +$patch: delete +apiVersion: v1 +kind: Namespace +metadata: + name: profiles-system diff --git a/components/profile-controller/manifests/kustomize/overlays/kubeflow/kustomization.yaml b/components/profile-controller/manifests/kustomize/overlays/kubeflow/kustomization.yaml index 0d862602..e6e742d1 100644 --- a/components/profile-controller/manifests/kustomize/overlays/kubeflow/kustomization.yaml +++ b/components/profile-controller/manifests/kustomize/overlays/kubeflow/kustomization.yaml 
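Review bot: The last two `command` entries in `kubeflow-ambient/patches/deployment.yaml` pass `-create-waypoint` and `$(CREATE_WAYPOINT)` as separate arguments, but Go's `flag` package never reads a following argument as a boolean flag's value. The bare `-create-waypoint` switches it on and the expanded value becomes a stray positional argument, so `CREATE_WAYPOINT=false` in `params.env` would still enable waypoint creation. Use a single entry instead: `- -create-waypoint=$(CREATE_WAYPOINT)`. It is also worth confirming that the base Deployment exposes `SERVICE_MESH_MODE`, `WAYPOINT_NAME`, `WAYPOINT_NAMESPACE` and `CREATE_WAYPOINT` as container env vars, since Kubernetes leaves an unresolved `$(VAR)` in `command` as literal text.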
@@ -7,7 +7,8 @@ resources: - ../../base components: - - ../../components/istio + - ../../components/istio-common + - ../../components/istio-sidecar - ../../components/kfam # - ../../components/prometheus-noauth # - ../../components/prometheus-authz